refpolicy: policy fixes for seutils and auditd_log_t

Two patches to fix these two issue: * Current policy has incomplete allow rules for selinux utils to manage selinux config files and policy store. * auditd_log_t(/var/log/audit/audit.log) is also placed in var_log_t, so add related rules. CQID: WIND00396415 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
2026-01-01 13:58:04 +00:00 · 2013-01-21 19:26:12 +08:00 · 2013-01-21 19:26:12 +08:00 · a1d632a26f
commit a1d632a26f
parent b0f4055b70
3 changed files with 104 additions and 12 deletions
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
@ -8,8 +8,8 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ---
 policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |    7 +++++++
- 2 files changed, 8 insertions(+), 0 deletions(-)
+ policy/modules/system/logging.if |   14 +++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)

 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
 index 3cb65f1..2419cd7 100644
@ -24,10 +24,25 @@ index 3cb65f1..2419cd7 100644
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..2be355e 100644
+index 321bb13..4812d46 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -626,6 +626,7 @@ interface(`logging_search_logs',`
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+ 	gen_require(`
+-		type auditd_log_t;
+		type auditd_log_t, var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	read_files_pattern($1, auditd_log_t, auditd_log_t)
+ 	allow $1 auditd_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir search_dir_perms;
@ -35,7 +50,7 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -663,6 +664,7 @@ interface(`logging_list_logs',`
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
@ -43,7 +58,7 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',`
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir rw_dir_perms;
@ -51,7 +66,33 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -843,6 +846,7 @@ interface(`logging_read_generic_logs',`
+@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
+		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ 	gen_require(`
+ 		attribute logfile;
+		type var_log_t;
+ 	')
+ 
+ 	files_search_var($1)
+ 	allow $1 logfile:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ 	can_exec($1, logfile)
+ ')
+ 
+@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
@ -59,7 +100,7 @@ index 321bb13..2be355e 100644
 	read_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',`
+@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
@ -67,7 +108,7 @@ index 321bb13..2be355e 100644
 	write_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',`
+@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
@ -75,7 +116,7 @@ index 321bb13..2be355e 100644
 	rw_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',`
+@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',`
 
 	files_search_var($1)
 	manage_files_pattern($1, var_log_t, var_log_t)
@ -83,6 +124,17 @@ index 321bb13..2be355e 100644
 ')
 
 ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index a3a25c2..a45c68e 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 -- 
-1.7.5.4
-
+1.7.9.5
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
@ -0,0 +1,39 @@
+Subject: [PATCH] refpolicy: fix selinux utils to manage config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.if |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+ 	')
+ 
+ 	files_search_etc($1)
+	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ 	manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e720dcd..6b6a5b3 100644
+--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
+@@ -1235,6 +1235,10 @@ template(`userdom_security_admin_template',`
+ 	logging_read_audit_config($1)
+ 
+ 	seutil_manage_bin_policy($1)
+	seutil_manage_default_contexts($1)
+	seutil_manage_file_contexts($1)
+	seutil_manage_module_store($1)
+	seutil_manage_config($1)
+ 	seutil_run_checkpolicy($1, $2)
+ 	seutil_run_loadpolicy($1, $2)
+ 	seutil_run_semanage($1, $2)
+-- 
+1.7.9.5
+
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@ -31,6 +31,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \

 # Other policy fixes 
 SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+            file://poky-policy-fix-seutils-manage-config-files.patch \
            file://poky-policy-fix-nfsd_t.patch \
           "