refpolicy: oe-core /var/log symlink policy for apache

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>

recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink-apache.patch

@@ -0,0 +1,28 @@
+Subject: [PATCH] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/apache.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 1115d37..4c6316d 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -310,6 +310,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ # cjp: need to refine create interfaces to
+ # cut this back to add_name only
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+-- 
+1.7.9.5
+

recipes-security/refpolicy/refpolicy_2.20120725.inc

@@ -35,6 +35,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 # Specific policy for Poky
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
             file://poky-policy-add-rules-for-var-log-symlink.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
             file://poky-policy-add-rules-for-var-cache-symlink.patch \
             file://poky-policy-add-rules-for-tmp-symlink.patch \
             file://poky-policy-add-rules-for-bsdpty_device_t.patch \

recipes-security/refpolicy/refpolicy_common.inc

@@ -1,4 +1,4 @@
-PRINC = "3"
+PRINC = "4"
 
 SECTION = "base"
 LICENSE = "GPLv2"