CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
7af62c91d7
meta-selinux/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
Joe MacDonald d668669844 refpolicy: update to 2.20190201 and git HEAD policies 
Additionally, the README has fallen out of date, update it to reflect the
current reality of layer dependencies.

Signed-off-by: Joe MacDonald <joe@deserted.net>
2019-04-12 15:28:38 -04:00

71 lines
3.0 KiB
Diff
Raw Blame History

From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:29 +0530
Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
syslog & getty related allow rules required to fix the syslog mixup with
boot log, while using systemd as init manager.
without this change we are getting these avc denials:
audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
s0 tclass=file permissive=0
audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 1 +
policy/modules/system/logging.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 423db0cc..9ab03956 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -132,3 +132,4 @@ optional_policy(`
allow getty_t tmpfs_t:dir search;
allow getty_t tmpfs_t:file { open write lock };
+allow getty_t initrc_t:unix_dgram_socket sendto;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 520f7da6..4e02dab8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
allow syslogd_t self:shm create;
allow syslogd_t self:sem { create read unix_write write };
allow syslogd_t self:shm { read unix_read unix_write write };
-allow syslogd_t tmpfs_t:file { read write };
+allow syslogd_t tmpfs_t:file { read write create getattr append open };
+allow syslogd_t tmpfs_t:dir { search write add_name };
--
2.19.1
Reference in New Issue View Git Blame Copy Permalink