* [meta-selinux] [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
@ 2016-08-29 13:38 Shrikant Bobade
From: Shrikant Bobade @ 2016-08-29 13:38 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade

From: Shrikant Bobade <shrikant_bobade@mentor.com>

syslog- and getty-related allow rules are required to fix the syslog mix-up with
the boot log when using systemd as the init manager.

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
 ...-refpolicy-minimum-systemd-fix-for-syslog.patch | 69 ++++++++++++++++++++++
 .../refpolicy/refpolicy-minimum_2.20151208.bb      |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100644
index 0000000..b01947d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,69 @@
+From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc:  denied  { search } for  pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { write } for  pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { add_name } for  pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc:  denied  { sendto } for  pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc:  denied  { create } for  pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc:  denied  { append } for  pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc:  denied  { getattr } for  pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 84eaf77..2e53daf 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -142,3 +142,4 @@ optional_policy(`
+ 
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 107db03..95de86d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
+-- 
+1.9.1
+
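Review bot: the logging.te part of the embedded patch widens syslogd_t to the generic tmpfs_t type (`+allow syslogd_t tmpfs_t:file { read write create getattr append open };` and the new `+allow syslogd_t tmpfs_t:dir { search write add_name };`), which lets syslogd create and write files in any unlabelled tmpfs directory, not just the log directory the denials show (/var/volatile/log/messages). The tighter fix is to give /var/volatile/log a log file type (var_log_t in refpolicy) via a file context so syslogd's existing log-file permissions apply, keeping a tmpfs_t allow only as a fallback when relabelling cannot happen before syslogd starts; either way the commit message should state why relabelling was not chosen. The getty.te line `+allow getty_t initrc_t:unix_dgram_socket sendto;` mirrors the klogd_t rule visible in the logging.te hunk context, but it works only because the socket at /run/systemd/journal/dev-log is owned by a process running in initrc_t on this minimal policy; a comment recording that dependency would help whoever later introduces a dedicated journald domain.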
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9f01492..da6626e 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -80,4 +80,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
 	file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
 	file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
 	file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+	file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
 	"
-- 
1.9.1