Signed-off-by: Joe MacDonald <***@deserted.net>
---
...poky-fc-update-alternatives_sysklogd.patch | 44 ++++++++++---------
...add-rules-for-var-log-symlink-apache.patch | 10 ++---
...add-rules-for-var-log-symlink-apache.patch | 27 ++++++++++--
recipes-security/refpolicy/refpolicy_git.inc | 2 -
4 files changed, 51 insertions(+), 32 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
index 2038110..e9a0464 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -11,13 +11,13 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <***@windriver.com>
Signed-off-by: Joe MacDonald <***@mentor.com>
---
- policy/modules/system/logging.fc | 4 ++++
- policy/modules/system/logging.te | 1 +
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 2 ++
2 files changed, 5 insertions(+)
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,9 +1,10 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -26,35 +26,37 @@ Signed-off-by: Joe MacDonald <***@mentor.com>
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+@@ -27,14 +28,16 @@
+ /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -388,10 +388,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
++allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
-
+ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 8d22c21..fb912b5 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -17,11 +17,11 @@ Signed-off-by: Joe MacDonald <***@mentor.com>
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
+ files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
+
+ manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 5bd5b2e..8d22c21 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -1,12 +1,31 @@
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index fcf795f..529057c 100644
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <***@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <***@windriver.com>
+Signed-off-by: Joe MacDonald <***@mentor.com>
+---
+ policy/modules/contrib/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
-@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
+ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 6c318ab..b2fd638 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -12,7 +12,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
# Fix file contexts for Poky
SRC_URI += "file://poky-fc-subs_dist.patch \
file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_sysklogd.patch \
file://poky-fc-update-alternatives_hostname.patch \
file://poky-fc-update-alternatives_bash.patch \
file://poky-fc-fix-real-path_resolv.conf.patch \
@@ -35,7 +34,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
# Specific policy for Poky
SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
file://poky-policy-add-rules-for-var-cache-symlink.patch \
--
2.17.1
--