diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch new file mode 100644 index 0000000..d07fa91 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch @@ -0,0 +1,48 @@ +From 2476910f6d7f116148bb9311498b5c98692c1ef3 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Sat, 18 Dec 2021 17:31:45 +0800 +Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS + trusted. + +Make syslogd_runtime_t MLS trusted to allow all levels to read and write +the object. + +Fixes: +avc: denied { search } for pid=314 comm="useradd" name="journal" +dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir +permissive=0 + +avc: denied { search } for pid=319 comm="passwd" name="journal" +dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir +permissive=0 + +avc: denied { search } for pid=374 comm="rpc.statd" name="journal" +dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 25e1d1397..ba0fd10e0 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map; + manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) + files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) + ++mls_trusted_object(syslogd_runtime_t) ++ + kernel_read_system_state(syslogd_t) + kernel_read_network_state(syslogd_t) + kernel_read_kernel_sysctls(syslogd_t) +-- +2.25.1 + |