blob: f92ddb8e87af36d4e48c5a93ef73a12f7e0577cc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:44 +0530
Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
allow rules
add allow rules for audit.log file & resolve dependent avc denials.
without this change we are getting audit avc denials mixed into bootlog &
audit other avc denials.
audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
path="/run/systemd/journal/dev-log" scontext=sy0
audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 3 +++
policy/modules/system/logging.te | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..423db0cc 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -129,3 +129,6 @@ optional_policy(`
optional_policy(`
udev_read_db(getty_t)
')
+
+allow getty_t tmpfs_t:dir search;
+allow getty_t tmpfs_t:file { open write lock };
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e92a8e..8ab46925 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
+allow audisp_t initrc_t:unix_dgram_socket sendto;
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
@@ -620,3 +621,10 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
+
+
+allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+allow klogd_t initrc_t:unix_dgram_socket sendto;
\ No newline at end of file
--
2.19.1
|
