From 59c29aa28424cf61f6b71a9022dced52d5b58c8f Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures Fixes: avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda" ino=12552 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang Signed-off-by: Yi Zhao --- policy/modules/system/logging.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 38e0b4766..a1912254e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; +allow auditctl_t var_log_t:lnk_file read_lnk_file_perms; dontaudit auditctl_t auditd_etc_t:file map; corecmd_search_bin(auditctl_t) @@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map; manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t auditd_log_t:dir setattr; manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; allow auditd_t var_log_t:dir search_dir_perms; manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) @@ -306,6 +308,7 @@ optional_policy(` allow audisp_remote_t self:capability { setpcap setuid }; allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; allow audisp_remote_t var_log_t:dir search_dir_perms; manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) -- 2.25.1