
[meta-selinux,master,scarthgap,2/2] refpolicy: fixes for auditctl and rsyslog

Message ID 20240606061434.2764343-2-yi.zhao@windriver.com
State New
Series [meta-selinux,master,scarthgap,1/2] refpolicy: update to latest git rev | expand

Commit Message

Yi Zhao June 6, 2024, 6:14 a.m. UTC
* Allow auditctl to read symlinks labelled var_log_t (the /var/log directory symlink).
* Grant the setpcap capability to syslogd_t.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...ystem-logging-fix-auditd-startup-fai.patch | 20 +++++++---
 ...ystem-logging-grant-getpcap-capabili.patch | 38 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 3 files changed, 53 insertions(+), 6 deletions(-)
 create mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
index e9e717b..6ad2475 100644
--- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@ 
-From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001
+From 5b33f07f60b20eb6e07ea3f517c43a539ee21332 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -13,14 +13,22 @@  Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 45584dba6..8bc70b81d 100644
+index 45584dba6..4fb2fb63c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
++allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;
+ dontaudit auditctl_t auditd_etc_t:file map;
+ 
+ corecmd_search_bin(auditctl_t)
+@@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map;
  manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
  allow auditd_t auditd_log_t:dir setattr;
  manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
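Review bot: The new `allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;` rule carries no why-comment, unlike the neighbouring rules and the setpcap rule in the sibling 0057 patch, and it is wider than the cover letter's "symlink of var/log directory": it permits reading every symlink labelled var_log_t, not only /var/log itself. That is a low-risk read permission, but a one-line comment keeps the intent reviewable, e.g. `# /var/log is itself a symlink on this target (presumably to volatile storage); auditctl must follow it` — the volatile-storage reason is an assumption to confirm, since the patch body that would state it lies above this hunk. Appending the rule to a carried 2013 patch titled "fix auditd startup failures", rather than giving it its own numbered patch as 0057 does, also makes it harder to trace and to drop later if upstream refpolicy grants the same access. Whether auditctl_t already has search on the var_log_t directory reached through the link is not visible in this hunk and is worth checking against the rest of the auditctl_t block.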
@@ -28,7 +36,7 @@  index 45584dba6..8bc70b81d 100644
  allow auditd_t var_log_t:dir search_dir_perms;
  
  manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -306,6 +307,7 @@ optional_policy(`
+@@ -306,6 +308,7 @@ optional_policy(`
  allow audisp_remote_t self:capability { setpcap setuid };
  allow audisp_remote_t self:process { getcap setcap };
  allow audisp_remote_t self:tcp_socket create_socket_perms;
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
new file mode 100644
index 0000000..5c2e789
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
@@ -0,0 +1,38 @@ 
+From f48edb588d799a7aab9110e4f67468d8e5e41c10 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 May 2024 11:21:48 +0800
+Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to
+ syslogd_t
+
+The rsyslog is configured with --enable-libpcap which requires getpcap
+capability.
+
+Fixes:
+avc: denied { setpcap } for pid=317 comm="rsyslogd" capability=8
+scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 tclass=capability
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 511604493..9c0a58aef 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -404,6 +404,8 @@ optional_policy(`
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
+ allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++# Rsyslog configures with --enable-libcap-ng
++allow syslogd_t self:capability setpcap;
+ dontaudit syslogd_t self:capability { sys_ptrace };
+ dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+ # setpgid for metalog
+-- 
+2.25.1
+
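Review bot: The subject, file name and cover letter say "getpcap" and the description says `--enable-libpcap`, but the rule granted is `self:capability setpcap`, the quoted AVC is for setpcap, and the inline comment cites `--enable-libcap-ng`; there is no getpcap capability and libpcap is an unrelated packet-capture library, so the subject, description and file name should be corrected to setpcap/libcap-ng before this is carried. Rather than a separate allow, follow the file's own convention of one annotated list: `# setpcap for rsyslog built with libcap-ng (presumably to drop capabilities at startup)` above `allow syslogd_t self:capability { chown dac_override fsetid setgid setpcap setuid sys_admin sys_nice sys_resource sys_tty_config };`. CAP_SETPCAP lets the daemon alter its own capability sets, and applying the new sets via capset() is additionally checked as `self:process setcap`; audisp_remote_t, the other libcap-ng user in this file, carries `allow audisp_remote_t self:process { getcap setcap };` next to its setpcap grant, so confirm syslogd_t already has the equivalent elsewhere in logging.te, which is outside this hunk. The quoted denial was captured with permissive=1, so an enforcing-mode boot is the check that no further denial is masked.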
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 6ea1fc2..2edcbcd 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -72,6 +72,7 @@  SRC_URI += " \
         file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0057-policy-modules-system-logging-grant-getpcap-capabili.patch \
         "
 
 S = "${WORKDIR}/refpolicy"