selinux-policy/add-avc-for-systemd-journald.patch

From 9865bc70309c32f731d85e18f8ed29af184086cf Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 18:54:28 +0800
Subject: [PATCH] add avc for systemd-journald

Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  | 17 +++++++++++++++++
 policy/modules/system/init.te    |  5 ++++-
 policy/modules/system/logging.if | 18 ++++++++++++++++++
 policy/modules/system/logging.te |  3 +++
 5 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 932b9bd..eb8c5c6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7343,3 +7343,21 @@ interface(`dev_filetrans_xserver_named_dev',`
 	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
 	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 ')
+
+########################################
+## <summary>
+##      Allow to read the kernel messages
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`dev_read_kernel_msg',`
+gen_require(`
+type kmsg_device_t;
+')
+
+allow $1 kmsg_device_t:chr_file read;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 023ee09..a1bb39b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4268,3 +4268,20 @@ interface(`kernel_unlabeled_entry_type',`
 	allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
 ')
 
+########################################
+## <summary>
+##      Access to netlink audit socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_netlink_audit_socket',`
+gen_require(`
+type kernel_t;
+')
+
+allow $1 kernel_t:netlink_audit_socket $2;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a92f4d8..6bccd0b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1946,5 +1946,8 @@ optional_policy(`
     ')
  ')
 
-# avc for oprnEuler
+# avc for openEuler
 systemd_manage_faillog(init_t)
+kernel_netlink_audit_socket(init_t, getattr)
+dev_read_kernel_msg(init_t)
+logging_journal(init_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 408dba0..526a813 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1686,3 +1686,21 @@ interface(`logging_dgram_send',`
 
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 ')
+
+#######################################
+## <summary>
+##      Access to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_journal',`
+gen_require(`
+type syslogd_var_run_t;
+')
+
+allow $1 syslogd_var_run_t:file { create rename write };
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index cdaba23..ddeb00a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -753,3 +753,6 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 logging_stream_connect_syslog(syslog_client_type)
+
+# avc for openEuler
+init_nnp_daemon_domain(syslogd_t)
-- 
1.8.3.1