packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/add-avc-for-systemd-journald.patch
guoxiaoqi 32ea5da141 update avc for openEuler
2020-02-26 17:40:12 +08:00

118 lines
3.3 KiB
Diff
Raw Blame History

From 1c571a3a7da2b3caac9dabf0fdeda623529b229a Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Wed, 26 Feb 2020 10:52:31 +0800
Subject: [PATCH] add avc for systemd-journald
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 3 +++
policy/modules/system/logging.if | 18 ++++++++++++++++++
policy/modules/system/logging.te | 3 +++
5 files changed, 60 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 155076b..2378f06 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7258,3 +7258,21 @@ interface(`dev_filetrans_xserver_named_dev',`
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')
+
+########################################
+## <summary>
+## Allow to read the kernel messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`dev_read_kernel_msg',`
+gen_require(`
+type kmsg_device_t;
+')
+
+allow $1 kmsg_device_t:chr_file read;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index be3f313..ed2bd3f 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4125,3 +4125,21 @@ interface(`kernel_file_mounton','
allow $1 sysctl_kernel_t:file mounton;
')
+
+########################################
+## <summary>
+## Access to netlink audit socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_netlink_audit_socket',`
+gen_require(`
+type kernel_t;
+')
+
+allow $1 kernel_t:netlink_audit_socket $2;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e0d584a..afd20b0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1871,3 +1871,6 @@ optional_policy(`
# avc for oprnEuler
systemd_manage_faillog(init_t)
+kernel_netlink_audit_socket(init_t, getattr)
+dev_read_kernel_msg(init_t)
+logging_journal(init_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 399fe0d..7718e08 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1685,3 +1685,21 @@ interface(`logging_dgram_send',`
allow $1 syslogd_t:unix_dgram_socket sendto;
')
+
+#######################################
+## <summary>
+## Access to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_journal',`
+gen_require(`
+type syslogd_var_run_t;
+')
+
+allow $1 syslogd_var_run_t:file { create rename write };
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 03a4c99..93cf69e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -738,3 +738,6 @@ ifdef(`hide_broken_symptoms',`
')
logging_stream_connect_syslog(syslog_client_type)
+
+# avc for openEuler
+init_nnp_daemon_domain(syslogd_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink