From: Shrikant Bobade <shrikant_bob...@mentor.com> add allow rules for locallogin module avc denials.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com> --- ...in-add-allow-rules-for-type-local_login_t.patch | 52 ++++++++++++++++++++++ .../refpolicy/refpolicy_2.20151208.inc | 1 + 2 files changed, 53 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch new file mode 100644 index 0000000..fd3d477 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch 
@@ -0,0 +1,52 @@ +From 545ebd866283ae929cfec716d067cd34015ad142 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade <shrikant_bob...@mentor.com> +Date: Mon, 25 Jul 2016 18:26:18 +0530 +Subject: [PATCH 4/6] locallogin: add allow rules for type local_login_t + +add allow rules for locallogin module avc denials. + +without this change we are getting errors like these: + +type=AVC msg=audit(): avc: denied { read write open } for pid=353 +comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext +=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: +var_log_t:s0 tclass=file permissive=1 + +type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 +tclass=unix_dgram_socket permissive=1 + +type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= +"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r +:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass +=file permissive=1 + +upstream-status: pending + +Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com> +--- + policy/modules/system/locallogin.te | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 53923f8..09ec33f 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -274,3 +274,13 @@ optional_policy(` + optional_policy(` + nscd_use(sulogin_t) + ') ++ ++allow local_login_t initrc_t:fd use; ++allow local_login_t initrc_t:unix_dgram_socket sendto; ++allow local_login_t initrc_t:unix_stream_socket connectto; ++allow local_login_t self:capability net_admin; ++allow local_login_t var_log_t:file { create lock open read write }; ++allow local_login_t var_run_t:file { open read write lock}; ++allow local_login_t var_run_t:sock_file write; 
++allow local_login_t tmpfs_t:dir { add_name write search}; ++allow local_login_t tmpfs_t:file { create open read write lock }; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index c051aec..151c973 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -65,6 +65,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\ file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \ file://0002-audit-logging-getty-audit-related-allow-rules.patch \ file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \ + file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \ " -- 1.9.1 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
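Review bot: the rules added to locallogin.te after the nscd_use(sulogin_t) block are not all backed by the denials quoted in the commit message. The three AVC records justify read/write/open/lock on the var_log_t lastlog file and sendto on the initrc_t unix_dgram_socket, but the hunk also grants `allow local_login_t self:capability net_admin;`, `initrc_t:unix_stream_socket connectto`, `initrc_t:fd use`, write on `var_run_t:sock_file`, and create/write on tmpfs_t dirs and files; each of those should come with the denial that motivated it or be dropped, and net_admin in particular is a broad capability that a login process has no obvious need for. The rules also reach directly into types owned by other modules (initrc_t, var_log_t, var_run_t, tmpfs_t), which refpolicy convention expresses through the owning module's interfaces, e.g. `init_use_fds(local_login_t)`, `init_dgram_send(local_login_t)` and `fs_manage_tmpfs_files(local_login_t)`, so the module still builds when those type names change. Minor style: `{ open read write lock}` and `{ add_name write search}` lack the space before the closing brace that the other permission sets in the hunk use.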
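Review bot: the two lastlog denials point at a labeling problem rather than a missing rule: `/var/volatile/log/lastlog` is reported with tcontext var_log_t on tmpfs, while refpolicy gives lastlog its own type lastlog_t (authlogin module, reachable through `auth_rw_lastlog()`), so on this image the file under the volatile log directory is never getting that label. Adding `allow local_login_t var_log_t:file { create lock open read write };` works around that by opening every generic log file to local_login_t; a file context entry for the /var/volatile/log path, or relabeling it at boot, would clear the denial without the broader grant. The sendto denial on `/run/systemd/journal/dev-log` tells a similar story, since the socket is labelled initrc_t, i.e. journald is not running in a confined logging domain, which is why the logging interfaces that normally cover syslog access do not match; that root cause belongs in the commit message so the initrc_t rules can be revisited once journald is confined.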
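Review bot: the embedded patch header reads `upstream-status: pending`; the OpenEmbedded convention is the capitalized `Upstream-Status: Pending`, so fix the case before this lands in refpolicy-2.20151208/. Placing the file in SYSTEMD_REFPOLICY_PATCHES in refpolicy_2.20151208.inc is consistent with the denials, since the `/run/systemd/journal/dev-log` socket only exists on systemd images, but a sentence in the recipe commit message saying the rules are systemd-specific would make that intent explicit for later maintainers.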