[Feature][T106][task-view-591]fix selinux policy for syslog
Affected module:FOTA
Is it affected on both ZXIC and MTK: only ZXIC
Self-test: YES
Doc Update: No
Change-Id: Ib26218402a318bd070db3e9c47fc2d58d7f7eac0
diff --git a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/refpolicy/files/policy-mls/policy/modules/system/logging.te b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/refpolicy/files/policy-mls/policy/modules/system/logging.te
index fe01295..3eabb0a 100644
--- a/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/refpolicy/files/policy-mls/policy/modules/system/logging.te
+++ b/cap/zx297520v3/sources/meta-zxic-selinux/recipes-security/refpolicy/files/policy-mls/policy/modules/system/logging.te
@@ -5,6 +5,7 @@
# Declarations
#
+
attribute logfile;
type auditctl_t;
@@ -323,6 +324,8 @@
allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;
+allow klogd_t kernel_t:fd { use };
+allow klogd_t root_t:chr_file { read write };
manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
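Review bot: The added `allow klogd_t root_t:chr_file { read write };` gives klogd read/write on every character device that carries the root directory's type, not on one named device, and the last hunk adds the same rule for `syslogd_t`. A character device labelled `root_t` usually means the node never received its own file context, so labelling that node and granting access through the matching device or terminal interface would keep the permission narrow. If the rule must stay, document it with a comment such as `# <device path> is created unlabelled at boot and inherits root_t`. For the fd rule, refpolicy's `kernel_use_fds(klogd_t)` would avoid naming `kernel_t` directly. No require for `kernel_t` is visible in these hunks, and `root_t` is only required in the later `gen_require` block.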
@@ -620,7 +623,8 @@
xserver_rw_console(syslogd_t)
')
gen_require(`
- type default_t;
+ type root_t;
+ type default_t;
type nvserver_t;
type mnt_t;
type tmpfs_t;
@@ -670,7 +674,8 @@
allow syslogd_t default_t:lnk_file { read };
allow syslogd_t mnt_t:dir { search };
allow syslogd_t tmpfs_t:dir { write add_name remove_name search };
-
+allow syslogd_t root_t:chr_file { read write };
+allow syslogd_t mnt_t:file { getattr open append };
allow syslogd_t self:capability { sys_rawio };
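Review bot: The added `allow syslogd_t mnt_t:file { getattr open append };` lets syslogd append to any regular file labelled `mnt_t`, not only to its own log. Presumably the log is written under a mount point that has no file-context entry. Giving that path a type that carries the `logfile` attribute declared at the top of this module would limit the access to log files and let the existing log rules apply. If the generic rule is kept, a comment such as `# syslog output under <mount path> is labelled mnt_t` should record why it is needed.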