* [PATCH 0/2] fix audit configuration file permission and enable systemd support
From: rongqing.li @ 2014-03-04 5:52 UTC
To: yocto
From: Roy Li <rongqing.li@windriver.com>
The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib roy/audit-two-fix
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/audit-two-fix
Roy Li (2):
audit: Add systemd support
audit: fix the permission of configuration file
recipes-security/audit/audit/audit-volatile.conf | 1 +
recipes-security/audit/audit/auditd.service | 21 +++++++++++++++++++++
recipes-security/audit/audit_2.3.2.bb | 21 +++++++++++++++++++--
3 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 recipes-security/audit/audit/audit-volatile.conf
create mode 100644 recipes-security/audit/audit/auditd.service
--
1.7.10.4
* [PATCH 1/2] audit: Add systemd support
From: rongqing.li @ 2014-03-04 5:52 UTC
To: yocto
From: Roy Li <rongqing.li@windriver.com>
Audit unit file is from https://fedorahosted.org/audit/browser/trunk/init.d/auditd.service
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
recipes-security/audit/audit/audit-volatile.conf | 1 +
recipes-security/audit/audit/auditd.service | 21 +++++++++++++++++++++
recipes-security/audit/audit_2.3.2.bb | 18 ++++++++++++++++--
3 files changed, 38 insertions(+), 2 deletions(-)
create mode 100644 recipes-security/audit/audit/audit-volatile.conf
create mode 100644 recipes-security/audit/audit/auditd.service
diff --git a/recipes-security/audit/audit/audit-volatile.conf b/recipes-security/audit/audit/audit-volatile.conf
new file mode 100644
index 0000000..9cbe154
--- /dev/null
+++ b/recipes-security/audit/audit/audit-volatile.conf
@@ -0,0 +1 @@
+d /var/log/audit 0750 root root -
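Review bot: the single entry `d /var/log/audit 0750 root root -` carries no comment saying why it is needed. The file name suggests /var/log is volatile here, and auditd.service in this same patch orders itself After=systemd-tmpfiles-setup.service, presumably so the directory exists before auditd starts. A `#` line stating that in the file would save the next reader from having to work it out.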
diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service
new file mode 100644
index 0000000..6daa056
--- /dev/null
+++ b/recipes-security/audit/audit/auditd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+After=systemd-tmpfiles-setup.service
+RefuseManualStop=yes
+
+[Service]
+ExecStart=/sbin/auditd -n
+## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+## and uncomment the next line and delete/comment out the auditctl line.
+## Then copy existing rules to /etc/audit/rules.d/
+## Not doing this last step can cause loss of existing rules
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/rules.d/audit.rules
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
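Review bot: on the `ExecStartPost=-/sbin/auditctl -R /etc/audit/rules.d/audit.rules` line the leading `-` makes systemd ignore a non-zero exit, so a missing or malformed rules file leaves auditd running with no rules loaded while the unit still reports as active. Either drop the `-` so a failed load marks the unit failed, or say in the commit message that a failed rule load is deliberately non-fatal. The unit also hard-codes /sbin and /etc while the recipe uses ${sysconfdir} and ${systemd_unitdir}; substituting the paths at install time would keep the unit correct if those variables change. The two `After=` lines can be merged into one.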
diff --git a/recipes-security/audit/audit_2.3.2.bb b/recipes-security/audit/audit_2.3.2.bb
index edcb881..eafcd30 100644
--- a/recipes-security/audit/audit_2.3.2.bb
+++ b/recipes-security/audit/audit_2.3.2.bb
@@ -14,14 +14,19 @@ SRC_URI = "http://people.redhat.com/sgrubb/audit/audit-${PV}.tar.gz \
file://audit-python-configure.patch \
file://audit-for-cross-compiling.patch \
file://auditd \
- file://fix-swig-host-contamination.patch"
+ file://fix-swig-host-contamination.patch \
+ file://auditd.service \
+ file://audit-volatile.conf \
+"
-inherit autotools pythonnative update-rc.d
+inherit autotools pythonnative update-rc.d systemd
UPDATERCPN = "auditd"
INITSCRIPT_NAME = "auditd"
INITSCRIPT_PARAMS = "defaults"
+SYSTEMD_SERVICE_${PN} = "auditd.service"
+
SRC_URI[md5sum] = "4e8d065b5cc16b77b9b61e93a9ed160e"
SRC_URI[sha256sum] = "8872e0b5392888789061db8034164305ef0e1b34543e1e7004d275f039081d29"
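Review bot: `SYSTEMD_SERVICE_${PN} = "auditd.service"` ties the unit to the main package, but `UPDATERCPN = "auditd"` just above shows the init script is handled in the auditd package. If the daemon ships in auditd, the unit should follow it: set `SYSTEMD_PACKAGES = "auditd"` and `SYSTEMD_SERVICE_auditd = "auditd.service"`, otherwise the enable and disable handling lands in a package that may not contain /sbin/auditd.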
@@ -74,4 +79,13 @@ do_install_append() {
# replace init.d
install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd
rm -rf ${D}/etc/rc.d
+
+ if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+ fi
+
+ # install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
}
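Review bot: only the tmpfiles.d install sits inside the `DISTRO_FEATURES` check; the two lines under `# install systemd unit files` run unconditionally, so do_install still places auditd.service under ${systemd_unitdir}/system in a build without the systemd distro feature. Move them inside the same `if` block, or explain why the unit is always wanted. The hunk also adds ${sysconfdir}/tmpfiles.d/ with no visible packaging change, so check that audit-volatile.conf ends up in the same package as the unit that depends on it.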
--
1.7.10.4
* [PATCH 2/2] audit: fix the permission of configuration file
From: rongqing.li @ 2014-03-04 5:52 UTC
To: yocto
From: Roy Li <rongqing.li@windriver.com>
An ordinary user should not access auditd configuration files
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
recipes-security/audit/audit_2.3.2.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/recipes-security/audit/audit_2.3.2.bb b/recipes-security/audit/audit_2.3.2.bb
index eafcd30..4a9c954 100644
--- a/recipes-security/audit/audit_2.3.2.bb
+++ b/recipes-security/audit/audit_2.3.2.bb
@@ -88,4 +88,7 @@ do_install_append() {
# install systemd unit files
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+ chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+ chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
}
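Review bot: the two chmod lines set mode only, so which group gets read access to `auditd.conf` and `audit.rules` depends on ownership set elsewhere. If the intent in the commit message is root-only access, state the owner explicitly or use 700/600. A one-line comment above the chmod calls giving the reason would help, and four-digit modes (0750, 0640) would match the `install -m 0644` line above.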
--
1.7.10.4
* Re: [PATCH 0/2] fix audit configuration file permission and enable systemd support
From: Rongqing Li @ 2014-03-07 3:33 UTC
To: rongqing.li; +Cc: yocto
ping, it should be [meta-selinux]
-Roy
On 03/04/2014 01:52 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
>
> refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>
> are available in the git repository at:
>
> git://git.pokylinux.org/poky-contrib roy/audit-two-fix
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/audit-two-fix
>
> Roy Li (2):
> audit: Add systemd support
> audit: fix the permission of configuration file
>
> recipes-security/audit/audit/audit-volatile.conf | 1 +
> recipes-security/audit/audit/auditd.service | 21 +++++++++++++++++++++
> recipes-security/audit/audit_2.3.2.bb | 21 +++++++++++++++++++--
> 3 files changed, 41 insertions(+), 2 deletions(-)
> create mode 100644 recipes-security/audit/audit/audit-volatile.conf
> create mode 100644 recipes-security/audit/audit/auditd.service
>
--
Best Regards,
Roy | RongQing Li