author | Xin Ouyang <Xin.Ouyang@windriver.com> | 2013-09-23 21:18:03 +0800 |
committer | Joe MacDonald <joe@deserted.net> | 2013-10-02 13:24:45 -0400 |
commit | 292e6f4ac670d2f5ae5dbb53d6c7c265f006975d (patch) | |
tree | 9b53470a4acb08220734bd993d8256110848c699 | |
parent | c7fc09794c20db9e3b32d326abb627985d2b5b65 (diff) | |
refpolicy*: add new version 2.20130424
These patches are removed because the new version has already merged them:
- poky-fc-update-alternatives_tinylogin.patch
- poky-fc-fix-prefix-path_rpc.patch
- poky-fc-fix-portmap.patch
- poky-fc-cgroup.patch
- poky-fc-networkmanager.patch
- poky-policy-allow-dbusd-to-setrlimit-itself.patch
- poky-policy-allow-dbusd-to-exec-shell-commands.patch
- poky-policy-allow-nfsd-to-bind-nfs-port.patch
Add two new patches:
+ poky-policy-fix-setfiles-statvfs-get-file-count.patch
+ poky-policy-fix-dmesg-to-use-dev-kmsg.patch
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
39 files changed, 1753 insertions, 0 deletions
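--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
@@ -0,0 +1,22 @@
+Subject: [PATCH] refpolicy: fix real path for clock
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/clock.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..a74c40c 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,5 @@
+/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
+
+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+--
+1.7.11.7
+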
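Review bot: This patch file starts at `Subject:` with no `From:`/`Date:` lines, so `git am` would attribute it to whoever applies it and lose the authoring date; the same applies to poky-fc-corecommands, poky-fc-dmesg, poky-fc-fix-real-path_login, poky-fc-fix-real-path_resolv.conf, poky-fc-fix-real-path_shadow, poky-fc-iptables, poky-fc-netutils, poky-fc-ssh, poky-fc-su, poky-fc-subs_dist and poky-fc-sysnetwork, whereas poky-fc-fix-bind, poky-fc-fstools, poky-fc-mta, poky-fc-nscd and poky-fc-screen carry the full git-format-patch header. Regenerating the short ones with `git format-patch` would make the set uniform. The `Upstream-Status` tag also alternates between `Inappropriate [configuration]` and `Inappropriate [only for Poky]` for patches that do the same kind of path fix; one wording for the whole series would make the intent easier to audit.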
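--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for corecommands
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/kernel/corecommands.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index f051c4a..ab624f3 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
+/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /opt
+--
+1.7.11.7
+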
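--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] refpolicy: fix real path for dmesg
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/admin/dmesg.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..7f3e5b0 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,3 @@
+
+/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+1.7.11.7
+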
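--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
@@ -0,0 +1,30 @@
+From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:09:11 +0800
+Subject: [PATCH] refpolicy: fix real path for bind.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/contrib/bind.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
+index 2b9a3a1..fd45d53 100644
+--- a/policy/modules/contrib/bind.fc
++++ b/policy/modules/contrib/bind.fc
+@@ -1,8 +1,10 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+--
+1.7.9.5
+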
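--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/authlogin.fc | 7 ++++---
+1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+
+/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
+
+/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+
+/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ifdef(`distro_suse', `
+/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+')
+--
+1.7.5.4
+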
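Review bot: The second hunk of authlogin.fc replaces the `/sbin/unix_chkpwd`, `/sbin/unix_update` and `/sbin/unix_verify` entries with `/usr/sbin/` ones instead of adding them, so an image that still installs the PAM helpers under /sbin loses the `chkpwd_exec_t`/`updpwd_exec_t` labels and, presumably, the domain transition that grants them access to shadow_t. Every other patch in this series keeps the upstream path and adds the Poky one beside it (e.g. `/sbin/hwclock` plus `/sbin/hwclock\.util-linux`); doing the same here, keeping the three `/sbin/...` lines as context and adding `+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)` and its two siblings, would be consistent with the rest and safer for mixed layouts. The diffstat would then read `1 file changed, 5 insertions(+)`.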
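--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/sysnetwork.fc | 1 +
+1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+--
+1.7.5.4
+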
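--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
@@ -0,0 +1,34 @@
+Subject: [PATCH] fix real path for shadow commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/admin/usermanage.fc | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index f82f0ce..841ba9b 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
+
+/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+--
+1.7.9.5
+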
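Review bot: The new `vigr\.shadow` and `vipw\.shadow` entries are placed under `/sbin/`, while the entries they accompany and every other addition in this hunk are under `/usr/bin/`. If the shadow recipe really installs these two alternatives to /sbin, a one-line comment above them such as `# Poky installs the vipw/vigr alternatives under /sbin` would stop the next reader from "fixing" the path; if it does not, the binaries would presumably fall back to the generic `/sbin` label rather than `admin_passwd_exec_t`, so the install path is worth confirming against the image's file list before merge.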
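--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch
@@ -0,0 +1,69 @@
+From 852860529f24547b662d9383c0eaa821c9efa406 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:18:39 +0800
+Subject: [PATCH] efpolicy: fix real path for fstools
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/fstools.fc | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 7a46b45..9656352 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -1,6 +1,8 @@
+/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -9,9 +11,12 @@
+/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -24,21 +29,27 @@
+/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+--
+1.7.9.5
+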
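Review bot: The Subject line reads `[PATCH] efpolicy: fix real path for fstools`, a dropped letter that becomes the commit title when the patch is applied with `git am`; it should be `Subject: [PATCH] refpolicy: fix real path for fstools` like the sibling patches. The three hunks themselves only add Poky paths beside their upstream entries, which matches the pattern used by the other file-context patches in this commit.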
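--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for iptables
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/iptables.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
+index 14cffd2..84ac92b 100644
+--- a/policy/modules/system/iptables.fc
++++ b/policy/modules/system/iptables.fc
+@@ -13,6 +13,7 @@
+/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+--
+1.7.11.7
+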
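--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch
@@ -0,0 +1,27 @@
+From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:21:55 +0800
+Subject: [PATCH] refpolicy: fix real path for mta
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/contrib/mta.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
+index f42896c..0d4bcef 100644
+--- a/policy/modules/contrib/mta.fc
++++ b/policy/modules/contrib/mta.fc
+@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+--
+1.7.9.5
+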
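--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for netutils
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/admin/netutils.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
+index 407078f..f2ed3dc 100644
+--- a/policy/modules/admin/netutils.fc
++++ b/policy/modules/admin/netutils.fc
+@@ -3,6 +3,7 @@
+/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
++/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+
+/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+--
+1.7.11.7
+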
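--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch
@@ -0,0 +1,27 @@
+From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:25:36 +0800
+Subject: [PATCH] refpolicy: fix real path for nscd
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/contrib/nscd.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
+index ba64485..61a6f24 100644
+--- a/policy/modules/contrib/nscd.fc
++++ b/policy/modules/contrib/nscd.fc
+@@ -1,6 +1,7 @@
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
+
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
++/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+--
+1.7.9.5
+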
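--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch
@@ -0,0 +1,27 @@
+From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:27:19 +0800
+Subject: [PATCH] refpolicy: fix real path for screen
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/contrib/screen.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
+index e7c2cf7..49ddca2 100644
+--- a/policy/modules/contrib/screen.fc
++++ b/policy/modules/contrib/screen.fc
+@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+--
+1.7.9.5
+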
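--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] refpolicy: fix real path for ssh
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/services/ssh.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 078bcd7..9717428 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+
+--
+1.7.11.7
+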
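--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch
@@ -0,0 +1,23 @@
+Subject: [PATCH] refpolicy: fix real path for su
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/admin/su.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..a563687 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,5 +1,6 @@
+
+/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+
+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+1.7.11.7
+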
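--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -0,0 +1,31 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+
+This file is used for Linux distros to define specific pathes
+mapping to the pathes in file_contexts.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+config/file_contexts.subs_dist | 8 ++++++++
+1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 32b87a4..ebba73d 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -5,3 +5,11 @@
+/usr/lib32 /usr/lib
+/usr/lib64 /usr/lib
+/var/run/lock /var/lock
++/etc/init.d /etc/rc.d/init.d
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
++/www /var/www
+--
+1.7.5.4
+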
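Review bot: The new substitution lines are unexplained, and a reader of file_contexts.subs_dist cannot tell why `/var/volatile/run/lock /var/lock` is needed when `/var/volatile/run /var/run` and the existing `/var/run/lock /var/lock` are both present; as far as I can tell libselinux applies one prefix substitution per lookup rather than chaining them, so the explicit entry is required, and a comment above it saying so (e.g. `# substitutions are not chained: spell out the nested volatile path`) would stop someone from "simplifying" it away. The `/www /var/www` line also deserves a word on which recipe puts content there, since it extends the web-content labels to a top-level directory. The description's `pathes` should read `paths`.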
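--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch
@@ -0,0 +1,41 @@
+Subject: [PATCH] refpolicy: fix real path for sysnetwork
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/sysnetwork.fc | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index dec8632..2e602e4 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -3,6 +3,7 @@
+# /bin
+#
+/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+#
+# /dev
+@@ -43,13 +44,16 @@ ifdef(`distro_redhat',`
+/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+--
+1.7.11.7
+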
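Review bot: The first hunk adds `/sbin/ip\.iproute2` directly under the `# /bin` section header next to `/bin/ip`, while the second hunk already shows a `/sbin/ip` entry in the /sbin block; placing the new line after `/sbin/ip` in the second hunk would keep the file's per-directory grouping and is where a maintainer would look for it. The remaining additions (`/usr/sbin/ethtool`, `ifconfig\.net-tools`, `mii-tool\.net-tools`) sit beside their upstream entries as expected.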
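--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,23 @@
+From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 3/4] fix update-alternatives for hostname
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/hostname.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+
+/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+1.7.9.5
+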
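Review bot: The Subject still carries the `[PATCH 3/4]` series numbering from the original submission (the sysklogd patch below is `[PATCH 2/4]`), but the other members of that four-patch series are not part of this recipe, so the numbering now points at nothing; `Subject: [PATCH] fix update-alternatives for hostname` would match the rest of the set. The hunk itself adds the alternatives path beside the upstream `/bin/hostname` entry, consistent with the other patches.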
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch new file mode 100644 index 0000000..868ee6b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:39:41 +0800 | ||
4 | Subject: [PATCH 2/4] fix update-alternatives for sysklogd | ||
5 | |||
6 | /etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule | ||
7 | for syslogd_t to read syslog_conf_t lnk_file is needed. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/system/logging.fc | 4 ++++ | ||
14 | policy/modules/system/logging.te | 1 + | ||
15 | 2 files changed, 5 insertions(+) | ||
16 | |||
17 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
18 | index b50c5fe..c005f33 100644 | ||
19 | --- a/policy/modules/system/logging.fc | ||
20 | +++ b/policy/modules/system/logging.fc | ||
21 | @@ -2,19 +2,23 @@ | ||
22 | |||
23 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | ||
24 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | ||
25 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) | ||
26 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | ||
27 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) | ||
28 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | ||
29 | +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | ||
30 | |||
31 | /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
32 | /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
33 | /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
34 | /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
35 | /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
36 | +/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
37 | /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
38 | /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
39 | /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
40 | /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
41 | +/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
42 | /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
43 | |||
44 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
45 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
46 | index 87e3db2..2914b0b 100644 | ||
47 | --- a/policy/modules/system/logging.te | ||
48 | +++ b/policy/modules/system/logging.te | ||
49 | @@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms; | ||
50 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | ||
51 | |||
52 | allow syslogd_t syslog_conf_t:file read_file_perms; | ||
53 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; | ||
54 | |||
55 | # Create and bind to /dev/log or /var/run/log. | ||
56 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | ||
57 | -- | ||
58 | 1.7.9.5 | ||
59 | |||
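Review bot: The new rule `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` in the logging.te hunk applies a regular-file permission set to a symlink; `read_file_perms` carries `open`, `lock` and `ioctl`, which play no part in following a symlink, so the grant is wider than the commit message asks for. The refpolicy idiom is `allow syslogd_t syslog_conf_t:lnk_file read_lnk_file_perms;` (or `read_lnk_files_pattern(syslogd_t, syslog_conf_t, syslog_conf_t)`), which is also what the var_log_t and tmp_t symlink patches in this same commit use. The syslogd_t rule block in logging.te continues on both sides of the hunk.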
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch new file mode 100644 index 0000000..3a617d8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 1/4] fix update-alternatives for sysvinit | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/contrib/shutdown.fc | 1 + | ||
11 | policy/modules/kernel/corecommands.fc | 1 + | ||
12 | policy/modules/system/init.fc | 1 + | ||
13 | 3 files changed, 3 insertions(+) | ||
14 | |||
15 | diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc | ||
16 | index a91f33b..90e51e0 100644 | ||
17 | --- a/policy/modules/contrib/shutdown.fc | ||
18 | +++ b/policy/modules/contrib/shutdown.fc | ||
19 | @@ -3,6 +3,7 @@ | ||
20 | /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
21 | |||
22 | /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
23 | +/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
24 | |||
25 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
26 | |||
27 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | ||
28 | index bcfdba7..87502a3 100644 | ||
29 | --- a/policy/modules/kernel/corecommands.fc | ||
30 | +++ b/policy/modules/kernel/corecommands.fc | ||
31 | @@ -10,6 +10,7 @@ | ||
32 | /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
33 | /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
34 | /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | ||
35 | +/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) | ||
36 | /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
37 | /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
38 | /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
39 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc | ||
40 | index bc0ffc8..020b9fe 100644 | ||
41 | --- a/policy/modules/system/init.fc | ||
42 | +++ b/policy/modules/system/init.fc | ||
43 | @@ -30,6 +30,7 @@ ifdef(`distro_gentoo', ` | ||
44 | # /sbin | ||
45 | # | ||
46 | /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
47 | +/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
48 | # because nowadays, /sbin/init is often a symlink to /sbin/upstart | ||
49 | /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | ||
50 | |||
51 | -- | ||
52 | 1.7.9.5 | ||
53 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch new file mode 100644 index 0000000..9a3322f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ | ||
11 | 1 file changed, 16 insertions(+) | ||
12 | |||
13 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
14 | index 771bce1..7519d0e 100644 | ||
15 | --- a/policy/modules/kernel/terminal.if | ||
16 | +++ b/policy/modules/kernel/terminal.if | ||
17 | @@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',` | ||
18 | interface(`term_dontaudit_getattr_generic_ptys',` | ||
19 | gen_require(` | ||
20 | type devpts_t; | ||
21 | + type bsdpty_device_t; | ||
22 | ') | ||
23 | |||
24 | dontaudit $1 devpts_t:chr_file getattr; | ||
25 | + dontaudit $1 bsdpty_device_t:chr_file getattr; | ||
26 | ') | ||
27 | ######################################## | ||
28 | ## <summary> | ||
29 | @@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` | ||
30 | interface(`term_ioctl_generic_ptys',` | ||
31 | gen_require(` | ||
32 | type devpts_t; | ||
33 | + type bsdpty_device_t; | ||
34 | ') | ||
35 | |||
36 | dev_list_all_dev_nodes($1) | ||
37 | allow $1 devpts_t:dir search; | ||
38 | allow $1 devpts_t:chr_file ioctl; | ||
39 | + allow $1 bsdpty_device_t:chr_file ioctl; | ||
40 | ') | ||
41 | |||
42 | ######################################## | ||
43 | @@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',` | ||
44 | interface(`term_setattr_generic_ptys',` | ||
45 | gen_require(` | ||
46 | type devpts_t; | ||
47 | + type bsdpty_device_t; | ||
48 | ') | ||
49 | |||
50 | allow $1 devpts_t:chr_file setattr; | ||
51 | + allow $1 bsdpty_device_t:chr_file setattr; | ||
52 | ') | ||
53 | |||
54 | ######################################## | ||
55 | @@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',` | ||
56 | interface(`term_dontaudit_setattr_generic_ptys',` | ||
57 | gen_require(` | ||
58 | type devpts_t; | ||
59 | + type bsdpty_device_t; | ||
60 | ') | ||
61 | |||
62 | dontaudit $1 devpts_t:chr_file setattr; | ||
63 | + dontaudit $1 bsdpty_device_t:chr_file setattr; | ||
64 | ') | ||
65 | |||
66 | ######################################## | ||
67 | @@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` | ||
68 | interface(`term_use_generic_ptys',` | ||
69 | gen_require(` | ||
70 | type devpts_t; | ||
71 | + type bsdpty_device_t; | ||
72 | ') | ||
73 | |||
74 | dev_list_all_dev_nodes($1) | ||
75 | allow $1 devpts_t:dir list_dir_perms; | ||
76 | allow $1 devpts_t:chr_file { rw_term_perms lock append }; | ||
77 | + allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; | ||
78 | ') | ||
79 | |||
80 | ######################################## | ||
81 | @@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',` | ||
82 | interface(`term_dontaudit_use_generic_ptys',` | ||
83 | gen_require(` | ||
84 | type devpts_t; | ||
85 | + type bsdpty_device_t; | ||
86 | ') | ||
87 | |||
88 | dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; | ||
89 | + dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; | ||
90 | ') | ||
91 | |||
92 | ####################################### | ||
93 | @@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',` | ||
94 | interface(`term_setattr_controlling_term',` | ||
95 | gen_require(` | ||
96 | type devtty_t; | ||
97 | + type bsdpty_device_t; | ||
98 | ') | ||
99 | |||
100 | dev_list_all_dev_nodes($1) | ||
101 | allow $1 devtty_t:chr_file setattr; | ||
102 | + allow $1 bsdpty_device_t:chr_file setattr; | ||
103 | ') | ||
104 | |||
105 | ######################################## | ||
106 | @@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',` | ||
107 | interface(`term_use_controlling_term',` | ||
108 | gen_require(` | ||
109 | type devtty_t; | ||
110 | + type bsdpty_device_t; | ||
111 | ') | ||
112 | |||
113 | dev_list_all_dev_nodes($1) | ||
114 | allow $1 devtty_t:chr_file { rw_term_perms lock append }; | ||
115 | + allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; | ||
116 | ') | ||
117 | |||
118 | ####################################### | ||
119 | -- | ||
120 | 1.7.9.5 | ||
121 | |||
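Review bot: Adding bsdpty_device_t to `term_use_controlling_term` and `term_setattr_controlling_term` widens far more than pty handling: domain.te calls `term_use_controlling_term(domain)` (it is visible as hunk context in the var-cache patch of this same commit), so every domain in the policy would receive `{ rw_term_perms lock append }` on every BSD pty node. Unlike devpts_t, which the kernel relabels per session, and devtty_t, where /dev/tty is redirected to the caller's own controlling terminal, bsdpty_device_t nodes are static and shared, so any confined domain could read or write a terminal belonging to another session. Unless Poky genuinely needs legacy BSD ptys as controlling terminals for all domains, I would drop `allow $1 bsdpty_device_t:chr_file setattr;` and `allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };` from the two `*_controlling_term` interfaces and keep the additions only in the `*_generic_ptys` interfaces, which callers opt into explicitly. Which denial motivated the controlling-term part is not shown in the patch, so it should be confirmed against that audit record before this goes in.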
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch new file mode 100644 index 0000000..210c297 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] add rules for the symlink of /tmp | ||
5 | |||
6 | /tmp is a symlink in poky, so we need allow rules for files to read | ||
7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/kernel/files.fc | 1 + | ||
14 | policy/modules/kernel/files.if | 8 ++++++++ | ||
15 | 2 files changed, 9 insertions(+), 0 deletions(-) | ||
16 | |||
17 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc | ||
18 | index 8796ca3..a0db748 100644 | ||
19 | --- a/policy/modules/kernel/files.fc | ||
20 | +++ b/policy/modules/kernel/files.fc | ||
21 | @@ -185,6 +185,7 @@ ifdef(`distro_debian',` | ||
22 | # /tmp | ||
23 | # | ||
24 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | ||
25 | +/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | ||
26 | /tmp/.* <<none>> | ||
27 | /tmp/\.journal <<none>> | ||
28 | |||
29 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | ||
30 | index e1e814d..a7384b0 100644 | ||
31 | --- a/policy/modules/kernel/files.if | ||
32 | +++ b/policy/modules/kernel/files.if | ||
33 | @@ -4199,6 +4199,7 @@ interface(`files_search_tmp',` | ||
34 | ') | ||
35 | |||
36 | allow $1 tmp_t:dir search_dir_perms; | ||
37 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
38 | ') | ||
39 | |||
40 | ######################################## | ||
41 | @@ -4235,6 +4236,7 @@ interface(`files_list_tmp',` | ||
42 | ') | ||
43 | |||
44 | allow $1 tmp_t:dir list_dir_perms; | ||
45 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
46 | ') | ||
47 | |||
48 | ######################################## | ||
49 | @@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',` | ||
50 | ') | ||
51 | |||
52 | allow $1 tmp_t:dir del_entry_dir_perms; | ||
53 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
54 | ') | ||
55 | |||
56 | ######################################## | ||
57 | @@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',` | ||
58 | ') | ||
59 | |||
60 | read_files_pattern($1, tmp_t, tmp_t) | ||
61 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
62 | ') | ||
63 | |||
64 | ######################################## | ||
65 | @@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',` | ||
66 | ') | ||
67 | |||
68 | manage_dirs_pattern($1, tmp_t, tmp_t) | ||
69 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
70 | ') | ||
71 | |||
72 | ######################################## | ||
73 | @@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',` | ||
74 | ') | ||
75 | |||
76 | manage_files_pattern($1, tmp_t, tmp_t) | ||
77 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
78 | ') | ||
79 | |||
80 | ######################################## | ||
81 | @@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',` | ||
82 | ') | ||
83 | |||
84 | rw_sock_files_pattern($1, tmp_t, tmp_t) | ||
85 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
86 | ') | ||
87 | |||
88 | ######################################## | ||
89 | @@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',` | ||
90 | ') | ||
91 | |||
92 | filetrans_pattern($1, tmp_t, $2, $3, $4) | ||
93 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
94 | ') | ||
95 | |||
96 | ######################################## | ||
97 | -- | ||
98 | 1.7.5.4 | ||
99 | |||
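--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch
@@ -0,0 +1,34 @@
+From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 11:20:00 +0800
+Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
+
+Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
+/var for poky, so we need allow rules for all domains to read these
+symlinks. Domains still need their practical allow rules to read the
+contents, so this is still a secure relax.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/kernel/domain.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index cf04cb5..9ffe6b0 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
+# list the root directory
+files_list_root(domain)
+
++# Yocto/oe-core use some var volatile links
++files_read_var_symlinks(domain)
++
+ifdef(`hide_broken_symptoms',`
+# This check is in the general socket
+# listen code, before protocol-specific
+--
+1.7.9.5
+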
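Review bot: The comment `# Yocto/oe-core use some var volatile links` on the new `files_read_var_symlinks(domain)` call does not tell a reader what is granted or why it is acceptable, and because it sits on the `domain` attribute it is inherited by every confined domain in the policy. The reasoning is only in the commit message (the link target path is disclosed, the contents still need the domain's own rules); it belongs on the rule, e.g. `# Poky replaces several /var subdirectories with symlinks into /var/volatile; every domain may readlink them (target path only), the contents still need their own rules`. Placing it outside the `ifdef(`hide_broken_symptoms',`` block below is right, since this is a functional requirement rather than noise suppression, and a comment saying so would stop someone from moving it there later.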
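--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -0,0 +1,31 @@
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/contrib/apache.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index ec8bd13..06f2e95 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+allow httpd_t httpd_modules_t:dir list_dir_perms;
+--
+1.7.9.5
+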
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch new file mode 100644 index 0000000..b06f3ef --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch | |||
@@ -0,0 +1,145 @@ | |||
1 | From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 2/6] add rules for the symlink of /var/log | ||
5 | |||
6 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
7 | lnk_file while doing search/list/delete/rw.. in /var/log/ directory. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/system/logging.fc | 1 + | ||
14 | policy/modules/system/logging.if | 14 +++++++++++++- | ||
15 | policy/modules/system/logging.te | 1 + | ||
16 | 3 files changed, 15 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
19 | index c005f33..9529e40 100644 | ||
20 | --- a/policy/modules/system/logging.fc | ||
21 | +++ b/policy/modules/system/logging.fc | ||
22 | @@ -41,6 +41,7 @@ ifdef(`distro_suse', ` | ||
23 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
24 | |||
25 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
26 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
27 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
28 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) | ||
29 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | ||
30 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
31 | index 4e94884..9a6f599 100644 | ||
32 | --- a/policy/modules/system/logging.if | ||
33 | +++ b/policy/modules/system/logging.if | ||
34 | @@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',` | ||
35 | # | ||
36 | interface(`logging_read_audit_log',` | ||
37 | gen_require(` | ||
38 | - type auditd_log_t; | ||
39 | + type auditd_log_t, var_log_t; | ||
40 | ') | ||
41 | |||
42 | files_search_var($1) | ||
43 | read_files_pattern($1, auditd_log_t, auditd_log_t) | ||
44 | allow $1 auditd_log_t:dir list_dir_perms; | ||
45 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
46 | ') | ||
47 | |||
48 | ######################################## | ||
49 | @@ -626,6 +627,7 @@ interface(`logging_search_logs',` | ||
50 | |||
51 | files_search_var($1) | ||
52 | allow $1 var_log_t:dir search_dir_perms; | ||
53 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
54 | ') | ||
55 | |||
56 | ####################################### | ||
57 | @@ -663,6 +665,7 @@ interface(`logging_list_logs',` | ||
58 | |||
59 | files_search_var($1) | ||
60 | allow $1 var_log_t:dir list_dir_perms; | ||
61 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
62 | ') | ||
63 | |||
64 | ####################################### | ||
65 | @@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',` | ||
66 | |||
67 | files_search_var($1) | ||
68 | allow $1 var_log_t:dir rw_dir_perms; | ||
69 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
70 | ') | ||
71 | |||
72 | ####################################### | ||
73 | @@ -793,10 +797,12 @@ interface(`logging_append_all_logs',` | ||
74 | interface(`logging_read_all_logs',` | ||
75 | gen_require(` | ||
76 | attribute logfile; | ||
77 | + type var_log_t; | ||
78 | ') | ||
79 | |||
80 | files_search_var($1) | ||
81 | allow $1 logfile:dir list_dir_perms; | ||
82 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
83 | read_files_pattern($1, logfile, logfile) | ||
84 | ') | ||
85 | |||
86 | @@ -815,10 +821,12 @@ interface(`logging_read_all_logs',` | ||
87 | interface(`logging_exec_all_logs',` | ||
88 | gen_require(` | ||
89 | attribute logfile; | ||
90 | + type var_log_t; | ||
91 | ') | ||
92 | |||
93 | files_search_var($1) | ||
94 | allow $1 logfile:dir list_dir_perms; | ||
95 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
96 | can_exec($1, logfile) | ||
97 | ') | ||
98 | |||
99 | @@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',` | ||
100 | |||
101 | files_search_var($1) | ||
102 | allow $1 var_log_t:dir list_dir_perms; | ||
103 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
104 | read_files_pattern($1, var_log_t, var_log_t) | ||
105 | ') | ||
106 | |||
107 | @@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',` | ||
108 | |||
109 | files_search_var($1) | ||
110 | allow $1 var_log_t:dir list_dir_perms; | ||
111 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
112 | write_files_pattern($1, var_log_t, var_log_t) | ||
113 | ') | ||
114 | |||
115 | @@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',` | ||
116 | |||
117 | files_search_var($1) | ||
118 | allow $1 var_log_t:dir list_dir_perms; | ||
119 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
120 | rw_files_pattern($1, var_log_t, var_log_t) | ||
121 | ') | ||
122 | |||
123 | @@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',` | ||
124 | |||
125 | files_search_var($1) | ||
126 | manage_files_pattern($1, var_log_t, var_log_t) | ||
127 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
128 | ') | ||
129 | |||
130 | ######################################## | ||
131 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
132 | index 2ab0a49..2795d89 100644 | ||
133 | --- a/policy/modules/system/logging.te | ||
134 | +++ b/policy/modules/system/logging.te | ||
135 | @@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms; | ||
136 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
137 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
138 | allow auditd_t var_log_t:dir search_dir_perms; | ||
139 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
140 | |||
141 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
142 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
143 | -- | ||
144 | 1.7.9.5 | ||
145 | |||
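Review bot: `logging_log_filetrans` is missing from this patch's diffstat, yet it is the interface a domain uses to create its own log file under /var/log; a domain that only calls it still cannot traverse the /var/log symlink after this change, which is exactly what the separate apache patch in this commit works around with a per-domain `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` beside its `logging_log_filetrans(httpd_t, httpd_log_t, file)` call. Adding `allow $1 var_log_t:lnk_file read_lnk_file_perms;` to `logging_log_filetrans` (with `type var_log_t;` in its gen_require) would cover every such domain at once and make the apache-specific rule unnecessary. The lnk_file rule added to `logging_read_audit_log` also deserves a one-line comment, since that interface is documented as auditd_log_t-only and now reaches var_log_t symlinks system-wide.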
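--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -0,0 +1,31 @@
+From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 1/6] Add the syslogd_t to trusted object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/logging.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2914b0b..2ab0a49 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+--
+1.7.9.5
+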
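Review bot: The inline comment on `mls_trusted_object(syslogd_t)` understates the rule: it places the syslogd process domain in the mlstrustedobject attribute, which exempts every MLS constraint whose target object is labelled syslogd_t, not only the unix-socket connectto/sendto the comment names, and it has no effect at all outside an MLS build. The comment should say so, e.g. `# MLS only: let processes at any level connectto/sendto syslogd's sockets (/dev/log); this exempts all MLS constraints where syslogd_t is the target object`. If devlog_t is already an mlstrustedobject in this refpolicy version, as it is upstream, then what this unblocks is the socket owned by syslogd_t itself, and stating that in the commit message would make the wider exemption read as deliberate rather than accidental. The syslogd_t rule block continues on both sides of the hunk.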
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..e77a730 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] allow nfsd to exec shell commands. | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/contrib/rpc.te | 2 +- | ||
11 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ | ||
12 | 2 files changed, 19 insertions(+), 1 deletions(-) | ||
13 | |||
14 | diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te | ||
15 | index 9566932..5605205 100644 | ||
16 | --- a/policy/modules/contrib/rpc.te | ||
17 | +++ b/policy/modules/contrib/rpc.te | ||
18 | @@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t) | ||
19 | kernel_dontaudit_getattr_core_if(nfsd_t) | ||
20 | kernel_setsched(nfsd_t) | ||
21 | kernel_request_load_module(nfsd_t) | ||
22 | -# kernel_mounton_proc(nfsd_t) | ||
23 | +kernel_mounton_proc(nfsd_t) | ||
24 | |||
25 | corenet_sendrecv_nfs_server_packets(nfsd_t) | ||
26 | corenet_tcp_bind_nfs_port(nfsd_t) | ||
27 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | ||
28 | index 649e458..8a669c5 100644 | ||
29 | --- a/policy/modules/kernel/kernel.if | ||
30 | +++ b/policy/modules/kernel/kernel.if | ||
31 | @@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',` | ||
32 | |||
33 | ######################################## | ||
34 | ## <summary> | ||
35 | +## Mounton a proc filesystem. | ||
36 | +## </summary> | ||
37 | +## <param name="domain"> | ||
38 | +## <summary> | ||
39 | +## Domain allowed access. | ||
40 | +## </summary> | ||
41 | +## </param> | ||
42 | +# | ||
43 | +interface(`kernel_mounton_proc',` | ||
44 | + gen_require(` | ||
45 | + type proc_t; | ||
46 | + ') | ||
47 | + | ||
48 | + allow $1 proc_t:dir mounton; | ||
49 | +') | ||
50 | + | ||
51 | +######################################## | ||
52 | +## <summary> | ||
53 | ## Get the attributes of the proc filesystem. | ||
54 | ## </summary> | ||
55 | ## <param name="domain"> | ||
56 | -- | ||
57 | 1.7.5.4 | ||
58 | |||
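Review bot: The patch subject `allow nfsd to exec shell commands.` does not describe the change; the only policy effect is enabling `kernel_mounton_proc(nfsd_t)`, i.e. `allow nfsd_t proc_t:dir mounton`, and the new interface's summary `Mounton a proc filesystem.` is equally vague. The subject should name what is granted and why (presumably mounting the nfsd filesystem on /proc/fs/nfsd, which the patch never states), and the interface summary should read `Mount a filesystem on a directory in proc.` with a caveat that proc_t:dir mounton reaches every proc_t directory, not just the one nfsd needs. Since the call was already present but commented out in rpc.te, the message should also say whether the interface was simply missing from this refpolicy version, if that is why it had been disabled.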
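--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -0,0 +1,29 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix setfiles_t to read symlinks
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+policy/modules/system/selinuxutil.te | 3 +++
+1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index ec01d0b..45ed81b 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -553,6 +553,9 @@ files_list_all(setfiles_t)
+files_relabel_all_files(setfiles_t)
+files_read_usr_symlinks(setfiles_t)
+
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
++
+fs_getattr_xattr_fs(setfiles_t)
+fs_list_all(setfiles_t)
+fs_search_auto_mountpoints(setfiles_t)
+--
+1.7.5.4
+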
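Review bot: With `files_read_all_symlinks(setfiles_t)` added, the `files_read_usr_symlinks(setfiles_t)` call two lines above it is subsumed and should be removed in the same patch so the two do not drift apart. The comment `# needs to be able to read symlinks to make restorecon on symlink working` should say which operation was being denied, since the relabel permissions on lnk_file already come from `files_relabel_all_files` on the line above and what this adds is lnk_file read (readlink) tree-wide; something like `# restorecon on a symlink path needs lnk_file read (readlink) on it, relabel alone is not enough` would let the next reader judge whether the all-symlinks scope is still required. As the patch is marked `Upstream-Status: Pending`, a pointer to the denial or report that motivated it would help whoever forwards it.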
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch new file mode 100644 index 0000000..82370d8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. | ||
5 | |||
6 | We should also not audit terminal to rw tty_device_t and fds in | ||
7 | term_dontaudit_use_console. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/kernel/terminal.if | 3 +++ | ||
14 | 1 file changed, 3 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
17 | index 7519d0e..45de1ac 100644 | ||
18 | --- a/policy/modules/kernel/terminal.if | ||
19 | +++ b/policy/modules/kernel/terminal.if | ||
20 | @@ -299,9 +299,12 @@ interface(`term_use_console',` | ||
21 | interface(`term_dontaudit_use_console',` | ||
22 | gen_require(` | ||
23 | type console_device_t; | ||
24 | + type tty_device_t; | ||
25 | ') | ||
26 | |||
27 | + init_dontaudit_use_fds($1) | ||
28 | dontaudit $1 console_device_t:chr_file rw_chr_file_perms; | ||
29 | + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; | ||
30 | ') | ||
31 | |||
32 | ######################################## | ||
33 | -- | ||
34 | 1.7.9.5 | ||
35 | |||
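Review bot: This widens the contract of a shared kernel-layer interface instead of fixing the one domain that needed it: every existing caller of `term_dontaudit_use_console` now silently loses audit records for reads and writes on `tty_device_t` and, via `init_dontaudit_use_fds`, for use of init's descriptors, which shrinks what an incident responder can see in the AVC log across many domains. `init_dontaudit_use_fds` is also a system-layer (init module) interface being called from `policy/modules/kernel/terminal.if`, a layering inversion refpolicy normally avoids. The narrower fix is to leave this interface as-is and add the tty and init-fd dontaudits next to the `term_dontaudit_use_console(...)` call in each affected domain's .te file (refpolicy already has a dedicated all-ttys dontaudit interface for this), or, if the widening is kept on purpose, to update the interface's doc comment above the hunk so it no longer describes the console only.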
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch new file mode 100644 index 0000000..d6c8dbf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 16:36:09 +0800 | ||
4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input | ||
5 | |||
6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
7 | --- | ||
8 | policy/modules/admin/dmesg.if | 1 + | ||
9 | policy/modules/admin/dmesg.te | 2 ++ | ||
10 | 2 files changed, 3 insertions(+) | ||
11 | |||
12 | diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if | ||
13 | index e1973c7..739a4bc 100644 | ||
14 | --- a/policy/modules/admin/dmesg.if | ||
15 | +++ b/policy/modules/admin/dmesg.if | ||
16 | @@ -37,4 +37,5 @@ interface(`dmesg_exec',` | ||
17 | |||
18 | corecmd_search_bin($1) | ||
19 | can_exec($1, dmesg_exec_t) | ||
20 | + dev_read_kmsg($1) | ||
21 | ') | ||
22 | diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te | ||
23 | index 72bc6d8..c591aea 100644 | ||
24 | --- a/policy/modules/admin/dmesg.te | ||
25 | +++ b/policy/modules/admin/dmesg.te | ||
26 | @@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t) | ||
27 | |||
28 | dev_read_sysfs(dmesg_t) | ||
29 | |||
30 | +dev_read_kmsg(dmesg_t) | ||
31 | + | ||
32 | fs_search_auto_mountpoints(dmesg_t) | ||
33 | |||
34 | term_dontaudit_use_console(dmesg_t) | ||
35 | -- | ||
36 | 1.7.9.5 | ||
37 | |||
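Review bot: Adding `dev_read_kmsg($1)` to `dmesg_exec` grants kernel-log read to every caller domain that merely executes dmesg in its own domain, whereas the interface's name (and presumably its doc comment above the hunk) promises only execute access; the ring buffer can expose kernel addresses and hardware details, so a domain meant to be kept away from it now reads it transitively. The `dev_read_kmsg(dmesg_t)` line added in dmesg.te already covers the domain-transition case, so the .if change is the one that needs a justification or should be dropped. The patch header also lacks the `Upstream-Status:` line the other patches in this series carry, which the Yocto patch-status checks expect.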
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch new file mode 100644 index 0000000..557af04 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch | |||
@@ -0,0 +1,216 @@ | |||
1 | From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] fix for new SELINUXMNT in /sys | ||
5 | |||
6 | SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should | ||
7 | add rules to access sysfs. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ | ||
14 | 1 file changed, 40 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if | ||
17 | index 81440c5..ee4e86b 100644 | ||
18 | --- a/policy/modules/kernel/selinux.if | ||
19 | +++ b/policy/modules/kernel/selinux.if | ||
20 | @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` | ||
21 | type security_t; | ||
22 | ') | ||
23 | |||
24 | + # SELINUXMNT is now /sys/fs/selinux, so we should add rules to | ||
25 | + # access sysfs | ||
26 | + dev_getattr_sysfs_dirs($1) | ||
27 | + dev_search_sysfs($1) | ||
28 | # starting in libselinux 2.0.5, init_selinuxmnt() will | ||
29 | # attempt to short circuit by checking if SELINUXMNT | ||
30 | # (/selinux) is already a selinuxfs | ||
31 | @@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` | ||
32 | type security_t; | ||
33 | ') | ||
34 | |||
35 | + dev_dontaudit_search_sysfs($1) | ||
36 | # starting in libselinux 2.0.5, init_selinuxmnt() will | ||
37 | # attempt to short circuit by checking if SELINUXMNT | ||
38 | # (/selinux) is already a selinuxfs | ||
39 | @@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` | ||
40 | type security_t; | ||
41 | ') | ||
42 | |||
43 | + dev_getattr_sysfs_dirs($1) | ||
44 | + dev_search_sysfs($1) | ||
45 | allow $1 security_t:filesystem mount; | ||
46 | ') | ||
47 | |||
48 | @@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` | ||
49 | type security_t; | ||
50 | ') | ||
51 | |||
52 | + dev_getattr_sysfs_dirs($1) | ||
53 | + dev_search_sysfs($1) | ||
54 | allow $1 security_t:filesystem remount; | ||
55 | ') | ||
56 | |||
57 | @@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` | ||
58 | type security_t; | ||
59 | ') | ||
60 | |||
61 | + dev_getattr_sysfs_dirs($1) | ||
62 | + dev_search_sysfs($1) | ||
63 | allow $1 security_t:filesystem unmount; | ||
64 | ') | ||
65 | |||
66 | @@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` | ||
67 | type security_t; | ||
68 | ') | ||
69 | |||
70 | + dev_getattr_sysfs_dirs($1) | ||
71 | + dev_search_sysfs($1) | ||
72 | allow $1 security_t:filesystem getattr; | ||
73 | ') | ||
74 | |||
75 | @@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',` | ||
76 | type security_t; | ||
77 | ') | ||
78 | |||
79 | + dev_dontaudit_search_sysfs($1) | ||
80 | dontaudit $1 security_t:filesystem getattr; | ||
81 | ') | ||
82 | |||
83 | @@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` | ||
84 | type security_t; | ||
85 | ') | ||
86 | |||
87 | + dev_dontaudit_search_sysfs($1) | ||
88 | dontaudit $1 security_t:dir getattr; | ||
89 | ') | ||
90 | |||
91 | @@ -220,6 +235,8 @@ interface(`selinux_search_fs',` | ||
92 | type security_t; | ||
93 | ') | ||
94 | |||
95 | + dev_getattr_sysfs_dirs($1) | ||
96 | + dev_search_sysfs($1) | ||
97 | allow $1 security_t:dir search_dir_perms; | ||
98 | ') | ||
99 | |||
100 | @@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` | ||
101 | type security_t; | ||
102 | ') | ||
103 | |||
104 | + dev_dontaudit_search_sysfs($1) | ||
105 | dontaudit $1 security_t:dir search_dir_perms; | ||
106 | ') | ||
107 | |||
108 | @@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` | ||
109 | type security_t; | ||
110 | ') | ||
111 | |||
112 | + dev_dontaudit_search_sysfs($1) | ||
113 | dontaudit $1 security_t:dir search_dir_perms; | ||
114 | dontaudit $1 security_t:file read_file_perms; | ||
115 | ') | ||
116 | @@ -342,6 +361,8 @@ interface(`selinux_load_policy',` | ||
117 | bool secure_mode_policyload; | ||
118 | ') | ||
119 | |||
120 | + dev_getattr_sysfs_dirs($1) | ||
121 | + dev_search_sysfs($1) | ||
122 | allow $1 security_t:dir list_dir_perms; | ||
123 | allow $1 security_t:file rw_file_perms; | ||
124 | typeattribute $1 can_load_policy; | ||
125 | @@ -371,6 +392,8 @@ interface(`selinux_read_policy',` | ||
126 | type security_t; | ||
127 | ') | ||
128 | |||
129 | + dev_getattr_sysfs_dirs($1) | ||
130 | + dev_search_sysfs($1) | ||
131 | allow $1 security_t:dir list_dir_perms; | ||
132 | allow $1 security_t:file read_file_perms; | ||
133 | allow $1 security_t:security read_policy; | ||
134 | @@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` | ||
135 | type security_t; | ||
136 | ') | ||
137 | |||
138 | + dev_getattr_sysfs_dirs($1) | ||
139 | + dev_search_sysfs($1) | ||
140 | allow $1 security_t:dir list_dir_perms; | ||
141 | allow $1 security_t:file rw_file_perms; | ||
142 | |||
143 | @@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` | ||
144 | bool secure_mode_policyload; | ||
145 | ') | ||
146 | |||
147 | + dev_getattr_sysfs_dirs($1) | ||
148 | + dev_search_sysfs($1) | ||
149 | allow $1 security_t:dir list_dir_perms; | ||
150 | allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; | ||
151 | allow $1 secure_mode_policyload_t:file read_file_perms; | ||
152 | @@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` | ||
153 | attribute can_setsecparam; | ||
154 | ') | ||
155 | |||
156 | + dev_getattr_sysfs_dirs($1) | ||
157 | + dev_search_sysfs($1) | ||
158 | allow $1 security_t:dir list_dir_perms; | ||
159 | allow $1 security_t:file rw_file_perms; | ||
160 | allow $1 security_t:security setsecparam; | ||
161 | @@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` | ||
162 | type security_t; | ||
163 | ') | ||
164 | |||
165 | + dev_dontaudit_search_sysfs($1) | ||
166 | dontaudit $1 security_t:dir list_dir_perms; | ||
167 | dontaudit $1 security_t:file rw_file_perms; | ||
168 | dontaudit $1 security_t:security check_context; | ||
169 | @@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` | ||
170 | type security_t; | ||
171 | ') | ||
172 | |||
173 | + dev_getattr_sysfs_dirs($1) | ||
174 | + dev_search_sysfs($1) | ||
175 | allow $1 security_t:dir list_dir_perms; | ||
176 | allow $1 security_t:file rw_file_perms; | ||
177 | allow $1 security_t:security compute_av; | ||
178 | @@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` | ||
179 | type security_t; | ||
180 | ') | ||
181 | |||
182 | + dev_getattr_sysfs_dirs($1) | ||
183 | + dev_search_sysfs($1) | ||
184 | allow $1 security_t:dir list_dir_perms; | ||
185 | allow $1 security_t:file rw_file_perms; | ||
186 | allow $1 security_t:security compute_create; | ||
187 | @@ -626,6 +660,8 @@ interface(`selinux_compute_member',` | ||
188 | type security_t; | ||
189 | ') | ||
190 | |||
191 | + dev_getattr_sysfs_dirs($1) | ||
192 | + dev_search_sysfs($1) | ||
193 | allow $1 security_t:dir list_dir_perms; | ||
194 | allow $1 security_t:file rw_file_perms; | ||
195 | allow $1 security_t:security compute_member; | ||
196 | @@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` | ||
197 | type security_t; | ||
198 | ') | ||
199 | |||
200 | + dev_getattr_sysfs_dirs($1) | ||
201 | + dev_search_sysfs($1) | ||
202 | allow $1 security_t:dir list_dir_perms; | ||
203 | allow $1 security_t:file rw_file_perms; | ||
204 | allow $1 security_t:security compute_relabel; | ||
205 | @@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` | ||
206 | type security_t; | ||
207 | ') | ||
208 | |||
209 | + dev_getattr_sysfs_dirs($1) | ||
210 | + dev_search_sysfs($1) | ||
211 | allow $1 security_t:dir list_dir_perms; | ||
212 | allow $1 security_t:file rw_file_perms; | ||
213 | allow $1 security_t:security compute_user; | ||
214 | -- | ||
215 | 1.7.9.5 | ||
216 | |||
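Review bot: `Upstream-Status: Inappropriate [only for Poky]` does not match this change: the move of selinuxfs from /selinux to /sys/fs/selinux described in the patch body is a kernel and libselinux change every distribution sees, so these rules belong upstream (or upstream may already carry an equivalent) and the tag should be `Pending` with a submission reference. The new comment at the top of `selinux_get_fs_mount` also leaves the older comment directly below it still saying `(/selinux) is already a selinuxfs`, so the two should be reconciled into one. The `dev_getattr_sysfs_dirs`/`dev_search_sysfs` pairs themselves are low-risk, granting only directory search and getattr on sysfs.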
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch new file mode 100644 index 0000000..19e2516 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 | ||
4 | Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/contrib/rpc.te | 5 +++++ | ||
11 | policy/modules/contrib/rpcbind.te | 5 +++++ | ||
12 | policy/modules/kernel/filesystem.te | 1 + | ||
13 | policy/modules/kernel/kernel.te | 2 ++ | ||
14 | 4 files changed, 13 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te | ||
17 | index 5605205..9e9f468 100644 | ||
18 | --- a/policy/modules/contrib/rpc.te | ||
19 | +++ b/policy/modules/contrib/rpc.te | ||
20 | @@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',` | ||
21 | |||
22 | optional_policy(` | ||
23 | mount_exec(nfsd_t) | ||
24 | + # Should domtrans to mount_t while mounting nfsd_fs_t. | ||
25 | + mount_domtrans(nfsd_t) | ||
26 | + # nfsd_t need to chdir to /var/lib/nfs and read files. | ||
27 | + files_list_var(nfsd_t) | ||
28 | + rpc_read_nfs_state_data(nfsd_t) | ||
29 | ') | ||
30 | |||
31 | ######################################## | ||
32 | diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te | ||
33 | index 196f168..9c75677 100644 | ||
34 | --- a/policy/modules/contrib/rpcbind.te | ||
35 | +++ b/policy/modules/contrib/rpcbind.te | ||
36 | @@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t) | ||
37 | |||
38 | sysnet_dns_name_resolve(rpcbind_t) | ||
39 | |||
40 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
41 | +# because the are running in different level. So add rules to allow this. | ||
42 | +mls_socket_read_all_levels(rpcbind_t) | ||
43 | +mls_socket_write_all_levels(rpcbind_t) | ||
44 | + | ||
45 | optional_policy(` | ||
46 | nis_use_ypbind(rpcbind_t) | ||
47 | ') | ||
48 | diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te | ||
49 | index 1c66416..2b9e7ce 100644 | ||
50 | --- a/policy/modules/kernel/filesystem.te | ||
51 | +++ b/policy/modules/kernel/filesystem.te | ||
52 | @@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) | ||
53 | |||
54 | type nfsd_fs_t; | ||
55 | fs_type(nfsd_fs_t) | ||
56 | +files_mountpoint(nfsd_fs_t) | ||
57 | genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) | ||
58 | |||
59 | type oprofilefs_t; | ||
60 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | ||
61 | index 49fde6e..a731078 100644 | ||
62 | --- a/policy/modules/kernel/kernel.te | ||
63 | +++ b/policy/modules/kernel/kernel.te | ||
64 | @@ -284,6 +284,8 @@ mls_process_read_up(kernel_t) | ||
65 | mls_process_write_down(kernel_t) | ||
66 | mls_file_write_all_levels(kernel_t) | ||
67 | mls_file_read_all_levels(kernel_t) | ||
68 | +mls_socket_write_all_levels(kernel_t) | ||
69 | +mls_fd_use_all_levels(kernel_t) | ||
70 | |||
71 | ifdef(`distro_redhat',` | ||
72 | # Bugzilla 222337 | ||
73 | -- | ||
74 | 1.7.9.5 | ||
75 | |||
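Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` turn the portmapper into an MLS-trusted channel for every level, a larger exemption than the stated problem (nfsd_t and rpcbind_t running at different levels) needs; the narrower `mls_socket_read_to_clearance`/`mls_socket_write_to_clearance` interfaces, or running the two daemons at the same level, should be tried first and the outcome recorded in the comment, which also has a typo (`because the are running` should read `because they are running`). Likewise `mount_domtrans(nfsd_t)` hands the NFS daemon the full `mount_t` domain in order to mount one filesystem; a direct mount permission on `nfsd_fs_t` (via the filesystem module's nfsd_fs mount interface, if this refpolicy version provides one) would keep nfsd confined. The kernel_t additions are low-risk given the surrounding context lines already grant kernel_t MLS read/write at all levels for files and processes.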
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch new file mode 100644 index 0000000..90efbd8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 14:38:53 +0800 | ||
4 | Subject: [PATCH] fix setfiles statvfs to get file count | ||
5 | |||
6 | New setfiles will read /proc/mounts and use statvfs in | ||
7 | file_system_count() to get file count of filesystems. | ||
8 | |||
9 | Upstream-Status: pending | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | --- | ||
13 | policy/modules/system/selinuxutil.te | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te | ||
17 | index 45ed81b..12c3d2e 100644 | ||
18 | --- a/policy/modules/system/selinuxutil.te | ||
19 | +++ b/policy/modules/system/selinuxutil.te | ||
20 | @@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t) | ||
21 | # needs to be able to read symlinks to make restorecon on symlink working | ||
22 | files_read_all_symlinks(setfiles_t) | ||
23 | |||
24 | -fs_getattr_xattr_fs(setfiles_t) | ||
25 | +fs_getattr_all_fs(setfiles_t) | ||
26 | fs_list_all(setfiles_t) | ||
27 | fs_search_auto_mountpoints(setfiles_t) | ||
28 | fs_relabelfrom_noxattr_fs(setfiles_t) | ||
29 | -- | ||
30 | 1.7.9.5 | ||
31 | |||
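Review bot: `Upstream-Status: pending` is lowercase here while the rest of the series uses `Pending`; the Yocto patch-status tooling matches the canonical capitalised value, so this should read `Upstream-Status: Pending`. The `fs_getattr_all_fs` widening is reasonable for statvfs over /proc/mounts and grants only filesystem getattr. Note that this hunk's context lines are the output of the setfiles symlinks patch (index `45ed81b`), so it applies only after that patch; a sentence saying so in the commit message would save the next person a failed rebase.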
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch new file mode 100644 index 0000000..be33bf1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/system/selinuxutil.if | 1 + | ||
11 | policy/modules/system/userdomain.if | 4 ++++ | ||
12 | 2 files changed, 5 insertions(+) | ||
13 | |||
14 | diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if | ||
15 | index 3822072..db03ca1 100644 | ||
16 | --- a/policy/modules/system/selinuxutil.if | ||
17 | +++ b/policy/modules/system/selinuxutil.if | ||
18 | @@ -680,6 +680,7 @@ interface(`seutil_manage_config',` | ||
19 | ') | ||
20 | |||
21 | files_search_etc($1) | ||
22 | + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) | ||
23 | manage_files_pattern($1, selinux_config_t, selinux_config_t) | ||
24 | read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) | ||
25 | ') | ||
26 | diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if | ||
27 | index b4a691d..20c8bf8 100644 | ||
28 | --- a/policy/modules/system/userdomain.if | ||
29 | +++ b/policy/modules/system/userdomain.if | ||
30 | @@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',` | ||
31 | logging_read_audit_config($1) | ||
32 | |||
33 | seutil_manage_bin_policy($1) | ||
34 | + seutil_manage_default_contexts($1) | ||
35 | + seutil_manage_file_contexts($1) | ||
36 | + seutil_manage_module_store($1) | ||
37 | + seutil_manage_config($1) | ||
38 | seutil_run_checkpolicy($1, $2) | ||
39 | seutil_run_loadpolicy($1, $2) | ||
40 | seutil_run_semanage($1, $2) | ||
41 | -- | ||
42 | 1.7.9.5 | ||
43 | |||
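Review bot: The four `seutil_manage_*` additions to `userdom_security_admin_template` give the security-administrator role write access to the whole `selinux_config_t` tree, which by the conventional layout includes the file that selects enforcing mode and policy type at boot, so a compromised secadm session can disable enforcement on the next reboot; that is within what secadm exists for, but the commit message should state it and the MLS build should confirm it is intended for its admin role. The `manage_dirs_pattern` addition to `seutil_manage_config` is needed for the store's directory layout and looks correct. A comment above the new template lines, e.g. `# secadm maintains the full policy store and /etc/selinux config, not just the binary policy`, would record the intent.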
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch new file mode 100644 index 0000000..aa870f4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node. | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | --- | ||
10 | policy/modules/services/xserver.te | 1 + | ||
11 | 1 file changed, 1 insertion(+) | ||
12 | |||
13 | diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te | ||
14 | index 4f6d693..b00f004 100644 | ||
15 | --- a/policy/modules/services/xserver.te | ||
16 | +++ b/policy/modules/services/xserver.te | ||
17 | @@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t) | ||
18 | # this is not actually a device, its a pipe | ||
19 | type xconsole_device_t; | ||
20 | files_type(xconsole_device_t) | ||
21 | +dev_node(xconsole_device_t) | ||
22 | fs_associate_tmpfs(xconsole_device_t) | ||
23 | files_associate_tmp(xconsole_device_t) | ||
24 | |||
25 | -- | ||
26 | 1.7.9.5 | ||
27 | |||
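Review bot: `dev_node(xconsole_device_t)` contradicts the comment kept two lines above it (`this is not actually a device, its a pipe`), and neither the patch body nor the commit message says which denial it fixes. Adding the device-node attribute makes every rule written against all device nodes (manage, relabel, getattr variants) apply to this FIFO, so domains with broad device-node access gain it over the xconsole pipe; if a single domain needs the pipe, a targeted rule in its .te is the narrower fix. At minimum the commit message should name the motivating AVC denial and the comment should be updated to `# this is not actually a device, its a pipe, but it is treated as a dev_node so that device-node rules cover it`.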
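--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb
@@ -0,0 +1,24 @@
+SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SE Linux built with MLS support. \
+It allows giving data labels such as \"Top Secret\" and preventing \
+such data from leaking to processes or files with lower classification. \
+"
+
+PR = "r0"
+
+POLICY_NAME = "mls"
+POLICY_TYPE = "mls"
+POLICY_DISTRO = "redhat"
+POLICY_UBAC = "n"
+POLICY_UNK_PERMS = "allow"
+POLICY_DIRECT_INITRC = "n"
+POLICY_MONOLITHIC = "n"
+POLICY_CUSTOM_BUILDOPT = ""
+POLICY_QUIET = "y"
+
+POLICY_MLS_SENS = "16"
+POLICY_MLS_CATS = "1024"
+POLICY_MCS_CATS = "1024"
+
+include refpolicy_${PV}.inc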
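Review bot: `POLICY_UNK_PERMS = "allow"` in the MLS variant means any object class or permission the running kernel knows but this 2.20130424 policy does not is permitted unchecked, which silently weakens a policy whose whole purpose is confinement whenever the image's kernel is newer than the policy; `"deny"` (or `"reject"`, which refuses to load such a policy) is the conservative setting for MLS, and whichever value is kept should carry a comment such as `# allow: unknown classes/perms of newer kernels are permitted; set to deny for a hardened image`. `POLICY_DISTRO = "redhat"` also enables the `distro_redhat` blocks in refpolicy on a Poky image, which deserves a one-line comment if intentional.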
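--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Standard variants of the SELinux policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux built with type enforcement \
+only."
+
+PR = "r3"
+
+POLICY_NAME = "standard"
+POLICY_TYPE = "standard"
+POLICY_DISTRO = "redhat"
+POLICY_UBAC = "n"
+POLICY_UNK_PERMS = "allow"
+POLICY_DIRECT_INITRC = "n"
+POLICY_MONOLITHIC = "n"
+POLICY_CUSTOM_BUILDOPT = ""
+POLICY_QUIET = "y"
+
+include refpolicy_${PV}.inc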
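Review bot: `PR = "r3"` in a freshly added version file is inconsistent with `r0` in the sibling `refpolicy-mls_2.20130424.bb`; PR is a revision within one PV and conventionally restarts at r0 when PV changes, so carrying r3 over from the older recipe misstates the package history (harmless to the build, misleading to anyone reading the version string). `POLICY_UNK_PERMS = "allow"` is likewise a security-relevant choice that permits kernel classes and permissions unknown to this policy, and should carry a comment stating the trade-off.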
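--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -0,0 +1,51 @@
+SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
+SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+file://poky-fc-update-alternatives_sysvinit.patch \
+file://poky-fc-update-alternatives_sysklogd.patch \
+file://poky-fc-update-alternatives_hostname.patch \
+file://poky-fc-fix-real-path_resolv.conf.patch \
+file://poky-fc-fix-real-path_login.patch \
+file://poky-fc-fix-real-path_shadow.patch \
+file://poky-fc-fix-bind.patch \
+file://poky-fc-clock.patch \
+file://poky-fc-corecommands.patch \
+file://poky-fc-dmesg.patch \
+file://poky-fc-fstools.patch \
+file://poky-fc-iptables.patch \
+file://poky-fc-mta.patch \
+file://poky-fc-netutils.patch \
+file://poky-fc-nscd.patch \
+file://poky-fc-screen.patch \
+file://poky-fc-ssh.patch \
+file://poky-fc-su.patch \
+file://poky-fc-sysnetwork.patch \
+"
+
+# Specific policy for Poky
+SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
+file://poky-policy-add-rules-for-var-log-symlink.patch \
+file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+file://poky-policy-add-rules-for-var-cache-symlink.patch \
+file://poky-policy-add-rules-for-tmp-symlink.patch \
+file://poky-policy-add-rules-for-bsdpty_device_t.patch \
+file://poky-policy-don-t-audit-tty_device_t.patch \
+file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
+file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
+file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
+file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+"
+
+# Other policy fixes
+SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+file://poky-policy-fix-seutils-manage-config-files.patch \
+file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
+file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+"
+
+include refpolicy_common.inc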
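Review bot: The patch list hides an ordering dependency across its three `SRC_URI +=` groups: `poky-policy-fix-setfiles-statvfs-get-file-count.patch` in the "Other policy fixes" group patches `selinuxutil.te` from blob `45ed81b`, which is the output of `poky-policy-allow-setfiles_t-to-read-symlinks.patch` in the group above, so reordering or dropping the symlinks patch makes the statvfs patch fail to apply. A comment on that line, `# depends on poky-policy-allow-setfiles_t-to-read-symlinks.patch (same hunk context)`, would make the constraint explicit. On the supply-chain side the tarball is fetched over plain http, so the pinned `SRC_URI[sha256sum]` is the only integrity control on the download; keep it, and note the `md5sum` adds nothing beyond it.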
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 0f9f83b..3eaf16d 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc | |||
@@ -58,10 +58,15 @@ module-store = direct | |||
58 | path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles | 58 | path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles |
59 | args = -q -c \$@ \$< | 59 | args = -q -c \$@ \$< |
60 | [end] | 60 | [end] |
61 | [sefcontext_compile] | ||
62 | path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile | ||
63 | args = \$@ | ||
64 | [end] | ||
61 | EOF | 65 | EOF |
62 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy | 66 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy |
63 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules | 67 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules |
64 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files | 68 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files |
69 | touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local | ||
65 | bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \ | 70 | bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \ |
66 | ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp | 71 | ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp |
67 | for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do | 72 | for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do |
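Review bot: The new `[sefcontext_compile]` entry sets `path` to `${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile`, a build-host location; if the here-document this hunk sits in is the semanage configuration that is installed under `${D}${sysconfdir}` on the target (the enclosing install function starts before the hunk, so that cannot be confirmed here), semanage on the device will fail to compile file contexts because that path does not exist there. The existing `[setfiles]` entry has the same pattern, so either both are rewritten for the target after the build or a comment should state that this file is consumed only at build time, e.g. `# build-time semanage.conf: paths point at native tools in the sysroot`. The added `touch .../file_contexts.local` is harmless but a short comment such as `# setfiles/semanage expect file_contexts.local to exist even when empty` would record why it is created. The `for` loop continues past the hunk.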