diff options
| author | Shrikant Bobade <Shrikant_Bobade@mentor.com> | 2014-11-19 13:43:06 +0530 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-01-12 11:51:47 -0500 |
| commit | 1e57d96d3af1912998acd2936667ca89bee29990 (patch) | |
| tree | d19853a7bc83689db910cab91219c783099d63f4 | |
| parent | 869aded23e5f999c4f6b3ecf0562ea9da4862c73 (diff) | |
| download | meta-selinux-1e57d96d3af1912998acd2936667ca89bee29990.tar.gz | |
V2 refpolicy:20140311 update for systemd
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch | 46 | ||||
| -rw-r--r-- | recipes-security/refpolicy/refpolicy_2.20140311.inc | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch new file mode 100644 index 0000000..80b420c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | refpolicy: update for systemd | ||
| 2 | |||
| 3 | It provides the systemd support for refpolicy | ||
| 4 | and related allow rules. | ||
| 5 | The restorecon provides systemd init labeled | ||
| 6 | as init_exec_t. | ||
| 7 | |||
| 8 | Upstream-Status: Pending | ||
| 9 | |||
| 10 | |||
| 11 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
| 12 | |||
| 13 | --- a/policy/modules/contrib/shutdown.fc | ||
| 14 | +++ b/policy/modules/contrib/shutdown.fc | ||
| 15 | @@ -5,6 +5,9 @@ | ||
| 16 | /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 17 | /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 18 | |||
| 19 | +# systemd support | ||
| 20 | +/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 21 | + | ||
| 22 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 23 | |||
| 24 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 25 | --- a/policy/modules/system/init.fc | ||
| 26 | +++ b/policy/modules/system/init.fc | ||
| 27 | @@ -31,6 +31,8 @@ | ||
| 28 | # | ||
| 29 | /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 30 | /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 31 | +# systemd support | ||
| 32 | +/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 33 | # because nowadays, /sbin/init is often a symlink to /sbin/upstart | ||
| 34 | /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 35 | |||
| 36 | --- a/policy/modules/system/init.te | ||
| 37 | +++ b/policy/modules/system/init.te | ||
| 38 | @@ -913,3 +913,8 @@ | ||
| 39 | optional_policy(` | ||
| 40 | zebra_read_config(initrc_t) | ||
| 41 | ') | ||
| 42 | + | ||
| 43 | +# systemd related allow rules | ||
| 44 | +allow kernel_t init_t:process dyntransition; | ||
| 45 | +allow devpts_t device_t:filesystem associate; | ||
| 46 | +allow init_t self:capability2 block_suspend; | ||
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc index 8894583..557b4ab 100644 --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc | |||
| @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ | |||
| 29 | file://poky-fc-rpm.patch \ | 29 | file://poky-fc-rpm.patch \ |
| 30 | file://poky-fc-ftpwho-dir.patch \ | 30 | file://poky-fc-ftpwho-dir.patch \ |
| 31 | file://poky-fc-fix-real-path_su.patch \ | 31 | file://poky-fc-fix-real-path_su.patch \ |
| 32 | file://refpolicy-update-for_systemd.patch \ | ||
| 32 | " | 33 | " |
| 33 | 34 | ||
| 34 | # Specific policy for Poky | 35 | # Specific policy for Poky |