author | Joe MacDonald <joe@deserted.net> | 2019-04-08 13:50:40 -0400 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2019-04-10 10:57:14 -0400 |
commit | 776da889b550ac9e5be414a8cc10fd86b1923264 (patch) | |
tree | 79771fa29c551e934321434f4b5f3da7a27fd91f | |
parent | a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3 (diff) | |
refpolicy: update to 2.20190201 and git HEAD policiesjjm/RELEASE_2.20190201
Additionally, the README has fallen out of date; update it to reflect the
current reality of layer dependencies.
Signed-off-by: Joe MacDonald <joe@deserted.net>
156 files changed, 3145 insertions, 3748 deletions
@@ -16,20 +16,8 @@ of this layer, as well as instructions for submitting patches. | |||
16 | Dependencies | 16 | Dependencies |
17 | ------------ | 17 | ------------ |
18 | 18 | ||
19 | This layer depends on the openembedded-core metadata. | 19 | This layer depends on the openembedded-core metadata and the meta-python and |
20 | 20 | meta-oe layers from the meta-openembedded repository. | |
21 | This layer also optionally depends on the following layers: | ||
22 | |||
23 | URI: git://github.com/openembedded/meta-oe.git | ||
24 | branch: master | ||
25 | revision: HEAD | ||
26 | layers: meta-oe | ||
27 | meta-networking | ||
28 | meta-python | ||
29 | |||
30 | URI: git://git.yoctoproject.org/meta-virtualization | ||
31 | branch: master | ||
32 | revision: HEAD | ||
33 | 21 | ||
34 | 22 | ||
35 | Maintenance | 23 | Maintenance |
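diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
deleted file mode 100644
index b2102af..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/clock.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
-
-/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
-
-/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)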
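diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
deleted file mode 100644
index 3739059..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/corecommands.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
-/sbin -d gen_context(system_u:object_r:bin_t,s0)
-/sbin/.* gen_context(system_u:object_r:bin_t,s0)
-/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
-/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
-# /opt
-#
-/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)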
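diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
deleted file mode 100644
index 2a567da..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/dmesg.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
-
-/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-
-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)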
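diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index dfb7544..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/authlogin.fc | 7 ++++---
-1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,21 @@
-
-/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
-
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
-/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-')
-
-/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)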
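diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 9819c1d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/usermanage.fc | 6 ++++++
-1 file changed, 6 insertions(+)
-
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
-/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
-')
-
-/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
-/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
-/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
-/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
-/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
-
-/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
-/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)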
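diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
deleted file mode 100644
index 66bef0f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
-policy/modules/system/fstools.fc | 9 +++++++++
-1 file changed, 9 insertions(+)
-
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
-/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -83,10 +89,11 @@
-/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)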
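diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index d58de6a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/ftp.fc | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -10,11 +10,11 @@
-/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
-/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
-/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
-
--/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-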
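diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
deleted file mode 100644
index 9e1196a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/iptables.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -14,10 +14,11 @@
-/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)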
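diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
deleted file mode 100644
index 5d2b0cf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/mta.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
-/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)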
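diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
deleted file mode 100644
index b41e6e4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/netutils.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
-/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
-/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
-/usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)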
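diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
deleted file mode 100644
index 0adf7c2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/nscd.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,8 +1,9 @@
-/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-
-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-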
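diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
deleted file mode 100644
index 9de7532..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/rpm.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
-/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
-/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
-ifdef(`enable_mls',`
-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-')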
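diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
deleted file mode 100644
index 8ea210e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/screen.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
-
-/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)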
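diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
deleted file mode 100644
index e3d156e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/su.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,6 +1,7 @@
-
-/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
-/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
-/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)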
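diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
deleted file mode 100644
index c5fdc51..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-config/file_contexts.subs_dist | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,17 @@
-
-# backward compatibility
-# not for refpolicy intern, but for /var/run using applications,
-# like systemd tmpfiles or systemd socket configurations
-/var/run /run
-+
-+# Yocto compatibility
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr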
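diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
deleted file mode 100644
index fa369ca..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/sysnetwork.fc | 4 ++++
-1 file changed, 4 insertions(+)
-
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
-#
-# /bin
-#
-/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /dev
-#
-ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
-/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /usr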
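diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
deleted file mode 100644
index 8e2cb1b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
-policy/modules/system/udev.fc | 2 ++
-1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -8,10 +8,11 @@
-
-/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
-/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-ifdef(`distro_debian',`
-/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
-')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
-ifdef(`distro_redhat',`
-/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-')
-
-/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)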
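--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Mark Hatle <mark.hatle@windriver.com>
-Date: Thu, 14 Sep 2017 15:02:23 -0500
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
----
-policy/modules/system/corecommands.fc | 1 +
-1 file changed, 1 insertion(+)
-
-Index: refpolicy/policy/modules/kernel/corecommands.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/corecommands.fc
-+++ refpolicy/policy/modules/kernel/corecommands.fc
-@@ -6,6 +6,7 @@
-/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)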
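--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/hostname.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
-
-/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-
-/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)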
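--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.fc | 3 +++
-policy/modules/system/logging.te | 2 ++
-2 files changed, 5 insertions(+)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
-/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
-/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
-/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
-/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
-/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
-/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
-/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
-allow syslogd_t self:fifo_file rw_fifo_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
-allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
-# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(syslogd_t, devlog_t, sock_file)
-init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")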
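--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/shutdown.fc | 1 +
-policy/modules/kernel/corecommands.fc | 1 +
-policy/modules/system/init.fc | 1 +
-3 files changed, 3 insertions(+)
-
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
-/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-
-/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
-/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
-
-#
-# /sbin
-#
-/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
-# because nowadays, /sbin/init is often a symlink to /sbin/upstart
-/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
-ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)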
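--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.te | 2 ++
-1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
-files_search_spool(syslogd_t)
-
-# Allow access for syslog-ng
-allow syslogd_t var_log_t:dir { create setattr };
-
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
-# manage temporary files
-manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
-manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
-files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
-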
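--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/apache.te | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
-files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-
-manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
-manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
-logging_log_filetrans(httpd_t, httpd_log_t, file)
-
-allow httpd_t httpd_modules_t:dir list_dir_perms;
-mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
-read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)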
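--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.te | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -278,10 +278,11 @@ optional_policy(`
-
-allow audisp_remote_t self:capability { setuid setpcap };
-allow audisp_remote_t self:process { getcap setcap };
-allow audisp_remote_t self:tcp_socket create_socket_perms;
-allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
-manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
-files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-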
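--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.fc | 1 +
-policy/modules/system/logging.if | 14 +++++++++++++-
-policy/modules/system/logging.te | 1 +
-3 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
-
-/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
-/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
-## </param>
-## <rolecap/>
-#
-interface(`logging_read_audit_log',`
-gen_require(`
-- type auditd_log_t;
-+ type auditd_log_t, var_log_t;
-')
-
-files_search_var($1)
-read_files_pattern($1, auditd_log_t, auditd_log_t)
-allow $1 auditd_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir search_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-#######################################
-## <summary>
-## Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-#######################################
-## <summary>
-## Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir rw_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-#######################################
-## <summary>
-## Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
-## <rolecap/>
-#
-interface(`logging_read_all_logs',`
-gen_require(`
-attribute logfile;
-+ type var_log_t;
-')
-
-files_search_var($1)
-allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-read_files_pattern($1, logfile, logfile)
-')
-
-########################################
-## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
-# cjp: not sure why this is needed. This was added
-# because of logrotate.
-interface(`logging_exec_all_logs',`
-gen_require(`
-attribute logfile;
-+ type var_log_t;
-')
-
-files_search_var($1)
-allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-can_exec($1, logfile)
-')
-
-########################################
-## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-read_files_pattern($1, var_log_t, var_log_t)
-')
-
-########################################
-## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-write_files_pattern($1, var_log_t, var_log_t)
-')
-
-########################################
-## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-type var_log_t;
-')
-
-files_search_var($1)
-allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-rw_files_pattern($1, var_log_t, var_log_t)
-')
-
-########################################
-## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
-type var_log_t;
-')
-
-files_search_var($1)
-manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
-
-manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t auditd_log_t:dir setattr;
-manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
-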
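--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/contrib/rpc.te | 2 +-
-policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
-2 files changed, 19 insertions(+), 1 deletions(-)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
-
-kernel_read_network_state(nfsd_t)
-kernel_dontaudit_getattr_core_if(nfsd_t)
-kernel_setsched(nfsd_t)
-kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
-corenet_sendrecv_nfs_server_packets(nfsd_t)
-corenet_tcp_bind_nfs_port(nfsd_t)
-corenet_udp_bind_nfs_port(nfsd_t)
-
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
-allow $1 proc_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-+## Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-## Get the attributes of the proc filesystem.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.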
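--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/selinuxutil.te | 3 +++
-1 file changed, 3 insertions(+)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
-files_dontaudit_read_all_symlinks(setfiles_t)
-
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
-fs_getattr_all_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-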
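--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/dmesg.if | 1 +
-policy/modules/admin/dmesg.te | 2 ++
-2 files changed, 3 insertions(+)
-
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
-type dmesg_exec_t;
-')
-
-corecmd_search_bin($1)
-can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
-')
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
-# for when /usr is not mounted:
-kernel_dontaudit_search_unlabeled(dmesg_t)
-
-dev_read_sysfs(dmesg_t)
-
-+dev_read_kmsg(dmesg_t)
-+
-fs_search_auto_mountpoints(dmesg_t)
-
-term_dontaudit_use_console(dmesg_t)
-
-domain_use_interactive_fds(dmesg_t)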
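--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++--
-1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
-interface(`selinux_get_fs_mount',`
-gen_require(`
-type security_t;
-')
-
-+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+ # access sysfs
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
-# starting in libselinux 2.0.5, init_selinuxmnt() will
-# attempt to short circuit by checking if SELINUXMNT
-# (/selinux) is already a selinuxfs
-allow $1 security_t:filesystem getattr;
-
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
-interface(`selinux_dontaudit_get_fs_mount',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-# starting in libselinux 2.0.5, init_selinuxmnt() will
-# attempt to short circuit by checking if SELINUXMNT
-# (/selinux) is already a selinuxfs
-dontaudit $1 security_t:filesystem getattr;
-
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
-interface(`selinux_mount_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
-allow $1 security_t:filesystem mount;
-')
-
-########################################
-## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
-interface(`selinux_remount_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
-allow $1 security_t:filesystem remount;
-')
-
-########################################
-## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
-interface(`selinux_unmount_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
-allow $1 security_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
-interface(`selinux_getattr_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
-allow $1 security_t:filesystem getattr;
-
-dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
-interface(`selinux_dontaudit_getattr_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:filesystem getattr;
-
-dev_dontaudit_getattr_sysfs($1)
-dev_dontaudit_search_sysfs($1)
-')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
-interface(`selinux_dontaudit_getattr_dir',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir getattr;
-')
-
-########################################
-## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
-interface(`selinux_search_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir search_dir_perms;
-')
-
-########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
-interface(`selinux_dontaudit_search_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
-interface(`selinux_dontaudit_read_fs',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-dontaudit $1 security_t:file read_file_perms;
-')
-
-########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
-interface(`selinux_get_enforce_mode',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file read_file_perms;
-')
-
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
-interface(`selinux_read_policy',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file read_file_perms;
-allow $1 security_t:security read_policy;
-')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
-interface(`selinux_set_generic_booleans',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
-
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
-type security_t, secure_mode_policyload_t;
-attribute boolean_type;
-bool secure_mode_policyload;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
-interface(`selinux_validate_context',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
-allow $1 security_t:security check_context;
-')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
-interface(`selinux_dontaudit_validate_context',`
-gen_require(`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir list_dir_perms;
-dontaudit $1 security_t:file rw_file_perms;
-dontaudit $1 security_t:security check_context;
-')
-
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
-interface(`selinux_compute_access_vector',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
-allow $1 security_t:security compute_av;
-')
-@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
-interface(`selinux_compute_user_contexts',`
-gen_require(`
-type security_t;
-')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
-allow $1 security_t:security compute_user;
-')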
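--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/selinuxutil.te | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
-files_dontaudit_read_all_symlinks(setfiles_t)
-
-# needs to be able to read symlinks to make restorecon on symlink working
-files_read_all_symlinks(setfiles_t)
-
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
-mls_file_read_all_levels(setfiles_t)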
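--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+config/file_contexts.subs_dist | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+# not for refpolicy intern, but for /var/run using applications,
+# like systemd tmpfiles or systemd socket configurations
+/var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+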
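Review bot: The new alias `/var/volatile/run /var/run` points at a prefix that this same file already rewrites three lines above with `/var/run /run`, and as far as I know libselinux applies a single substitution per lookup rather than chaining them, so a path under /var/volatile/run would be matched against /var/run/... entries while refpolicy on the new side labels runtime files under /run (see `/run/shutdown\.pid` in the shutdown.fc hunk later in this commit). Mapping it directly, `/var/volatile/run /run`, removes the dependence on a second pass. The pair `/var/volatile/run/lock /var/lock` and `/var/volatile/run /var/run` also overlap, and which prefix wins depends on the order libselinux walks its list, so both cases are worth confirming with matchpathcon on a built image before the patch is sent upstream as Pending.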
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch index 3f6a5c8..62e7da1 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch | |||
@@ -1,34 +1,34 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | 1 | From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 1/4] fix update-alternatives for sysvinit | 4 | Subject: [PATCH] fix update-alternatives for sysvinit |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 10 | --- |
11 | policy/modules/contrib/shutdown.fc | 1 + | 11 | policy/modules/admin/shutdown.fc | 1 + |
12 | policy/modules/kernel/corecommands.fc | 1 + | 12 | policy/modules/kernel/corecommands.fc | 1 + |
13 | policy/modules/system/init.fc | 1 + | 13 | policy/modules/system/init.fc | 1 + |
14 | 3 files changed, 3 insertions(+) | 14 | 3 files changed, 3 insertions(+) |
15 | 15 | ||
16 | --- a/policy/modules/contrib/shutdown.fc | 16 | diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc |
17 | +++ b/policy/modules/contrib/shutdown.fc | 17 | index 03a2230c..2ba049ff 100644 |
18 | @@ -3,7 +3,8 @@ | 18 | --- a/policy/modules/admin/shutdown.fc |
19 | /usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 19 | +++ b/policy/modules/admin/shutdown.fc |
20 | 20 | @@ -5,5 +5,6 @@ | |
21 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 21 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
22 | 22 | ||
23 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 23 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
24 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 24 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
25 | 25 | ||
26 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) | 26 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) |
27 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | ||
28 | index cf3848db..86920167 100644 | ||
27 | --- a/policy/modules/kernel/corecommands.fc | 29 | --- a/policy/modules/kernel/corecommands.fc |
28 | +++ b/policy/modules/kernel/corecommands.fc | 30 | +++ b/policy/modules/kernel/corecommands.fc |
29 | @@ -144,10 +144,11 @@ ifdef(`distro_gentoo',` | 31 | @@ -149,6 +149,7 @@ ifdef(`distro_gentoo',` |
30 | /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) | ||
31 | /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
32 | /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) | 32 | /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) |
33 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | 33 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) |
34 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | 34 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) |
@@ -36,19 +36,18 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
36 | /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) | 36 | /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) |
37 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | 37 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) |
38 | /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) | 38 | /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) |
39 | /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) | 39 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc |
40 | /usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) | 40 | index 11a6ce93..93e9d2b4 100644 |
41 | --- a/policy/modules/system/init.fc | 41 | --- a/policy/modules/system/init.fc |
42 | +++ b/policy/modules/system/init.fc | 42 | +++ b/policy/modules/system/init.fc |
43 | @@ -40,10 +40,11 @@ ifdef(`distro_gentoo', ` | 43 | @@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` |
44 | 44 | # /usr | |
45 | /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | 45 | # |
46 | /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | 46 | /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) |
47 | |||
48 | /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
49 | +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | 47 | +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) |
50 | /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) | 48 | /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) |
51 | /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | 49 | /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) |
52 | 50 | /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) | |
53 | ifdef(`distro_gentoo', ` | 51 | -- |
54 | /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) | 52 | 2.19.1 |
53 | |||
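Review bot: The init.fc entry on the new side, `/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)`, is now inserted among entries that refpolicy has moved to /usr/bin (`/usr/bin/init(ng)?`, `/usr/bin/open_init_pty`, `/usr/bin/systemd`), so whether the sysvinit binary still ends up labelled init_exec_t depends on the path Poky installs it at and on the /sbin and /usr/sbin aliases in file_contexts.subs_dist, neither of which is visible in this section. If /usr/sbin is deliberate it deserves a short comment above the entry naming the installed path it is matched against, so the next rebase does not drop it as a stray; if not, it should take its neighbours' /usr/bin form. The shutdown.fc addition sits next to `/usr/sbin/shutdown` on the same side and is consistent, and the corecommands.fc addition falls between the two shown hunks, so I could not check it.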
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch index 23bc397..f92ddb8 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001 | 1 | From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:51:44 +0530 | 3 | Date: Fri, 26 Aug 2016 17:51:44 +0530 |
4 | Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related | 4 | Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related |
5 | allow rules | 5 | allow rules |
6 | 6 | ||
7 | add allow rules for audit.log file & resolve dependent avc denials. | 7 | add allow rules for audit.log file & resolve dependent avc denials. |
@@ -22,16 +22,17 @@ volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t | |||
22 | Upstream-Status: Pending | 22 | Upstream-Status: Pending |
23 | 23 | ||
24 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 24 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
25 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
25 | --- | 26 | --- |
26 | policy/modules/system/getty.te | 3 +++ | 27 | policy/modules/system/getty.te | 3 +++ |
27 | policy/modules/system/logging.te | 8 ++++++++ | 28 | policy/modules/system/logging.te | 8 ++++++++ |
28 | 2 files changed, 11 insertions(+) | 29 | 2 files changed, 11 insertions(+) |
29 | 30 | ||
30 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | 31 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te |
31 | index f6743ea..84eaf77 100644 | 32 | index 6d3c4284..423db0cc 100644 |
32 | --- a/policy/modules/system/getty.te | 33 | --- a/policy/modules/system/getty.te |
33 | +++ b/policy/modules/system/getty.te | 34 | +++ b/policy/modules/system/getty.te |
34 | @@ -139,3 +139,6 @@ optional_policy(` | 35 | @@ -129,3 +129,6 @@ optional_policy(` |
35 | optional_policy(` | 36 | optional_policy(` |
36 | udev_read_db(getty_t) | 37 | udev_read_db(getty_t) |
37 | ') | 38 | ') |
@@ -39,10 +40,10 @@ index f6743ea..84eaf77 100644 | |||
39 | +allow getty_t tmpfs_t:dir search; | 40 | +allow getty_t tmpfs_t:dir search; |
40 | +allow getty_t tmpfs_t:file { open write lock }; | 41 | +allow getty_t tmpfs_t:file { open write lock }; |
41 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 42 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
42 | index 9b18aad..fdf86ef 100644 | 43 | index 63e92a8e..8ab46925 100644 |
43 | --- a/policy/modules/system/logging.te | 44 | --- a/policy/modules/system/logging.te |
44 | +++ b/policy/modules/system/logging.te | 45 | +++ b/policy/modules/system/logging.te |
45 | @@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; | 46 | @@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; |
46 | allow audisp_t self:unix_dgram_socket create_socket_perms; | 47 | allow audisp_t self:unix_dgram_socket create_socket_perms; |
47 | 48 | ||
48 | allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; | 49 | allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; |
@@ -50,7 +51,7 @@ index 9b18aad..fdf86ef 100644 | |||
50 | 51 | ||
51 | manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) | 52 | manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) |
52 | files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) | 53 | files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) |
53 | @@ -569,3 +570,10 @@ optional_policy(` | 54 | @@ -620,3 +621,10 @@ optional_policy(` |
54 | # log to the xconsole | 55 | # log to the xconsole |
55 | xserver_rw_console(syslogd_t) | 56 | xserver_rw_console(syslogd_t) |
56 | ') | 57 | ') |
@@ -63,5 +64,5 @@ index 9b18aad..fdf86ef 100644 | |||
63 | +allow klogd_t initrc_t:unix_dgram_socket sendto; | 64 | +allow klogd_t initrc_t:unix_dgram_socket sendto; |
64 | \ No newline at end of file | 65 | \ No newline at end of file |
65 | -- | 66 | -- |
66 | 1.9.1 | 67 | 2.19.1 |
67 | 68 | ||
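Review bot: The rebased getty.te hunk still carries `allow getty_t tmpfs_t:dir search;` and `allow getty_t tmpfs_t:file { open write lock };`, which grant access to every file on a tmpfs rather than to the single /var/volatile/log/wtmp object quoted in the patch description, and the 0001-fc-subs-volatile patch added in this same commit now aliases /var/volatile/log to /var/log, which (if the volatile tree is relabelled after it is mounted) would give that file its /var/log label and make the generic tmpfs_t grant redundant. The same applies to `allow local_login_t tmpfs_t:dir { add_name write search};` and the matching file rule in 0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch further down. Since both remain `Upstream-Status: Pending`, it would be worth re-testing them against the new alias and either narrowing them to the specific log type or recording in the patch description why the broad tmpfs_t rule is still required.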
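--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+config/file_contexts.subs_dist | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+/var/volatile/tmp /var/tmp
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+--
+2.19.1
+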
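Review bot: The busybox aliases `/usr/lib/busybox/bin /bin` and `/usr/lib/busybox/sbin /sbin` target /bin and /sbin, yet the refpolicy entries visible elsewhere in this commit are written against /usr/bin (`/usr/bin/mksh`, `/usr/bin/nologin`, `/usr/bin/init(ng)?`), so unless /bin and /sbin have their own fc entries these aliases only work if a further /bin → /usr/bin substitution is applied, and as far as I know libselinux substitutes once per lookup without chaining. The first 40 lines of file_contexts.subs_dist are outside this hunk, so I cannot tell whether such an alias exists; if the labels are meant to come from the /usr/bin entries, pointing the aliases there directly (`/usr/lib/busybox/bin /usr/bin`, `/usr/lib/busybox/sbin /usr/sbin`) is the safer form. The patch also lacks the `Upstream-Status:` line the sibling patches carry.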
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch index 3623215..37423ec 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001 | 1 | From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:53:46 +0530 | 3 | Date: Fri, 26 Aug 2016 17:53:46 +0530 |
4 | Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type | 4 | Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type |
5 | local_login_t | 5 | local_login_t |
6 | 6 | ||
7 | add allow rules for locallogin module avc denials. | 7 | add allow rules for locallogin module avc denials. |
@@ -26,15 +26,16 @@ type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= | |||
26 | Upstream-Status: Pending | 26 | Upstream-Status: Pending |
27 | 27 | ||
28 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 28 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
29 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
29 | --- | 30 | --- |
30 | policy/modules/system/locallogin.te | 10 ++++++++++ | 31 | policy/modules/system/locallogin.te | 10 ++++++++++ |
31 | 1 file changed, 10 insertions(+) | 32 | 1 file changed, 10 insertions(+) |
32 | 33 | ||
33 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 34 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
34 | index 53923f8..09ec33f 100644 | 35 | index 4c679ff3..75750e4c 100644 |
35 | --- a/policy/modules/system/locallogin.te | 36 | --- a/policy/modules/system/locallogin.te |
36 | +++ b/policy/modules/system/locallogin.te | 37 | +++ b/policy/modules/system/locallogin.te |
37 | @@ -274,3 +274,13 @@ optional_policy(` | 38 | @@ -288,3 +288,13 @@ optional_policy(` |
38 | optional_policy(` | 39 | optional_policy(` |
39 | nscd_use(sulogin_t) | 40 | nscd_use(sulogin_t) |
40 | ') | 41 | ') |
@@ -49,5 +50,5 @@ index 53923f8..09ec33f 100644 | |||
49 | +allow local_login_t tmpfs_t:dir { add_name write search}; | 50 | +allow local_login_t tmpfs_t:dir { add_name write search}; |
50 | +allow local_login_t tmpfs_t:file { create open read write lock }; | 51 | +allow local_login_t tmpfs_t:file { create open read write lock }; |
51 | -- | 52 | -- |
52 | 1.9.1 | 53 | 2.19.1 |
53 | 54 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch index 737c0a2..ad94252 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch | |||
@@ -1,33 +1,33 @@ | |||
1 | From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 | 1 | From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:39:41 +0800 | 3 | Date: Thu, 22 Aug 2013 13:39:41 +0800 |
4 | Subject: [PATCH 2/4] fix update-alternatives for sysklogd | 4 | Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink |
5 | 5 | ||
6 | /etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule | 6 | /etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow |
7 | for syslogd_t to read syslog_conf_t lnk_file is needed. | 7 | rule for syslogd_t to read syslog_conf_t lnk_file is needed. |
8 | 8 | ||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 13 | --- |
14 | policy/modules/system/logging.fc | 4 ++++ | 14 | policy/modules/system/logging.fc | 3 +++ |
15 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
16 | 2 files changed, 5 insertions(+) | 16 | 2 files changed, 4 insertions(+) |
17 | 17 | ||
18 | Index: refpolicy/policy/modules/system/logging.fc | 18 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
19 | =================================================================== | 19 | index 6693d87b..0cf108e0 100644 |
20 | --- refpolicy.orig/policy/modules/system/logging.fc | 20 | --- a/policy/modules/system/logging.fc |
21 | +++ refpolicy/policy/modules/system/logging.fc | 21 | +++ b/policy/modules/system/logging.fc |
22 | @@ -2,6 +2,7 @@ | 22 | @@ -2,6 +2,7 @@ |
23 | 23 | ||
24 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 24 | /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) |
25 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 25 | /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) |
26 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) | 26 | +/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) |
27 | /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) | 27 | /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) |
28 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | 28 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
29 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) | 29 | /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) |
30 | @@ -30,10 +31,12 @@ | 30 | @@ -32,10 +33,12 @@ |
31 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | 31 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) |
32 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | 32 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) |
33 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | 33 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
@@ -40,11 +40,11 @@ Index: refpolicy/policy/modules/system/logging.fc | |||
40 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 40 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
41 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 41 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
42 | 42 | ||
43 | Index: refpolicy/policy/modules/system/logging.te | 43 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
44 | =================================================================== | 44 | index adc628f8..07ed546d 100644 |
45 | --- refpolicy.orig/policy/modules/system/logging.te | 45 | --- a/policy/modules/system/logging.te |
46 | +++ refpolicy/policy/modules/system/logging.te | 46 | +++ b/policy/modules/system/logging.te |
47 | @@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s | 47 | @@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms; |
48 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | 48 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
49 | 49 | ||
50 | allow syslogd_t syslog_conf_t:file read_file_perms; | 50 | allow syslogd_t syslog_conf_t:file read_file_perms; |
@@ -52,3 +52,6 @@ Index: refpolicy/policy/modules/system/logging.te | |||
52 | allow syslogd_t syslog_conf_t:dir list_dir_perms; | 52 | allow syslogd_t syslog_conf_t:dir list_dir_perms; |
53 | 53 | ||
54 | # Create and bind to /dev/log or /var/run/log. | 54 | # Create and bind to /dev/log or /var/run/log. |
55 | -- | ||
56 | 2.19.1 | ||
57 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch index b5ca0f8..ed470e4 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001 | 1 | From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:51:32 +0530 | 3 | Date: Fri, 26 Aug 2016 17:51:32 +0530 |
4 | Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd | 4 | Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd |
5 | services allow rules | 5 | services allow rules |
6 | 6 | ||
7 | systemd allow rules for systemd service file operations: start, stop, restart | 7 | systemd allow rules for systemd service file operations: start, stop, restart |
@@ -24,18 +24,19 @@ unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service | |||
24 | Upstream-Status: Pending | 24 | Upstream-Status: Pending |
25 | 25 | ||
26 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 26 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
27 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
27 | --- | 28 | --- |
28 | policy/modules/system/init.te | 6 +++++- | 29 | policy/modules/system/init.te | 4 +++ |
29 | policy/modules/system/libraries.te | 3 +++ | 30 | policy/modules/system/libraries.te | 3 +++ |
30 | policy/modules/system/systemd.if | 40 +++++++++++++++++++++++++++++++++++++ | 31 | policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++ |
31 | policy/modules/system/unconfined.te | 6 ++++++ | 32 | policy/modules/system/unconfined.te | 6 +++++ |
32 | 4 files changed, 54 insertions(+), 1 deletion(-) | 33 | 4 files changed, 52 insertions(+) |
33 | 34 | ||
34 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 35 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
35 | index d710fb0..f9d7114 100644 | 36 | index 8352428a..15745c83 100644 |
36 | --- a/policy/modules/system/init.te | 37 | --- a/policy/modules/system/init.te |
37 | +++ b/policy/modules/system/init.te | 38 | +++ b/policy/modules/system/init.te |
38 | @@ -1114,3 +1114,7 @@ optional_policy(` | 39 | @@ -1425,3 +1425,7 @@ optional_policy(` |
39 | allow kernel_t init_t:process dyntransition; | 40 | allow kernel_t init_t:process dyntransition; |
40 | allow devpts_t device_t:filesystem associate; | 41 | allow devpts_t device_t:filesystem associate; |
41 | allow init_t self:capability2 block_suspend; | 42 | allow init_t self:capability2 block_suspend; |
@@ -44,10 +45,10 @@ index d710fb0..f9d7114 100644 | |||
44 | +allow initrc_t init_t:system { start status }; | 45 | +allow initrc_t init_t:system { start status }; |
45 | +allow initrc_t init_var_run_t:service { start status }; | 46 | +allow initrc_t init_var_run_t:service { start status }; |
46 | diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te | 47 | diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te |
47 | index 0f5cd56..df98fe9 100644 | 48 | index 422b0ea1..80b0c9a5 100644 |
48 | --- a/policy/modules/system/libraries.te | 49 | --- a/policy/modules/system/libraries.te |
49 | +++ b/policy/modules/system/libraries.te | 50 | +++ b/policy/modules/system/libraries.te |
50 | @@ -144,3 +144,6 @@ optional_policy(` | 51 | @@ -145,3 +145,6 @@ optional_policy(` |
51 | optional_policy(` | 52 | optional_policy(` |
52 | unconfined_domain(ldconfig_t) | 53 | unconfined_domain(ldconfig_t) |
53 | ') | 54 | ') |
@@ -55,15 +56,14 @@ index 0f5cd56..df98fe9 100644 | |||
55 | +# systemd: init domain to start lib domain service | 56 | +# systemd: init domain to start lib domain service |
56 | +systemd_service_lib_function(lib_t) | 57 | +systemd_service_lib_function(lib_t) |
57 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | 58 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
58 | index 3cd6670..822c03d 100644 | 59 | index 8d2bb8da..8fc61843 100644 |
59 | --- a/policy/modules/system/systemd.if | 60 | --- a/policy/modules/system/systemd.if |
60 | +++ b/policy/modules/system/systemd.if | 61 | +++ b/policy/modules/system/systemd.if |
61 | @@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` | 62 | @@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',` |
62 | 63 | ||
63 | allow $1 power_unit_t:service start; | 64 | getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) |
64 | ') | 65 | ') |
65 | + | 66 | + |
66 | + | ||
67 | +######################################## | 67 | +######################################## |
68 | +## <summary> | 68 | +## <summary> |
69 | +## Allow specified domain to start stop reset systemd service | 69 | +## Allow specified domain to start stop reset systemd service |
@@ -103,10 +103,10 @@ index 3cd6670..822c03d 100644 | |||
103 | + | 103 | + |
104 | +') | 104 | +') |
105 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | 105 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
106 | index 99cab31..87a1b03 100644 | 106 | index 12cc0d7c..c09e94a5 100644 |
107 | --- a/policy/modules/system/unconfined.te | 107 | --- a/policy/modules/system/unconfined.te |
108 | +++ b/policy/modules/system/unconfined.te | 108 | +++ b/policy/modules/system/unconfined.te |
109 | @@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) | 109 | @@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) |
110 | optional_policy(` | 110 | optional_policy(` |
111 | unconfined_dbus_chat(unconfined_execmem_t) | 111 | unconfined_dbus_chat(unconfined_execmem_t) |
112 | ') | 112 | ') |
@@ -117,5 +117,5 @@ index 99cab31..87a1b03 100644 | |||
117 | + | 117 | + |
118 | +allow unconfined_t init_t:system reload; | 118 | +allow unconfined_t init_t:system reload; |
119 | -- | 119 | -- |
120 | 1.9.1 | 120 | 2.19.1 |
121 | 121 | ||
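Review bot: The rules `allow initrc_t init_t:system { start status }` and `allow initrc_t init_var_run_t:service { start status }` are appended to the tail of init.te as raw allow rules outside any `ifdef(`init_systemd',...)` block, although the `system` and `service` classes are only exercised when systemd is the init; wrapping them as `ifdef(`init_systemd',` ... ')` keeps non-systemd builds of this policy from carrying them. Patch 0005 in the same series then rewrites the first of those two lines to add `reboot`, so the two patches could be folded into one to keep the series easier to rebase. The `systemd_service_lib_function` interface added to systemd.if is only partly visible here, and the rules this patch adds remain marked "Upstream-Status: Pending" since 2016, which is worth revisiting in the header.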
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch new file mode 100644 index 0000000..77c6829 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname | ||
5 | alternatives | ||
6 | |||
7 | Upstream-Status: Inappropriate [only for Yocto] | ||
8 | |||
9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | ||
12 | policy/modules/system/hostname.fc | 4 ++++ | ||
13 | 1 file changed, 4 insertions(+) | ||
14 | |||
15 | diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc | ||
16 | index 83ddeb57..653e038d 100644 | ||
17 | --- a/policy/modules/system/hostname.fc | ||
18 | +++ b/policy/modules/system/hostname.fc | ||
19 | @@ -1 +1,5 @@ | ||
20 | +/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
21 | +/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
22 | +/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
23 | + | ||
24 | /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
25 | -- | ||
26 | 2.19.1 | ||
27 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch index 35a8e1b..98b6156 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001 | 1 | From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:53:37 +0530 | 3 | Date: Fri, 26 Aug 2016 17:53:37 +0530 |
4 | Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: | 4 | Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin: |
5 | add allow rules | 5 | add allow rules |
6 | 6 | ||
7 | add allow rules for avc denails for systemd, mount, logging & authlogin | 7 | add allow rules for avc denails for systemd, mount, logging & authlogin |
@@ -30,28 +30,29 @@ tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 | |||
30 | Upstream-Status: Pending | 30 | Upstream-Status: Pending |
31 | 31 | ||
32 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 32 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
33 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
33 | --- | 34 | --- |
34 | policy/modules/system/authlogin.te | 2 ++ | 35 | policy/modules/system/authlogin.te | 2 ++ |
35 | policy/modules/system/logging.te | 7 ++++++- | 36 | policy/modules/system/logging.te | 7 ++++++- |
36 | policy/modules/system/mount.te | 3 +++ | 37 | policy/modules/system/mount.te | 3 +++ |
37 | policy/modules/system/systemd.te | 6 ++++++ | 38 | policy/modules/system/systemd.te | 5 +++++ |
38 | 4 files changed, 17 insertions(+), 1 deletion(-) | 39 | 4 files changed, 16 insertions(+), 1 deletion(-) |
39 | 40 | ||
40 | diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te | 41 | diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te |
41 | index f80dfcb..5fab54a 100644 | 42 | index 345e07f3..39f860e0 100644 |
42 | --- a/policy/modules/system/authlogin.te | 43 | --- a/policy/modules/system/authlogin.te |
43 | +++ b/policy/modules/system/authlogin.te | 44 | +++ b/policy/modules/system/authlogin.te |
44 | @@ -464,3 +464,5 @@ optional_policy(` | 45 | @@ -472,3 +472,5 @@ optional_policy(` |
45 | samba_read_var_files(nsswitch_domain) | 46 | samba_read_var_files(nsswitch_domain) |
46 | samba_dontaudit_write_var_files(nsswitch_domain) | 47 | samba_dontaudit_write_var_files(nsswitch_domain) |
47 | ') | 48 | ') |
48 | + | 49 | + |
49 | +allow chkpwd_t proc_t:filesystem getattr; | 50 | +allow chkpwd_t proc_t:filesystem getattr; |
50 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 51 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
51 | index fdf86ef..107db03 100644 | 52 | index 8ab46925..520f7da6 100644 |
52 | --- a/policy/modules/system/logging.te | 53 | --- a/policy/modules/system/logging.te |
53 | +++ b/policy/modules/system/logging.te | 54 | +++ b/policy/modules/system/logging.te |
54 | @@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; | 55 | @@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; |
55 | allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; | 56 | allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; |
56 | allow auditd_t initrc_t:unix_dgram_socket sendto; | 57 | allow auditd_t initrc_t:unix_dgram_socket sendto; |
57 | 58 | ||
@@ -64,10 +65,10 @@ index fdf86ef..107db03 100644 | |||
64 | +allow syslogd_t self:shm { read unix_read unix_write write }; | 65 | +allow syslogd_t self:shm { read unix_read unix_write write }; |
65 | +allow syslogd_t tmpfs_t:file { read write }; | 66 | +allow syslogd_t tmpfs_t:file { read write }; |
66 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | 67 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
67 | index 1c2fc33..b699309 100644 | 68 | index 3dcb8493..a87d0e82 100644 |
68 | --- a/policy/modules/system/mount.te | 69 | --- a/policy/modules/system/mount.te |
69 | +++ b/policy/modules/system/mount.te | 70 | +++ b/policy/modules/system/mount.te |
70 | @@ -229,3 +229,6 @@ optional_policy(` | 71 | @@ -231,3 +231,6 @@ optional_policy(` |
71 | files_etc_filetrans_etc_runtime(unconfined_mount_t, file) | 72 | files_etc_filetrans_etc_runtime(unconfined_mount_t, file) |
72 | unconfined_domain(unconfined_mount_t) | 73 | unconfined_domain(unconfined_mount_t) |
73 | ') | 74 | ') |
@@ -75,19 +76,21 @@ index 1c2fc33..b699309 100644 | |||
75 | +allow mount_t proc_t:filesystem getattr; | 76 | +allow mount_t proc_t:filesystem getattr; |
76 | +allow mount_t initrc_t:udp_socket { read write }; | 77 | +allow mount_t initrc_t:udp_socket { read write }; |
77 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 78 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
78 | index fdb9fef..734d455 100644 | 79 | index a6f09dfd..68b80de3 100644 |
79 | --- a/policy/modules/system/systemd.te | 80 | --- a/policy/modules/system/systemd.te |
80 | +++ b/policy/modules/system/systemd.te | 81 | +++ b/policy/modules/system/systemd.te |
81 | @@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` | 82 | @@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; |
82 | files_relabel_non_security_dirs(systemd_tmpfiles_t) | 83 | allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; |
83 | files_relabel_non_security_files(systemd_tmpfiles_t) | 84 | allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; |
84 | ') | 85 | |
85 | + | ||
86 | +allow systemd_tmpfiles_t init_t:dir search; | 86 | +allow systemd_tmpfiles_t init_t:dir search; |
87 | +allow systemd_tmpfiles_t proc_t:filesystem getattr; | 87 | +allow systemd_tmpfiles_t proc_t:filesystem getattr; |
88 | +allow systemd_tmpfiles_t init_t:file read; | 88 | +allow systemd_tmpfiles_t init_t:file read; |
89 | +allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | 89 | +allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; |
90 | +allow systemd_tmpfiles_t self:capability net_admin; | 90 | + |
91 | kernel_getattr_proc(systemd_tmpfiles_t) | ||
92 | kernel_read_kernel_sysctls(systemd_tmpfiles_t) | ||
93 | kernel_read_network_state(systemd_tmpfiles_t) | ||
91 | -- | 94 | -- |
92 | 1.9.1 | 95 | 2.19.1 |
93 | 96 | ||
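Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` duplicates the `kernel_getattr_proc(systemd_tmpfiles_t)` call that now appears two lines below it in the new context, since in refpolicy that interface expands to exactly this rule; the line can be dropped, and the matching `proc_t:filesystem getattr` rules for chkpwd_t and mount_t are better written as `kernel_getattr_proc(chkpwd_t)` and `kernel_getattr_proc(mount_t)` than as raw allows. `allow mount_t initrc_t:udp_socket { read write }` grants mount read/write on a network socket it inherited from initrc_t rather than one it opened; the usual refpolicy treatment for a leaked descriptor is to dontaudit it (something like `init_dontaudit_use_fds(mount_t)` plus a dontaudit on the socket) or close it in the caller, because permitting I/O on another domain's socket is a real privilege, not noise. Dropping the old `self:capability net_admin` for systemd_tmpfiles_t on the new side is a welcome tightening and deserves a mention in the patch description.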
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch new file mode 100644 index 0000000..60d585b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 21:37:32 -0400 | ||
4 | Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash | ||
5 | |||
6 | We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply | ||
7 | the proper context to the target for our policy. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Yocto] | ||
10 | |||
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | ||
13 | policy/modules/kernel/corecommands.fc | 1 + | ||
14 | 1 file changed, 1 insertion(+) | ||
15 | |||
16 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | ||
17 | index e7415cac..cf3848db 100644 | ||
18 | --- a/policy/modules/kernel/corecommands.fc | ||
19 | +++ b/policy/modules/kernel/corecommands.fc | ||
20 | @@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` | ||
21 | /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
22 | /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
23 | /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
24 | +/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
25 | /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
26 | /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
27 | /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) | ||
28 | -- | ||
29 | 2.19.1 | ||
30 | |||
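Review bot: The new entry `/usr/bin/bash.bash` leaves the dot unescaped, so as a regex it also matches names such as `/usr/bin/bashXbash`; the other alternative entries in this series (`hostname\.net-tools`, `login\.shadow`) escape it, so this should read `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)`. The commit message refers to `/bin/bash.bash` while the entry is under `/usr/bin`; presumably this relies on refpolicy's `/bin` to `/usr/bin` path equivalence, which is worth stating in the message so the next reader does not look for a missing `/bin` entry.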
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch index c88f2b2..7d7908f 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001 | 1 | From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:53:53 +0530 | 3 | Date: Fri, 26 Aug 2016 17:53:53 +0530 |
4 | Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init | 4 | Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init |
@@ -16,15 +16,16 @@ initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system | |||
16 | Upstream-Status: Pending | 16 | Upstream-Status: Pending |
17 | 17 | ||
18 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 18 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
19 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
19 | --- | 20 | --- |
20 | policy/modules/system/init.te | 2 +- | 21 | policy/modules/system/init.te | 2 +- |
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | 22 | 1 file changed, 1 insertion(+), 1 deletion(-) |
22 | 23 | ||
23 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
24 | index f9d7114..19a7a20 100644 | 25 | index 15745c83..d6a0270a 100644 |
25 | --- a/policy/modules/system/init.te | 26 | --- a/policy/modules/system/init.te |
26 | +++ b/policy/modules/system/init.te | 27 | +++ b/policy/modules/system/init.te |
27 | @@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate; | 28 | @@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate; |
28 | allow init_t self:capability2 block_suspend; | 29 | allow init_t self:capability2 block_suspend; |
29 | allow init_t self:capability2 audit_read; | 30 | allow init_t self:capability2 audit_read; |
30 | 31 | ||
@@ -32,5 +33,5 @@ index f9d7114..19a7a20 100644 | |||
32 | +allow initrc_t init_t:system { start status reboot }; | 33 | +allow initrc_t init_t:system { start status reboot }; |
33 | allow initrc_t init_var_run_t:service { start status }; | 34 | allow initrc_t init_var_run_t:service { start status }; |
34 | -- | 35 | -- |
35 | 1.9.1 | 36 | 2.19.1 |
36 | 37 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index cd79f45..f318c23 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch | |||
@@ -1,24 +1,30 @@ | |||
1 | Subject: [PATCH] fix real path for resolv.conf | 1 | From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 4 Apr 2019 10:45:03 -0400 | ||
4 | Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly | ||
2 | 5 | ||
3 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Pending |
4 | 7 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | |||
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | 12 | --- |
8 | policy/modules/system/sysnetwork.fc | 1 + | 13 | policy/modules/system/sysnetwork.fc | 1 + |
9 | 1 file changed, 1 insertion(+) | 14 | 1 file changed, 1 insertion(+) |
10 | 15 | ||
16 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc | ||
17 | index 1e5432a4..ac7c2dd1 100644 | ||
11 | --- a/policy/modules/system/sysnetwork.fc | 18 | --- a/policy/modules/system/sysnetwork.fc |
12 | +++ b/policy/modules/system/sysnetwork.fc | 19 | +++ b/policy/modules/system/sysnetwork.fc |
13 | @@ -17,10 +17,11 @@ ifdef(`distro_debian',` | 20 | @@ -22,6 +22,7 @@ ifdef(`distro_debian',` |
14 | /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) | ||
15 | /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) | ||
16 | /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) | ||
17 | /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) | 21 | /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) |
18 | /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) | 22 | /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) |
19 | +/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) | ||
20 | /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) | 23 | /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) |
24 | +/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) | ||
21 | 25 | ||
22 | /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) | 26 | /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) |
23 | /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) | 27 | /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) |
24 | 28 | -- | |
29 | 2.19.1 | ||
30 | |||
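Review bot: The patch header carries `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice, once in the trailer block and again after a blank line; the second copy should be dropped so the trailers parse cleanly. The `/var/run/resolv\.conf.*` entry is now placed after `yp\.conf` rather than between the `/etc` resolver entries, which keeps the `/etc` block contiguous and is fine, but the `--` qualifier only labels regular files, so if the resolver on an image creates `/var/run/resolv.conf` as a symlink the rule will not apply to it — confirm against the networking stack used.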
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch new file mode 100644 index 0000000..4f7d916 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch | |||
@@ -0,0 +1,92 @@ | |||
1 | From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Wed, 3 Apr 2019 14:51:29 -0400 | ||
4 | Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required | ||
5 | refpolicy booleans | ||
6 | |||
7 | enable required refpolicy booleans for these modules | ||
8 | |||
9 | i. mount: allow_mount_anyfile | ||
10 | without enabling this boolean we are getting below avc denial | ||
11 | |||
12 | audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media | ||
13 | /mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 | ||
14 | tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 | ||
15 | |||
16 | This avc can be allowed using the boolean 'allow_mount_anyfile' | ||
17 | allow mount_t initrc_var_run_t:dir mounton; | ||
18 | |||
19 | ii. systemd : systemd_tmpfiles_manage_all | ||
20 | without enabling this boolean we are not getting access to mount systemd | ||
21 | essential tmpfs during bootup, also not getting access to create audit.log | ||
22 | |||
23 | audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= | ||
24 | "sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles | ||
25 | _t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 | ||
26 | |||
27 | ls /var/log | ||
28 | /var/log -> volatile/log | ||
29 | :~# | ||
30 | |||
31 | The old refpolicy included a pre-generated booleans.conf that could be | ||
32 | patched. That's no longer the case so we're left with a few options, | ||
33 | tweak the default directly or create a template booleans.conf file which | ||
34 | will be updated during build time. Since this is intended to be applied | ||
35 | only for specific configuraitons it seems like the same either way and | ||
36 | this avoids us playing games to work around .gitignore. | ||
37 | |||
38 | Upstream-Status: Pending | ||
39 | |||
40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
41 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
42 | --- | ||
43 | policy/booleans.conf | 9 +++++++++ | ||
44 | policy/modules/system/mount.te | 2 +- | ||
45 | policy/modules/system/systemd.te | 2 +- | ||
46 | 3 files changed, 11 insertions(+), 2 deletions(-) | ||
47 | create mode 100644 policy/booleans.conf | ||
48 | |||
49 | diff --git a/policy/booleans.conf b/policy/booleans.conf | ||
50 | new file mode 100644 | ||
51 | index 00000000..850f56ed | ||
52 | --- /dev/null | ||
53 | +++ b/policy/booleans.conf | ||
54 | @@ -0,0 +1,9 @@ | ||
55 | +# | ||
56 | +# Allow the mount command to mount any directory or file. | ||
57 | +# | ||
58 | +allow_mount_anyfile = true | ||
59 | + | ||
60 | +# | ||
61 | +# Enable support for systemd-tmpfiles to manage all non-security files. | ||
62 | +# | ||
63 | +systemd_tmpfiles_manage_all = true | ||
64 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | ||
65 | index a87d0e82..868052b7 100644 | ||
66 | --- a/policy/modules/system/mount.te | ||
67 | +++ b/policy/modules/system/mount.te | ||
68 | @@ -10,7 +10,7 @@ policy_module(mount, 1.20.0) | ||
69 | ## Allow the mount command to mount any directory or file. | ||
70 | ## </p> | ||
71 | ## </desc> | ||
72 | -gen_tunable(allow_mount_anyfile, false) | ||
73 | +gen_tunable(allow_mount_anyfile, true) | ||
74 | |||
75 | attribute_role mount_roles; | ||
76 | roleattribute system_r mount_roles; | ||
77 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
78 | index 68b80de3..a1ef6990 100644 | ||
79 | --- a/policy/modules/system/systemd.te | ||
80 | +++ b/policy/modules/system/systemd.te | ||
81 | @@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0) | ||
82 | ## Enable support for systemd-tmpfiles to manage all non-security files. | ||
83 | ## </p> | ||
84 | ## </desc> | ||
85 | -gen_tunable(systemd_tmpfiles_manage_all, false) | ||
86 | +gen_tunable(systemd_tmpfiles_manage_all, true) | ||
87 | |||
88 | ## <desc> | ||
89 | ## <p> | ||
90 | -- | ||
91 | 2.19.1 | ||
92 | |||
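Review bot: Flipping `gen_tunable(allow_mount_anyfile, true)` and `gen_tunable(systemd_tmpfiles_manage_all, true)` in mount.te and systemd.te changes the compiled-in default for every policy built from this source, while the commit message presents editing the default and shipping a `booleans.conf` as alternatives; doing both is redundant, and the `booleans.conf` alone would be the narrower, overridable choice. Both tunables widen the TCB well beyond the two quoted denials: `allow_mount_anyfile` lets mount_t mount on any non-security file or directory and `systemd_tmpfiles_manage_all` lets systemd-tmpfiles manage and relabel all non-security files, whereas the specific needs are a `mounton` on initrc_var_run_t for mount_t and a `search` on sysctl_t for systemd_tmpfiles_t, which targeted interface calls (the init interface granting mounton on initrc_var_run_t, and a kernel sysctl interface) would cover without the blanket grant. The sysctl denial quoted from 2016 may already be covered upstream by the `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` visible in the new context of patch 0004, so both denials should be re-validated against this refpolicy before the defaults are flipped. At minimum, add a comment above each flipped default stating that it is a meta-selinux-specific relaxation and which denial it addresses.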
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch index 49f4960..8c71c90 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch | |||
@@ -1,25 +1,27 @@ | |||
1 | Subject: [PATCH] fix real path for login commands. | 1 | From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 21:43:53 -0400 | ||
4 | Subject: [PATCH 07/34] fc/login: apply login context to login.shadow | ||
2 | 5 | ||
3 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
4 | 7 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
7 | --- | 9 | --- |
8 | policy/modules/system/authlogin.fc | 5 ++--- | 10 | policy/modules/system/authlogin.fc | 1 + |
9 | 1 file changed, 2 insertions(+), 3 deletions(-) | 11 | 1 file changed, 1 insertion(+) |
10 | 12 | ||
13 | diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc | ||
14 | index e22945cd..a42bc0da 100644 | ||
11 | --- a/policy/modules/system/authlogin.fc | 15 | --- a/policy/modules/system/authlogin.fc |
12 | +++ b/policy/modules/system/authlogin.fc | 16 | +++ b/policy/modules/system/authlogin.fc |
13 | @@ -3,10 +3,12 @@ | 17 | @@ -5,6 +5,7 @@ |
14 | /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) | ||
15 | /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) | ||
16 | /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) | 18 | /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) |
17 | 19 | ||
18 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) | 20 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
19 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) | 21 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) |
20 | +/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) | ||
21 | /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) | 22 | /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) |
22 | /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) | 23 | /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) |
23 | /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 24 | /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
24 | /usr/bin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) | 25 | -- |
25 | /usr/bin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 26 | 2.19.1 |
27 | |||
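Review bot: The old side also labeled `/usr/bin/login\.tinylogin` and the new side drops it without a word in the description; if that removal is intentional (tinylogin no longer shipped) it deserves a sentence, otherwise the entry should come back. Patch 0004 in this series explicitly labels the busybox alternative `/usr/lib/busybox/bin/hostname`, but nothing here covers a busybox-provided login; if busybox can be selected as the login alternative on the same images, a matching `login_exec_t` entry is needed or login will run outside the login_t domain — confirm against the busybox alternatives layout.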
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch index 2dd90fe..27cbc9f 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5a1cef9e4a9472982f6c68190f3aa20c73c8de1e Mon Sep 17 00:00:00 2001 | 1 | From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:54:09 +0530 | 3 | Date: Fri, 26 Aug 2016 17:54:09 +0530 |
4 | Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal | 4 | Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal |
@@ -38,28 +38,29 @@ See 'systemctl status avahi-daemon.service' for details. | |||
38 | Upstream-Status: Pending | 38 | Upstream-Status: Pending |
39 | 39 | ||
40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
41 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
41 | --- | 42 | --- |
42 | policy/modules/system/init.te | 5 +++++ | 43 | policy/modules/system/init.te | 2 ++ |
43 | policy/modules/system/locallogin.te | 3 +++ | 44 | policy/modules/system/locallogin.te | 3 +++ |
44 | policy/modules/system/systemd.if | 6 ++++-- | 45 | policy/modules/system/systemd.if | 6 ++++-- |
45 | policy/modules/system/systemd.te | 3 ++- | 46 | policy/modules/system/systemd.te | 2 +- |
46 | 4 files changed, 14 insertions(+), 3 deletions(-) | 47 | 4 files changed, 10 insertions(+), 3 deletions(-) |
47 | 48 | ||
48 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 49 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
49 | index 19a7a20..cefa59d 100644 | 50 | index d6a0270a..035c7ad2 100644 |
50 | --- a/policy/modules/system/init.te | 51 | --- a/policy/modules/system/init.te |
51 | +++ b/policy/modules/system/init.te | 52 | +++ b/policy/modules/system/init.te |
52 | @@ -1105,3 +1105,5 @@ allow init_t self:capability2 audit_read; | 53 | @@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read; |
53 | 54 | ||
54 | allow initrc_t init_t:system { start status reboot }; | 55 | allow initrc_t init_t:system { start status reboot }; |
55 | allow initrc_t init_var_run_t:service { start status }; | 56 | allow initrc_t init_var_run_t:service { start status }; |
56 | + | 57 | + |
57 | +allow initrc_t init_var_run_t:service stop; | 58 | +allow initrc_t init_var_run_t:service stop; |
58 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 59 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
59 | index 09ec33f..be25c82 100644 | 60 | index 75750e4c..2c2cfc7d 100644 |
60 | --- a/policy/modules/system/locallogin.te | 61 | --- a/policy/modules/system/locallogin.te |
61 | +++ b/policy/modules/system/locallogin.te | 62 | +++ b/policy/modules/system/locallogin.te |
62 | @@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock}; | 63 | @@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock}; |
63 | allow local_login_t var_run_t:sock_file write; | 64 | allow local_login_t var_run_t:sock_file write; |
64 | allow local_login_t tmpfs_t:dir { add_name write search}; | 65 | allow local_login_t tmpfs_t:dir { add_name write search}; |
65 | allow local_login_t tmpfs_t:file { create open read write lock }; | 66 | allow local_login_t tmpfs_t:file { create open read write lock }; |
@@ -67,10 +68,10 @@ index 09ec33f..be25c82 100644 | |||
67 | +allow local_login_t initrc_t:dbus send_msg; | 68 | +allow local_login_t initrc_t:dbus send_msg; |
68 | +allow initrc_t local_login_t:dbus send_msg; | 69 | +allow initrc_t local_login_t:dbus send_msg; |
69 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | 70 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
70 | index 822c03d..8723527 100644 | 71 | index 8fc61843..1166505f 100644 |
71 | --- a/policy/modules/system/systemd.if | 72 | --- a/policy/modules/system/systemd.if |
72 | +++ b/policy/modules/system/systemd.if | 73 | +++ b/policy/modules/system/systemd.if |
73 | @@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',` | 74 | @@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',` |
74 | # | 75 | # |
75 | interface(`systemd_service_lib_function',` | 76 | interface(`systemd_service_lib_function',` |
76 | gen_require(` | 77 | gen_require(` |
@@ -85,18 +86,18 @@ index 822c03d..8723527 100644 | |||
85 | 86 | ||
86 | ') | 87 | ') |
87 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 88 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
88 | index 70ccb0e..22021eb 100644 | 89 | index a1ef6990..a62c3c38 100644 |
89 | --- a/policy/modules/system/systemd.te | 90 | --- a/policy/modules/system/systemd.te |
90 | +++ b/policy/modules/system/systemd.te | 91 | +++ b/policy/modules/system/systemd.te |
91 | @@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',` | 92 | @@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; |
92 | 93 | ||
93 | allow systemd_tmpfiles_t init_t:dir search; | 94 | allow systemd_tmpfiles_t init_t:dir search; |
94 | allow systemd_tmpfiles_t proc_t:filesystem getattr; | 95 | allow systemd_tmpfiles_t proc_t:filesystem getattr; |
95 | -allow systemd_tmpfiles_t init_t:file read; | 96 | -allow systemd_tmpfiles_t init_t:file read; |
96 | allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
97 | allow systemd_tmpfiles_t self:capability net_admin; | ||
98 | + | ||
99 | +allow systemd_tmpfiles_t init_t:file { open getattr read }; | 97 | +allow systemd_tmpfiles_t init_t:file { open getattr read }; |
98 | allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
99 | |||
100 | kernel_getattr_proc(systemd_tmpfiles_t) | ||
100 | -- | 101 | -- |
101 | 1.9.1 | 102 | 2.19.1 |
102 | 103 | ||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch index 3218c88..7a9f3f2 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch | |||
@@ -1,19 +1,21 @@ | |||
1 | From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001 | 1 | From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 22 Aug 2013 19:09:11 +0800 | 3 | Date: Thu, 28 Mar 2019 21:58:53 -0400 |
4 | Subject: [PATCH] refpolicy: fix real path for bind. | 4 | Subject: [PATCH 08/34] fc/bind: fix real path for bind |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 10 | --- |
11 | policy/modules/contrib/bind.fc | 2 ++ | 11 | policy/modules/services/bind.fc | 2 ++ |
12 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
13 | 13 | ||
14 | --- a/policy/modules/contrib/bind.fc | 14 | diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc |
15 | +++ b/policy/modules/contrib/bind.fc | 15 | index b4879dc1..59498e25 100644 |
16 | @@ -1,10 +1,12 @@ | 16 | --- a/policy/modules/services/bind.fc |
17 | +++ b/policy/modules/services/bind.fc | ||
18 | @@ -1,8 +1,10 @@ | ||
17 | /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 19 | /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
18 | +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 20 | +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
19 | /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 21 | /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
24 | /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) | 26 | /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) |
25 | /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) | 27 | /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) |
26 | /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) | 28 | /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) |
27 | /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) | 29 | -- |
28 | /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) | 30 | 2.19.1 |
31 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch index a7338e1..efe81a4 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001 | 1 | From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:54:17 +0530 | 3 | Date: Fri, 26 Aug 2016 17:54:17 +0530 |
4 | Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files | 4 | Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files |
@@ -31,17 +31,18 @@ See 'systemctl status systemd-tmpfiles-setup.service' for details. | |||
31 | Upstream-Status: Pending | 31 | Upstream-Status: Pending |
32 | 32 | ||
33 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 33 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
34 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
34 | --- | 35 | --- |
35 | policy/modules/kernel/files.if | 19 +++++++++++++++++++ | 36 | policy/modules/kernel/files.if | 19 +++++++++++++++++++ |
36 | policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++ | 37 | policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++ |
37 | policy/modules/system/systemd.te | 3 +++ | 38 | policy/modules/system/systemd.te | 2 ++ |
38 | 3 files changed, 45 insertions(+) | 39 | 3 files changed, 42 insertions(+) |
39 | 40 | ||
40 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | 41 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
41 | index 1cedea2..4ea7d55 100644 | 42 | index eb067ad3..ff74f55a 100644 |
42 | --- a/policy/modules/kernel/files.if | 43 | --- a/policy/modules/kernel/files.if |
43 | +++ b/policy/modules/kernel/files.if | 44 | +++ b/policy/modules/kernel/files.if |
44 | @@ -6729,3 +6729,22 @@ interface(`files_unconfined',` | 45 | @@ -7076,3 +7076,22 @@ interface(`files_unconfined',` |
45 | 46 | ||
46 | typeattribute $1 files_unconfined_type; | 47 | typeattribute $1 files_unconfined_type; |
47 | ') | 48 | ') |
@@ -65,14 +66,13 @@ index 1cedea2..4ea7d55 100644 | |||
65 | + allow $1 tmp_t:lnk_file getattr; | 66 | + allow $1 tmp_t:lnk_file getattr; |
66 | +') | 67 | +') |
67 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | 68 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if |
68 | index f1130d1..4604441 100644 | 69 | index 1ad282aa..342eb033 100644 |
69 | --- a/policy/modules/kernel/kernel.if | 70 | --- a/policy/modules/kernel/kernel.if |
70 | +++ b/policy/modules/kernel/kernel.if | 71 | +++ b/policy/modules/kernel/kernel.if |
71 | @@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` | 72 | @@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` |
72 | typeattribute $1 kern_unconfined; | 73 | allow $1 unlabeled_t:infiniband_endport manage_subnet; |
73 | kernel_load_module($1) | ||
74 | ') | 74 | ') |
75 | + | 75 | |
76 | +######################################## | 76 | +######################################## |
77 | +## <summary> | 77 | +## <summary> |
78 | +## systemd tmp files access to kernel sysctl domain | 78 | +## systemd tmp files access to kernel sysctl domain |
@@ -94,18 +94,16 @@ index f1130d1..4604441 100644 | |||
94 | + allow $1 sysctl_kernel_t:file { open read }; | 94 | + allow $1 sysctl_kernel_t:file { open read }; |
95 | + | 95 | + |
96 | +') | 96 | +') |
97 | + | ||
98 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 97 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
99 | index 22021eb..8813664 100644 | 98 | index a62c3c38..9b696823 100644 |
100 | --- a/policy/modules/system/systemd.te | 99 | --- a/policy/modules/system/systemd.te |
101 | +++ b/policy/modules/system/systemd.te | 100 | +++ b/policy/modules/system/systemd.te |
102 | @@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | 101 | @@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated |
103 | allow systemd_tmpfiles_t self:capability net_admin; | 102 | |
103 | kernel_read_system_state(systemd_update_done_t) | ||
104 | 104 | ||
105 | allow systemd_tmpfiles_t init_t:file { open getattr read }; | ||
106 | + | ||
107 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) | 105 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) |
108 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) | 106 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) |
109 | -- | 107 | -- |
110 | 1.9.1 | 108 | 2.19.1 |
111 | 109 | ||
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch new file mode 100644 index 0000000..6039f49 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 21:59:18 -0400 | ||
4 | Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | ||
10 | policy/modules/system/clock.fc | 5 ++++- | ||
11 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc | ||
14 | index 30196589..e0dc4b6f 100644 | ||
15 | --- a/policy/modules/system/clock.fc | ||
16 | +++ b/policy/modules/system/clock.fc | ||
17 | @@ -2,4 +2,7 @@ | ||
18 | |||
19 | /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
20 | |||
21 | -/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
22 | +/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
23 | +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
24 | +/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
25 | +/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
26 | -- | ||
27 | 2.19.1 | ||
28 | |||
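Review bot: The clock.fc hunk deletes `/usr/sbin/hwclock` and re-adds the identical line two lines further down, so the patch reads as one removal plus four additions when the only real change is three new entries; keeping the existing line where it is and adding the alternatives after it makes the patch a pure addition and simpler to rebase on the next refpolicy update. The dmesg (0010) and rpm (0014) patches in this series have the same remove-and-re-add shape for `/usr/bin/dmesg` and `/usr/sbin/cpio`; if those pairs differ only in column alignment, the same applies there. Also worth a check: refpolicy normally maps `/sbin` onto `/usr/sbin` via file_contexts.subs_dist, in which case the `/sbin/hwclock` entry is redundant — I cannot confirm that from this diff.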
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch index b01947d..f67221a 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001 | 1 | From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 26 Aug 2016 17:54:29 +0530 | 3 | Date: Fri, 26 Aug 2016 17:54:29 +0530 |
4 | Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog | 4 | Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog |
@@ -39,25 +39,26 @@ syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 | |||
39 | Upstream-Status: Pending | 39 | Upstream-Status: Pending |
40 | 40 | ||
41 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 41 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
42 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
42 | --- | 43 | --- |
43 | policy/modules/system/getty.te | 1 + | 44 | policy/modules/system/getty.te | 1 + |
44 | policy/modules/system/logging.te | 3 ++- | 45 | policy/modules/system/logging.te | 3 ++- |
45 | 2 files changed, 3 insertions(+), 1 deletion(-) | 46 | 2 files changed, 3 insertions(+), 1 deletion(-) |
46 | 47 | ||
47 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | 48 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te |
48 | index 84eaf77..2e53daf 100644 | 49 | index 423db0cc..9ab03956 100644 |
49 | --- a/policy/modules/system/getty.te | 50 | --- a/policy/modules/system/getty.te |
50 | +++ b/policy/modules/system/getty.te | 51 | +++ b/policy/modules/system/getty.te |
51 | @@ -142,3 +142,4 @@ optional_policy(` | 52 | @@ -132,3 +132,4 @@ optional_policy(` |
52 | 53 | ||
53 | allow getty_t tmpfs_t:dir search; | 54 | allow getty_t tmpfs_t:dir search; |
54 | allow getty_t tmpfs_t:file { open write lock }; | 55 | allow getty_t tmpfs_t:file { open write lock }; |
55 | +allow getty_t initrc_t:unix_dgram_socket sendto; | 56 | +allow getty_t initrc_t:unix_dgram_socket sendto; |
56 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 57 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
57 | index 107db03..95de86d 100644 | 58 | index 520f7da6..4e02dab8 100644 |
58 | --- a/policy/modules/system/logging.te | 59 | --- a/policy/modules/system/logging.te |
59 | +++ b/policy/modules/system/logging.te | 60 | +++ b/policy/modules/system/logging.te |
60 | @@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; | 61 | @@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; |
61 | allow syslogd_t self:shm create; | 62 | allow syslogd_t self:shm create; |
62 | allow syslogd_t self:sem { create read unix_write write }; | 63 | allow syslogd_t self:sem { create read unix_write write }; |
63 | allow syslogd_t self:shm { read unix_read unix_write write }; | 64 | allow syslogd_t self:shm { read unix_read unix_write write }; |
@@ -65,5 +66,5 @@ index 107db03..95de86d 100644 | |||
65 | +allow syslogd_t tmpfs_t:file { read write create getattr append open }; | 66 | +allow syslogd_t tmpfs_t:file { read write create getattr append open }; |
66 | +allow syslogd_t tmpfs_t:dir { search write add_name }; | 67 | +allow syslogd_t tmpfs_t:dir { search write add_name }; |
67 | -- | 68 | -- |
68 | 1.9.1 | 69 | 2.19.1 |
69 | 70 | ||
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch new file mode 100644 index 0000000..dc715c4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch | |||
@@ -0,0 +1,24 @@ | |||
1 | From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 08:26:55 -0400 | ||
4 | Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | ||
10 | policy/modules/admin/dmesg.fc | 4 +++- | ||
11 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc | ||
14 | index e52fdfcf..85d15127 100644 | ||
15 | --- a/policy/modules/admin/dmesg.fc | ||
16 | +++ b/policy/modules/admin/dmesg.fc | ||
17 | @@ -1 +1,3 @@ | ||
18 | -/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
19 | +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
20 | +/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
21 | +/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
22 | -- | ||
23 | 2.19.1 | ||
24 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch index f01e5aa..09576fa 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch | |||
@@ -1,18 +1,20 @@ | |||
1 | Subject: [PATCH] refpolicy: fix real path for ssh | 1 | From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 | ||
4 | Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives | ||
2 | 5 | ||
3 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
4 | 7 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
7 | --- | 9 | --- |
8 | policy/modules/services/ssh.fc | 1 + | 10 | policy/modules/services/ssh.fc | 1 + |
9 | 1 file changed, 1 insertion(+) | 11 | 1 file changed, 1 insertion(+) |
10 | 12 | ||
13 | diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc | ||
14 | index 4ac3e733..1f453091 100644 | ||
11 | --- a/policy/modules/services/ssh.fc | 15 | --- a/policy/modules/services/ssh.fc |
12 | +++ b/policy/modules/services/ssh.fc | 16 | +++ b/policy/modules/services/ssh.fc |
13 | @@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste | 17 | @@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) |
14 | |||
15 | /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) | ||
16 | /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) | 18 | /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) |
17 | 19 | ||
18 | /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) | 20 | /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) |
@@ -20,5 +22,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
20 | /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) | 22 | /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) |
21 | /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) | 23 | /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) |
22 | /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) | 24 | /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) |
23 | 25 | -- | |
24 | /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) | 26 | 2.19.1 |
27 | |||
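Review bot: The rewritten header of 0011-fc-ssh drops Xin Ouyang's Signed-off-by and replaces the author with Joe MacDonald while the diffstat still describes the same single-line ssh.fc insertion; if this is the original poky-fc-ssh change rebased rather than rewritten, the DCO trail should be kept, i.e. restore `Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>` above the existing sign-off line. The 0012 sysnetwork patch in this same series keeps both original sign-offs, so the two are inconsistent as they stand. The inserted ssh.fc line itself is unchanged between the old and new patch and is not visible in this view.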
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch index 88c8c45..f02bd3a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch | |||
@@ -1,37 +1,48 @@ | |||
1 | From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001 | 1 | From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 | 3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 |
4 | Subject: [PATCH] refpolicy: fix real path for sysnetwork | 4 | Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
11 | --- | 11 | --- |
12 | policy/modules/system/sysnetwork.fc | 3 +++ | 12 | policy/modules/system/sysnetwork.fc | 10 ++++++++++ |
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc | ||
16 | index ac7c2dd1..4e441503 100644 | ||
15 | --- a/policy/modules/system/sysnetwork.fc | 17 | --- a/policy/modules/system/sysnetwork.fc |
16 | +++ b/policy/modules/system/sysnetwork.fc | 18 | +++ b/policy/modules/system/sysnetwork.fc |
17 | @@ -54,17 +54,20 @@ ifdef(`distro_redhat',` | 19 | @@ -60,6 +60,8 @@ ifdef(`distro_redhat',` |
18 | /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | ||
19 | /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | ||
20 | /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 20 | /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
21 | /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 21 | /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
22 | /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 22 | /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
23 | +/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 23 | +/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
24 | +/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 24 | +/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
25 | /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 25 | /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
26 | /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 26 | /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
27 | /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 27 | /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
28 | /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 28 | @@ -67,9 +69,17 @@ ifdef(`distro_redhat',` |
29 | /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 29 | /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
30 | /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 30 | /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
31 | /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 31 | /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
32 | +/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 32 | +/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
33 | /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 33 | /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
34 | /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 34 | /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
35 | 35 | ||
36 | +# | ||
37 | +# /usr/lib/busybox | ||
38 | +# | ||
39 | +/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
40 | +/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
41 | +/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
42 | + | ||
36 | # | 43 | # |
37 | # /var | 44 | # /var |
45 | # | ||
46 | -- | ||
47 | 2.19.1 | ||
48 | |||
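Review bot: The busybox entries in the second sysnetwork.fc hunk place ifconfig and ip under `/usr/lib/busybox/bin/` but mii-tool under `/usr/lib/busybox/sbin/`, while the hwclock patch in this series uses `/usr/lib/busybox/sbin/hwclock`; it is worth confirming these against the directories the busybox alternatives actually install into, because an entry for the wrong directory silently leaves the real binary with whatever the broader /usr/lib pattern assigns instead of ifconfig_exec_t. If ifconfig and ip are sbin applets, the lines would read `+/usr/lib/busybox/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)` and `+/usr/lib/busybox/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`. I cannot verify the busybox layout from this diff.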
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch new file mode 100644 index 0000000..495b82f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 09:36:08 -0400 | ||
4 | Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | ||
10 | policy/modules/system/udev.fc | 2 ++ | ||
11 | 1 file changed, 2 insertions(+) | ||
12 | |||
13 | diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc | ||
14 | index 009d821a..cc438609 100644 | ||
15 | --- a/policy/modules/system/udev.fc | ||
16 | +++ b/policy/modules/system/udev.fc | ||
17 | @@ -28,6 +28,8 @@ ifdef(`distro_debian',` | ||
18 | /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
19 | /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
20 | |||
21 | +/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
22 | + | ||
23 | ifdef(`distro_redhat',` | ||
24 | /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
25 | ') | ||
26 | -- | ||
27 | 2.19.1 | ||
28 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch new file mode 100644 index 0000000..6ffabe4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 09:54:07 -0400 | ||
4 | Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | ||
10 | policy/modules/admin/rpm.fc | 5 ++++- | ||
11 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc | ||
14 | index 578d465c..f2b8003a 100644 | ||
15 | --- a/policy/modules/admin/rpm.fc | ||
16 | +++ b/policy/modules/admin/rpm.fc | ||
17 | @@ -65,5 +65,8 @@ ifdef(`distro_redhat',` | ||
18 | /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) | ||
19 | |||
20 | ifdef(`enable_mls',` | ||
21 | -/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
22 | +/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
23 | +/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
24 | +/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
25 | ') | ||
26 | + | ||
27 | -- | ||
28 | 2.19.1 | ||
29 | |||
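Review bot: The dot in `/usr/bin/cpio.cpio` on the new rpm.fc line is unescaped, so as a file_contexts regex it matches any single character rather than a literal `.`; the su patch (0015) in this same series corrects exactly this (`su.shadow` → `su\.shadow`), so for consistency the cpio entry should be `+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. Giving the general-purpose `/usr/bin/cpio` the rpm_exec_t label also widens which callers of cpio may land in the rpm domain, depending on which domains carry an rpm domain transition; a sentence in the patch description explaining why the MLS block needs this beyond the existing `/usr/sbin/cpio` entry would help whoever rebases it next. The trailing `+` blank line after `')` adds an empty last line to rpm.fc and can be dropped.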
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch index 41c32df..c0fbb69 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch | |||
@@ -1,20 +1,26 @@ | |||
1 | From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 | 1 | From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 | 3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 |
4 | Subject: [PATCH] fix real path for su.shadow command | 4 | Subject: [PATCH 15/34] fc/su: apply policy to su alternatives |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 10 | --- |
11 | policy/modules/admin/su.fc | 2 ++ | 11 | policy/modules/admin/su.fc | 2 ++ |
12 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
13 | 13 | ||
14 | diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc | ||
15 | index 3375c969..435a6892 100644 | ||
14 | --- a/policy/modules/admin/su.fc | 16 | --- a/policy/modules/admin/su.fc |
15 | +++ b/policy/modules/admin/su.fc | 17 | +++ b/policy/modules/admin/su.fc |
16 | @@ -1,3 +1,4 @@ | 18 | @@ -1,3 +1,5 @@ |
17 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) | 19 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) |
18 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) | 20 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) |
19 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) | 21 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) |
20 | +/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) | 22 | +/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) |
23 | +/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) | ||
24 | -- | ||
25 | 2.19.1 | ||
26 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch index d887e96..34e9830 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch | |||
@@ -1,55 +1,47 @@ | |||
1 | From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 | 1 | From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 | 3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 |
4 | Subject: [PATCH] refpolicy: fix real path for fstools | 4 | Subject: [PATCH 16/34] fc/fstools: fix real path for fstools |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 9 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 11 | --- |
12 | policy/modules/system/fstools.fc | 7 +++++++ | 12 | policy/modules/system/fstools.fc | 12 ++++++++++++ |
13 | 1 file changed, 7 insertions(+) | 13 | 1 file changed, 12 insertions(+) |
14 | 14 | ||
15 | diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc | ||
16 | index 8fbd5ce4..d719e22c 100644 | ||
15 | --- a/policy/modules/system/fstools.fc | 17 | --- a/policy/modules/system/fstools.fc |
16 | +++ b/policy/modules/system/fstools.fc | 18 | +++ b/policy/modules/system/fstools.fc |
17 | @@ -55,10 +55,11 @@ | 19 | @@ -58,6 +58,7 @@ |
18 | /usr/bin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
19 | |||
20 | /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 20 | /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
21 | /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 21 | /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
22 | /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 22 | /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
23 | +/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 23 | +/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
24 | /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 24 | /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
25 | /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 25 | /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
26 | /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 26 | /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
27 | /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 27 | @@ -72,10 +73,12 @@ |
28 | /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
29 | @@ -68,14 +69,16 @@ | ||
30 | /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
31 | /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
32 | /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 28 | /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
33 | /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 29 | /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
34 | /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 30 | /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
35 | +/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 31 | +/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
36 | /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 32 | /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
37 | /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 33 | /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
38 | /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 34 | /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
39 | /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 35 | /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
40 | +/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 36 | +/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
41 | /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 37 | /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
42 | /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 38 | /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
43 | /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 39 | /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
44 | /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 40 | @@ -88,17 +91,20 @@ |
45 | /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
46 | @@ -84,21 +87,24 @@ | ||
47 | /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
48 | /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
49 | /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 41 | /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
50 | /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 42 | /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
51 | /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 43 | /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
52 | +/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 44 | +/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
53 | /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 45 | /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
54 | /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 46 | /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
55 | /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 47 | /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
@@ -62,9 +54,23 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | |||
62 | /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 54 | /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
63 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 55 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
64 | /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 56 | /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
65 | +/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 57 | +/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
66 | /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 58 | /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
67 | /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 59 | /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
68 | /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 60 | /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
69 | /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 61 | @@ -108,6 +114,12 @@ |
70 | /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 62 | /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
63 | /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
64 | |||
65 | +/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
66 | +/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
67 | +/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
68 | +/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
69 | +/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
70 | + | ||
71 | /var/swap -- gen_context(system_u:object_r:swapfile_t,s0) | ||
72 | |||
73 | /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) | ||
74 | -- | ||
75 | 2.19.1 | ||
76 | |||
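Review bot: The five new `/usr/lib/busybox/sbin/...` entries use `--`, which labels regular files only; if those paths are symlinks to the busybox multi-call binary (not visible in this hunk), the contexts never apply and the domain transition is decided by the label of the link target instead, so this should be checked with `matchpathcon` or `restorecon -nv` on a built image before relying on it. The change from `blkid/.util-linux` to `blkid\.util-linux` (and the same for fdisk, hdparm, mkswap, swapoff) is a real fix, since the old pattern required an extra path component and never matched the alternatives target. A comment above the new blocks, `# update-alternatives targets for the util-linux and busybox applets`, would explain why each tool now appears more than once.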
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch index dc623d3..8455c08 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 | 1 | From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 1/6] Add the syslogd_t to trusted object | 4 | Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted |
5 | object | ||
5 | 6 | ||
6 | We add the syslogd_t to trusted object, because other process need | 7 | We add the syslogd_t to trusted object, because other process need |
7 | to have the right to connectto/sendto /dev/log. | 8 | to have the right to connectto/sendto /dev/log. |
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com> | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
14 | --- | 15 | --- |
15 | policy/modules/system/logging.te | 1 + | 16 | policy/modules/system/logging.te | 1 + |
16 | 1 file changed, 1 insertion(+) | 17 | 1 file changed, 1 insertion(+) |
17 | 18 | ||
19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
20 | index 07ed546d..a7b69932 100644 | ||
18 | --- a/policy/modules/system/logging.te | 21 | --- a/policy/modules/system/logging.te |
19 | +++ b/policy/modules/system/logging.te | 22 | +++ b/policy/modules/system/logging.te |
20 | @@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo | 23 | @@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t) |
21 | |||
22 | fs_getattr_all_fs(syslogd_t) | ||
23 | fs_search_auto_mountpoints(syslogd_t) | 24 | fs_search_auto_mountpoints(syslogd_t) |
24 | 25 | ||
25 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories | 26 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories |
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | 28 | ||
28 | term_write_console(syslogd_t) | 29 | term_write_console(syslogd_t) |
29 | # Allow syslog to a terminal | 30 | # Allow syslog to a terminal |
30 | term_write_unallocated_ttys(syslogd_t) | 31 | -- |
31 | 32 | 2.19.1 | |
33 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch new file mode 100644 index 0000000..b253f84 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of | ||
5 | /var/log | ||
6 | |||
7 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
8 | lnk_file while doing search/list/delete/rw... in /var/log/ directory. | ||
9 | |||
10 | Upstream-Status: Inappropriate [only for Poky] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | ||
15 | policy/modules/system/logging.fc | 1 + | ||
16 | policy/modules/system/logging.if | 6 ++++++ | ||
17 | policy/modules/system/logging.te | 2 ++ | ||
18 | 3 files changed, 9 insertions(+) | ||
19 | |||
20 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
21 | index 0cf108e0..5bec7e99 100644 | ||
22 | --- a/policy/modules/system/logging.fc | ||
23 | +++ b/policy/modules/system/logging.fc | ||
24 | @@ -55,6 +55,7 @@ ifdef(`distro_suse', ` | ||
25 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
26 | |||
27 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
28 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
29 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
30 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) | ||
31 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) | ||
32 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
33 | index 16091eb6..e83cb5b5 100644 | ||
34 | --- a/policy/modules/system/logging.if | ||
35 | +++ b/policy/modules/system/logging.if | ||
36 | @@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',` | ||
37 | interface(`logging_read_all_logs',` | ||
38 | gen_require(` | ||
39 | attribute logfile; | ||
40 | + type var_log_t; | ||
41 | ') | ||
42 | |||
43 | files_search_var($1) | ||
44 | allow $1 logfile:dir list_dir_perms; | ||
45 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
46 | read_files_pattern($1, logfile, logfile) | ||
47 | ') | ||
48 | |||
49 | @@ -970,10 +972,12 @@ interface(`logging_read_all_logs',` | ||
50 | interface(`logging_exec_all_logs',` | ||
51 | gen_require(` | ||
52 | attribute logfile; | ||
53 | + type var_log_t; | ||
54 | ') | ||
55 | |||
56 | files_search_var($1) | ||
57 | allow $1 logfile:dir list_dir_perms; | ||
58 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
59 | can_exec($1, logfile) | ||
60 | ') | ||
61 | |||
62 | @@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',` | ||
63 | |||
64 | files_search_var($1) | ||
65 | allow $1 var_log_t:dir list_dir_perms; | ||
66 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
67 | read_files_pattern($1, var_log_t, var_log_t) | ||
68 | ') | ||
69 | |||
70 | @@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',` | ||
71 | |||
72 | files_search_var($1) | ||
73 | manage_files_pattern($1, var_log_t, var_log_t) | ||
74 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
75 | ') | ||
76 | |||
77 | ######################################## | ||
78 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
79 | index a7b69932..fa5664b0 100644 | ||
80 | --- a/policy/modules/system/logging.te | ||
81 | +++ b/policy/modules/system/logging.te | ||
82 | @@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
83 | allow auditd_t auditd_log_t:dir setattr; | ||
84 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
85 | allow auditd_t var_log_t:dir search_dir_perms; | ||
86 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
87 | |||
88 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
89 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
90 | @@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; | ||
91 | allow audisp_remote_t self:process { getcap setcap }; | ||
92 | allow audisp_remote_t self:tcp_socket create_socket_perms; | ||
93 | allow audisp_remote_t var_log_t:dir search_dir_perms; | ||
94 | +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; | ||
95 | |||
96 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
97 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
98 | -- | ||
99 | 2.19.1 | ||
100 | |||
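Review bot: The new `allow $1 var_log_t:lnk_file read_lnk_file_perms;` rules in logging.if (lines 45, 58, 66, 74) and the two in logging.te carry no comment, and the only explanation of why they exist is the commit message; suggest `# /var/log is a symlink on poky; following it needs lnk_file read` above each. These rules only let a domain follow the link; they presume the link target directory (presumably /var/volatile/log) is itself labelled var_log_t, which this patch does not show — confirm logging.fc covers that path, otherwise the interfaces still fail at the target. The `-l` entry on line 28 gives the symlink the same `s0-mls_systemhigh` range as the `-d` entry, which is consistent.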
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch new file mode 100644 index 0000000..588c5c6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 10:33:18 -0400 | ||
4 | Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of | ||
5 | /var/log | ||
6 | |||
7 | We have added rules for the symlink of /var/log in logging.if, while | ||
8 | syslogd_t uses /var/log but does not use the interfaces in logging.if. So | ||
9 | still need add a individual rule for syslogd_t. | ||
10 | |||
11 | Upstream-Status: Inappropriate [only for Poky] | ||
12 | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
15 | --- | ||
16 | policy/modules/system/logging.te | 1 + | ||
17 | 1 file changed, 1 insertion(+) | ||
18 | |||
19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
20 | index fa5664b0..63e92a8e 100644 | ||
21 | --- a/policy/modules/system/logging.te | ||
22 | +++ b/policy/modules/system/logging.te | ||
23 | @@ -417,6 +417,7 @@ files_search_spool(syslogd_t) | ||
24 | |||
25 | # Allow access for syslog-ng | ||
26 | allow syslogd_t var_log_t:dir { create setattr }; | ||
27 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; | ||
28 | |||
29 | # for systemd but can not be conditional | ||
30 | files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") | ||
31 | -- | ||
32 | 2.19.1 | ||
33 | |||
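Review bot: The added `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` on line 27 is placed under the existing `# Allow access for syslog-ng` comment, so it reads as syslog-ng specific although the commit says it is needed because /var/log is a symlink on poky; move it under its own comment, `# poky: /var/log is a symlink, syslogd_t must be able to follow it`. This covers only the direct var_log_t use by syslogd_t, which is consistent with the description that syslogd_t does not go through the logging.if interfaces patched separately.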
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch index b828b7a..3d55476 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 | 1 | From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 | 3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 |
4 | Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ | 4 | Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir |
5 | symlinks in /var/ | ||
5 | 6 | ||
6 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in | 7 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in |
7 | /var for poky, so we need allow rules for all domains to read these | 8 | /var for poky, so we need allow rules for all domains to read these |
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 14 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 15 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
15 | --- | 16 | --- |
16 | policy/modules/kernel/domain.te | 3 +++ | 17 | policy/modules/kernel/domain.te | 3 +++ |
17 | 1 file changed, 3 insertions(+) | 18 | 1 file changed, 3 insertions(+) |
18 | 19 | ||
20 | diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te | ||
21 | index 1a55e3d2..babb794f 100644 | ||
19 | --- a/policy/modules/kernel/domain.te | 22 | --- a/policy/modules/kernel/domain.te |
20 | +++ b/policy/modules/kernel/domain.te | 23 | +++ b/policy/modules/kernel/domain.te |
21 | @@ -108,10 +108,13 @@ dev_rw_zero(domain) | 24 | @@ -110,6 +110,9 @@ term_use_controlling_term(domain) |
22 | term_use_controlling_term(domain) | ||
23 | |||
24 | # list the root directory | 25 | # list the root directory |
25 | files_list_root(domain) | 26 | files_list_root(domain) |
26 | 27 | ||
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
30 | ifdef(`hide_broken_symptoms',` | 31 | ifdef(`hide_broken_symptoms',` |
31 | # This check is in the general socket | 32 | # This check is in the general socket |
32 | # listen code, before protocol-specific | 33 | # listen code, before protocol-specific |
33 | # listen function is called, so bad calls | 34 | -- |
34 | # to listen on UDP sockets should be silenced | 35 | 2.19.1 |
36 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch index d3c1ee5..2546457 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | 1 | From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] add rules for the symlink of /tmp | 4 | Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp |
5 | 5 | ||
6 | /tmp is a symlink in poky, so we need allow rules for files to read | 6 | /tmp is a symlink in poky, so we need allow rules for files to read |
7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | 7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. |
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky] | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 13 | --- |
14 | policy/modules/kernel/files.fc | 1 + | 14 | policy/modules/kernel/files.fc | 1 + |
15 | policy/modules/kernel/files.if | 8 ++++++++ | 15 | policy/modules/kernel/files.if | 8 ++++++++ |
16 | 2 files changed, 9 insertions(+) | 16 | 2 files changed, 9 insertions(+) |
17 | 17 | ||
18 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc | ||
19 | index c3496c21..05b1734b 100644 | ||
18 | --- a/policy/modules/kernel/files.fc | 20 | --- a/policy/modules/kernel/files.fc |
19 | +++ b/policy/modules/kernel/files.fc | 21 | +++ b/policy/modules/kernel/files.fc |
20 | @@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>> | 22 | @@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> |
21 | |||
22 | # | ||
23 | # /tmp | 23 | # /tmp |
24 | # | 24 | # |
25 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | 25 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) |
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | /tmp/.* <<none>> | 27 | /tmp/.* <<none>> |
28 | /tmp/\.journal <<none>> | 28 | /tmp/\.journal <<none>> |
29 | 29 | ||
30 | /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) | 30 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
31 | /tmp/lost\+found/.* <<none>> | 31 | index f1c94411..eb067ad3 100644 |
32 | --- a/policy/modules/kernel/files.if | 32 | --- a/policy/modules/kernel/files.if |
33 | +++ b/policy/modules/kernel/files.if | 33 | +++ b/policy/modules/kernel/files.if |
34 | @@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` | 34 | @@ -4350,6 +4350,7 @@ interface(`files_search_tmp',` |
35 | gen_require(` | ||
36 | type tmp_t; | ||
37 | ') | 35 | ') |
38 | 36 | ||
39 | allow $1 tmp_t:dir search_dir_perms; | 37 | allow $1 tmp_t:dir search_dir_perms; |
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
41 | ') | 39 | ') |
42 | 40 | ||
43 | ######################################## | 41 | ######################################## |
44 | ## <summary> | 42 | @@ -4386,6 +4387,7 @@ interface(`files_list_tmp',` |
45 | ## Do not audit attempts to search the tmp directory (/tmp). | ||
46 | @@ -4615,10 +4616,11 @@ interface(`files_list_tmp',` | ||
47 | gen_require(` | ||
48 | type tmp_t; | ||
49 | ') | 43 | ') |
50 | 44 | ||
51 | allow $1 tmp_t:dir list_dir_perms; | 45 | allow $1 tmp_t:dir list_dir_perms; |
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
53 | ') | 47 | ') |
54 | 48 | ||
55 | ######################################## | 49 | ######################################## |
56 | ## <summary> | 50 | @@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',` |
57 | ## Do not audit listing of the tmp directory (/tmp). | ||
58 | @@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',` | ||
59 | gen_require(` | ||
60 | type tmp_t; | ||
61 | ') | 51 | ') |
62 | 52 | ||
63 | allow $1 tmp_t:dir del_entry_dir_perms; | 53 | allow $1 tmp_t:dir del_entry_dir_perms; |
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
65 | ') | 55 | ') |
66 | 56 | ||
67 | ######################################## | 57 | ######################################## |
68 | ## <summary> | 58 | @@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',` |
69 | ## Read files in the tmp directory (/tmp). | ||
70 | @@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files' | ||
71 | gen_require(` | ||
72 | type tmp_t; | ||
73 | ') | 59 | ') |
74 | 60 | ||
75 | read_files_pattern($1, tmp_t, tmp_t) | 61 | read_files_pattern($1, tmp_t, tmp_t) |
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
77 | ') | 63 | ') |
78 | 64 | ||
79 | ######################################## | 65 | ######################################## |
80 | ## <summary> | 66 | @@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',` |
81 | ## Manage temporary directories in /tmp. | ||
82 | @@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs | ||
83 | gen_require(` | ||
84 | type tmp_t; | ||
85 | ') | 67 | ') |
86 | 68 | ||
87 | manage_dirs_pattern($1, tmp_t, tmp_t) | 69 | manage_dirs_pattern($1, tmp_t, tmp_t) |
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
89 | ') | 71 | ') |
90 | 72 | ||
91 | ######################################## | 73 | ######################################## |
92 | ## <summary> | 74 | @@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',` |
93 | ## Manage temporary files and directories in /tmp. | ||
94 | @@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file | ||
95 | gen_require(` | ||
96 | type tmp_t; | ||
97 | ') | 75 | ') |
98 | 76 | ||
99 | manage_files_pattern($1, tmp_t, tmp_t) | 77 | manage_files_pattern($1, tmp_t, tmp_t) |
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
101 | ') | 79 | ') |
102 | 80 | ||
103 | ######################################## | 81 | ######################################## |
104 | ## <summary> | 82 | @@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',` |
105 | ## Read symbolic links in the tmp directory (/tmp). | ||
106 | @@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets' | ||
107 | gen_require(` | ||
108 | type tmp_t; | ||
109 | ') | 83 | ') |
110 | 84 | ||
111 | rw_sock_files_pattern($1, tmp_t, tmp_t) | 85 | rw_sock_files_pattern($1, tmp_t, tmp_t) |
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
113 | ') | 87 | ') |
114 | 88 | ||
115 | ######################################## | 89 | ######################################## |
116 | ## <summary> | 90 | @@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',` |
117 | ## Mount filesystems in the tmp directory (/tmp) | ||
118 | @@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',` | ||
119 | gen_require(` | ||
120 | type tmp_t; | ||
121 | ') | 91 | ') |
122 | 92 | ||
123 | filetrans_pattern($1, tmp_t, $2, $3, $4) | 93 | filetrans_pattern($1, tmp_t, $2, $3, $4) |
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
125 | ') | 95 | ') |
126 | 96 | ||
127 | ######################################## | 97 | ######################################## |
128 | ## <summary> | 98 | -- |
129 | ## Delete the contents of /tmp. | 99 | 2.19.1 |
100 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch index 7be7147..3281ae8 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch | |||
@@ -1,21 +1,22 @@ | |||
1 | From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 | 1 | From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. | 4 | Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t |
5 | to complete pty devices. | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ | 12 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ |
12 | 1 file changed, 16 insertions(+) | 13 | 1 file changed, 16 insertions(+) |
13 | 14 | ||
15 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
16 | index 61308843..a84787e6 100644 | ||
14 | --- a/policy/modules/kernel/terminal.if | 17 | --- a/policy/modules/kernel/terminal.if |
15 | +++ b/policy/modules/kernel/terminal.if | 18 | +++ b/policy/modules/kernel/terminal.if |
16 | @@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',` | 19 | @@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` |
17 | ## </param> | ||
18 | # | ||
19 | interface(`term_dontaudit_getattr_generic_ptys',` | 20 | interface(`term_dontaudit_getattr_generic_ptys',` |
20 | gen_require(` | 21 | gen_require(` |
21 | type devpts_t; | 22 | type devpts_t; |
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | ') | 28 | ') |
28 | ######################################## | 29 | ######################################## |
29 | ## <summary> | 30 | ## <summary> |
30 | ## ioctl of generic pty devices. | 31 | @@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` |
31 | ## </summary> | ||
32 | @@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi | ||
33 | # | ||
34 | # cjp: added for ppp | ||
35 | interface(`term_ioctl_generic_ptys',` | 32 | interface(`term_ioctl_generic_ptys',` |
36 | gen_require(` | 33 | gen_require(` |
37 | type devpts_t; | 34 | type devpts_t; |
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
45 | ') | 42 | ') |
46 | 43 | ||
47 | ######################################## | 44 | ######################################## |
48 | ## <summary> | 45 | @@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` |
49 | ## Allow setting the attributes of | ||
50 | @@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',` | ||
51 | # | ||
52 | # dwalsh: added for rhgb | ||
53 | interface(`term_setattr_generic_ptys',` | 46 | interface(`term_setattr_generic_ptys',` |
54 | gen_require(` | 47 | gen_require(` |
55 | type devpts_t; | 48 | type devpts_t; |
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
61 | ') | 54 | ') |
62 | 55 | ||
63 | ######################################## | 56 | ######################################## |
64 | ## <summary> | 57 | @@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` |
65 | ## Dontaudit setting the attributes of | ||
66 | @@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',` | ||
67 | # | ||
68 | # dwalsh: added for rhgb | ||
69 | interface(`term_dontaudit_setattr_generic_ptys',` | 58 | interface(`term_dontaudit_setattr_generic_ptys',` |
70 | gen_require(` | 59 | gen_require(` |
71 | type devpts_t; | 60 | type devpts_t; |
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
77 | ') | 66 | ') |
78 | 67 | ||
79 | ######################################## | 68 | ######################################## |
80 | ## <summary> | 69 | @@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` |
81 | ## Read and write the generic pty | ||
82 | @@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi | ||
83 | ## </param> | ||
84 | # | ||
85 | interface(`term_use_generic_ptys',` | 70 | interface(`term_use_generic_ptys',` |
86 | gen_require(` | 71 | gen_require(` |
87 | type devpts_t; | 72 | type devpts_t; |
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
95 | ') | 80 | ') |
96 | 81 | ||
97 | ######################################## | 82 | ######################################## |
98 | ## <summary> | 83 | @@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` |
99 | ## Dot not audit attempts to read and | ||
100 | @@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',` | ||
101 | ## </param> | ||
102 | # | ||
103 | interface(`term_dontaudit_use_generic_ptys',` | 84 | interface(`term_dontaudit_use_generic_ptys',` |
104 | gen_require(` | 85 | gen_require(` |
105 | type devpts_t; | 86 | type devpts_t; |
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
111 | ') | 92 | ') |
112 | 93 | ||
113 | ####################################### | 94 | ####################################### |
114 | ## <summary> | 95 | @@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',` |
115 | ## Set the attributes of the tty device | ||
116 | @@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt | ||
117 | ## </param> | ||
118 | # | ||
119 | interface(`term_setattr_controlling_term',` | 96 | interface(`term_setattr_controlling_term',` |
120 | gen_require(` | 97 | gen_require(` |
121 | type devtty_t; | 98 | type devtty_t; |
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
128 | ') | 105 | ') |
129 | 106 | ||
130 | ######################################## | 107 | ######################################## |
131 | ## <summary> | 108 | @@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',` |
132 | ## Read and write the controlling | ||
133 | @@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term | ||
134 | ## </param> | ||
135 | # | ||
136 | interface(`term_use_controlling_term',` | 109 | interface(`term_use_controlling_term',` |
137 | gen_require(` | 110 | gen_require(` |
138 | type devtty_t; | 111 | type devtty_t; |
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
145 | ') | 118 | ') |
146 | 119 | ||
147 | ####################################### | 120 | ####################################### |
148 | ## <summary> | 121 | -- |
149 | ## Get the attributes of the pty multiplexor (/dev/ptmx). | 122 | 2.19.1 |
123 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch index 346872a..887af46 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 | 1 | From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. | 4 | Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in |
5 | term_dontaudit_use_console. | ||
5 | 6 | ||
6 | We should also not audit terminal to rw tty_device_t and fds in | 7 | We should also not audit terminal to rw tty_device_t and fds in |
7 | term_dontaudit_use_console. | 8 | term_dontaudit_use_console. |
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 14 | --- |
14 | policy/modules/kernel/terminal.if | 3 +++ | 15 | policy/modules/kernel/terminal.if | 3 +++ |
15 | 1 file changed, 3 insertions(+) | 16 | 1 file changed, 3 insertions(+) |
16 | 17 | ||
18 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
19 | index a84787e6..cf66da2f 100644 | ||
17 | --- a/policy/modules/kernel/terminal.if | 20 | --- a/policy/modules/kernel/terminal.if |
18 | +++ b/policy/modules/kernel/terminal.if | 21 | +++ b/policy/modules/kernel/terminal.if |
19 | @@ -297,13 +297,16 @@ interface(`term_use_console',` | 22 | @@ -335,9 +335,12 @@ interface(`term_use_console',` |
20 | ## </param> | ||
21 | # | ||
22 | interface(`term_dontaudit_use_console',` | 23 | interface(`term_dontaudit_use_console',` |
23 | gen_require(` | 24 | gen_require(` |
24 | type console_device_t; | 25 | type console_device_t; |
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
31 | ') | 32 | ') |
32 | 33 | ||
33 | ######################################## | 34 | ######################################## |
34 | ## <summary> | 35 | -- |
35 | ## Set the attributes of the console | 36 | 2.19.1 |
37 | |||
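--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/services/rpc.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
+kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+
+corenet_sendrecv_nfs_server_packets(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
+--
+2.19.1
+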
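Review bot: The subject line `policy/module/rpc: allow nfsd to exec shell commands.` does not describe the change, which only uncomments `kernel_mounton_proc(nfsd_t)` in rpc.te; upstream deliberately keeps that call commented out, and in refpolicy it grants nfsd_t `mounton` on proc_t, a privileged operation that deserves an explanation. The message names no denial and no use case, so a later maintainer cannot tell whether the rule is still needed against the 2.20190201 policy. I would retitle it `policy/module/rpc: allow nfsd_t to mount on proc` and add one sentence in the body quoting the AVC denial it fixes. Since the patch is marked `Upstream-Status: Inappropriate [only for Poky]` it will be carried indefinitely, so the reasoning has to live in the patch itself.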
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch index 883daf8..b4befdd 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch | |||
@@ -1,58 +1,25 @@ | |||
1 | From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 | 1 | From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 | 3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 |
4 | Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. | 4 | Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount |
5 | nfsd_fs_t. | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/contrib/rpc.te | 5 +++++ | 12 | policy/modules/kernel/filesystem.te | 1 + |
12 | policy/modules/contrib/rpcbind.te | 5 +++++ | 13 | policy/modules/kernel/kernel.te | 2 ++ |
13 | policy/modules/kernel/filesystem.te | 1 + | 14 | policy/modules/services/rpc.te | 5 +++++ |
14 | policy/modules/kernel/kernel.te | 2 ++ | 15 | policy/modules/services/rpcbind.te | 5 +++++ |
15 | 4 files changed, 13 insertions(+) | 16 | 4 files changed, 13 insertions(+) |
16 | 17 | ||
17 | --- a/policy/modules/contrib/rpcbind.te | 18 | diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te |
18 | +++ b/policy/modules/contrib/rpcbind.te | 19 | index 1db0c652..bf1c0173 100644 |
19 | @@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t) | ||
20 | |||
21 | logging_send_syslog_msg(rpcbind_t) | ||
22 | |||
23 | miscfiles_read_localization(rpcbind_t) | ||
24 | |||
25 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
26 | +# because the are running in different level. So add rules to allow this. | ||
27 | +mls_socket_read_all_levels(rpcbind_t) | ||
28 | +mls_socket_write_all_levels(rpcbind_t) | ||
29 | + | ||
30 | ifdef(`distro_debian',` | ||
31 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
32 | ') | ||
33 | --- a/policy/modules/contrib/rpc.te | ||
34 | +++ b/policy/modules/contrib/rpc.te | ||
35 | @@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',` | ||
36 | files_read_non_auth_files(nfsd_t) | ||
37 | ') | ||
38 | |||
39 | optional_policy(` | ||
40 | mount_exec(nfsd_t) | ||
41 | + # Should domtrans to mount_t while mounting nfsd_fs_t. | ||
42 | + mount_domtrans(nfsd_t) | ||
43 | + # nfsd_t need to chdir to /var/lib/nfs and read files. | ||
44 | + files_list_var(nfsd_t) | ||
45 | + rpc_read_nfs_state_data(nfsd_t) | ||
46 | ') | ||
47 | |||
48 | ######################################## | ||
49 | # | ||
50 | # GSSD local policy | ||
51 | --- a/policy/modules/kernel/filesystem.te | 20 | --- a/policy/modules/kernel/filesystem.te |
52 | +++ b/policy/modules/kernel/filesystem.te | 21 | +++ b/policy/modules/kernel/filesystem.te |
53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) | 22 | @@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) |
54 | allow mvfs_t self:filesystem associate; | ||
55 | genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) | ||
56 | 23 | ||
57 | type nfsd_fs_t; | 24 | type nfsd_fs_t; |
58 | fs_type(nfsd_fs_t) | 25 | fs_type(nfsd_fs_t) |
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
60 | genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) | 27 | genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) |
61 | 28 | ||
62 | type nsfs_t; | 29 | type nsfs_t; |
63 | fs_type(nsfs_t) | 30 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) | 31 | index e971c533..ad7c823a 100644 |
65 | --- a/policy/modules/kernel/kernel.te | 32 | --- a/policy/modules/kernel/kernel.te |
66 | +++ b/policy/modules/kernel/kernel.te | 33 | +++ b/policy/modules/kernel/kernel.te |
67 | @@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t) | 34 | @@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) |
68 | |||
69 | mls_process_read_all_levels(kernel_t) | ||
70 | mls_process_write_all_levels(kernel_t) | 35 | mls_process_write_all_levels(kernel_t) |
71 | mls_file_write_all_levels(kernel_t) | 36 | mls_file_write_all_levels(kernel_t) |
72 | mls_file_read_all_levels(kernel_t) | 37 | mls_file_read_all_levels(kernel_t) |
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
75 | 40 | ||
76 | ifdef(`distro_redhat',` | 41 | ifdef(`distro_redhat',` |
77 | # Bugzilla 222337 | 42 | # Bugzilla 222337 |
78 | fs_rw_tmpfs_chr_files(kernel_t) | 43 | diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te |
44 | index d4209231..a2327b44 100644 | ||
45 | --- a/policy/modules/services/rpc.te | ||
46 | +++ b/policy/modules/services/rpc.te | ||
47 | @@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` | ||
48 | |||
49 | optional_policy(` | ||
50 | mount_exec(nfsd_t) | ||
51 | + # Should domtrans to mount_t while mounting nfsd_fs_t. | ||
52 | + mount_domtrans(nfsd_t) | ||
53 | + # nfsd_t need to chdir to /var/lib/nfs and read files. | ||
54 | + files_list_var(nfsd_t) | ||
55 | + rpc_read_nfs_state_data(nfsd_t) | ||
79 | ') | 56 | ') |
57 | |||
58 | ######################################## | ||
59 | diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te | ||
60 | index 5914af99..2055c114 100644 | ||
61 | --- a/policy/modules/services/rpcbind.te | ||
62 | +++ b/policy/modules/services/rpcbind.te | ||
63 | @@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) | ||
64 | |||
65 | miscfiles_read_localization(rpcbind_t) | ||
66 | |||
67 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
68 | +# because the are running in different level. So add rules to allow this. | ||
69 | +mls_socket_read_all_levels(rpcbind_t) | ||
70 | +mls_socket_write_all_levels(rpcbind_t) | ||
71 | + | ||
72 | ifdef(`distro_debian',` | ||
73 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
74 | ') | ||
75 | -- | ||
76 | 2.19.1 | ||
77 | |||
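Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` in the rpcbind.te hunk exempt rpcbind_t from the MLS socket constraints at every level, while the comment above them justifies only nfsd_t talking to rpcbind_t over a unix stream socket. If the clearance-bounded variants (`mls_socket_read_to_clearance`/`mls_socket_write_to_clearance`) are sufficient for that path they are the narrower grant; otherwise the comment should state why all levels are required, and its typo should be fixed: `# because they are running at different levels. So add rules to allow this.` The two insertions in kernel.te and the one in filesystem.te are not shown in this rendered view, so only the rpc.te and rpcbind.te hunks were reviewed. The patch is still `Upstream-Status: Pending` from 2013; an MLS override of this breadth is unlikely to be accepted upstream without the motivating denial in the message.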
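--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+allow $1 security_t:filesystem mount;
+')
+
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+allow $1 security_t:filesystem remount;
+')
+
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+')
+
+allow $1 security_t:filesystem unmount;
++
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
+')
+
+########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+')
+
+dontaudit $1 security_t:dir getattr;
++ dev_dontaudit_getattr_sysfs($1)
++ dev_dontaudit_search_sysfs($1)
+')
+
+########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+type security_t;
+')
+
++ dev_dontaudit_search_sysfs($1)
+dontaudit $1 security_t:dir search_dir_perms;
+')
+
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+type security_t;
+')
+
++ dev_dontaudit_getattr_sysfs($1)
+dontaudit $1 security_t:dir search_dir_perms;
+dontaudit $1 security_t:file read_file_perms;
+')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 security_t:dir list_dir_perms;
+allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+
+allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+bool secure_mode_policyload;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+
+allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+type security_t;
+')
+
++ dev_dontaudit_search_sysfs($1)
+dontaudit $1 security_t:dir list_dir_perms;
+dontaudit $1 security_t:file rw_file_perms;
+dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 self:netlink_selinux_socket create_socket_perms;
+allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 security_t:dir list_dir_perms;
+allow $1 security_t:file rw_file_perms;
+--
+2.19.1
+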
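Review bot: In the `selinux_dontaudit_read_fs` hunk only `dev_dontaudit_getattr_sysfs($1)` is added, although that interface dontaudits the same `security_t:dir search_dir_perms` that `selinux_dontaudit_search_fs` pairs with `dev_dontaudit_search_sysfs($1)` a few lines earlier; with selinuxfs now under /sys/fs/selinux, a caller that is quietly denied the read will presumably still log a sysfs_t `search` denial on the way there, so I would add `dev_dontaudit_search_sysfs($1)` next to the getattr line. The `selinux_unmount_fs` hunk places the two sysfs calls after the `allow ... unmount` line, whereas the mount and remount hunks place them before; the order does not change the compiled policy, but keeping the three interfaces parallel makes this carried patch easier to re-base. The commit message wording `SELINUXMNT is now from /selinux to /sys/fs/selinux` reads better as `SELINUXMNT has moved from /selinux to /sys/fs/selinux`.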
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch index a1fda13..c20dd5f 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 | 1 | From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001 |
2 | From: Roy Li <rongqing.li@windriver.com> | 2 | From: Roy Li <rongqing.li@windriver.com> |
3 | Date: Sat, 15 Feb 2014 09:45:00 +0800 | 3 | Date: Sat, 15 Feb 2014 09:45:00 +0800 |
4 | Subject: [PATCH] allow sysadm to run rpcinfo | 4 | Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo |
5 | 5 | ||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no | |||
11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 13 | --- |
14 | policy/modules/roles/sysadm.te | 4 ++++ | 14 | policy/modules/roles/sysadm.te | 1 + |
15 | 1 file changed, 4 insertions(+) | 15 | 1 file changed, 1 insertion(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
18 | index e411d4fd..f326d1d7 100644 | ||
17 | --- a/policy/modules/roles/sysadm.te | 19 | --- a/policy/modules/roles/sysadm.te |
18 | +++ b/policy/modules/roles/sysadm.te | 20 | +++ b/policy/modules/roles/sysadm.te |
19 | @@ -1169,10 +1169,14 @@ optional_policy(` | 21 | @@ -939,6 +939,7 @@ optional_policy(` |
20 | virt_admin(sysadm_t, sysadm_r) | ||
21 | virt_stream_connect(sysadm_t) | ||
22 | ') | 22 | ') |
23 | 23 | ||
24 | optional_policy(` | 24 | optional_policy(` |
25 | + rpcbind_stream_connect(sysadm_t) | 25 | + rpcbind_stream_connect(sysadm_t) |
26 | +') | 26 | rpcbind_admin(sysadm_t, sysadm_r) |
27 | + | ||
28 | +optional_policy(` | ||
29 | vmware_role(sysadm_r, sysadm_t) | ||
30 | ') | 27 | ') |
31 | 28 | ||
32 | optional_policy(` | 29 | -- |
33 | vnstatd_admin(sysadm_t, sysadm_r) | 30 | 2.19.1 |
31 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch index fba7759..e0208aa 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch | |||
@@ -1,22 +1,23 @@ | |||
1 | From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 | 1 | From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files | 4 | Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage |
5 | config files | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/system/selinuxutil.if | 1 + | 12 | policy/modules/system/selinuxutil.if | 1 + |
12 | policy/modules/system/userdomain.if | 4 ++++ | 13 | policy/modules/system/userdomain.if | 4 ++++ |
13 | 2 files changed, 5 insertions(+) | 14 | 2 files changed, 5 insertions(+) |
14 | 15 | ||
16 | diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if | ||
17 | index 20024993..0fdc8c10 100644 | ||
15 | --- a/policy/modules/system/selinuxutil.if | 18 | --- a/policy/modules/system/selinuxutil.if |
16 | +++ b/policy/modules/system/selinuxutil.if | 19 | +++ b/policy/modules/system/selinuxutil.if |
17 | @@ -753,10 +753,11 @@ interface(`seutil_manage_config',` | 20 | @@ -674,6 +674,7 @@ interface(`seutil_manage_config',` |
18 | gen_require(` | ||
19 | type selinux_config_t; | ||
20 | ') | 21 | ') |
21 | 22 | ||
22 | files_search_etc($1) | 23 | files_search_etc($1) |
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
24 | manage_files_pattern($1, selinux_config_t, selinux_config_t) | 25 | manage_files_pattern($1, selinux_config_t, selinux_config_t) |
25 | read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) | 26 | read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) |
26 | ') | 27 | ') |
27 | 28 | diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if | |
28 | ####################################### | 29 | index 5221bd13..4cf987d1 100644 |
29 | --- a/policy/modules/system/userdomain.if | 30 | --- a/policy/modules/system/userdomain.if |
30 | +++ b/policy/modules/system/userdomain.if | 31 | +++ b/policy/modules/system/userdomain.if |
31 | @@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat | 32 | @@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',` |
32 | logging_read_audit_log($1) | ||
33 | logging_read_generic_logs($1) | ||
34 | logging_read_audit_config($1) | 33 | logging_read_audit_config($1) |
35 | 34 | ||
36 | seutil_manage_bin_policy($1) | 35 | seutil_manage_bin_policy($1) |
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
41 | seutil_run_checkpolicy($1, $2) | 40 | seutil_run_checkpolicy($1, $2) |
42 | seutil_run_loadpolicy($1, $2) | 41 | seutil_run_loadpolicy($1, $2) |
43 | seutil_run_semanage($1, $2) | 42 | seutil_run_semanage($1, $2) |
44 | seutil_run_setfiles($1, $2) | 43 | -- |
45 | 44 | 2.19.1 | |
45 | |||
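--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/selinuxutil.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index db6bb368..98fed2d0 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+files_read_usr_symlinks(setfiles_t)
+files_dontaudit_read_all_symlinks(setfiles_t)
+
++fs_getattr_all_fs(setfiles_t)
+fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
+fs_getattr_nfs(setfiles_t)
+--
+2.19.1
+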
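Review bot: `fs_getattr_all_fs(setfiles_t)` is, in refpolicy, a getattr grant on the whole `filesystem_type` attribute, so it subsumes the `fs_getattr_all_xattr_fs`, `fs_getattr_cgroup` and `fs_getattr_nfs` lines that now sit directly below it; the patch should either drop those redundant calls or say why the attribute-wide grant is wanted, e.g. `# file_system_count() statvfs()s every entry in /proc/mounts, so all fs types must be stat-able`. The message says the new setfiles reads /proc/mounts but the patch adds no rule for it, which is presumably already covered by setfiles_t's existing proc access; that is worth confirming with an audit run rather than assumed. As a `Upstream-Status: Pending` change, replacing the three narrower lines rather than adding a fourth is the form more likely to be taken upstream.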
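--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/admin/dmesg.if | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+
+corecmd_search_bin($1)
+can_exec($1, dmesg_exec_t)
++ dev_read_kmsg($1)
+')
+--
+2.19.1
+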
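Review bot: The patch header carries no `Upstream-Status:` line, unlike every other patch in this series, so the layer's patch-tracking convention is broken and a reader cannot tell whether this was ever proposed to refpolicy; add `Upstream-Status: Pending` (or `Inappropriate [reason]`) above the Signed-off-by lines. On the policy itself, `dmesg_exec` is the interface for running dmesg in the caller's own domain, and `dev_read_kmsg($1)` now gives every caller of it direct read access to /dev/kmsg, i.e. the full kernel log that `kernel.dmesg_restrict` exists to keep away from unprivileged domains, which is wider than the interface name suggests. At minimum the interface summary should record it, `## Also grants read access to /dev/kmsg, which dmesg now reads by default`, and it is worth checking whether the domains that use this interface should be given `dmesg_domtrans` instead so the kmsg access stays confined to dmesg_t. The enclosing interface starts outside the hunk.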
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch index 85c40a4..d002830 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 | 1 | From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001 |
2 | From: Roy Li <rongqing.li@windriver.com> | 2 | From: Roy Li <rongqing.li@windriver.com> |
3 | Date: Mon, 10 Feb 2014 18:10:12 +0800 | 3 | Date: Mon, 10 Feb 2014 18:10:12 +0800 |
4 | Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels | 4 | Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to |
5 | mls_file_write_all_levels | ||
5 | 6 | ||
6 | Proftpd will create file under /var/run, but its mls is in high, and | 7 | Proftpd will create file under /var/run, but its mls is in high, and |
7 | can not write to lowlevel | 8 | can not write to lowlevel |
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm | |||
12 | type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir | 13 | type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir |
13 | type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) | 14 | type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) |
14 | 15 | ||
15 | root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name | 16 | root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name |
16 | allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; | 17 | allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; |
17 | root@localhost:~# | 18 | root@localhost:~# |
18 | 19 | ||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 20 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
20 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
21 | --- | 22 | --- |
22 | policy/modules/contrib/ftp.te | 2 ++ | 23 | policy/modules/services/ftp.te | 2 ++ |
23 | 1 file changed, 2 insertions(+) | 24 | 1 file changed, 2 insertions(+) |
24 | 25 | ||
25 | --- a/policy/modules/contrib/ftp.te | 26 | diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te |
26 | +++ b/policy/modules/contrib/ftp.te | 27 | index 29bc077c..d582cf80 100644 |
27 | @@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex | 28 | --- a/policy/modules/services/ftp.te |
28 | role ftpdctl_roles types ftpdctl_t; | 29 | +++ b/policy/modules/services/ftp.te |
29 | 30 | @@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t; | |
30 | type ftpdctl_tmp_t; | 31 | type ftpdctl_tmp_t; |
31 | files_tmp_file(ftpdctl_tmp_t) | 32 | files_tmp_file(ftpdctl_tmp_t) |
32 | 33 | ||
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
35 | type sftpd_t; | 36 | type sftpd_t; |
36 | domain_type(sftpd_t) | 37 | domain_type(sftpd_t) |
37 | role system_r types sftpd_t; | 38 | role system_r types sftpd_t; |
38 | 39 | -- | |
39 | type xferlog_t; | 40 | 2.19.1 |
41 | |||
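Review bot: The rewritten header (lines 1–22 of the patch) still has no `Upstream-Status:` tag, while the other patches in this series carry `Upstream-Status: Pending`; add one above the Signed-off-by lines so the layer's patch metadata stays consistent. It would also help a future reader if the description said explicitly that placing ftpd_t in `mls_file_write_all_levels`, as the subject states, is an MLS write-down override for the whole domain rather than a fix scoped to `proftpd.delay`, and why a ranged file transition for that one file was not preferred. The quoted AVC at the top of the message, ftpd_t at s15 writing into s0-s15 var_run_t, is exactly the case that override covers.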
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch index 6eba356..37d180c 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 | 1 | From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 12 Jun 2015 19:37:52 +0530 | 3 | Date: Fri, 12 Jun 2015 19:37:52 +0530 |
4 | Subject: [PATCH] refpolicy: update for systemd related allow rules | 4 | Subject: [PATCH 32/34] policy/module/init: update for systemd related allow |
5 | rules | ||
5 | 6 | ||
6 | It provide, the systemd support related allow rules | 7 | It provide, the systemd support related allow rules |
7 | 8 | ||
@@ -10,14 +11,14 @@ Upstream-Status: Pending | |||
10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 11 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
12 | --- | 13 | --- |
13 | policy/modules/system/init.te | 5 +++++ | 14 | policy/modules/system/init.te | 5 +++++ |
14 | 1 file changed, 5 insertions(+) | 15 | 1 file changed, 5 insertions(+) |
15 | 16 | ||
17 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
18 | index eabba1ed..5da25cd6 100644 | ||
16 | --- a/policy/modules/system/init.te | 19 | --- a/policy/modules/system/init.te |
17 | +++ b/policy/modules/system/init.te | 20 | +++ b/policy/modules/system/init.te |
18 | @@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre | 21 | @@ -1418,3 +1418,8 @@ optional_policy(` |
19 | optional_policy(` | ||
20 | userdom_dontaudit_search_user_home_dirs(systemprocess) | ||
21 | userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) | 22 | userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) |
22 | userdom_dontaudit_write_user_tmp_files(systemprocess) | 23 | userdom_dontaudit_write_user_tmp_files(systemprocess) |
23 | ') | 24 | ') |
@@ -26,3 +27,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
26 | +allow kernel_t init_t:process dyntransition; | 27 | +allow kernel_t init_t:process dyntransition; |
27 | +allow devpts_t device_t:filesystem associate; | 28 | +allow devpts_t device_t:filesystem associate; |
28 | +allow init_t self:capability2 block_suspend; | 29 | +allow init_t self:capability2 block_suspend; |
30 | -- | ||
31 | 2.19.1 | ||
32 | |||
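Review bot: The three rules appended at the end of init.te (`allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;`, `allow init_t self:capability2 block_suspend;`) are unconditional even though the subject scopes them to systemd, so a sysvinit build also gets the kernel_t to init_t dynamic transition. Wrap them in the `ifdef` on `init_systemd` that init.te already uses for its systemd-only rules, or express them through the kernel and terminal module interfaces, since refpolicy prefers interface calls over raw `allow` on another module's types and neither devpts_t nor device_t belongs to init. The rest of init.te is outside this hunk, so I cannot tell whether an equivalent rule already exists in the systemd block.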
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch index b33e84b..644c2cd 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch | |||
@@ -1,4 +1,7 @@ | |||
1 | Subject: [PATCH] refpolicy: fix optional issue on sysadm module | 1 | From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 | ||
4 | Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional | ||
2 | 5 | ||
3 | init and locallogin modules have a depend for sysadm module because | 6 | init and locallogin modules have a depend for sysadm module because |
4 | they have called sysadm interfaces(sysadm_shell_domtrans). Since | 7 | they have called sysadm interfaces(sysadm_shell_domtrans). Since |
@@ -13,15 +16,15 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 16 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 17 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
15 | --- | 18 | --- |
16 | policy/modules/system/init.te | 14 ++++++++------ | 19 | policy/modules/system/init.te | 16 +++++++++------- |
17 | policy/modules/system/locallogin.te | 4 +++- | 20 | policy/modules/system/locallogin.te | 4 +++- |
18 | 2 files changed, 11 insertions(+), 7 deletions(-) | 21 | 2 files changed, 12 insertions(+), 8 deletions(-) |
19 | 22 | ||
23 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
24 | index 5da25cd6..8352428a 100644 | ||
20 | --- a/policy/modules/system/init.te | 25 | --- a/policy/modules/system/init.te |
21 | +++ b/policy/modules/system/init.te | 26 | +++ b/policy/modules/system/init.te |
22 | @@ -344,17 +344,19 @@ ifdef(`init_systemd',` | 27 | @@ -446,13 +446,15 @@ ifdef(`init_systemd',` |
23 | |||
24 | optional_policy(` | ||
25 | modutils_domtrans(init_t) | 28 | modutils_domtrans(init_t) |
26 | ') | 29 | ') |
27 | ',` | 30 | ',` |
@@ -44,13 +47,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
44 | ') | 47 | ') |
45 | ') | 48 | ') |
46 | ') | 49 | ') |
47 | 50 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | |
48 | ifdef(`distro_debian',` | 51 | index a56f3d1f..4c679ff3 100644 |
49 | --- a/policy/modules/system/locallogin.te | 52 | --- a/policy/modules/system/locallogin.te |
50 | +++ b/policy/modules/system/locallogin.te | 53 | +++ b/policy/modules/system/locallogin.te |
51 | @@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) | 54 | @@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) |
52 | userdom_use_unpriv_users_fds(sulogin_t) | ||
53 | |||
54 | userdom_search_user_home_dirs(sulogin_t) | 55 | userdom_search_user_home_dirs(sulogin_t) |
55 | userdom_use_user_ptys(sulogin_t) | 56 | userdom_use_user_ptys(sulogin_t) |
56 | 57 | ||
@@ -61,5 +62,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
61 | 62 | ||
62 | # by default, sulogin does not use pam... | 63 | # by default, sulogin does not use pam... |
63 | # sulogin_pam might need to be defined otherwise | 64 | # sulogin_pam might need to be defined otherwise |
64 | ifdef(`sulogin_pam', ` | 65 | -- |
65 | selinux_get_fs_mount(sulogin_t) | 66 | 2.19.1 |
67 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch new file mode 100644 index 0000000..c374384 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 19:36:44 +0800 | ||
4 | Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of | ||
5 | /var/log - apache2 | ||
6 | |||
7 | We have added rules for the symlink of /var/log in logging.if, | ||
8 | while apache.te uses /var/log but does not use the interfaces in | ||
9 | logging.if. So still need add a individual rule for apache.te. | ||
10 | |||
11 | Upstream-Status: Pending | ||
12 | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
15 | --- | ||
16 | policy/modules/services/apache.te | 1 + | ||
17 | 1 file changed, 1 insertion(+) | ||
18 | |||
19 | diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te | ||
20 | index 15c4ea53..596370b1 100644 | ||
21 | --- a/policy/modules/services/apache.te | ||
22 | +++ b/policy/modules/services/apache.te | ||
23 | @@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
24 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
25 | setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
26 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
27 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | ||
28 | logging_log_filetrans(httpd_t, httpd_log_t, file) | ||
29 | |||
30 | allow httpd_t httpd_modules_t:dir list_dir_perms; | ||
31 | -- | ||
32 | 2.19.1 | ||
33 | |||
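Review bot: `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` references the logging module's type directly from apache.te; refpolicy routes cross-module access through interfaces so that the `gen_require` needed by modular builds is generated, and the message itself says logging.if already gained rules for the /var/log symlink. Call that interface instead (for example extend `logging_search_logs` to include the lnk_file read), which keeps the symlink permission in one place for every log-writing domain rather than per service. If the logging.if change in this series is not an exported interface, a small new interface along the lines of `logging_read_log_symlinks($1)` is the clean alternative.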
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch new file mode 100644 index 0000000..5e38b8c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 16:14:09 -0400 | ||
4 | Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths | ||
5 | |||
6 | Ensure /var/volatile paths get the appropriate base file context. | ||
7 | |||
8 | Upstream-Status: Pending | ||
9 | |||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | ||
13 | config/file_contexts.subs_dist | 10 ++++++++++ | ||
14 | 1 file changed, 10 insertions(+) | ||
15 | |||
16 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | ||
17 | index 346d920e..be532d7f 100644 | ||
18 | --- a/config/file_contexts.subs_dist | ||
19 | +++ b/config/file_contexts.subs_dist | ||
20 | @@ -31,3 +31,13 @@ | ||
21 | # not for refpolicy intern, but for /var/run using applications, | ||
22 | # like systemd tmpfiles or systemd socket configurations | ||
23 | /var/run /run | ||
24 | + | ||
25 | +# volatile aliases | ||
26 | +# ensure the policy applied to the base filesystem objects are reflected in the | ||
27 | +# volatile hierarchy. | ||
28 | +/var/volatile/log /var/log | ||
29 | +/var/volatile/run /var/run | ||
30 | +/var/volatile/cache /var/cache | ||
31 | +/var/volatile/tmp /var/tmp | ||
32 | +/var/volatile/lock /var/lock | ||
33 | +/var/volatile/run/lock /var/lock | ||
34 | -- | ||
35 | 2.19.1 | ||
36 | |||
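Review bot: `/var/volatile/run /var/run` aliases onto a path that line 23 of this same file already aliases on to `/run`, and as far as I recall libselinux applies only one substitution per lookup, so `/var/volatile/run/foo` is looked up as `/var/run/foo` and will miss file_contexts entries written against `/run` (this very series labels `/run/shutdown\.pid` in shutdown.fc). Point the volatile aliases at the canonical locations instead: `/var/volatile/run /run`, `/var/volatile/lock /run/lock` and `/var/volatile/run/lock /run/lock`, unless the policy's fc files really do carry /var/lock entries. It is also worth confirming which prefix wins when both `/var/volatile/run` and `/var/volatile/run/lock` match a path, since that depends on the order libselinux keeps its substitution list in, not just on the file order.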
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch new file mode 100644 index 0000000..98d98d4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] fix update-alternatives for sysvinit | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/admin/shutdown.fc | 1 + | ||
12 | policy/modules/kernel/corecommands.fc | 1 + | ||
13 | policy/modules/system/init.fc | 1 + | ||
14 | 3 files changed, 3 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc | ||
17 | index 03a2230c..2ba049ff 100644 | ||
18 | --- a/policy/modules/admin/shutdown.fc | ||
19 | +++ b/policy/modules/admin/shutdown.fc | ||
20 | @@ -5,5 +5,6 @@ | ||
21 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
22 | |||
23 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
24 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
25 | |||
26 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) | ||
27 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | ||
28 | index cf3848db..86920167 100644 | ||
29 | --- a/policy/modules/kernel/corecommands.fc | ||
30 | +++ b/policy/modules/kernel/corecommands.fc | ||
31 | @@ -149,6 +149,7 @@ ifdef(`distro_gentoo',` | ||
32 | /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) | ||
33 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
34 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | ||
35 | +/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) | ||
36 | /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
37 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
38 | /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
39 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc | ||
40 | index 11a6ce93..93e9d2b4 100644 | ||
41 | --- a/policy/modules/system/init.fc | ||
42 | +++ b/policy/modules/system/init.fc | ||
43 | @@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` | ||
44 | # /usr | ||
45 | # | ||
46 | /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
47 | +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
48 | /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
49 | /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
50 | /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) | ||
51 | -- | ||
52 | 2.19.1 | ||
53 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch new file mode 100644 index 0000000..3cc5395 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001 | ||
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
3 | Date: Fri, 26 Aug 2016 17:51:44 +0530 | ||
4 | Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related | ||
5 | allow rules | ||
6 | |||
7 | add allow rules for audit.log file & resolve dependent avc denials. | ||
8 | |||
9 | without this change we are getting audit avc denials mixed into bootlog & | ||
10 | audit other avc denials. | ||
11 | |||
12 | audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" | ||
13 | name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 | ||
14 | audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" | ||
15 | path="/run/systemd/journal/dev-log" scontext=sy0 | ||
16 | audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" | ||
17 | path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 | ||
18 | audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ | ||
19 | volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t | ||
20 | :s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 | ||
21 | |||
22 | Upstream-Status: Pending | ||
23 | |||
24 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
25 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
26 | --- | ||
27 | policy/modules/system/getty.te | 3 +++ | ||
28 | policy/modules/system/logging.te | 8 ++++++++ | ||
29 | 2 files changed, 11 insertions(+) | ||
30 | |||
31 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | ||
32 | index 6d3c4284..423db0cc 100644 | ||
33 | --- a/policy/modules/system/getty.te | ||
34 | +++ b/policy/modules/system/getty.te | ||
35 | @@ -129,3 +129,6 @@ optional_policy(` | ||
36 | optional_policy(` | ||
37 | udev_read_db(getty_t) | ||
38 | ') | ||
39 | + | ||
40 | +allow getty_t tmpfs_t:dir search; | ||
41 | +allow getty_t tmpfs_t:file { open write lock }; | ||
42 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
43 | index e6221a02..4cc73327 100644 | ||
44 | --- a/policy/modules/system/logging.te | ||
45 | +++ b/policy/modules/system/logging.te | ||
46 | @@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; | ||
47 | allow audisp_t self:unix_dgram_socket create_socket_perms; | ||
48 | |||
49 | allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; | ||
50 | +allow audisp_t initrc_t:unix_dgram_socket sendto; | ||
51 | |||
52 | manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) | ||
53 | files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) | ||
54 | @@ -620,3 +621,10 @@ optional_policy(` | ||
55 | # log to the xconsole | ||
56 | xserver_rw_console(syslogd_t) | ||
57 | ') | ||
58 | + | ||
59 | + | ||
60 | +allow auditd_t tmpfs_t:file { getattr setattr create open read append }; | ||
61 | +allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; | ||
62 | +allow auditd_t initrc_t:unix_dgram_socket sendto; | ||
63 | + | ||
64 | +allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
65 | \ No newline at end of file | ||
66 | -- | ||
67 | 2.19.1 | ||
68 | |||
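Review bot: The new `allow getty_t tmpfs_t:...` and `allow auditd_t tmpfs_t:...` rules fix a labeling problem by widening type enforcement: the quoted denial shows /var/volatile/log/wtmp carrying the generic tmpfs_t, so the real fix is to get var_log_t (and the audit log type for audit.log) onto /var/volatile/log, via the fc substitutions this commit also adds or a mount context or restorecon step at boot, after which none of these rules are needed. As written, auditd_t may create and append to files in any tmpfs directory (including /dev/shm) and getty's wtmp writes land in a type shared with every other tmpfs object, which is a real loss of separation for the audit trail. The `initrc_t:unix_dgram_socket sendto` rules for audisp_t, auditd_t and klogd_t should go through the init module's dgram-send interface rather than raw allows on another module's type. Nits: `search` appears twice in the auditd_t dir permission set, and the patch ends without a trailing newline.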
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch new file mode 100644 index 0000000..22eab15 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 20:48:10 -0400 | ||
4 | Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr | ||
5 | |||
6 | The objects in /usr/lib/busybox/* should have the same policy applied as | ||
7 | the corresponding objects in the / hierarchy. | ||
8 | |||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | config/file_contexts.subs_dist | 7 +++++++ | ||
12 | 1 file changed, 7 insertions(+) | ||
13 | |||
14 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | ||
15 | index be532d7f..04fca3c3 100644 | ||
16 | --- a/config/file_contexts.subs_dist | ||
17 | +++ b/config/file_contexts.subs_dist | ||
18 | @@ -41,3 +41,10 @@ | ||
19 | /var/volatile/tmp /var/tmp | ||
20 | /var/volatile/lock /var/lock | ||
21 | /var/volatile/run/lock /var/lock | ||
22 | + | ||
23 | +# busybox aliases | ||
24 | +# quickly match up the busybox built-in tree to the base filesystem tree | ||
25 | +/usr/lib/busybox/bin /bin | ||
26 | +/usr/lib/busybox/sbin /sbin | ||
27 | +/usr/lib/busybox/usr /usr | ||
28 | + | ||
29 | -- | ||
30 | 2.19.1 | ||
31 | |||
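Review bot: The busybox aliases map onto `/bin`, `/sbin` and `/usr`, but this refpolicy already writes its file contexts against the usr-merged `/usr/bin` paths (the sysvinit fc patch in this commit adds `/usr/bin/mountpoint\.sysvinit` to corecommands.fc), and if `/bin` and `/sbin` are themselves substituted earlier in this file the single-pass substitution will not chain, so `/usr/lib/busybox/bin/sh` would be looked up as `/bin/sh` and miss. Unless the earlier part of the file shows otherwise, alias directly to the canonical prefixes: `/usr/lib/busybox/bin /usr/bin` and `/usr/lib/busybox/sbin /usr/bin` (or `/usr/sbin`, whichever the fc files actually use), keeping `/usr/lib/busybox/usr /usr`. The hunk also adds a trailing blank line at the end of the file.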
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch new file mode 100644 index 0000000..e2c6c89 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001 | ||
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
3 | Date: Fri, 26 Aug 2016 17:53:46 +0530 | ||
4 | Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type | ||
5 | local_login_t | ||
6 | |||
7 | add allow rules for locallogin module avc denials. | ||
8 | |||
9 | without this change we are getting errors like these: | ||
10 | |||
11 | type=AVC msg=audit(): avc: denied { read write open } for pid=353 | ||
12 | comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext | ||
13 | =system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: | ||
14 | var_log_t:s0 tclass=file permissive=1 | ||
15 | |||
16 | type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" | ||
17 | path="/run/systemd/journal/dev-log" scontext=system_u:system_r: | ||
18 | local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 | ||
19 | tclass=unix_dgram_socket permissive=1 | ||
20 | |||
21 | type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= | ||
22 | "/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r | ||
23 | :local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass | ||
24 | =file permissive=1 | ||
25 | |||
26 | Upstream-Status: Pending | ||
27 | |||
28 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
29 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
30 | --- | ||
31 | policy/modules/system/locallogin.te | 10 ++++++++++ | ||
32 | 1 file changed, 10 insertions(+) | ||
33 | |||
34 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | ||
35 | index 4c679ff3..75750e4c 100644 | ||
36 | --- a/policy/modules/system/locallogin.te | ||
37 | +++ b/policy/modules/system/locallogin.te | ||
38 | @@ -288,3 +288,13 @@ optional_policy(` | ||
39 | optional_policy(` | ||
40 | nscd_use(sulogin_t) | ||
41 | ') | ||
42 | + | ||
43 | +allow local_login_t initrc_t:fd use; | ||
44 | +allow local_login_t initrc_t:unix_dgram_socket sendto; | ||
45 | +allow local_login_t initrc_t:unix_stream_socket connectto; | ||
46 | +allow local_login_t self:capability net_admin; | ||
47 | +allow local_login_t var_log_t:file { create lock open read write }; | ||
48 | +allow local_login_t var_run_t:file { open read write lock}; | ||
49 | +allow local_login_t var_run_t:sock_file write; | ||
50 | +allow local_login_t tmpfs_t:dir { add_name write search}; | ||
51 | +allow local_login_t tmpfs_t:file { create open read write lock }; | ||
52 | -- | ||
53 | 2.19.1 | ||
54 | |||
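Review bot: `allow local_login_t self:capability net_admin;` is not supported by any of the three denials quoted in the message (lastlog read/write/lock and dev-log sendto), and net_admin lets the login process reconfigure interfaces, routes and firewall state; it is usually triggered by a harmless setsockopt on the syslog socket, which refpolicy handles with a `dontaudit` rather than an `allow`, so drop it or change it to `dontaudit local_login_t self:capability net_admin;`. The var_log_t and tmpfs_t rules for lastlog again paper over /var/volatile/log not carrying the lastlog type (I believe local_login_t already gets lastlog access through the auth interfaces once the file is labeled), so fixing the label via the volatile fc substitutions in this commit would let most of this block go. `allow local_login_t initrc_t:unix_stream_socket connectto;` is also broader than the quoted dgram denial and should be justified in the message or removed.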
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch new file mode 100644 index 0000000..f194d6d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:39:41 +0800 | ||
4 | Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink | ||
5 | |||
6 | /etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow | ||
7 | rule for syslogd_t to read syslog_conf_t lnk_file is needed. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | ||
14 | policy/modules/system/logging.fc | 3 +++ | ||
15 | policy/modules/system/logging.te | 1 + | ||
16 | 2 files changed, 4 insertions(+) | ||
17 | |||
18 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
19 | index 6693d87b..0cf108e0 100644 | ||
20 | --- a/policy/modules/system/logging.fc | ||
21 | +++ b/policy/modules/system/logging.fc | ||
22 | @@ -2,6 +2,7 @@ | ||
23 | |||
24 | /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) | ||
25 | /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) | ||
26 | +/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) | ||
27 | /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) | ||
28 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | ||
29 | /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) | ||
30 | @@ -32,10 +33,12 @@ | ||
31 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
32 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
33 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
34 | +/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
35 | /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
36 | /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
37 | /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
38 | /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
39 | +/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
40 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
41 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
42 | |||
43 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
44 | index 0c5be1cd..38ccfe3a 100644 | ||
45 | --- a/policy/modules/system/logging.te | ||
46 | +++ b/policy/modules/system/logging.te | ||
47 | @@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms; | ||
48 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | ||
49 | |||
50 | allow syslogd_t syslog_conf_t:file read_file_perms; | ||
51 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; | ||
52 | allow syslogd_t syslog_conf_t:dir list_dir_perms; | ||
53 | |||
54 | # Create and bind to /dev/log or /var/run/log. | ||
55 | -- | ||
56 | 2.19.1 | ||
57 | |||
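Review bot: The new `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` only matters if the /etc/syslog.conf symlink itself is labeled syslog_conf_t, but the existing fc entry `/etc/syslog\.conf --` matches regular files only, so the symlink keeps the /etc default label and the rule as written may never apply; either add a symlink entry (`/etc/syslog\.conf -l gen_context(system_u:object_r:syslog_conf_t,s0)`) or drop the allow. For lnk_file the refpolicy permission set is `read_lnk_file_perms`, not `read_file_perms`. The new `/etc/syslog\.conf\.sysklogd` entry also lacks the `--` file-type field its neighbours use, so it labels any object with that name rather than just the regular file.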
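--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,121 @@
+From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/init.te | 4 +++
+policy/modules/system/libraries.te | 3 +++
+policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
+policy/modules/system/unconfined.te | 6 +++++
+4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d8696580..e15ec4b9 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+allow kernel_t init_t:process dyntransition;
+allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+optional_policy(`
+unconfined_domain(ldconfig_t)
+')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 6353ca69..4519a448 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
+
+getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++ class service { start status stop };
++ ')
++
++ allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++ class service start;
++ ')
++
++ allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+optional_policy(`
+unconfined_dbus_chat(unconfined_execmem_t)
+')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+--
+2.19.1
+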
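Review bot: Both new interfaces in systemd.if grant `service` permissions on `lib_t`, the generic shared-library type, because the quoted AVC shows `/lib/systemd/system/selinux-init.service` labelled `lib_t`; that looks like a file-context gap (a non-/usr `/lib/systemd/system` tree not matched by init.fc) rather than a missing allow rule, and fixing it in policy lets `unconfined_t` and `initrc_t` start, stop and query any unit whose file happens to carry `lib_t`. Check whether an fc entry for `/lib/systemd/system(/.*)?` with the policy's unit-file type (presumably `systemd_unit_t`, verify in init.fc) removes the need for both interfaces. Independently, both `<param>` blocks say `## Domain to not audit.` although the interfaces are allow rules; change them to `## Domain allowed access.`, and note that in `systemd_service_lib_function` `$1` is the target file type while `initrc_t` is hard-coded as the source, which inverts the refpolicy convention that the first parameter is the calling domain. `allow unconfined_t init_t:system reload;` and `allow init_t self:capability2 audit_read;` are not mentioned in the commit message and deserve a one-line comment each saying which denial they answer.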
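--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/hostname.fc | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.19.1
+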
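Review bot: The new `/usr/lib/busybox/bin/hostname` entry carries the `--` regular-file qualifier, so it only takes effect if that path is a real file; if the busybox alternative is installed as a symlink the entry is inert, and if it is a hard link to the busybox binary the `hostname_exec_t` label lands on the shared inode and therefore on every other applet sharing it, with the last restorecon winning. Verify how the busybox recipe installs that path before relying on it as the entrypoint for the `hostname_t` transition; if it is a symlink the context belongs on the link target instead. A short comment above the busybox line stating which layout it was written for would save the next reader the same check.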
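--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
+comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/authlogin.te | 2 ++
+policy/modules/system/logging.te | 7 ++++++-
+policy/modules/system/mount.te | 3 +++
+policy/modules/system/systemd.te | 5 +++++
+4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 28f74bac..dfa46612 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -479,3 +479,5 @@ optional_policy(`
+samba_read_var_files(nsswitch_domain)
+samba_dontaudit_write_var_files(nsswitch_domain)
+')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4cc73327..98c2bd19 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+unconfined_domain(unconfined_mount_t)
+')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f6455f6f..b13337b9 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+kernel_getattr_proc(systemd_tmpfiles_t)
+kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+--
+2.19.1
+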
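Review bot: `allow mount_t initrc_t:udp_socket { read write };` in the mount.te hunk grants access to a socket that `mount` inherited from its parent (the quoted AVC shows `path="socket:[9717]"`), which is a descriptor leaked by the init script rather than something mount needs; the refpolicy way is to close the leak at the source or silence it with `dontaudit mount_t initrc_t:udp_socket { read write };`, not to allow it. In the systemd.te hunk the new `allow systemd_tmpfiles_t proc_t:filesystem getattr;` sits two lines above the existing `kernel_getattr_proc(systemd_tmpfiles_t)` call, which is the interface for exactly that access, so the raw rule is redundant and the same interface should replace the raw `proc_t:filesystem getattr` rules added for `chkpwd_t` and `mount_t`. The remaining raw rules reach into other modules' private types (`init_t`, `initrc_t`, `tmpfs_t`) without a `gen_require`, which a modular build will reject; route them through interfaces (for example `init_read_state` for `/proc/1/environ` and `fs_rw_tmpfs_files` for syslogd, verifying the names in init.if and filesystem.if), and note that `allow syslogd_t tmpfs_t:file { read write };` is broader than the quoted shm denial justifies.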
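--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/kernel/corecommands.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+--
+2.19.1
+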
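--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/init.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e15ec4b9..843fdcff 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;
+allow init_t self:capability2 audit_read;
+
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+allow initrc_t init_var_run_t:service { start status };
+--
+2.19.1
+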
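Review bot: The widened rule `allow initrc_t init_t:system { start status reboot };` lets every process running in `initrc_t`, which in a minimum policy is where most services end up, ask init to reboot the machine, and nothing in the hunk records why; add a comment above it such as `# systemd: systemctl invoked from init scripts (e.g. --force reboot) talks to init_t` so the grant is not mistaken for a leftover. Before keeping a raw rule on `init_t`, check init.if for an existing interface covering the `system` class (the reboot permission in particular) and call that from the initrc section instead.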
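--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,24 +1,30 @@
-Subject: [PATCH] fix real path for resolv.conf
+From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
 
-Upstream-Status: Inappropriate [only for Poky]
+Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc | 1 +
-1 files changed, 1 insertions(+), 0 deletions(-)
+1 file changed, 1 insertion(+)
 
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 1e5432a4..ac7c2dd1 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
-/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 
 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
+--
+2.19.1
+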
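Review bot: A file-context entry only labels `/var/run/resolv.conf` when the filesystem is relabelled; a file created there at runtime by the DHCP client inherits the parent directory's type unless the creating domain has a name-based type transition, so unless `dhcpc_t` (or whichever domain writes it on this target) already carries one, this entry will not fix the live label by itself and the result should be confirmed on a booted image with `ls -Z /var/run/resolv.conf`. The patch trailer now lists `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice with a blank line between; drop the duplicate. The `Upstream-Status` change from `Inappropriate [only for Poky]` to `Pending` is only right if the entry is actually being submitted upstream, otherwise keep the old value.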
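--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ls /var/log
+/var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/booleans.conf | 9 +++++++++
+policy/modules/system/mount.te | 2 +-
+policy/modules/system/systemd.te | 2 +-
+3 files changed, 11 insertions(+), 2 deletions(-)
+create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+## Allow the mount command to mount any directory or file.
+## </p>
+## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+
+attribute_role mount_roles;
+roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b13337b9..74f9c1cb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+## <desc>
+## <p>
+--
+2.19.1
+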
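Review bot: The patch enables both tunables twice, in the new `policy/booleans.conf` and by flipping the `gen_tunable` defaults in mount.te and systemd.te, so the build-time booleans.conf is redundant and the weaker defaults are baked into every policy flavour built from this tree, which contradicts the commit message's intent of applying them only to specific configurations; keep one mechanism, preferably booleans.conf, and leave both `gen_tunable(..., false)` lines untouched. `allow_mount_anyfile` is far broader than the quoted denial needs, and the message already names the one-line fix, `allow mount_t initrc_var_run_t:dir mounton;` (or the corresponding `init_` interface), which should be preferred over a global boolean. `systemd_tmpfiles_manage_all` likewise lets systemd-tmpfiles manage all non-security files, while the quoted denial is only a `search` on `sysctl_t`; the `kernel_read_kernel_sysctls(systemd_tmpfiles_t)` call present elsewhere in this series looks like it should already cover `/proc/sys`, so verify which access is still missing before widening the policy this much.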
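--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,27 @@
+From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/authlogin.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+/usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+--
+2.19.1
+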
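--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -0,0 +1,103 @@
+From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:09 +0530
+Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
+service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/init.te | 2 ++
+policy/modules/system/locallogin.te | 3 +++
+policy/modules/system/systemd.if | 6 ++++--
+policy/modules/system/systemd.te | 2 +-
+4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 843fdcff..ca8678b8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
+
+allow initrc_t init_t:system { start status reboot };
+allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75750e4c..2c2cfc7d 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
+allow local_login_t var_run_t:sock_file write;
+allow local_login_t tmpfs_t:dir { add_name write search};
+allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 4519a448..79133e6f 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
+#
+interface(`systemd_service_lib_function',`
+gen_require(`
+- class service start;
++ class service { start status stop };
++ class file { execmod open };
+')
+
+- allow initrc_t $1:service start;
++ allow initrc_t $1:service { start status stop };
++ allow initrc_t $1:file execmod;
+
+')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 74f9c1cb..f1d26a44 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
+allow systemd_tmpfiles_t init_t:dir search;
+allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
+kernel_getattr_proc(systemd_tmpfiles_t)
+--
+2.19.1
+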
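Review bot: `allow initrc_t $1:file execmod;` added to `systemd_service_lib_function` in the systemd.if hunk is instantiated with `lib_t` by the libraries.te change earlier in this series, so `initrc_t` gains `execmod` on every shared library; that permission is for executing a writable/modified mapping (text relocations), it has nothing to do with starting or stopping units, and none of the quoted AVCs asks for it. Drop the line, and if one specific library really needs text relocations label it with refpolicy's `textrel_shlib_t` type instead of granting blanket execmod; the `open` in `class file { execmod open };` is also required but never used. In locallogin.te the raw `dbus send_msg` rules between `local_login_t` and `initrc_t` (presumably logind's domain in this minimum policy) bypass the module's interfaces; check init.if for an `init_dbus_chat`-style interface first. The init.te hunk adds `allow initrc_t init_var_run_t:service stop;` two lines below `allow initrc_t init_var_run_t:service { start status };`; merge them into `allow initrc_t init_var_run_t:service { start status stop };`.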
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch index 3218c88..6472a21 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch +++ b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch | |||
@@ -1,19 +1,21 @@ | |||
1 | From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001 | 1 | From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 22 Aug 2013 19:09:11 +0800 | 3 | Date: Thu, 28 Mar 2019 21:58:53 -0400 |
4 | Subject: [PATCH] refpolicy: fix real path for bind. | 4 | Subject: [PATCH 08/34] fc/bind: fix real path for bind |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 10 | --- |
11 | policy/modules/contrib/bind.fc | 2 ++ | 11 | policy/modules/services/bind.fc | 2 ++ |
12 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
13 | 13 | ||
14 | --- a/policy/modules/contrib/bind.fc | 14 | diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc |
15 | +++ b/policy/modules/contrib/bind.fc | 15 | index b4879dc1..59498e25 100644 |
16 | @@ -1,10 +1,12 @@ | 16 | --- a/policy/modules/services/bind.fc |
17 | +++ b/policy/modules/services/bind.fc | ||
18 | @@ -1,8 +1,10 @@ | ||
17 | /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 19 | /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
18 | +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 20 | +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
19 | /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | 21 | /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) |
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
24 | /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) | 26 | /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) |
25 | /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) | 27 | /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) |
26 | /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) | 28 | /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) |
27 | /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) | 29 | -- |
28 | /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) | 30 | 2.19.1 |
31 | |||
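--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
+From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/kernel/files.if | 19 +++++++++++++++++++
+policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
+policy/modules/system/systemd.te | 2 ++
+3 files changed, 42 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+
+typeattribute $1 files_unconfined_type;
+')
++
++########################################
++## <summary>
++## systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++ gen_require(`
++ type tmp_t;
++ class lnk_file getattr;
++ ')
++
++ allow $1 tmp_t:lnk_file getattr;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+allow $1 unlabeled_t:infiniband_endport manage_subnet;
+')
+
++########################################
++## <summary>
++## systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++ type sysctl_kernel_t;
++ class dir search;
++ class file { open read };
++ ')
++
++ allow $1 sysctl_kernel_t:dir search;
++ allow $1 sysctl_kernel_t:file { open read };
++
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f1d26a44..b4c64bc1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+
+seutil_read_file_contexts(systemd_update_done_t)
+
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+systemd_log_parse_environment(systemd_update_done_t)
+--
+2.19.1
+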
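Review bot: The two new interfaces are placed in the kernel-layer modules files.if and kernel.if but are named `systemd_service_allow_*`; refpolicy names an interface after the module that owns it (`files_*`, `kernel_*`), and the access being added is normally obtained from interfaces that already exist there (kernel.if has `kernel_read_kernel_sysctls` for sysctl_kernel_t, and files.if carries a read-tmp-symlinks interface — confirm the exact name before switching), so the two calls in the systemd.te hunk could use those and the new interfaces dropped. The kernel.if interface also grants `file { open read }` on sysctl_kernel_t although the only denial quoted in the commit message is `dir search`; either trim it to what was observed or say in the `<summary>` why file read is needed. Finally, the systemd.te hunk inserts the calls between rules for systemd_update_done_t instead of in the systemd_tmpfiles_t block that the previous patch in this series edits; moving them there preserves the per-domain grouping the file uses.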
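--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/clock.fc | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+/usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+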
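--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,70 @@
+From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/getty.te | 1 +
+policy/modules/system/logging.te | 3 ++-
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 423db0cc..9ab03956 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -132,3 +132,4 @@ optional_policy(`
+
+allow getty_t tmpfs_t:dir search;
+allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 98c2bd19..6a94ac12 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+allow syslogd_t self:shm create;
+allow syslogd_t self:sem { create read unix_write write };
+allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
+--
+2.19.1
+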
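Review bot: `allow syslogd_t tmpfs_t:file { read write create getattr append open }` together with `allow syslogd_t tmpfs_t:dir { search write add_name }` lets syslogd create files that remain labeled tmpfs_t under any tmpfs mount, while every denial quoted in the commit message concerns /var/volatile/log/messages; a type transition that labels files syslogd creates there as var_log_t would keep the log under the logging rules refpolicy already has for that type instead of widening the generic tmpfs type. The getty.te hunk names initrc_t directly from another module, which bypasses refpolicy's interface layer; that access should be requested through an init.if interface so the type stays private to the init module. If the raw rules are kept, the hand-listed permissions would conventionally be the `*_file_perms` macros from policy/support/obj_perm_sets.spt.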
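--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/admin/dmesg.fc | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.19.1
+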
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch index a01e2eb..ab81b31 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch +++ b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch | |||
@@ -1,24 +1,27 @@ | |||
1 | Subject: [PATCH] refpolicy: fix real path for ssh | 1 | From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 | ||
4 | Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives | ||
2 | 5 | ||
3 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Pending |
4 | 7 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
7 | --- | 9 | --- |
8 | policy/modules/services/ssh.fc | 1 + | 10 | policy/modules/services/ssh.fc | 1 + |
9 | 1 file changed, 1 insertion(+) | 11 | 1 file changed, 1 insertion(+) |
10 | 12 | ||
13 | diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc | ||
14 | index 4ac3e733..1f453091 100644 | ||
11 | --- a/policy/modules/services/ssh.fc | 15 | --- a/policy/modules/services/ssh.fc |
12 | +++ b/policy/modules/services/ssh.fc | 16 | +++ b/policy/modules/services/ssh.fc |
13 | @@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste | 17 | @@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) |
14 | |||
15 | /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) | ||
16 | /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) | 18 | /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) |
17 | 19 | ||
18 | /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) | 20 | /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) |
19 | +/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) | 21 | +/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) |
20 | /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) | 22 | /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) |
21 | /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) | 23 | /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) |
22 | 24 | /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) | |
23 | /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) | 25 | -- |
24 | /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) | 26 | 2.19.1 |
27 | |||
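--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,48 @@
+From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/sysnetwork.fc | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index ac7c2dd1..4e441503 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
+/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
++#
++# /usr/lib/busybox
++#
++/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
+#
+# /var
+#
+--
+2.19.1
+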
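--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/udev.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 606ad517..2919c0bd 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ifdef(`distro_redhat',`
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
+--
+2.19.1
+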
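--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
+From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/admin/rpm.fc | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 578d465c..f2b8003a 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
+/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+
+ifdef(`enable_mls',`
+-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
++
+--
+2.19.1
+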
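Review bot: `/usr/bin/cpio.cpio` on line 24 of the patch leaves the dot unescaped; file-context paths are regular expressions, so this entry also matches any single character in that position and is inconsistent with the `\.util-linux` and `\.openssh` entries elsewhere in this series. The line should read `+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The hunk also appends an empty line after the `ifdef` close (line 26), which is stray trailing whitespace in rpm.fc and worth dropping before the Upstream-Status: Pending submission.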
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch index b8597f9..b26eeea 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch +++ b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch | |||
@@ -1,22 +1,26 @@ | |||
1 | From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 | 1 | From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 | 3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 |
4 | Subject: [PATCH] fix real path for su.shadow command | 4 | Subject: [PATCH 15/34] fc/su: apply policy to su alternatives |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 10 | --- |
11 | policy/modules/admin/su.fc | 2 ++ | 11 | policy/modules/admin/su.fc | 2 ++ |
12 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
13 | 13 | ||
14 | diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc | ||
15 | index 3375c969..435a6892 100644 | ||
14 | --- a/policy/modules/admin/su.fc | 16 | --- a/policy/modules/admin/su.fc |
15 | +++ b/policy/modules/admin/su.fc | 17 | +++ b/policy/modules/admin/su.fc |
16 | @@ -2,5 +2,6 @@ | 18 | @@ -1,3 +1,5 @@ |
17 | /bin/su -- gen_context(system_u:object_r:su_exec_t,s0) | ||
18 | |||
19 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) | 19 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) |
20 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) | 20 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) |
21 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) | 21 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) |
22 | +/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) | 22 | +/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) |
23 | +/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) | ||
24 | -- | ||
25 | 2.19.1 | ||
26 | |||
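--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/fstools.fc | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 8fbd5ce4..d719e22c 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -58,6 +58,7 @@
+/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -72,10 +73,12 @@
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -88,17 +91,20 @@
+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -108,6 +114,12 @@
+/usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
+/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
+
+/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+--
+2.19.1
+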
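Review bot: `/usr/sbin/raw` on line 50 of the patch labels a new binary as fsadm_exec_t rather than adding an alternatives path for an existing entry, so it falls outside what the subject "fix real path for fstools" describes and is easy to miss when the series is reviewed upstream. Either mention it in the commit message or carry it in its own patch so each Upstream-Status: Pending change stays self-describing.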
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch index b755b45..af24d90 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 | 1 | From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 1/6] Add the syslogd_t to trusted object | 4 | Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted |
5 | object | ||
5 | 6 | ||
6 | We add the syslogd_t to trusted object, because other process need | 7 | We add the syslogd_t to trusted object, because other process need |
7 | to have the right to connectto/sendto /dev/log. | 8 | to have the right to connectto/sendto /dev/log. |
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com> | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
14 | --- | 15 | --- |
15 | policy/modules/system/logging.te | 1 + | 16 | policy/modules/system/logging.te | 1 + |
16 | 1 file changed, 1 insertion(+) | 17 | 1 file changed, 1 insertion(+) |
17 | 18 | ||
19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
20 | index 38ccfe3a..c892f547 100644 | ||
18 | --- a/policy/modules/system/logging.te | 21 | --- a/policy/modules/system/logging.te |
19 | +++ b/policy/modules/system/logging.te | 22 | +++ b/policy/modules/system/logging.te |
20 | @@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo | 23 | @@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t) |
21 | |||
22 | fs_getattr_all_fs(syslogd_t) | ||
23 | fs_search_auto_mountpoints(syslogd_t) | 24 | fs_search_auto_mountpoints(syslogd_t) |
24 | 25 | ||
25 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories | 26 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories |
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | 28 | ||
28 | term_write_console(syslogd_t) | 29 | term_write_console(syslogd_t) |
29 | # Allow syslog to a terminal | 30 | # Allow syslog to a terminal |
30 | term_write_unallocated_ttys(syslogd_t) | 31 | -- |
31 | 32 | 2.19.1 | |
33 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch new file mode 100644 index 0000000..6dca744 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of | ||
5 | /var/log | ||
6 | |||
7 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
8 | lnk_file while doing search/list/delete/rw... in /var/log/ directory. | ||
9 | |||
10 | Upstream-Status: Inappropriate [only for Poky] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | ||
15 | policy/modules/system/logging.fc | 1 + | ||
16 | policy/modules/system/logging.if | 6 ++++++ | ||
17 | policy/modules/system/logging.te | 2 ++ | ||
18 | 3 files changed, 9 insertions(+) | ||
19 | |||
20 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
21 | index 0cf108e0..5bec7e99 100644 | ||
22 | --- a/policy/modules/system/logging.fc | ||
23 | +++ b/policy/modules/system/logging.fc | ||
24 | @@ -55,6 +55,7 @@ ifdef(`distro_suse', ` | ||
25 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
26 | |||
27 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
28 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
29 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
30 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) | ||
31 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) | ||
32 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
33 | index 7b7644f7..0c7268ff 100644 | ||
34 | --- a/policy/modules/system/logging.if | ||
35 | +++ b/policy/modules/system/logging.if | ||
36 | @@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',` | ||
37 | interface(`logging_read_all_logs',` | ||
38 | gen_require(` | ||
39 | attribute logfile; | ||
40 | + type var_log_t; | ||
41 | ') | ||
42 | |||
43 | files_search_var($1) | ||
44 | allow $1 logfile:dir list_dir_perms; | ||
45 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
46 | read_files_pattern($1, logfile, logfile) | ||
47 | ') | ||
48 | |||
49 | @@ -994,10 +996,12 @@ interface(`logging_read_all_logs',` | ||
50 | interface(`logging_exec_all_logs',` | ||
51 | gen_require(` | ||
52 | attribute logfile; | ||
53 | + type var_log_t; | ||
54 | ') | ||
55 | |||
56 | files_search_var($1) | ||
57 | allow $1 logfile:dir list_dir_perms; | ||
58 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
59 | can_exec($1, logfile) | ||
60 | ') | ||
61 | |||
62 | @@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',` | ||
63 | |||
64 | files_search_var($1) | ||
65 | allow $1 var_log_t:dir list_dir_perms; | ||
66 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
67 | read_files_pattern($1, var_log_t, var_log_t) | ||
68 | ') | ||
69 | |||
70 | @@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',` | ||
71 | |||
72 | files_search_var($1) | ||
73 | manage_files_pattern($1, var_log_t, var_log_t) | ||
74 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
75 | ') | ||
76 | |||
77 | ######################################## | ||
78 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
79 | index c892f547..499a4552 100644 | ||
80 | --- a/policy/modules/system/logging.te | ||
81 | +++ b/policy/modules/system/logging.te | ||
82 | @@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
83 | allow auditd_t auditd_log_t:dir setattr; | ||
84 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
85 | allow auditd_t var_log_t:dir search_dir_perms; | ||
86 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
87 | |||
88 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
89 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
90 | @@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; | ||
91 | allow audisp_remote_t self:process { getcap setcap }; | ||
92 | allow audisp_remote_t self:tcp_socket create_socket_perms; | ||
93 | allow audisp_remote_t var_log_t:dir search_dir_perms; | ||
94 | +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; | ||
95 | |||
96 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
97 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
98 | -- | ||
99 | 2.19.1 | ||
100 | |||
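Review bot: The logging.fc hunk labels only the `/var/log` symlink itself (`/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)`), yet with /var/log being a symlink in poky the directory that actually governs log access is the link target, which this patch does not label. If the target is not mapped to var_log_t elsewhere in the series, the new `allow $1 var_log_t:lnk_file read_lnk_file_perms;` rules only let callers follow the link while the `read_files_pattern($1, logfile, logfile)` / `manage_files_pattern($1, var_log_t, var_log_t)` rules still miss the files underneath. I would either add the target path to the .fc hunk or state in the commit message which patch labels it, e.g. `# /var/log is a symlink in poky; its target is labelled var_log_t in <patch>`. A second, smaller point: the four logging.if interfaces gain identical lnk_file rules, so a one-line why-comment on the first occurrence, `# /var/log is a symlink (poky), allow following it`, would spare the next reader a trip to the commit log.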
diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch new file mode 100644 index 0000000..a532316 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 10:33:18 -0400 | ||
4 | Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of | ||
5 | /var/log | ||
6 | |||
7 | We have added rules for the symlink of /var/log in logging.if, while | ||
8 | syslogd_t uses /var/log but does not use the interfaces in logging.if. So | ||
9 | still need add a individual rule for syslogd_t. | ||
10 | |||
11 | Upstream-Status: Inappropriate [only for Poky] | ||
12 | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
15 | --- | ||
16 | policy/modules/system/logging.te | 1 + | ||
17 | 1 file changed, 1 insertion(+) | ||
18 | |||
19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
20 | index 499a4552..e6221a02 100644 | ||
21 | --- a/policy/modules/system/logging.te | ||
22 | +++ b/policy/modules/system/logging.te | ||
23 | @@ -417,6 +417,7 @@ files_search_spool(syslogd_t) | ||
24 | |||
25 | # Allow access for syslog-ng | ||
26 | allow syslogd_t var_log_t:dir { create setattr }; | ||
27 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; | ||
28 | |||
29 | # for systemd but can not be conditional | ||
30 | files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") | ||
31 | -- | ||
32 | 2.19.1 | ||
33 | |||
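Review bot: The new `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` is placed directly under the existing `# Allow access for syslog-ng` comment, which now reads as if the symlink permission were a syslog-ng need rather than the poky /var/log symlink workaround the commit message describes. I would separate it with its own comment so the intent survives the next refresh: `# /var/log is a symlink in poky; syslogd_t does not go through logging.if` followed by the allow rule. The hunk only shows the tail of syslogd_t's rules, so the rest of that block is outside this view.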
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch index b828b7a..a494671 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 | 1 | From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 | 3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 |
4 | Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ | 4 | Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir |
5 | symlinks in /var/ | ||
5 | 6 | ||
6 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in | 7 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in |
7 | /var for poky, so we need allow rules for all domains to read these | 8 | /var for poky, so we need allow rules for all domains to read these |
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 14 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 15 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
15 | --- | 16 | --- |
16 | policy/modules/kernel/domain.te | 3 +++ | 17 | policy/modules/kernel/domain.te | 3 +++ |
17 | 1 file changed, 3 insertions(+) | 18 | 1 file changed, 3 insertions(+) |
18 | 19 | ||
20 | diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te | ||
21 | index 1a55e3d2..babb794f 100644 | ||
19 | --- a/policy/modules/kernel/domain.te | 22 | --- a/policy/modules/kernel/domain.te |
20 | +++ b/policy/modules/kernel/domain.te | 23 | +++ b/policy/modules/kernel/domain.te |
21 | @@ -108,10 +108,13 @@ dev_rw_zero(domain) | 24 | @@ -110,6 +110,9 @@ term_use_controlling_term(domain) |
22 | term_use_controlling_term(domain) | ||
23 | |||
24 | # list the root directory | 25 | # list the root directory |
25 | files_list_root(domain) | 26 | files_list_root(domain) |
26 | 27 | ||
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
30 | ifdef(`hide_broken_symptoms',` | 31 | ifdef(`hide_broken_symptoms',` |
31 | # This check is in the general socket | 32 | # This check is in the general socket |
32 | # listen code, before protocol-specific | 33 | # listen code, before protocol-specific |
33 | # listen function is called, so bad calls | 34 | -- |
34 | # to listen on UDP sockets should be silenced | 35 | 2.19.1 |
36 | |||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch index 07ebf58..aa61a80 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | 1 | From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] add rules for the symlink of /tmp | 4 | Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp |
5 | 5 | ||
6 | /tmp is a symlink in poky, so we need allow rules for files to read | 6 | /tmp is a symlink in poky, so we need allow rules for files to read |
7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | 7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. |
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky] | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 13 | --- |
14 | policy/modules/kernel/files.fc | 1 + | 14 | policy/modules/kernel/files.fc | 1 + |
15 | policy/modules/kernel/files.if | 8 ++++++++ | 15 | policy/modules/kernel/files.if | 8 ++++++++ |
16 | 2 files changed, 9 insertions(+), 0 deletions(-) | 16 | 2 files changed, 9 insertions(+) |
17 | 17 | ||
18 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc | ||
19 | index c3496c21..05b1734b 100644 | ||
18 | --- a/policy/modules/kernel/files.fc | 20 | --- a/policy/modules/kernel/files.fc |
19 | +++ b/policy/modules/kernel/files.fc | 21 | +++ b/policy/modules/kernel/files.fc |
20 | @@ -191,10 +191,11 @@ ifdef(`distro_debian',` | 22 | @@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> |
21 | |||
22 | # | ||
23 | # /tmp | 23 | # /tmp |
24 | # | 24 | # |
25 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | 25 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) |
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | /tmp/.* <<none>> | 27 | /tmp/.* <<none>> |
28 | /tmp/\.journal <<none>> | 28 | /tmp/\.journal <<none>> |
29 | 29 | ||
30 | /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) | 30 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
31 | /tmp/lost\+found/.* <<none>> | 31 | index f1c94411..eb067ad3 100644 |
32 | --- a/policy/modules/kernel/files.if | 32 | --- a/policy/modules/kernel/files.if |
33 | +++ b/policy/modules/kernel/files.if | 33 | +++ b/policy/modules/kernel/files.if |
34 | @@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` | 34 | @@ -4350,6 +4350,7 @@ interface(`files_search_tmp',` |
35 | gen_require(` | ||
36 | type tmp_t; | ||
37 | ') | 35 | ') |
38 | 36 | ||
39 | allow $1 tmp_t:dir search_dir_perms; | 37 | allow $1 tmp_t:dir search_dir_perms; |
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
41 | ') | 39 | ') |
42 | 40 | ||
43 | ######################################## | 41 | ######################################## |
44 | ## <summary> | 42 | @@ -4386,6 +4387,7 @@ interface(`files_list_tmp',` |
45 | ## Do not audit attempts to search the tmp directory (/tmp). | ||
46 | @@ -4507,10 +4508,11 @@ interface(`files_list_tmp',` | ||
47 | gen_require(` | ||
48 | type tmp_t; | ||
49 | ') | 43 | ') |
50 | 44 | ||
51 | allow $1 tmp_t:dir list_dir_perms; | 45 | allow $1 tmp_t:dir list_dir_perms; |
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
53 | ') | 47 | ') |
54 | 48 | ||
55 | ######################################## | 49 | ######################################## |
56 | ## <summary> | 50 | @@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',` |
57 | ## Do not audit listing of the tmp directory (/tmp). | ||
58 | @@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',` | ||
59 | gen_require(` | ||
60 | type tmp_t; | ||
61 | ') | 51 | ') |
62 | 52 | ||
63 | allow $1 tmp_t:dir del_entry_dir_perms; | 53 | allow $1 tmp_t:dir del_entry_dir_perms; |
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
65 | ') | 55 | ') |
66 | 56 | ||
67 | ######################################## | 57 | ######################################## |
68 | ## <summary> | 58 | @@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',` |
69 | ## Read files in the tmp directory (/tmp). | ||
70 | @@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files' | ||
71 | gen_require(` | ||
72 | type tmp_t; | ||
73 | ') | 59 | ') |
74 | 60 | ||
75 | read_files_pattern($1, tmp_t, tmp_t) | 61 | read_files_pattern($1, tmp_t, tmp_t) |
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
77 | ') | 63 | ') |
78 | 64 | ||
79 | ######################################## | 65 | ######################################## |
80 | ## <summary> | 66 | @@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',` |
81 | ## Manage temporary directories in /tmp. | ||
82 | @@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs | ||
83 | gen_require(` | ||
84 | type tmp_t; | ||
85 | ') | 67 | ') |
86 | 68 | ||
87 | manage_dirs_pattern($1, tmp_t, tmp_t) | 69 | manage_dirs_pattern($1, tmp_t, tmp_t) |
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
89 | ') | 71 | ') |
90 | 72 | ||
91 | ######################################## | 73 | ######################################## |
92 | ## <summary> | 74 | @@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',` |
93 | ## Manage temporary files and directories in /tmp. | ||
94 | @@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file | ||
95 | gen_require(` | ||
96 | type tmp_t; | ||
97 | ') | 75 | ') |
98 | 76 | ||
99 | manage_files_pattern($1, tmp_t, tmp_t) | 77 | manage_files_pattern($1, tmp_t, tmp_t) |
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
101 | ') | 79 | ') |
102 | 80 | ||
103 | ######################################## | 81 | ######################################## |
104 | ## <summary> | 82 | @@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',` |
105 | ## Read symbolic links in the tmp directory (/tmp). | ||
106 | @@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets' | ||
107 | gen_require(` | ||
108 | type tmp_t; | ||
109 | ') | 83 | ') |
110 | 84 | ||
111 | rw_sock_files_pattern($1, tmp_t, tmp_t) | 85 | rw_sock_files_pattern($1, tmp_t, tmp_t) |
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
113 | ') | 87 | ') |
114 | 88 | ||
115 | ######################################## | 89 | ######################################## |
116 | ## <summary> | 90 | @@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',` |
117 | ## Mount filesystems in the tmp directory (/tmp) | ||
118 | @@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',` | ||
119 | gen_require(` | ||
120 | type tmp_t; | ||
121 | ') | 91 | ') |
122 | 92 | ||
123 | filetrans_pattern($1, tmp_t, $2, $3, $4) | 93 | filetrans_pattern($1, tmp_t, $2, $3, $4) |
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
125 | ') | 95 | ') |
126 | 96 | ||
127 | ######################################## | 97 | ######################################## |
128 | ## <summary> | 98 | -- |
129 | ## Delete the contents of /tmp. | 99 | 2.19.1 |
100 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch index ad7b5a6..68235b1 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch | |||
@@ -1,21 +1,22 @@ | |||
1 | From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 | 1 | From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. | 4 | Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t |
5 | to complete pty devices. | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ | 12 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ |
12 | 1 file changed, 16 insertions(+) | 13 | 1 file changed, 16 insertions(+) |
13 | 14 | ||
15 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
16 | index 61308843..a84787e6 100644 | ||
14 | --- a/policy/modules/kernel/terminal.if | 17 | --- a/policy/modules/kernel/terminal.if |
15 | +++ b/policy/modules/kernel/terminal.if | 18 | +++ b/policy/modules/kernel/terminal.if |
16 | @@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',` | 19 | @@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` |
17 | ## </param> | ||
18 | # | ||
19 | interface(`term_dontaudit_getattr_generic_ptys',` | 20 | interface(`term_dontaudit_getattr_generic_ptys',` |
20 | gen_require(` | 21 | gen_require(` |
21 | type devpts_t; | 22 | type devpts_t; |
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
27 | ') | 28 | ') |
28 | ######################################## | 29 | ######################################## |
29 | ## <summary> | 30 | ## <summary> |
30 | ## ioctl of generic pty devices. | 31 | @@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` |
31 | ## </summary> | ||
32 | @@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi | ||
33 | # | ||
34 | # cjp: added for ppp | ||
35 | interface(`term_ioctl_generic_ptys',` | 32 | interface(`term_ioctl_generic_ptys',` |
36 | gen_require(` | 33 | gen_require(` |
37 | type devpts_t; | 34 | type devpts_t; |
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
45 | ') | 42 | ') |
46 | 43 | ||
47 | ######################################## | 44 | ######################################## |
48 | ## <summary> | 45 | @@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` |
49 | ## Allow setting the attributes of | ||
50 | @@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',` | ||
51 | # | ||
52 | # dwalsh: added for rhgb | ||
53 | interface(`term_setattr_generic_ptys',` | 46 | interface(`term_setattr_generic_ptys',` |
54 | gen_require(` | 47 | gen_require(` |
55 | type devpts_t; | 48 | type devpts_t; |
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
61 | ') | 54 | ') |
62 | 55 | ||
63 | ######################################## | 56 | ######################################## |
64 | ## <summary> | 57 | @@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` |
65 | ## Dontaudit setting the attributes of | ||
66 | @@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',` | ||
67 | # | ||
68 | # dwalsh: added for rhgb | ||
69 | interface(`term_dontaudit_setattr_generic_ptys',` | 58 | interface(`term_dontaudit_setattr_generic_ptys',` |
70 | gen_require(` | 59 | gen_require(` |
71 | type devpts_t; | 60 | type devpts_t; |
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
77 | ') | 66 | ') |
78 | 67 | ||
79 | ######################################## | 68 | ######################################## |
80 | ## <summary> | 69 | @@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` |
81 | ## Read and write the generic pty | ||
82 | @@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi | ||
83 | ## </param> | ||
84 | # | ||
85 | interface(`term_use_generic_ptys',` | 70 | interface(`term_use_generic_ptys',` |
86 | gen_require(` | 71 | gen_require(` |
87 | type devpts_t; | 72 | type devpts_t; |
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
95 | ') | 80 | ') |
96 | 81 | ||
97 | ######################################## | 82 | ######################################## |
98 | ## <summary> | 83 | @@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` |
99 | ## Dot not audit attempts to read and | ||
100 | @@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',` | ||
101 | ## </param> | ||
102 | # | ||
103 | interface(`term_dontaudit_use_generic_ptys',` | 84 | interface(`term_dontaudit_use_generic_ptys',` |
104 | gen_require(` | 85 | gen_require(` |
105 | type devpts_t; | 86 | type devpts_t; |
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
111 | ') | 92 | ') |
112 | 93 | ||
113 | ####################################### | 94 | ####################################### |
114 | ## <summary> | 95 | @@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',` |
115 | ## Set the attributes of the tty device | ||
116 | @@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt | ||
117 | ## </param> | ||
118 | # | ||
119 | interface(`term_setattr_controlling_term',` | 96 | interface(`term_setattr_controlling_term',` |
120 | gen_require(` | 97 | gen_require(` |
121 | type devtty_t; | 98 | type devtty_t; |
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
128 | ') | 105 | ') |
129 | 106 | ||
130 | ######################################## | 107 | ######################################## |
131 | ## <summary> | 108 | @@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',` |
132 | ## Read and write the controlling | ||
133 | @@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term | ||
134 | ## </param> | ||
135 | # | ||
136 | interface(`term_use_controlling_term',` | 109 | interface(`term_use_controlling_term',` |
137 | gen_require(` | 110 | gen_require(` |
138 | type devtty_t; | 111 | type devtty_t; |
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
145 | ') | 118 | ') |
146 | 119 | ||
147 | ####################################### | 120 | ####################################### |
148 | ## <summary> | 121 | -- |
149 | ## Get the attributes of the pty multiplexor (/dev/ptmx). | 122 | 2.19.1 |
123 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch index e3ea75e..06f9207 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 | 1 | From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. | 4 | Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in |
5 | term_dontaudit_use_console. | ||
5 | 6 | ||
6 | We should also not audit terminal to rw tty_device_t and fds in | 7 | We should also not audit terminal to rw tty_device_t and fds in |
7 | term_dontaudit_use_console. | 8 | term_dontaudit_use_console. |
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 14 | --- |
14 | policy/modules/kernel/terminal.if | 3 +++ | 15 | policy/modules/kernel/terminal.if | 3 +++ |
15 | 1 file changed, 3 insertions(+) | 16 | 1 file changed, 3 insertions(+) |
16 | 17 | ||
18 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
19 | index a84787e6..cf66da2f 100644 | ||
17 | --- a/policy/modules/kernel/terminal.if | 20 | --- a/policy/modules/kernel/terminal.if |
18 | +++ b/policy/modules/kernel/terminal.if | 21 | +++ b/policy/modules/kernel/terminal.if |
19 | @@ -315,13 +315,16 @@ interface(`term_use_console',` | 22 | @@ -335,9 +335,12 @@ interface(`term_use_console',` |
20 | ## </param> | ||
21 | # | ||
22 | interface(`term_dontaudit_use_console',` | 23 | interface(`term_dontaudit_use_console',` |
23 | gen_require(` | 24 | gen_require(` |
24 | type console_device_t; | 25 | type console_device_t; |
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
31 | ') | 32 | ') |
32 | 33 | ||
33 | ######################################## | 34 | ######################################## |
34 | ## <summary> | 35 | -- |
35 | ## Set the attributes of the console | 36 | 2.19.1 |
37 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..01f6c8b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands. | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/services/rpc.te | 2 +- | ||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te | ||
15 | index 47fa2fd0..d4209231 100644 | ||
16 | --- a/policy/modules/services/rpc.te | ||
17 | +++ b/policy/modules/services/rpc.te | ||
18 | @@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t) | ||
19 | kernel_dontaudit_getattr_core_if(nfsd_t) | ||
20 | kernel_setsched(nfsd_t) | ||
21 | kernel_request_load_module(nfsd_t) | ||
22 | -# kernel_mounton_proc(nfsd_t) | ||
23 | +kernel_mounton_proc(nfsd_t) | ||
24 | |||
25 | corenet_sendrecv_nfs_server_packets(nfsd_t) | ||
26 | corenet_tcp_bind_nfs_port(nfsd_t) | ||
27 | -- | ||
28 | 2.19.1 | ||
29 | |||
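Review bot: The subject line "allow nfsd to exec shell commands" does not describe the change, which only un-comments `kernel_mounton_proc(nfsd_t)` in rpc.te; nothing in the hunk touches shell or exec permissions. Since mounting on proc_t is a broader privilege than the title suggests, the commit message should state what nfsd_t actually mounts there (presumably the nfsd filesystem under /proc, but that is not shown here) and the subject should be corrected to match, e.g. `policy/module/rpc: allow nfsd_t to mount on proc_t`. Upstream had this line deliberately commented out, so a short reason in the message also helps justify the `Inappropriate [only for Poky]` status rather than `Pending`.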
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch index d0b0073..78a4328 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch | |||
@@ -1,58 +1,25 @@ | |||
1 | From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 | 1 | From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 | 3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 |
4 | Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. | 4 | Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount |
5 | nfsd_fs_t. | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/contrib/rpc.te | 5 +++++ | 12 | policy/modules/kernel/filesystem.te | 1 + |
12 | policy/modules/contrib/rpcbind.te | 5 +++++ | 13 | policy/modules/kernel/kernel.te | 2 ++ |
13 | policy/modules/kernel/filesystem.te | 1 + | 14 | policy/modules/services/rpc.te | 5 +++++ |
14 | policy/modules/kernel/kernel.te | 2 ++ | 15 | policy/modules/services/rpcbind.te | 5 +++++ |
15 | 4 files changed, 13 insertions(+) | 16 | 4 files changed, 13 insertions(+) |
16 | 17 | ||
17 | --- a/policy/modules/contrib/rpcbind.te | 18 | diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te |
18 | +++ b/policy/modules/contrib/rpcbind.te | 19 | index 41037951..b341ba83 100644 |
19 | @@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t) | ||
20 | |||
21 | logging_send_syslog_msg(rpcbind_t) | ||
22 | |||
23 | miscfiles_read_localization(rpcbind_t) | ||
24 | |||
25 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
26 | +# because the are running in different level. So add rules to allow this. | ||
27 | +mls_socket_read_all_levels(rpcbind_t) | ||
28 | +mls_socket_write_all_levels(rpcbind_t) | ||
29 | + | ||
30 | ifdef(`distro_debian',` | ||
31 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
32 | ') | ||
33 | --- a/policy/modules/contrib/rpc.te | ||
34 | +++ b/policy/modules/contrib/rpc.te | ||
35 | @@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',` | ||
36 | files_read_non_auth_files(nfsd_t) | ||
37 | ') | ||
38 | |||
39 | optional_policy(` | ||
40 | mount_exec(nfsd_t) | ||
41 | + # Should domtrans to mount_t while mounting nfsd_fs_t. | ||
42 | + mount_domtrans(nfsd_t) | ||
43 | + # nfsd_t need to chdir to /var/lib/nfs and read files. | ||
44 | + files_list_var(nfsd_t) | ||
45 | + rpc_read_nfs_state_data(nfsd_t) | ||
46 | ') | ||
47 | |||
48 | ######################################## | ||
49 | # | ||
50 | # GSSD local policy | ||
51 | --- a/policy/modules/kernel/filesystem.te | 20 | --- a/policy/modules/kernel/filesystem.te |
52 | +++ b/policy/modules/kernel/filesystem.te | 21 | +++ b/policy/modules/kernel/filesystem.te |
53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) | 22 | @@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) |
54 | allow mvfs_t self:filesystem associate; | ||
55 | genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) | ||
56 | 23 | ||
57 | type nfsd_fs_t; | 24 | type nfsd_fs_t; |
58 | fs_type(nfsd_fs_t) | 25 | fs_type(nfsd_fs_t) |
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
60 | genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) | 27 | genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) |
61 | 28 | ||
62 | type nsfs_t; | 29 | type nsfs_t; |
63 | fs_type(nsfs_t) | 30 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) | 31 | index 8e958074..7b81c732 100644 |
65 | --- a/policy/modules/kernel/kernel.te | 32 | --- a/policy/modules/kernel/kernel.te |
66 | +++ b/policy/modules/kernel/kernel.te | 33 | +++ b/policy/modules/kernel/kernel.te |
67 | @@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) | 34 | @@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) |
68 | |||
69 | mls_process_read_all_levels(kernel_t) | ||
70 | mls_process_write_all_levels(kernel_t) | 35 | mls_process_write_all_levels(kernel_t) |
71 | mls_file_write_all_levels(kernel_t) | 36 | mls_file_write_all_levels(kernel_t) |
72 | mls_file_read_all_levels(kernel_t) | 37 | mls_file_read_all_levels(kernel_t) |
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
75 | 40 | ||
76 | ifdef(`distro_redhat',` | 41 | ifdef(`distro_redhat',` |
77 | # Bugzilla 222337 | 42 | # Bugzilla 222337 |
78 | fs_rw_tmpfs_chr_files(kernel_t) | 43 | diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te |
44 | index d4209231..a2327b44 100644 | ||
45 | --- a/policy/modules/services/rpc.te | ||
46 | +++ b/policy/modules/services/rpc.te | ||
47 | @@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` | ||
48 | |||
49 | optional_policy(` | ||
50 | mount_exec(nfsd_t) | ||
51 | + # Should domtrans to mount_t while mounting nfsd_fs_t. | ||
52 | + mount_domtrans(nfsd_t) | ||
53 | + # nfsd_t need to chdir to /var/lib/nfs and read files. | ||
54 | + files_list_var(nfsd_t) | ||
55 | + rpc_read_nfs_state_data(nfsd_t) | ||
79 | ') | 56 | ') |
57 | |||
58 | ######################################## | ||
59 | diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te | ||
60 | index 5914af99..2055c114 100644 | ||
61 | --- a/policy/modules/services/rpcbind.te | ||
62 | +++ b/policy/modules/services/rpcbind.te | ||
63 | @@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) | ||
64 | |||
65 | miscfiles_read_localization(rpcbind_t) | ||
66 | |||
67 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
68 | +# because the are running in different level. So add rules to allow this. | ||
69 | +mls_socket_read_all_levels(rpcbind_t) | ||
70 | +mls_socket_write_all_levels(rpcbind_t) | ||
71 | + | ||
72 | ifdef(`distro_debian',` | ||
73 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
74 | ') | ||
75 | -- | ||
76 | 2.19.1 | ||
77 | |||
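Review bot: The explanatory comment added to rpcbind.te is garbled ("because the are running in different level") and understates the rule: `mls_socket_read_all_levels`/`mls_socket_write_all_levels` exempt rpcbind_t from MLS socket-level checks toward every peer, not only nfsd_t. Suggested replacement for the two comment lines: `# nfsd_t and rpcbind_t run at different MLS levels, so nfsd_t cannot use a` / `# unix_stream_socket to rpcbind_t; exempt rpcbind_t socket I/O from MLS level checks.` In the rpc.te hunk, `# nfsd_t need to chdir to /var/lib/nfs and read files.` should read `needs`. Since the header marks this Upstream-Status: Pending, stating the MLS scope explicitly will matter when it is submitted upstream.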
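--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+allow $1 security_t:filesystem mount;
+')
+
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+allow $1 security_t:filesystem remount;
+')
+
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+')
+
+allow $1 security_t:filesystem unmount;
++
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
+')
+
+########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+')
+
+dontaudit $1 security_t:dir getattr;
++ dev_dontaudit_getattr_sysfs($1)
++ dev_dontaudit_search_sysfs($1)
+')
+
+########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+type security_t;
+')
+
++ dev_dontaudit_search_sysfs($1)
+dontaudit $1 security_t:dir search_dir_perms;
+')
+
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+type security_t;
+')
+
++ dev_dontaudit_getattr_sysfs($1)
+dontaudit $1 security_t:dir search_dir_perms;
+dontaudit $1 security_t:file read_file_perms;
+')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 security_t:dir list_dir_perms;
+allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+
+allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+bool secure_mode_policyload;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+
+allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+type security_t;
+')
+
++ dev_dontaudit_search_sysfs($1)
+dontaudit $1 security_t:dir list_dir_perms;
+dontaudit $1 security_t:file rw_file_perms;
+dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 self:netlink_selinux_socket create_socket_perms;
+allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+type security_t;
+')
+
++ dev_getattr_sysfs($1)
+dev_search_sysfs($1)
+allow $1 security_t:dir list_dir_perms;
+allow $1 security_t:file rw_file_perms;
+--
+2.19.1
+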
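Review bot: The header marks this "Upstream-Status: Inappropriate [only for Poky]", but the body motivates it with the move of SELINUXMNT from /selinux to /sys/fs/selinux, which is a kernel/libselinux-wide change rather than anything Poky-specific; either the status should become Pending and the change be offered upstream, or the header should say what makes it Poky-only. The hunks are also uneven among the dontaudit interfaces: `selinux_dontaudit_search_fs` gains only `dev_dontaudit_search_sysfs`, `selinux_dontaudit_read_fs` only `dev_dontaudit_getattr_sysfs`, while `selinux_dontaudit_getattr_dir` gains both; if reaching the mount needs both search and getattr on sysfs, the read/search variants presumably need the pair too. Finally, `selinux_unmount_fs` places the two dev_* calls after the allow rule while mount/remount place them before it; the order has no policy effect, but a uniform layout makes the series easier to audit.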
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch index a1fda13..23226a0 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 | 1 | From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001 |
2 | From: Roy Li <rongqing.li@windriver.com> | 2 | From: Roy Li <rongqing.li@windriver.com> |
3 | Date: Sat, 15 Feb 2014 09:45:00 +0800 | 3 | Date: Sat, 15 Feb 2014 09:45:00 +0800 |
4 | Subject: [PATCH] allow sysadm to run rpcinfo | 4 | Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo |
5 | 5 | ||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no | |||
11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
13 | --- | 13 | --- |
14 | policy/modules/roles/sysadm.te | 4 ++++ | 14 | policy/modules/roles/sysadm.te | 1 + |
15 | 1 file changed, 4 insertions(+) | 15 | 1 file changed, 1 insertion(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
18 | index 2ae952bf..d781378f 100644 | ||
17 | --- a/policy/modules/roles/sysadm.te | 19 | --- a/policy/modules/roles/sysadm.te |
18 | +++ b/policy/modules/roles/sysadm.te | 20 | +++ b/policy/modules/roles/sysadm.te |
19 | @@ -1169,10 +1169,14 @@ optional_policy(` | 21 | @@ -945,6 +945,7 @@ optional_policy(` |
20 | virt_admin(sysadm_t, sysadm_r) | ||
21 | virt_stream_connect(sysadm_t) | ||
22 | ') | 22 | ') |
23 | 23 | ||
24 | optional_policy(` | 24 | optional_policy(` |
25 | + rpcbind_stream_connect(sysadm_t) | 25 | + rpcbind_stream_connect(sysadm_t) |
26 | +') | 26 | rpcbind_admin(sysadm_t, sysadm_r) |
27 | + | ||
28 | +optional_policy(` | ||
29 | vmware_role(sysadm_r, sysadm_t) | ||
30 | ') | 27 | ') |
31 | 28 | ||
32 | optional_policy(` | 29 | -- |
33 | vnstatd_admin(sysadm_t, sysadm_r) | 30 | 2.19.1 |
31 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch index e0f8c1a..732eaaf 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch +++ b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch | |||
@@ -1,22 +1,23 @@ | |||
1 | From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 | 1 | From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files | 4 | Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage |
5 | config files | ||
5 | 6 | ||
6 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
7 | 8 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 11 | --- |
11 | policy/modules/system/selinuxutil.if | 1 + | 12 | policy/modules/system/selinuxutil.if | 1 + |
12 | policy/modules/system/userdomain.if | 4 ++++ | 13 | policy/modules/system/userdomain.if | 4 ++++ |
13 | 2 files changed, 5 insertions(+) | 14 | 2 files changed, 5 insertions(+) |
14 | 15 | ||
16 | diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if | ||
17 | index 20024993..0fdc8c10 100644 | ||
15 | --- a/policy/modules/system/selinuxutil.if | 18 | --- a/policy/modules/system/selinuxutil.if |
16 | +++ b/policy/modules/system/selinuxutil.if | 19 | +++ b/policy/modules/system/selinuxutil.if |
17 | @@ -753,10 +753,11 @@ interface(`seutil_manage_config',` | 20 | @@ -674,6 +674,7 @@ interface(`seutil_manage_config',` |
18 | gen_require(` | ||
19 | type selinux_config_t; | ||
20 | ') | 21 | ') |
21 | 22 | ||
22 | files_search_etc($1) | 23 | files_search_etc($1) |
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
24 | manage_files_pattern($1, selinux_config_t, selinux_config_t) | 25 | manage_files_pattern($1, selinux_config_t, selinux_config_t) |
25 | read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) | 26 | read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) |
26 | ') | 27 | ') |
27 | 28 | diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if | |
28 | ####################################### | 29 | index 5221bd13..4cf987d1 100644 |
29 | --- a/policy/modules/system/userdomain.if | 30 | --- a/policy/modules/system/userdomain.if |
30 | +++ b/policy/modules/system/userdomain.if | 31 | +++ b/policy/modules/system/userdomain.if |
31 | @@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat | 32 | @@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',` |
32 | logging_read_audit_log($1) | ||
33 | logging_read_generic_logs($1) | ||
34 | logging_read_audit_config($1) | 33 | logging_read_audit_config($1) |
35 | 34 | ||
36 | seutil_manage_bin_policy($1) | 35 | seutil_manage_bin_policy($1) |
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
41 | seutil_run_checkpolicy($1, $2) | 40 | seutil_run_checkpolicy($1, $2) |
42 | seutil_run_loadpolicy($1, $2) | 41 | seutil_run_loadpolicy($1, $2) |
43 | seutil_run_semanage($1, $2) | 42 | seutil_run_semanage($1, $2) |
44 | seutil_run_setfiles($1, $2) | 43 | -- |
45 | 44 | 2.19.1 | |
45 | |||
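--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/system/selinuxutil.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 8a1688cc..a9930e9e 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+files_read_usr_symlinks(setfiles_t)
+files_dontaudit_read_all_symlinks(setfiles_t)
+
++fs_getattr_all_fs(setfiles_t)
+fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
+fs_getattr_nfs(setfiles_t)
+--
+2.19.1
+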
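Review bot: `fs_getattr_all_fs(setfiles_t)` is inserted directly above `fs_getattr_all_xattr_fs`, `fs_getattr_cgroup` and `fs_getattr_nfs` for the same domain; if, as its name suggests, the all-fs interface grants getattr on every filesystem type, the three narrower calls become redundant and a later reader cannot tell which one is the intended grant. Either drop the three narrower lines in the same hunk or add a comment above the new line, e.g. `# statvfs() on every entry of /proc/mounts (file_system_count); subsumes the fs_getattr_* lines below`. The patch body already explains the statvfs motivation, so the comment only needs to record the overlap.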
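--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+policy/modules/admin/dmesg.if | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+
+corecmd_search_bin($1)
+can_exec($1, dmesg_exec_t)
++ dev_read_kmsg($1)
+')
+--
+2.19.1
+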
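Review bot: `dev_read_kmsg($1)` is added to `dmesg_exec`, which grants read access on /dev/kmsg to every domain that is merely allowed to execute the dmesg binary in its own context (the interface uses `can_exec`, not a domain transition), not only to the domain that actually runs dmesg; kernel log contents, which can include addresses and hardware details, become readable by all such callers. If the intent is just that dmesg keeps working in the callers' domains, say so in the interface next to the new line, e.g. `# dmesg now reads the kernel log from /dev/kmsg instead of syslog(2)`; otherwise attach the rule to the specific domain that needs it. Unlike the surrounding patches in this series, the header carries no `Upstream-Status:` line, which the layer's other patches use consistently.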
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch index 85c40a4..afba90f 100644 --- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch +++ b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 | 1 | From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001 |
2 | From: Roy Li <rongqing.li@windriver.com> | 2 | From: Roy Li <rongqing.li@windriver.com> |
3 | Date: Mon, 10 Feb 2014 18:10:12 +0800 | 3 | Date: Mon, 10 Feb 2014 18:10:12 +0800 |
4 | Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels | 4 | Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to |
5 | mls_file_write_all_levels | ||
5 | 6 | ||
6 | Proftpd will create file under /var/run, but its mls is in high, and | 7 | Proftpd will create file under /var/run, but its mls is in high, and |
7 | can not write to lowlevel | 8 | can not write to lowlevel |
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm | |||
12 | type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir | 13 | type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir |
13 | type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) | 14 | type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) |
14 | 15 | ||
15 | root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name | 16 | root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name |
16 | allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; | 17 | allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; |
17 | root@localhost:~# | 18 | root@localhost:~# |
18 | 19 | ||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 20 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
20 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
21 | --- | 22 | --- |
22 | policy/modules/contrib/ftp.te | 2 ++ | 23 | policy/modules/services/ftp.te | 2 ++ |
23 | 1 file changed, 2 insertions(+) | 24 | 1 file changed, 2 insertions(+) |
24 | 25 | ||
25 | --- a/policy/modules/contrib/ftp.te | 26 | diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te |
26 | +++ b/policy/modules/contrib/ftp.te | 27 | index 29bc077c..d582cf80 100644 |
27 | @@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex | 28 | --- a/policy/modules/services/ftp.te |
28 | role ftpdctl_roles types ftpdctl_t; | 29 | +++ b/policy/modules/services/ftp.te |
29 | 30 | @@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t; | |
30 | type ftpdctl_tmp_t; | 31 | type ftpdctl_tmp_t; |
31 | files_tmp_file(ftpdctl_tmp_t) | 32 | files_tmp_file(ftpdctl_tmp_t) |
32 | 33 | ||
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
35 | type sftpd_t; | 36 | type sftpd_t; |
36 | domain_type(sftpd_t) | 37 | domain_type(sftpd_t) |
37 | role system_r types sftpd_t; | 38 | role system_r types sftpd_t; |
38 | 39 | -- | |
39 | type xferlog_t; | 40 | 2.19.1 |
41 | |||
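Review bot: The rule this patch adds is an MLS write-down exemption for ftpd_t across all levels (the rule line itself lies outside the hunks shown here; the subject and diffstat name `mls_file_write_all_levels`), while the AVC records in the description show a single need: proftpd at s15 creating `proftpd.delay` under var_run_t at s0. A comment beside the rule in ftp.te should record that scope so a later reviewer can judge whether a narrower exemption now suffices, e.g. `# proftpd (s15) creates its pid/delay files under /var/run (s0); MLS write-down exemption, see AVC in patch header`. The reasoning is sound for the reported denial, but a network-facing service with a blanket all-levels write exemption is worth stating plainly in the header as well.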
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch index 41b9c2b..ced90be 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch | |||
@@ -1,27 +1,32 @@ | |||
1 | From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 | 1 | From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001 |
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> |
3 | Date: Fri, 12 Jun 2015 19:37:52 +0530 | 3 | Date: Fri, 12 Jun 2015 19:37:52 +0530 |
4 | Subject: [PATCH] refpolicy: update for systemd related allow rules | 4 | Subject: [PATCH 32/34] policy/module/init: update for systemd related allow |
5 | rules | ||
5 | 6 | ||
6 | It provide, the systemd support related allow rules | 7 | It provide, the systemd support related allow rules |
7 | 8 | ||
9 | Upstream-Status: Pending | ||
10 | |||
8 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 11 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
10 | --- | 13 | --- |
11 | policy/modules/system/init.te | 5 +++++ | 14 | policy/modules/system/init.te | 5 +++++ |
12 | 1 file changed, 5 insertions(+) | 15 | 1 file changed, 5 insertions(+) |
13 | 16 | ||
17 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
18 | index f7635d6f..2e6b57a6 100644 | ||
14 | --- a/policy/modules/system/init.te | 19 | --- a/policy/modules/system/init.te |
15 | +++ b/policy/modules/system/init.te | 20 | +++ b/policy/modules/system/init.te |
16 | @@ -1105,5 +1105,10 @@ optional_policy(` | 21 | @@ -1418,3 +1418,8 @@ optional_policy(` |
17 | ') | 22 | userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) |
18 | 23 | userdom_dontaudit_write_user_tmp_files(systemprocess) | |
19 | optional_policy(` | ||
20 | zebra_read_config(initrc_t) | ||
21 | ') | 24 | ') |
22 | + | 25 | + |
23 | +# systemd related allow rules | 26 | +# systemd related allow rules |
24 | +allow kernel_t init_t:process dyntransition; | 27 | +allow kernel_t init_t:process dyntransition; |
25 | +allow devpts_t device_t:filesystem associate; | 28 | +allow devpts_t device_t:filesystem associate; |
26 | +allow init_t self:capability2 block_suspend; | 29 | +allow init_t self:capability2 block_suspend; |
27 | \ No newline at end of file | 30 | -- |
31 | 2.19.1 | ||
32 | |||
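Review bot: The three rules appended to init.te are raw `allow` statements that name types owned by other modules (`kernel_t`, `devpts_t`, `device_t`) from file scope, whereas refpolicy normally reaches cross-module types through the owning module's interfaces so that the dependency is declared and type renames are caught at build time; if the kernel/terminal modules offer matching interfaces, prefer them, and otherwise wrap the types in a `gen_require` block. The `kernel_t` → `init_t` `dyntransition` is the security-relevant one (a domain change without an exec), and the comment `# systemd related allow rules` says nothing about why it is needed; expanding it to name the boot-time step that triggers each rule, e.g. `# systemd: kernel_t switches to init_t without exec at early boot`, would help the next maintainer judge whether it is still required. The wording "It provide, the systemd support related allow rules" in the body should also be tidied when the patch is next regenerated.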
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch index 3a8a95e..09a16fb 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch +++ b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch | |||
@@ -1,4 +1,7 @@ | |||
1 | Subject: [PATCH] refpolicy: fix optional issue on sysadm module | 1 | From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 | ||
4 | Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional | ||
2 | 5 | ||
3 | init and locallogin modules have a depend for sysadm module because | 6 | init and locallogin modules have a depend for sysadm module because |
4 | they have called sysadm interfaces(sysadm_shell_domtrans). Since | 7 | they have called sysadm interfaces(sysadm_shell_domtrans). Since |
@@ -13,16 +16,16 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 16 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 17 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
15 | --- | 18 | --- |
16 | policy/modules/system/init.te | 14 ++++++++------ | 19 | policy/modules/system/init.te | 16 +++++++++------- |
17 | policy/modules/system/locallogin.te | 4 +++- | 20 | policy/modules/system/locallogin.te | 4 +++- |
18 | 2 files changed, 11 insertions(+), 7 deletions(-) | 21 | 2 files changed, 12 insertions(+), 8 deletions(-) |
19 | 22 | ||
23 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
24 | index 2e6b57a6..d8696580 100644 | ||
20 | --- a/policy/modules/system/init.te | 25 | --- a/policy/modules/system/init.te |
21 | +++ b/policy/modules/system/init.te | 26 | +++ b/policy/modules/system/init.te |
22 | @@ -300,16 +300,18 @@ ifdef(`init_systemd',` | 27 | @@ -448,13 +448,15 @@ ifdef(`init_systemd',` |
23 | 28 | modutils_domtrans(init_t) | |
24 | optional_policy(` | ||
25 | modutils_domtrans_insmod(init_t) | ||
26 | ') | 29 | ') |
27 | ',` | 30 | ',` |
28 | - tunable_policy(`init_upstart',` | 31 | - tunable_policy(`init_upstart',` |
@@ -30,34 +33,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
30 | - ',` | 33 | - ',` |
31 | - # Run the shell in the sysadm role for single-user mode. | 34 | - # Run the shell in the sysadm role for single-user mode. |
32 | - # causes problems with upstart | 35 | - # causes problems with upstart |
33 | - sysadm_shell_domtrans(init_t) | 36 | - ifndef(`distro_debian',` |
37 | - sysadm_shell_domtrans(init_t) | ||
34 | + optional_policy(` | 38 | + optional_policy(` |
35 | + tunable_policy(`init_upstart',` | 39 | + tunable_policy(`init_upstart',` |
36 | + corecmd_shell_domtrans(init_t, initrc_t) | 40 | + corecmd_shell_domtrans(init_t, initrc_t) |
37 | + ',` | 41 | + ',` |
38 | + # Run the shell in the sysadm role for single-user mode. | 42 | + # Run the shell in the sysadm role for single-user mode. |
39 | + # causes problems with upstart | 43 | + # causes problems with upstart |
40 | + sysadm_shell_domtrans(init_t) | 44 | + ifndef(`distro_debian',` |
41 | + ') | 45 | + sysadm_shell_domtrans(init_t) |
46 | + ') | ||
47 | ') | ||
42 | ') | 48 | ') |
43 | ') | 49 | ') |
44 | 50 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | |
45 | ifdef(`distro_debian',` | 51 | index a56f3d1f..4c679ff3 100644 |
46 | fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") | ||
47 | @@ -1109,6 +1111,6 @@ optional_policy(` | ||
48 | ') | ||
49 | |||
50 | # systemd related allow rules | ||
51 | allow kernel_t init_t:process dyntransition; | ||
52 | allow devpts_t device_t:filesystem associate; | ||
53 | -allow init_t self:capability2 block_suspend; | ||
54 | \ No newline at end of file | ||
55 | +allow init_t self:capability2 block_suspend; | ||
56 | --- a/policy/modules/system/locallogin.te | 52 | --- a/policy/modules/system/locallogin.te |
57 | +++ b/policy/modules/system/locallogin.te | 53 | +++ b/policy/modules/system/locallogin.te |
58 | @@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t) | 54 | @@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) |
59 | userdom_use_unpriv_users_fds(sulogin_t) | ||
60 | |||
61 | userdom_search_user_home_dirs(sulogin_t) | 55 | userdom_search_user_home_dirs(sulogin_t) |
62 | userdom_use_user_ptys(sulogin_t) | 56 | userdom_use_user_ptys(sulogin_t) |
63 | 57 | ||
@@ -66,7 +60,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
66 | + sysadm_shell_domtrans(sulogin_t) | 60 | + sysadm_shell_domtrans(sulogin_t) |
67 | +') | 61 | +') |
68 | 62 | ||
69 | # suse and debian do not use pam with sulogin... | 63 | # by default, sulogin does not use pam... |
70 | ifdef(`distro_suse', `define(`sulogin_no_pam')') | 64 | # sulogin_pam might need to be defined otherwise |
71 | ifdef(`distro_debian', `define(`sulogin_no_pam')') | 65 | -- |
72 | 66 | 2.19.1 | |
67 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch index 8d22c21..03b1439 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch | |||
@@ -1,7 +1,8 @@ | |||
1 | From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 | 1 | From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 19:36:44 +0800 | 3 | Date: Thu, 22 Aug 2013 19:36:44 +0800 |
4 | Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 | 4 | Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of |
5 | /var/log - apache2 | ||
5 | 6 | ||
6 | We have added rules for the symlink of /var/log in logging.if, | 7 | We have added rules for the symlink of /var/log in logging.if, |
7 | while apache.te uses /var/log but does not use the interfaces in | 8 | while apache.te uses /var/log but does not use the interfaces in |
@@ -12,20 +13,21 @@ Upstream-Status: Inappropriate [only for Poky] | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
14 | --- | 15 | --- |
15 | policy/modules/contrib/apache.te | 1 + | 16 | policy/modules/services/apache.te | 1 + |
16 | 1 file changed, 1 insertion(+) | 17 | 1 file changed, 1 insertion(+) |
17 | 18 | ||
18 | --- a/policy/modules/contrib/apache.te | 19 | diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te |
19 | +++ b/policy/modules/contrib/apache.te | 20 | index 15c4ea53..596370b1 100644 |
20 | @@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di | 21 | --- a/policy/modules/services/apache.te |
21 | create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) | 22 | +++ b/policy/modules/services/apache.te |
22 | create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 23 | @@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
23 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
24 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 24 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
25 | setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
25 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 26 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
26 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | 27 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) |
27 | logging_log_filetrans(httpd_t, httpd_log_t, file) | 28 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
28 | 29 | ||
29 | allow httpd_t httpd_modules_t:dir list_dir_perms; | 30 | allow httpd_t httpd_modules_t:dir list_dir_perms; |
30 | mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | 31 | -- |
31 | read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | 32 | 2.19.1 |
33 | |||
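Review bot: The rule carried over into the renamed patch, `+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` at new line 27, lets httpd_t read every symlink labelled var_log_t, not only the /var/log link it is meant for; with the layer labelling /var/log/.* as var_log_t (see the logging.fc hunk in the deleted var-log-symlink patch further down), that also covers any link later created inside /var/log. Reading a link target is a narrow permission, so this is a least-privilege observation rather than a defect, but the patch body gives no hint why the rule exists once it is separated from its commit text. Adding a one-line comment above the rule, `# /var/log is a symlink in poky; let httpd_t follow it`, keeps the rationale with the rule across future rebases. As a wording nit, the new Subject says `policy/module/apache` while the touched path is `policy/modules/services/apache.te`; matching the real path avoids confusion when grepping the patch series.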
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch deleted file mode 100644 index 946dcc2..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | Subject: [PATCH] refpolicy: fix real path for clock | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | ||
8 | policy/modules/system/clock.fc | 1 + | ||
9 | 1 file changed, 1 insertion(+) | ||
10 | |||
11 | --- a/policy/modules/system/clock.fc | ||
12 | +++ b/policy/modules/system/clock.fc | ||
13 | @@ -1,5 +1,6 @@ | ||
14 | /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) | ||
15 | |||
16 | /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
17 | |||
18 | +/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
19 | /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch deleted file mode 100644 index 689c75b..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch +++ /dev/null | |||
@@ -1,15 +0,0 @@ | |||
1 | Subject: [PATCH] refpolicy: fix real path for dmesg | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | ||
8 | policy/modules/admin/dmesg.fc | 1 + | ||
9 | 1 file changed, 1 insertion(+) | ||
10 | |||
11 | --- a/policy/modules/admin/dmesg.fc | ||
12 | +++ b/policy/modules/admin/dmesg.fc | ||
13 | @@ -1 +1,2 @@ | ||
14 | +/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
15 | /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch deleted file mode 100644 index b441257..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch +++ /dev/null | |||
@@ -1,50 +0,0 @@ | |||
1 | Subject: [PATCH] fix real path for shadow commands. | ||
2 | |||
3 | Upstream-Status: Inappropriate [only for Poky] | ||
4 | |||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | ||
8 | policy/modules/admin/usermanage.fc | 6 ++++++ | ||
9 | 1 file changed, 6 insertions(+) | ||
10 | |||
11 | --- a/policy/modules/admin/usermanage.fc | ||
12 | +++ b/policy/modules/admin/usermanage.fc | ||
13 | @@ -2,20 +2,24 @@ ifdef(`distro_debian',` | ||
14 | /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) | ||
15 | ') | ||
16 | |||
17 | /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) | ||
18 | /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
19 | +/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
20 | /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
21 | +/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
22 | /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) | ||
23 | /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) | ||
24 | /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) | ||
25 | /usr/bin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0) | ||
26 | /usr/bin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0) | ||
27 | /usr/bin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) | ||
28 | /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
29 | /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
30 | /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) | ||
31 | +/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) | ||
32 | +/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) | ||
33 | /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
34 | /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
35 | /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
36 | /usr/bin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
37 | /usr/bin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
38 | @@ -36,10 +40,12 @@ ifdef(`distro_debian',` | ||
39 | /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
40 | /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
41 | /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
42 | /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) | ||
43 | /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
44 | +/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
45 | /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
46 | +/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | ||
47 | |||
48 | /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) | ||
49 | |||
50 | /var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch deleted file mode 100644 index 5ed7eae..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch +++ /dev/null | |||
@@ -1,27 +0,0 @@ | |||
1 | fix ftpwho install dir | ||
2 | |||
3 | Upstream-Status: Pending | ||
4 | |||
5 | ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it | ||
6 | |||
7 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | ||
10 | policy/modules/contrib/ftp.fc | 2 +- | ||
11 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
12 | |||
13 | --- a/policy/modules/contrib/ftp.fc | ||
14 | +++ b/policy/modules/contrib/ftp.fc | ||
15 | @@ -15,11 +15,11 @@ | ||
16 | /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
17 | |||
18 | /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) | ||
19 | /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) | ||
20 | |||
21 | -/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
22 | +/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
23 | /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
24 | /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
25 | /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
26 | /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) | ||
27 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch deleted file mode 100644 index b3e2846..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch +++ /dev/null | |||
@@ -1,27 +0,0 @@ | |||
1 | From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 19:21:55 +0800 | ||
4 | Subject: [PATCH] refpolicy: fix real path for mta | ||
5 | |||
6 | Upstream-Status: Inappropriate [configuration] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/contrib/mta.fc | 1 + | ||
12 | 1 file changed, 1 insertion(+) | ||
13 | |||
14 | --- a/policy/modules/contrib/mta.fc | ||
15 | +++ b/policy/modules/contrib/mta.fc | ||
16 | @@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys | ||
17 | /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
18 | |||
19 | /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
20 | /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
21 | /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
22 | +/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
23 | /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
24 | |||
25 | /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) | ||
26 | |||
27 | /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch deleted file mode 100644 index 0adf7c2..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch +++ /dev/null | |||
@@ -1,25 +0,0 @@ | |||
1 | From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 19:25:36 +0800 | ||
4 | Subject: [PATCH] refpolicy: fix real path for nscd | ||
5 | |||
6 | Upstream-Status: Inappropriate [configuration] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/contrib/nscd.fc | 1 + | ||
12 | 1 file changed, 1 insertion(+) | ||
13 | |||
14 | --- a/policy/modules/contrib/nscd.fc | ||
15 | +++ b/policy/modules/contrib/nscd.fc | ||
16 | @@ -1,8 +1,9 @@ | ||
17 | /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) | ||
18 | |||
19 | /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) | ||
20 | +/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) | ||
21 | |||
22 | /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) | ||
23 | |||
24 | /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) | ||
25 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch deleted file mode 100644 index 3cd766d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch +++ /dev/null | |||
@@ -1,23 +0,0 @@ | |||
1 | From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Mon, 27 Jan 2014 01:13:06 -0500 | ||
4 | Subject: [PATCH] refpolicy: fix real path for cpio | ||
5 | |||
6 | Upstream-Status: Inappropriate [configuration] | ||
7 | |||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/contrib/rpm.fc | 1 + | ||
12 | 1 file changed, 1 insertion(+) | ||
13 | |||
14 | --- a/policy/modules/contrib/rpm.fc | ||
15 | +++ b/policy/modules/contrib/rpm.fc | ||
16 | @@ -67,6 +67,7 @@ ifdef(`distro_redhat',` | ||
17 | /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) | ||
18 | /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) | ||
19 | |||
20 | ifdef(`enable_mls',` | ||
21 | /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
22 | +/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) | ||
23 | ') | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch deleted file mode 100644 index 8ea210e..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch +++ /dev/null | |||
@@ -1,23 +0,0 @@ | |||
1 | From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 19:27:19 +0800 | ||
4 | Subject: [PATCH] refpolicy: fix real path for screen | ||
5 | |||
6 | Upstream-Status: Inappropriate [configuration] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/contrib/screen.fc | 1 + | ||
12 | 1 file changed, 1 insertion(+) | ||
13 | |||
14 | --- a/policy/modules/contrib/screen.fc | ||
15 | +++ b/policy/modules/contrib/screen.fc | ||
16 | @@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys | ||
17 | |||
18 | /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) | ||
19 | /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) | ||
20 | |||
21 | /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) | ||
22 | +/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) | ||
23 | /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch deleted file mode 100644 index 8aec193..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch +++ /dev/null | |||
@@ -1,32 +0,0 @@ | |||
1 | Subject: [PATCH] fix file_contexts.subs_dist for poky | ||
2 | |||
3 | This file is used for Linux distros to define specific pathes | ||
4 | mapping to the pathes in file_contexts. | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | config/file_contexts.subs_dist | 11 +++++++++++ | ||
12 | 1 file changed, 11 insertions(+) | ||
13 | |||
14 | --- a/config/file_contexts.subs_dist | ||
15 | +++ b/config/file_contexts.subs_dist | ||
16 | @@ -26,5 +26,16 @@ | ||
17 | |||
18 | # backward compatibility | ||
19 | # not for refpolicy intern, but for /var/run using applications, | ||
20 | # like systemd tmpfiles or systemd socket configurations | ||
21 | /var/run /run | ||
22 | + | ||
23 | +/var/volatile/log /var/log | ||
24 | +/var/volatile/run /var/run | ||
25 | +/var/volatile/cache /var/cache | ||
26 | +/var/volatile/tmp /var/tmp | ||
27 | +/var/volatile/lock /var/lock | ||
28 | +/var/volatile/run/lock /var/lock | ||
29 | +/www /var/www | ||
30 | +/usr/lib/busybox/bin /bin | ||
31 | +/usr/lib/busybox/sbin /sbin | ||
32 | +/usr/lib/busybox/usr /usr | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch deleted file mode 100644 index f53b551..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch +++ /dev/null | |||
@@ -1,27 +0,0 @@ | |||
1 | From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Sat, 25 Jan 2014 23:40:05 -0500 | ||
4 | Subject: [PATCH] refpolicy: fix real path for udevd/udevadm | ||
5 | |||
6 | Upstream-Status: Inappropriate [configuration] | ||
7 | |||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/system/udev.fc | 2 ++ | ||
12 | 1 file changed, 2 insertions(+) | ||
13 | |||
14 | --- a/policy/modules/system/udev.fc | ||
15 | +++ b/policy/modules/system/udev.fc | ||
16 | @@ -32,10 +32,11 @@ ifdef(`distro_redhat',` | ||
17 | /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
18 | ') | ||
19 | |||
20 | /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
21 | /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
22 | +/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
23 | |||
24 | /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) | ||
25 | |||
26 | /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) | ||
27 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch deleted file mode 100644 index 49136e6..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch +++ /dev/null | |||
@@ -1,12 +0,0 @@ | |||
1 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | ||
2 | index f2e4f51..c39912d 100644 | ||
3 | --- a/policy/modules/kernel/corecommands.fc | ||
4 | +++ b/policy/modules/kernel/corecommands.fc | ||
5 | @@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` | ||
6 | /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
7 | /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
8 | /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
9 | +/usr/bin\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
10 | /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
11 | /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
12 | /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch deleted file mode 100644 index e3edce1..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 3/4] fix update-alternatives for hostname | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/system/hostname.fc | 1 + | ||
12 | 1 file changed, 1 insertion(+) | ||
13 | |||
14 | --- a/policy/modules/system/hostname.fc | ||
15 | +++ b/policy/modules/system/hostname.fc | ||
16 | @@ -1 +1,3 @@ | ||
17 | +/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
18 | + | ||
19 | /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch deleted file mode 100644 index b12ee9d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t | ||
2 | |||
3 | We have added rules for the symlink of /var/log in logging.if, | ||
4 | while syslogd_t uses /var/log but does not use the | ||
5 | interfaces in logging.if. So still need add a individual rule for | ||
6 | syslogd_t. | ||
7 | |||
8 | Upstream-Status: Inappropriate [only for Poky] | ||
9 | |||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | ||
13 | policy/modules/system/logging.te | 2 ++ | ||
14 | 1 file changed, 2 insertions(+) | ||
15 | |||
16 | --- a/policy/modules/system/logging.te | ||
17 | +++ b/policy/modules/system/logging.te | ||
18 | @@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_ | ||
19 | rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) | ||
20 | files_search_spool(syslogd_t) | ||
21 | |||
22 | # Allow access for syslog-ng | ||
23 | allow syslogd_t var_log_t:dir { create setattr }; | ||
24 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; | ||
25 | |||
26 | # for systemd but can not be conditional | ||
27 | files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") | ||
28 | |||
29 | # manage temporary files | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch deleted file mode 100644 index 7c7355f..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t | ||
2 | |||
3 | We have added rules for the symlink of /var/log in logging.if, | ||
4 | while audisp_remote_t uses /var/log but does not use the | ||
5 | interfaces in logging.if. So still need add a individual rule for | ||
6 | audisp_remote_t. | ||
7 | |||
8 | Upstream-Status: Inappropriate [only for Poky] | ||
9 | |||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | ||
13 | policy/modules/system/logging.te | 1 + | ||
14 | 1 file changed, 1 insertion(+) | ||
15 | |||
16 | --- a/policy/modules/system/logging.te | ||
17 | +++ b/policy/modules/system/logging.te | ||
18 | @@ -280,10 +280,11 @@ optional_policy(` | ||
19 | |||
20 | allow audisp_remote_t self:capability { setpcap setuid }; | ||
21 | allow audisp_remote_t self:process { getcap setcap }; | ||
22 | allow audisp_remote_t self:tcp_socket create_socket_perms; | ||
23 | allow audisp_remote_t var_log_t:dir search_dir_perms; | ||
24 | +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; | ||
25 | |||
26 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
27 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
28 | files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) | ||
29 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch deleted file mode 100644 index 4a05a2a..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ /dev/null | |||
@@ -1,88 +0,0 @@ | |||
1 | From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH 2/6] add rules for the symlink of /var/log | ||
5 | |||
6 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
7 | lnk_file while doing search/list/delete/rw.. in /var/log/ directory. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | ||
14 | policy/modules/system/logging.fc | 1 + | ||
15 | policy/modules/system/logging.if | 14 +++++++++++++- | ||
16 | policy/modules/system/logging.te | 1 + | ||
17 | 3 files changed, 15 insertions(+), 1 deletion(-) | ||
18 | |||
19 | Index: refpolicy/policy/modules/system/logging.fc | ||
20 | =================================================================== | ||
21 | --- refpolicy.orig/policy/modules/system/logging.fc | ||
22 | +++ refpolicy/policy/modules/system/logging.fc | ||
23 | @@ -53,6 +53,7 @@ ifdef(`distro_suse', ` | ||
24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
25 | |||
26 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
27 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
28 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
29 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) | ||
30 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | ||
31 | Index: refpolicy/policy/modules/system/logging.if | ||
32 | =================================================================== | ||
33 | --- refpolicy.orig/policy/modules/system/logging.if | ||
34 | +++ refpolicy/policy/modules/system/logging.if | ||
35 | @@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_ | ||
36 | interface(`logging_read_all_logs',` | ||
37 | gen_require(` | ||
38 | attribute logfile; | ||
39 | + type var_log_t; | ||
40 | ') | ||
41 | |||
42 | files_search_var($1) | ||
43 | allow $1 logfile:dir list_dir_perms; | ||
44 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
45 | read_files_pattern($1, logfile, logfile) | ||
46 | ') | ||
47 | |||
48 | @@ -967,10 +969,12 @@ interface(`logging_read_all_logs',` | ||
49 | interface(`logging_exec_all_logs',` | ||
50 | gen_require(` | ||
51 | attribute logfile; | ||
52 | + type var_log_t; | ||
53 | ') | ||
54 | |||
55 | files_search_var($1) | ||
56 | allow $1 logfile:dir list_dir_perms; | ||
57 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
58 | can_exec($1, logfile) | ||
59 | ') | ||
60 | |||
61 | @@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',` | ||
62 | |||
63 | files_search_var($1) | ||
64 | allow $1 var_log_t:dir list_dir_perms; | ||
65 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
66 | read_files_pattern($1, var_log_t, var_log_t) | ||
67 | ') | ||
68 | |||
69 | @@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs', | ||
70 | |||
71 | files_search_var($1) | ||
72 | manage_files_pattern($1, var_log_t, var_log_t) | ||
73 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
74 | ') | ||
75 | |||
76 | ######################################## | ||
77 | Index: refpolicy/policy/modules/system/logging.te | ||
78 | =================================================================== | ||
79 | --- refpolicy.orig/policy/modules/system/logging.te | ||
80 | +++ refpolicy/policy/modules/system/logging.te | ||
81 | @@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo | ||
82 | allow auditd_t auditd_log_t:dir setattr; | ||
83 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
84 | allow auditd_t var_log_t:dir search_dir_perms; | ||
85 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
86 | |||
87 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
88 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index a9a0a55..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null | |||
@@ -1,81 +0,0 @@ | |||
1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] allow nfsd to exec shell commands. | ||
5 | |||
6 | Upstream-Status: Inappropriate [only for Poky] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | ||
11 | policy/modules/contrib/rpc.te | 2 +- | ||
12 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ | ||
13 | 2 files changed, 19 insertions(+), 1 deletion(-) | ||
14 | |||
15 | --- a/policy/modules/contrib/rpc.te | ||
16 | +++ b/policy/modules/contrib/rpc.te | ||
17 | @@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir | ||
18 | |||
19 | kernel_read_network_state(nfsd_t) | ||
20 | kernel_dontaudit_getattr_core_if(nfsd_t) | ||
21 | kernel_setsched(nfsd_t) | ||
22 | kernel_request_load_module(nfsd_t) | ||
23 | -# kernel_mounton_proc(nfsd_t) | ||
24 | +kernel_mounton_proc(nfsd_t) | ||
25 | |||
26 | corenet_sendrecv_nfs_server_packets(nfsd_t) | ||
27 | corenet_tcp_bind_nfs_port(nfsd_t) | ||
28 | corenet_udp_bind_nfs_port(nfsd_t) | ||
29 | |||
30 | --- a/policy/modules/kernel/kernel.if | ||
31 | +++ b/policy/modules/kernel/kernel.if | ||
32 | @@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',` | ||
33 | allow $1 proc_t:filesystem unmount; | ||
34 | ') | ||
35 | |||
36 | ######################################## | ||
37 | ## <summary> | ||
38 | -## Get the attributes of the proc filesystem. | ||
39 | +## Mounton a proc filesystem. | ||
40 | ## </summary> | ||
41 | ## <param name="domain"> | ||
42 | ## <summary> | ||
43 | ## Domain allowed access. | ||
44 | ## </summary> | ||
45 | ## </param> | ||
46 | # | ||
47 | -interface(`kernel_getattr_proc',` | ||
48 | +interface(`kernel_mounton_proc',` | ||
49 | gen_require(` | ||
50 | type proc_t; | ||
51 | ') | ||
52 | |||
53 | - allow $1 proc_t:filesystem getattr; | ||
54 | + allow $1 proc_t:dir mounton; | ||
55 | ') | ||
56 | |||
57 | ######################################## | ||
58 | ## <summary> | ||
59 | -## Mount on proc directories. | ||
60 | +## Get the attributes of the proc filesystem. | ||
61 | ## </summary> | ||
62 | ## <param name="domain"> | ||
63 | ## <summary> | ||
64 | ## Domain allowed access. | ||
65 | ## </summary> | ||
66 | ## </param> | ||
67 | -## <rolecap/> | ||
68 | # | ||
69 | -interface(`kernel_mounton_proc',` | ||
70 | +interface(`kernel_getattr_proc',` | ||
71 | gen_require(` | ||
72 | type proc_t; | ||
73 | ') | ||
74 | |||
75 | - allow $1 proc_t:dir mounton; | ||
76 | + allow $1 proc_t:filesystem getattr; | ||
77 | ') | ||
78 | |||
79 | ######################################## | ||
80 | ## <summary> | ||
81 | ## Do not audit attempts to set the | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch deleted file mode 100644 index 08e9398..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] fix setfiles_t to read symlinks | ||
5 | |||
6 | Upstream-Status: Pending | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | ||
12 | policy/modules/system/selinuxutil.te | 3 +++ | ||
13 | 1 file changed, 3 insertions(+) | ||
14 | |||
15 | --- a/policy/modules/system/selinuxutil.te | ||
16 | +++ b/policy/modules/system/selinuxutil.te | ||
17 | @@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t) | ||
18 | files_list_all(setfiles_t) | ||
19 | files_relabel_all_files(setfiles_t) | ||
20 | files_read_usr_symlinks(setfiles_t) | ||
21 | files_dontaudit_read_all_symlinks(setfiles_t) | ||
22 | |||
23 | +# needs to be able to read symlinks to make restorecon on symlink working | ||
24 | +files_read_all_symlinks(setfiles_t) | ||
25 | + | ||
26 | fs_getattr_all_xattr_fs(setfiles_t) | ||
27 | fs_getattr_nfs(setfiles_t) | ||
28 | fs_getattr_pstore_dirs(setfiles_t) | ||
29 | fs_getattr_pstorefs(setfiles_t) | ||
30 | fs_getattr_tracefs(setfiles_t) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch deleted file mode 100644 index 11a6963..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ /dev/null | |||
@@ -1,22 +0,0 @@ | |||
1 | From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 16:36:09 +0800 | ||
4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input | ||
5 | |||
6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
7 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
8 | --- | ||
9 | policy/modules/admin/dmesg.if | 1 + | ||
10 | policy/modules/admin/dmesg.te | 2 ++ | ||
11 | 2 files changed, 3 insertions(+) | ||
12 | |||
13 | --- a/policy/modules/admin/dmesg.if | ||
14 | +++ b/policy/modules/admin/dmesg.if | ||
15 | @@ -35,6 +35,7 @@ interface(`dmesg_exec',` | ||
16 | type dmesg_exec_t; | ||
17 | ') | ||
18 | |||
19 | corecmd_search_bin($1) | ||
20 | can_exec($1, dmesg_exec_t) | ||
21 | + dev_read_kmsg($1) | ||
22 | ') | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index f3adc70..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ /dev/null | |||
@@ -1,253 +0,0 @@ | |||
1 | From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] fix for new SELINUXMNT in /sys | ||
5 | |||
6 | SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should | ||
7 | add rules to access sysfs. | ||
8 | |||
9 | Upstream-Status: Inappropriate [only for Poky] | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | ||
14 | policy/modules/kernel/selinux.if | 26 ++++++++++++++++++++++++++ | ||
15 | 1 file changed, 26 insertions(+) | ||
16 | |||
17 | --- a/policy/modules/kernel/selinux.if | ||
18 | +++ b/policy/modules/kernel/selinux.if | ||
19 | @@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',` | ||
20 | interface(`selinux_get_fs_mount',` | ||
21 | gen_require(` | ||
22 | type security_t; | ||
23 | ') | ||
24 | |||
25 | + # SELINUXMNT is now /sys/fs/selinux, so we should add rules to | ||
26 | + # access sysfs | ||
27 | + dev_getattr_sysfs_dirs($1) | ||
28 | + dev_search_sysfs($1) | ||
29 | # starting in libselinux 2.0.5, init_selinuxmnt() will | ||
30 | # attempt to short circuit by checking if SELINUXMNT | ||
31 | # (/selinux) is already a selinuxfs | ||
32 | allow $1 security_t:filesystem getattr; | ||
33 | |||
34 | @@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',` | ||
35 | interface(`selinux_dontaudit_get_fs_mount',` | ||
36 | gen_require(` | ||
37 | type security_t; | ||
38 | ') | ||
39 | |||
40 | + dev_dontaudit_search_sysfs($1) | ||
41 | # starting in libselinux 2.0.5, init_selinuxmnt() will | ||
42 | # attempt to short circuit by checking if SELINUXMNT | ||
43 | # (/selinux) is already a selinuxfs | ||
44 | dontaudit $1 security_t:filesystem getattr; | ||
45 | |||
46 | @@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun | ||
47 | interface(`selinux_mount_fs',` | ||
48 | gen_require(` | ||
49 | type security_t; | ||
50 | ') | ||
51 | |||
52 | + dev_getattr_sysfs_dirs($1) | ||
53 | + dev_search_sysfs($1) | ||
54 | allow $1 security_t:filesystem mount; | ||
55 | ') | ||
56 | |||
57 | ######################################## | ||
58 | ## <summary> | ||
59 | @@ -134,10 +141,12 @@ interface(`selinux_mount_fs',` | ||
60 | interface(`selinux_remount_fs',` | ||
61 | gen_require(` | ||
62 | type security_t; | ||
63 | ') | ||
64 | |||
65 | + dev_getattr_sysfs_dirs($1) | ||
66 | + dev_search_sysfs($1) | ||
67 | allow $1 security_t:filesystem remount; | ||
68 | ') | ||
69 | |||
70 | ######################################## | ||
71 | ## <summary> | ||
72 | @@ -152,10 +161,12 @@ interface(`selinux_remount_fs',` | ||
73 | interface(`selinux_unmount_fs',` | ||
74 | gen_require(` | ||
75 | type security_t; | ||
76 | ') | ||
77 | |||
78 | + dev_getattr_sysfs_dirs($1) | ||
79 | + dev_search_sysfs($1) | ||
80 | allow $1 security_t:filesystem unmount; | ||
81 | ') | ||
82 | |||
83 | ######################################## | ||
84 | ## <summary> | ||
85 | @@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',` | ||
86 | interface(`selinux_getattr_fs',` | ||
87 | gen_require(` | ||
88 | type security_t; | ||
89 | ') | ||
90 | |||
91 | + dev_getattr_sysfs_dirs($1) | ||
92 | + dev_search_sysfs($1) | ||
93 | allow $1 security_t:filesystem getattr; | ||
94 | |||
95 | dev_getattr_sysfs($1) | ||
96 | dev_search_sysfs($1) | ||
97 | ') | ||
98 | @@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',` | ||
99 | interface(`selinux_dontaudit_getattr_fs',` | ||
100 | gen_require(` | ||
101 | type security_t; | ||
102 | ') | ||
103 | |||
104 | + dev_dontaudit_search_sysfs($1) | ||
105 | dontaudit $1 security_t:filesystem getattr; | ||
106 | |||
107 | dev_dontaudit_getattr_sysfs($1) | ||
108 | dev_dontaudit_search_sysfs($1) | ||
109 | ') | ||
110 | @@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs' | ||
111 | interface(`selinux_dontaudit_getattr_dir',` | ||
112 | gen_require(` | ||
113 | type security_t; | ||
114 | ') | ||
115 | |||
116 | + dev_dontaudit_search_sysfs($1) | ||
117 | dontaudit $1 security_t:dir getattr; | ||
118 | ') | ||
119 | |||
120 | ######################################## | ||
121 | ## <summary> | ||
122 | @@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir | ||
123 | interface(`selinux_search_fs',` | ||
124 | gen_require(` | ||
125 | type security_t; | ||
126 | ') | ||
127 | |||
128 | + dev_getattr_sysfs_dirs($1) | ||
129 | dev_search_sysfs($1) | ||
130 | allow $1 security_t:dir search_dir_perms; | ||
131 | ') | ||
132 | |||
133 | ######################################## | ||
134 | @@ -251,10 +267,11 @@ interface(`selinux_search_fs',` | ||
135 | interface(`selinux_dontaudit_search_fs',` | ||
136 | gen_require(` | ||
137 | type security_t; | ||
138 | ') | ||
139 | |||
140 | + dev_dontaudit_search_sysfs($1) | ||
141 | dontaudit $1 security_t:dir search_dir_perms; | ||
142 | ') | ||
143 | |||
144 | ######################################## | ||
145 | ## <summary> | ||
146 | @@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs', | ||
147 | interface(`selinux_dontaudit_read_fs',` | ||
148 | gen_require(` | ||
149 | type security_t; | ||
150 | ') | ||
151 | |||
152 | + dev_dontaudit_search_sysfs($1) | ||
153 | dontaudit $1 security_t:dir search_dir_perms; | ||
154 | dontaudit $1 security_t:file read_file_perms; | ||
155 | ') | ||
156 | |||
157 | ######################################## | ||
158 | @@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',` | ||
159 | interface(`selinux_get_enforce_mode',` | ||
160 | gen_require(` | ||
161 | type security_t; | ||
162 | ') | ||
163 | |||
164 | + dev_getattr_sysfs_dirs($1) | ||
165 | dev_search_sysfs($1) | ||
166 | allow $1 security_t:dir list_dir_perms; | ||
167 | allow $1 security_t:file read_file_perms; | ||
168 | ') | ||
169 | |||
170 | @@ -359,10 +378,11 @@ interface(`selinux_load_policy',` | ||
171 | interface(`selinux_read_policy',` | ||
172 | gen_require(` | ||
173 | type security_t; | ||
174 | ') | ||
175 | |||
176 | + dev_getattr_sysfs_dirs($1) | ||
177 | dev_search_sysfs($1) | ||
178 | allow $1 security_t:dir list_dir_perms; | ||
179 | allow $1 security_t:file read_file_perms; | ||
180 | allow $1 security_t:security read_policy; | ||
181 | ') | ||
182 | @@ -424,10 +444,11 @@ interface(`selinux_set_boolean',` | ||
183 | interface(`selinux_set_generic_booleans',` | ||
184 | gen_require(` | ||
185 | type security_t; | ||
186 | ') | ||
187 | |||
188 | + dev_getattr_sysfs_dirs($1) | ||
189 | dev_search_sysfs($1) | ||
190 | |||
191 | allow $1 security_t:dir list_dir_perms; | ||
192 | allow $1 security_t:file rw_file_perms; | ||
193 | |||
194 | @@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',` | ||
195 | type security_t, secure_mode_policyload_t; | ||
196 | attribute boolean_type; | ||
197 | bool secure_mode_policyload; | ||
198 | ') | ||
199 | |||
200 | + dev_getattr_sysfs_dirs($1) | ||
201 | dev_search_sysfs($1) | ||
202 | |||
203 | allow $1 security_t:dir list_dir_perms; | ||
204 | allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; | ||
205 | allow $1 secure_mode_policyload_t:file read_file_perms; | ||
206 | @@ -520,10 +542,11 @@ interface(`selinux_set_parameters',` | ||
207 | interface(`selinux_validate_context',` | ||
208 | gen_require(` | ||
209 | type security_t; | ||
210 | ') | ||
211 | |||
212 | + dev_getattr_sysfs_dirs($1) | ||
213 | dev_search_sysfs($1) | ||
214 | allow $1 security_t:dir list_dir_perms; | ||
215 | allow $1 security_t:file rw_file_perms; | ||
216 | allow $1 security_t:security check_context; | ||
217 | ') | ||
218 | @@ -542,10 +565,11 @@ interface(`selinux_validate_context',` | ||
219 | interface(`selinux_dontaudit_validate_context',` | ||
220 | gen_require(` | ||
221 | type security_t; | ||
222 | ') | ||
223 | |||
224 | + dev_dontaudit_search_sysfs($1) | ||
225 | dontaudit $1 security_t:dir list_dir_perms; | ||
226 | dontaudit $1 security_t:file rw_file_perms; | ||
227 | dontaudit $1 security_t:security check_context; | ||
228 | ') | ||
229 | |||
230 | @@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co | ||
231 | interface(`selinux_compute_access_vector',` | ||
232 | gen_require(` | ||
233 | type security_t; | ||
234 | ') | ||
235 | |||
236 | + dev_getattr_sysfs_dirs($1) | ||
237 | dev_search_sysfs($1) | ||
238 | allow $1 security_t:dir list_dir_perms; | ||
239 | allow $1 security_t:file rw_file_perms; | ||
240 | allow $1 security_t:security compute_av; | ||
241 | ') | ||
242 | @@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte | ||
243 | interface(`selinux_compute_user_contexts',` | ||
244 | gen_require(` | ||
245 | type security_t; | ||
246 | ') | ||
247 | |||
248 | + dev_getattr_sysfs_dirs($1) | ||
249 | dev_search_sysfs($1) | ||
250 | allow $1 security_t:dir list_dir_perms; | ||
251 | allow $1 security_t:file rw_file_perms; | ||
252 | allow $1 security_t:security compute_user; | ||
253 | ') | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch deleted file mode 100644 index 0cd8bf9..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ /dev/null | |||
@@ -1,31 +0,0 @@ | |||
1 | From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 14:38:53 +0800 | ||
4 | Subject: [PATCH] fix setfiles statvfs to get file count | ||
5 | |||
6 | New setfiles will read /proc/mounts and use statvfs in | ||
7 | file_system_count() to get file count of filesystems. | ||
8 | |||
9 | Upstream-Status: pending | ||
10 | |||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | ||
15 | policy/modules/system/selinuxutil.te | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | --- a/policy/modules/system/selinuxutil.te | ||
19 | +++ b/policy/modules/system/selinuxutil.te | ||
20 | @@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t) | ||
21 | files_dontaudit_read_all_symlinks(setfiles_t) | ||
22 | |||
23 | # needs to be able to read symlinks to make restorecon on symlink working | ||
24 | files_read_all_symlinks(setfiles_t) | ||
25 | |||
26 | +fs_getattr_all_fs(setfiles_t) | ||
27 | fs_getattr_all_xattr_fs(setfiles_t) | ||
28 | fs_getattr_nfs(setfiles_t) | ||
29 | fs_getattr_pstore_dirs(setfiles_t) | ||
30 | fs_getattr_pstorefs(setfiles_t) | ||
31 | fs_getattr_tracefs(setfiles_t) | ||
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb index 062727b..062727b 100644 --- a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb +++ b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch deleted file mode 100644 index bf7b980..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch +++ /dev/null | |||
@@ -1,47 +0,0 @@ | |||
1 | refpolicy-minimum: systemd: mount: enable required refpolicy booleans | ||
2 | |||
3 | enable required refpolicy booleans for these modules | ||
4 | |||
5 | i. mount: allow_mount_anyfile | ||
6 | without enabling this boolean we are getting below avc denial | ||
7 | |||
8 | audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media | ||
9 | /mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 | ||
10 | tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 | ||
11 | |||
12 | This avc can be allowed using the boolean 'allow_mount_anyfile' | ||
13 | allow mount_t initrc_var_run_t:dir mounton; | ||
14 | |||
15 | ii. systemd : systemd_tmpfiles_manage_all | ||
16 | without enabling this boolean we are not getting access to mount systemd | ||
17 | essential tmpfs during bootup, also not getting access to create audit.log | ||
18 | |||
19 | audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= | ||
20 | "sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles | ||
21 | _t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 | ||
22 | |||
23 | ls /var/log | ||
24 | /var/log -> volatile/log | ||
25 | :~# | ||
26 | |||
27 | Upstream-Status: Pending | ||
28 | |||
29 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
30 | |||
31 | --- a/policy/booleans.conf | ||
32 | +++ b/policy/booleans.conf | ||
33 | @@ -1156,12 +1156,12 @@ racoon_read_shadow = false | ||
34 | # | ||
35 | # Allow the mount command to mount any directory or file. | ||
36 | # | ||
37 | -allow_mount_anyfile = false | ||
38 | +allow_mount_anyfile = true | ||
39 | |||
40 | # | ||
41 | # Enable support for systemd-tmpfiles to manage all non-security files. | ||
42 | # | ||
43 | -systemd_tmpfiles_manage_all = false | ||
44 | +systemd_tmpfiles_manage_all = true | ||
45 | |||
46 | # | ||
47 | # Allow users to connect to mysql | ||
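--- a/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -10,15 +13,24 @@ domains are unconfined. \
 
 POLICY_NAME = "minimum"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
 CORE_POLICY_MODULES = "unconfined \
-selinuxutil storage sysnetwork \
-application libraries miscfiles logging userdomain \
-init mount modutils getty authlogin locallogin \
+selinuxutil \
+storage \
+sysnetwork \
+application \
+libraries \
+miscfiles \
+logging \
+userdomain \
+init \
+mount \
+modutils \
+getty \
+authlogin \
+locallogin \
 "
 #systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}"
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
 
 # nscd caches libc-issued requests to the name service.
 # Without nscd.pp, commands want to use these caches will be blocked.
@@ -67,18 +79,3 @@ prepare_policy_store () {
 cp ${MOD_FILE} ${MOD_DIR}/hll
 done
 }
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
-
-
-SYSTEMD_REFPOLICY_PATCHES = " \
-file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
-file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
-file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
-file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
-file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
-file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
-file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
-file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
-file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
-"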
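Review bot: The recipe drops the whole SYSTEMD_REFPOLICY_PATCHES set, including 0006 which forced `allow_mount_anyfile = true` and `systemd_tmpfiles_manage_all = true`, but the systemd module line `CORE_POLICY_MODULES += "... 'clock systemd udev fstools' ..."` carries no note on how the boot-time denials those booleans papered over (mount_t mounton initrc_var_run_t, systemd-tmpfiles search of sysctl_t, per the deleted patch header) are now satisfied. Dropping those two booleans is the right direction for least privilege, since both widen mount_t and systemd_tmpfiles_t well beyond what a minimum policy needs, so the intent should be recorded rather than left implicit. I would add above that line `# systemd boot-time mount/tmpfiles access was previously forced via booleans in 0006-*.patch; presumably covered by refpolicy 2.20190201 or by refpolicy-targeted_${PV}.bb — confirm on a systemd image before relying on it`. The addition of `fstools` to the systemd list is also undocumented; a short why-comment naming the denial it resolves would save the next reader a bisect. Whether refpolicy-targeted_${PV}.bb still sets the booleans is outside this hunk.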
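--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -10,12 +13,21 @@ domains are unconfined. \
 
 POLICY_NAME = "minimum"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
 CORE_POLICY_MODULES = "unconfined \
-selinuxutil storage sysnetwork \
-application libraries miscfiles logging userdomain \
-init mount modutils getty authlogin locallogin \
+selinuxutil \
+storage \
+sysnetwork \
+application \
+libraries \
+miscfiles \
+logging \
+userdomain \
+init \
+mount \
+modutils \
+getty \
+authlogin \
+locallogin \
 "
 #systemd dependent policy modules
 CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"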
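Review bot: After this change refpolicy-minimum_git.bb and refpolicy-minimum_2.20190201.bb are byte-identical (both file headers end at blob 40abe35), so the CORE_POLICY_MODULES list and the "-minimum inherits from -targeted" contract are now maintained in two copies that will silently diverge on the next version bump. The duplicated body (everything from the header comment through prepare_policy_store) would be better placed in a shared `refpolicy-minimum.inc` that each versioned recipe pulls in with `require refpolicy-minimum.inc`. Removing `FILESEXTRAPATHS_prepend` here also means this recipe no longer searches `${THISDIR}/refpolicy-${PV}` or `${THISDIR}/refpolicy-targeted` on its own; that looks intentional now that the local patch set is gone, but it depends on the included refpolicy-targeted_${PV}.bb supplying the search path, which is outside this hunk and worth a one-line comment next to the include.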
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb index 7388232..7388232 100644 --- a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb +++ b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb | |||
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb index 3674fdd..3674fdd 100644 --- a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb +++ b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch deleted file mode 100644 index 17a8199..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Wed, 17 Feb 2016 08:35:51 -0500 | ||
4 | Subject: [PATCH] remove duplicate type_transition | ||
5 | |||
6 | Remove duplicate type rules from init_t to init_script_file_type, | ||
7 | they have been included by systemd policies. This also fixes the | ||
8 | errors while installing modules for refpolicy-targeted if systemd | ||
9 | support is enabled: | ||
10 | |||
11 | | Conflicting type rules | ||
12 | | Binary policy creation failed at line 327 of \ | ||
13 | .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\ | ||
14 | /var/lib/selinux/targeted/tmp/modules/100/init/cil | ||
15 | | Failed to generate binary | ||
16 | | semodule: Failed! | ||
17 | |||
18 | Upstream-Status: Inappropriate | ||
19 | |||
20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
22 | --- | ||
23 | policy/modules/system/init.if | 4 ++-- | ||
24 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
25 | |||
26 | --- a/policy/modules/system/init.if | ||
27 | +++ b/policy/modules/system/init.if | ||
28 | @@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',` | ||
29 | ## </summary> | ||
30 | ## </param> | ||
31 | # | ||
32 | interface(`init_domtrans_script',` | ||
33 | gen_require(` | ||
34 | - type initrc_t; | ||
35 | + type initrc_t, initrc_exec_t; | ||
36 | attribute init_script_file_type; | ||
37 | ') | ||
38 | |||
39 | files_list_etc($1) | ||
40 | - domtrans_pattern($1, init_script_file_type, initrc_t) | ||
41 | + domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
42 | |||
43 | ifdef(`enable_mcs',` | ||
44 | range_transition $1 init_script_file_type:process s0; | ||
45 | ') | ||
46 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch deleted file mode 100644 index 1dc9911..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Wed, 17 Feb 2016 08:35:51 -0500 | ||
4 | Subject: [PATCH] remove duplicate type_transition | ||
5 | |||
6 | Remove duplicate type rules from init_t to init_script_file_type, | ||
7 | they have been included by systemd policies. This also fixes the | ||
8 | errors while installing modules for refpolicy-targeted if systemd | ||
9 | support is enabled: | ||
10 | |||
11 | | Conflicting type rules | ||
12 | | Binary policy creation failed at line 327 of \ | ||
13 | .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\ | ||
14 | /var/lib/selinux/targeted/tmp/modules/100/init/cil | ||
15 | | Failed to generate binary | ||
16 | | semodule: Failed! | ||
17 | |||
18 | Upstream-Status: Inappropriate | ||
19 | |||
20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
22 | --- | ||
23 | policy/modules/system/init.if | 4 ++-- | ||
24 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
25 | |||
26 | --- a/policy/modules/system/init.if | ||
27 | +++ b/policy/modules/system/init.if | ||
28 | @@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',` | ||
29 | ## </summary> | ||
30 | ## </param> | ||
31 | # | ||
32 | interface(`init_domtrans_script',` | ||
33 | gen_require(` | ||
34 | - type initrc_t; | ||
35 | + type initrc_t, initrc_exec_t; | ||
36 | attribute init_script_file_type; | ||
37 | ') | ||
38 | |||
39 | files_list_etc($1) | ||
40 | - domtrans_pattern($1, init_script_file_type, initrc_t) | ||
41 | + domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
42 | |||
43 | ifdef(`enable_mcs',` | ||
44 | range_transition $1 init_script_file_type:process s0; | ||
45 | ') | ||
46 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch deleted file mode 100644 index 29d3e2d..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ /dev/null | |||
@@ -1,222 +0,0 @@ | |||
1 | Subject: [PATCH] refpolicy: make unconfined_u the default selinux user | ||
2 | |||
3 | For targeted policy type, we define unconfined_u as the default selinux | ||
4 | user for root and normal users, so users could login in and run most | ||
5 | commands and services on unconfined domains. | ||
6 | |||
7 | Also add rules for users to run init scripts directly, instead of via | ||
8 | run_init. | ||
9 | |||
10 | Upstream-Status: Inappropriate [configuration] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
15 | --- | ||
16 | config/appconfig-mcs/seusers | 4 ++-- | ||
17 | policy/modules/roles/sysadm.te | 1 + | ||
18 | policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++------- | ||
19 | policy/modules/system/unconfined.te | 7 ++++++ | ||
20 | policy/users | 16 +++++-------- | ||
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | ||
22 | |||
23 | --- a/config/appconfig-mcs/seusers | ||
24 | +++ b/config/appconfig-mcs/seusers | ||
25 | @@ -1,2 +1,3 @@ | ||
26 | -root:root:s0-mcs_systemhigh | ||
27 | -__default__:user_u:s0 | ||
28 | +root:unconfined_u:s0-mcs_systemhigh | ||
29 | +__default__:unconfined_u:s0 | ||
30 | + | ||
31 | --- a/policy/modules/roles/sysadm.te | ||
32 | +++ b/policy/modules/roles/sysadm.te | ||
33 | @@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t) | ||
34 | ubac_file_exempt(sysadm_t) | ||
35 | ubac_fd_exempt(sysadm_t) | ||
36 | |||
37 | init_exec(sysadm_t) | ||
38 | init_admin(sysadm_t) | ||
39 | +init_script_role_transition(sysadm_r) | ||
40 | |||
41 | selinux_read_policy(sysadm_t) | ||
42 | |||
43 | # Add/remove user home directories | ||
44 | userdom_manage_user_home_dirs(sysadm_t) | ||
45 | --- a/policy/modules/system/init.if | ||
46 | +++ b/policy/modules/system/init.if | ||
47 | @@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type', | ||
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | ||
51 | interface(`init_spec_domtrans_script',` | ||
52 | gen_require(` | ||
53 | - type initrc_t, initrc_exec_t; | ||
54 | + type initrc_t; | ||
55 | + attribute init_script_file_type; | ||
56 | ') | ||
57 | |||
58 | files_list_etc($1) | ||
59 | - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
60 | + spec_domtrans_pattern($1, init_script_file_type, initrc_t) | ||
61 | |||
62 | ifdef(`distro_gentoo',` | ||
63 | gen_require(` | ||
64 | type rc_exec_t; | ||
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
68 | ') | ||
69 | |||
70 | ifdef(`enable_mcs',` | ||
71 | - range_transition $1 initrc_exec_t:process s0; | ||
72 | + range_transition $1 init_script_file_type:process s0; | ||
73 | ') | ||
74 | |||
75 | ifdef(`enable_mls',` | ||
76 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
77 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
78 | ') | ||
79 | ') | ||
80 | |||
81 | ######################################## | ||
82 | ## <summary> | ||
83 | @@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
86 | # | ||
87 | interface(`init_domtrans_script',` | ||
88 | gen_require(` | ||
89 | - type initrc_t, initrc_exec_t; | ||
90 | + type initrc_t; | ||
91 | + attribute init_script_file_type; | ||
92 | ') | ||
93 | |||
94 | files_list_etc($1) | ||
95 | - domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
96 | + domtrans_pattern($1, init_script_file_type, initrc_t) | ||
97 | |||
98 | ifdef(`enable_mcs',` | ||
99 | - range_transition $1 initrc_exec_t:process s0; | ||
100 | + range_transition $1 init_script_file_type:process s0; | ||
101 | ') | ||
102 | |||
103 | ifdef(`enable_mls',` | ||
104 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
105 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
106 | ') | ||
107 | ') | ||
108 | |||
109 | ######################################## | ||
110 | ## <summary> | ||
111 | @@ -2972,5 +2974,34 @@ interface(`init_admin',` | ||
112 | init_stop_all_units($1) | ||
113 | init_stop_generic_units($1) | ||
114 | init_stop_system($1) | ||
115 | init_telinit($1) | ||
116 | ') | ||
117 | + | ||
118 | +######################################## | ||
119 | +## <summary> | ||
120 | +## Transition to system_r when execute an init script | ||
121 | +## </summary> | ||
122 | +## <desc> | ||
123 | +## <p> | ||
124 | +## Execute a init script in a specified role | ||
125 | +## </p> | ||
126 | +## <p> | ||
127 | +## No interprocess communication (signals, pipes, | ||
128 | +## etc.) is provided by this interface since | ||
129 | +## the domains are not owned by this module. | ||
130 | +## </p> | ||
131 | +## </desc> | ||
132 | +## <param name="source_role"> | ||
133 | +## <summary> | ||
134 | +## Role to transition from. | ||
135 | +## </summary> | ||
136 | +## </param> | ||
137 | +# | ||
138 | +interface(`init_script_role_transition',` | ||
139 | + gen_require(` | ||
140 | + attribute init_script_file_type; | ||
141 | + ') | ||
142 | + | ||
143 | + role_transition $1 init_script_file_type system_r; | ||
144 | +') | ||
145 | + | ||
146 | --- a/policy/modules/system/unconfined.te | ||
147 | +++ b/policy/modules/system/unconfined.te | ||
148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi | ||
149 | |||
150 | type unconfined_execmem_t; | ||
151 | type unconfined_execmem_exec_t; | ||
152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | ||
153 | role unconfined_r types unconfined_execmem_t; | ||
154 | +role unconfined_r types unconfined_t; | ||
155 | +role system_r types unconfined_t; | ||
156 | +role_transition system_r unconfined_exec_t unconfined_r; | ||
157 | +allow system_r unconfined_r; | ||
158 | +allow unconfined_r system_r; | ||
159 | |||
160 | ######################################## | ||
161 | # | ||
162 | # Local policy | ||
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
167 | ifdef(`direct_sysadm_daemon',` | ||
168 | optional_policy(` | ||
169 | init_run_daemon(unconfined_t, unconfined_r) | ||
170 | + init_domtrans_script(unconfined_t) | ||
171 | + init_script_role_transition(unconfined_r) | ||
172 | ') | ||
173 | ',` | ||
174 | ifdef(`distro_gentoo',` | ||
175 | seutil_run_runinit(unconfined_t, unconfined_r) | ||
176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) | ||
177 | --- a/policy/users | ||
178 | +++ b/policy/users | ||
179 | @@ -13,37 +13,33 @@ | ||
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
182 | # and a user process should never be assigned the system user | ||
183 | # identity. | ||
184 | # | ||
185 | -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
186 | +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
187 | |||
188 | # | ||
189 | # user_u is a generic user identity for Linux users who have no | ||
190 | # SELinux user identity defined. The modified daemons will use | ||
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
193 | # permit any access to such users, then remove this entry. | ||
194 | # | ||
195 | gen_user(user_u, user, user_r, s0, s0) | ||
196 | -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
197 | -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
198 | +gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
199 | +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
200 | |||
201 | # Until order dependence is fixed for users: | ||
202 | ifdef(`direct_sysadm_daemon',` | ||
203 | - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
204 | + gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
205 | ',` | ||
206 | - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
207 | + gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
208 | ') | ||
209 | |||
210 | # | ||
211 | # The following users correspond to Unix identities. | ||
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
214 | # role should use the staff_r role instead of the user_r role when | ||
215 | # not in the sysadm_r. | ||
216 | # | ||
217 | -ifdef(`direct_sysadm_daemon',` | ||
218 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
219 | -',` | ||
220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
221 | -') | ||
222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch deleted file mode 100644 index f28ab74..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch +++ /dev/null | |||
@@ -1,222 +0,0 @@ | |||
1 | Subject: [PATCH] refpolicy: make unconfined_u the default selinux user | ||
2 | |||
3 | For targeted policy type, we define unconfined_u as the default selinux | ||
4 | user for root and normal users, so users could login in and run most | ||
5 | commands and services on unconfined domains. | ||
6 | |||
7 | Also add rules for users to run init scripts directly, instead of via | ||
8 | run_init. | ||
9 | |||
10 | Upstream-Status: Inappropriate [configuration] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
15 | --- | ||
16 | config/appconfig-mcs/seusers | 4 ++-- | ||
17 | policy/modules/roles/sysadm.te | 1 + | ||
18 | policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++------- | ||
19 | policy/modules/system/unconfined.te | 7 ++++++ | ||
20 | policy/users | 16 +++++-------- | ||
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | ||
22 | |||
23 | --- a/config/appconfig-mcs/seusers | ||
24 | +++ b/config/appconfig-mcs/seusers | ||
25 | @@ -1,2 +1,3 @@ | ||
26 | -root:root:s0-mcs_systemhigh | ||
27 | -__default__:user_u:s0 | ||
28 | +root:unconfined_u:s0-mcs_systemhigh | ||
29 | +__default__:unconfined_u:s0 | ||
30 | + | ||
31 | --- a/policy/modules/roles/sysadm.te | ||
32 | +++ b/policy/modules/roles/sysadm.te | ||
33 | @@ -41,10 +41,11 @@ init_reload(sysadm_t) | ||
34 | init_reboot_system(sysadm_t) | ||
35 | init_shutdown_system(sysadm_t) | ||
36 | init_start_generic_units(sysadm_t) | ||
37 | init_stop_generic_units(sysadm_t) | ||
38 | init_reload_generic_units(sysadm_t) | ||
39 | +init_script_role_transition(sysadm_r) | ||
40 | |||
41 | # Add/remove user home directories | ||
42 | userdom_manage_user_home_dirs(sysadm_t) | ||
43 | userdom_home_filetrans_user_home_dir(sysadm_t) | ||
44 | |||
45 | --- a/policy/modules/system/init.if | ||
46 | +++ b/policy/modules/system/init.if | ||
47 | @@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type', | ||
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | ||
51 | interface(`init_spec_domtrans_script',` | ||
52 | gen_require(` | ||
53 | - type initrc_t, initrc_exec_t; | ||
54 | + type initrc_t; | ||
55 | + attribute init_script_file_type; | ||
56 | ') | ||
57 | |||
58 | files_list_etc($1) | ||
59 | - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
60 | + spec_domtrans_pattern($1, init_script_file_type, initrc_t) | ||
61 | |||
62 | ifdef(`distro_gentoo',` | ||
63 | gen_require(` | ||
64 | type rc_exec_t; | ||
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
68 | ') | ||
69 | |||
70 | ifdef(`enable_mcs',` | ||
71 | - range_transition $1 initrc_exec_t:process s0; | ||
72 | + range_transition $1 init_script_file_type:process s0; | ||
73 | ') | ||
74 | |||
75 | ifdef(`enable_mls',` | ||
76 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
77 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
78 | ') | ||
79 | ') | ||
80 | |||
81 | ######################################## | ||
82 | ## <summary> | ||
83 | @@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
86 | # | ||
87 | interface(`init_domtrans_script',` | ||
88 | gen_require(` | ||
89 | - type initrc_t, initrc_exec_t; | ||
90 | + type initrc_t; | ||
91 | + attribute init_script_file_type; | ||
92 | ') | ||
93 | |||
94 | files_list_etc($1) | ||
95 | - domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
96 | + domtrans_pattern($1, init_script_file_type, initrc_t) | ||
97 | |||
98 | ifdef(`enable_mcs',` | ||
99 | - range_transition $1 initrc_exec_t:process s0; | ||
100 | + range_transition $1 init_script_file_type:process s0; | ||
101 | ') | ||
102 | |||
103 | ifdef(`enable_mls',` | ||
104 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
105 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
106 | ') | ||
107 | ') | ||
108 | |||
109 | ######################################## | ||
110 | ## <summary> | ||
111 | @@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',` | ||
112 | class service reload; | ||
113 | ') | ||
114 | |||
115 | allow $1 systemdunit:service reload; | ||
116 | ') | ||
117 | + | ||
118 | +######################################## | ||
119 | +## <summary> | ||
120 | +## Transition to system_r when execute an init script | ||
121 | +## </summary> | ||
122 | +## <desc> | ||
123 | +## <p> | ||
124 | +## Execute a init script in a specified role | ||
125 | +## </p> | ||
126 | +## <p> | ||
127 | +## No interprocess communication (signals, pipes, | ||
128 | +## etc.) is provided by this interface since | ||
129 | +## the domains are not owned by this module. | ||
130 | +## </p> | ||
131 | +## </desc> | ||
132 | +## <param name="source_role"> | ||
133 | +## <summary> | ||
134 | +## Role to transition from. | ||
135 | +## </summary> | ||
136 | +## </param> | ||
137 | +# | ||
138 | +interface(`init_script_role_transition',` | ||
139 | + gen_require(` | ||
140 | + attribute init_script_file_type; | ||
141 | + ') | ||
142 | + | ||
143 | + role_transition $1 init_script_file_type system_r; | ||
144 | +') | ||
145 | + | ||
146 | --- a/policy/modules/system/unconfined.te | ||
147 | +++ b/policy/modules/system/unconfined.te | ||
148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi | ||
149 | |||
150 | type unconfined_execmem_t; | ||
151 | type unconfined_execmem_exec_t; | ||
152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | ||
153 | role unconfined_r types unconfined_execmem_t; | ||
154 | +role unconfined_r types unconfined_t; | ||
155 | +role system_r types unconfined_t; | ||
156 | +role_transition system_r unconfined_exec_t unconfined_r; | ||
157 | +allow system_r unconfined_r; | ||
158 | +allow unconfined_r system_r; | ||
159 | |||
160 | ######################################## | ||
161 | # | ||
162 | # Local policy | ||
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
167 | ifdef(`direct_sysadm_daemon',` | ||
168 | optional_policy(` | ||
169 | init_run_daemon(unconfined_t, unconfined_r) | ||
170 | + init_domtrans_script(unconfined_t) | ||
171 | + init_script_role_transition(unconfined_r) | ||
172 | ') | ||
173 | ',` | ||
174 | ifdef(`distro_gentoo',` | ||
175 | seutil_run_runinit(unconfined_t, unconfined_r) | ||
176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) | ||
177 | --- a/policy/users | ||
178 | +++ b/policy/users | ||
179 | @@ -13,37 +13,33 @@ | ||
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
182 | # and a user process should never be assigned the system user | ||
183 | # identity. | ||
184 | # | ||
185 | -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
186 | +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
187 | |||
188 | # | ||
189 | # user_u is a generic user identity for Linux users who have no | ||
190 | # SELinux user identity defined. The modified daemons will use | ||
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
193 | # permit any access to such users, then remove this entry. | ||
194 | # | ||
195 | gen_user(user_u, user, user_r, s0, s0) | ||
196 | -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
197 | -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
198 | +gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
199 | +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
200 | |||
201 | # Until order dependence is fixed for users: | ||
202 | ifdef(`direct_sysadm_daemon',` | ||
203 | - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
204 | + gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
205 | ',` | ||
206 | - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
207 | + gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
208 | ') | ||
209 | |||
210 | # | ||
211 | # The following users correspond to Unix identities. | ||
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
214 | # role should use the staff_r role instead of the user_r role when | ||
215 | # not in the sysadm_r. | ||
216 | # | ||
217 | -ifdef(`direct_sysadm_daemon',` | ||
218 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
219 | -',` | ||
220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
221 | -') | ||
222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
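--- a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy. Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += "${@bb.utils.contains('${PV}', '2.20170805', '${PATCH_2.20170805}', '${PATCH_2.20170204}', d)}"
-
-PATCH_2.20170805 = " \
-file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-file://refpolicy-unconfined_u-default-user.patch \
-${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
-"
-
-PATCH_2.20170204 = " \
-file://refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch \
-file://refpolicy-unconfined_u-default-user_2.20170204.patch \
-${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition_2.20170204.patch', '', d)} \
-"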
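--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
@@ -0,0 +1,35 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy. Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SYSTEMD_REFPOLICY_PATCHES = " \
+file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+"
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+file://0001-fix-update-alternatives-for-sysvinit.patch \
+"
+
+SRC_URI += " \
+${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+"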
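Review bot: The DESCRIPTION on lines 3–6 promises that users and admins log in with unconfined_t, but this commit also deletes refpolicy-unconfined_u-default-user.patch, whose seusers hunk was what mapped `root` and `__default__` to `unconfined_u` (the removed upstream lines mapped `__default__` to `user_u`), and nothing in the new patch lists here or in refpolicy-targeted_git.bb puts that mapping back. Unless the 2.20190201 tree ships a different seusers default, targeted logins will land in a confined user domain and the description is misleading; either carry a seusers patch forward or change the text. The same applies to refpolicy-targeted_git.bb, whose new body is the same blob (1ecdb4e) — the shared body could live in one refpolicy-targeted.inc instead of two identical copies.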
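--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,8 +14,22 @@ POLICY_MLS_SENS = "0"
 
 include refpolicy_${PV}.inc
 
+SYSTEMD_REFPOLICY_PATCHES = " \
+file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+"
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+file://0001-fix-update-alternatives-for-sysvinit.patch \
+"
+
 SRC_URI += " \
-file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
-file://refpolicy-unconfined_u-default-user.patch \
-${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
-"
+${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+"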
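Review bot: The patch-set selection on new line 34 keys on whether `systemd` appears in DISTRO_FEATURES, not on which init manager the image actually boots; a distro that lists the systemd feature but keeps VIRTUAL-RUNTIME_init_manager on sysvinit would get the nine systemd policy patches and miss 0001-fix-update-alternatives-for-sysvinit.patch. If that configuration is out of scope for this layer, say so above the assignment, e.g. `# Patch set follows DISTRO_FEATURES; mixed systemd-feature/sysvinit-init setups are not supported.`; otherwise the selector should look at the init manager. The two sets also both start at `0001-`, which is harmless now but will collide the first time a sysvinit patch needs to move into the common list.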
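--- a/recipes-security/refpolicy/refpolicy_2.20170204.inc
+++ /dev/null
@@ -1,58 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20170204:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
-file://poky-fc-update-alternatives_sysvinit.patch \
-file://poky-fc-update-alternatives_sysklogd.patch \
-file://poky-fc-update-alternatives_hostname.patch \
-file://poky-fc-update-alternatives_bash.patch \
-file://poky-fc-fix-real-path_resolv.conf.patch \
-file://poky-fc-fix-real-path_login.patch \
-file://poky-fc-fix-real-path_shadow.patch \
-file://poky-fc-fix-bind.patch \
-file://poky-fc-clock.patch \
-file://poky-fc-dmesg.patch \
-file://poky-fc-fstools.patch \
-file://poky-fc-mta.patch \
-file://poky-fc-netutils.patch \
-file://poky-fc-nscd.patch \
-file://poky-fc-screen.patch \
-file://poky-fc-ssh.patch \
-file://poky-fc-sysnetwork.patch \
-file://poky-fc-udevd.patch \
-file://poky-fc-rpm.patch \
-file://poky-fc-ftpwho-dir.patch \
-file://poky-fc-fix-real-path_su.patch \
-file://refpolicy-update-for_systemd.patch \
-"
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
-file://poky-policy-add-rules-for-var-log-symlink.patch \
-file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
-file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
-file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
-file://poky-policy-add-rules-for-var-cache-symlink.patch \
-file://poky-policy-add-rules-for-tmp-symlink.patch \
-file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-file://poky-policy-don-t-audit-tty_device_t.patch \
-file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
-file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
-file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
-file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
-file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
-"
-
-# Other policy fixes
-SRC_URI += " \
-file://poky-policy-fix-seutils-manage-config-files.patch \
-file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
-file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
-"
-
-include refpolicy_common.inc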
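--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -0,0 +1,7 @@
+SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
+SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
+
+include refpolicy_common.inc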
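Review bot: The md5sum and sha256sum on lines 2–3 are byte-identical to the ones in the deleted refpolicy_2.20170204.inc (`76a7a455289c9216ee0fbb8de71c9799` / `5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336`), so they cannot be the digests of refpolicy-2.20190201.tar.bz2 — they appear to have been copied forward with only the URL and PV changed. Presumably the fetcher rejects the download on mismatch, which makes this a build break rather than a silent integrity gap, but either way the recipe is not pinning the 2.20190201 release. Regenerate both values from a copy obtained directly from the new SELinuxProject URL, and consider switching the primary check to sha256 only, since md5 adds nothing here.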
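--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,6 +1,6 @@
 DEFAULT_ENFORCING ??= "enforcing"
 
-SECTION = "base"
+SECTION = "admin"
 LICENSE = "GPLv2"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
@@ -9,11 +9,51 @@ PROVIDES += "virtual/refpolicy"
 RPROVIDES_${PN} += "refpolicy"
 
 # Specific config files for Poky
 SRC_URI += "file://customizable_types \
 file://setrans-mls.conf \
 file://setrans-mcs.conf \
 "
 
+# Base patches applied to all Yocto-based platforms. Your own version of
+# refpolicy should provide a version of these and place them in your own
+# refpolicy-${PV} directory.
+SRC_URI += " \
+file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
+file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+file://0007-fc-login-apply-login-context-to-login.shadow.patch \
+file://0008-fc-bind-fix-real-path-for-bind.patch \
+file://0009-fc-hwclock-add-hwclock-alternatives.patch \
+file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
+file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+file://0015-fc-su-apply-policy-to-su-alternatives.patch \
+file://0016-fc-fstools-fix-real-path-for-fstools.patch \
+file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
+file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
+file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
+file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
+file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
+file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
+file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
+file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
+file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
+file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
+file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
+file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
+file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
+file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
+file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
+file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
+file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
+file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+"
+
 S = "${WORKDIR}/refpolicy"
 
 CONFFILES_${PN} += "${sysconfdir}/selinux/config"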
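Review bot: The 34 patches on new lines 20–55 are now applied unconditionally to every refpolicy variant, and judging by its name `0032-policy-module-init-update-for-systemd-related-allow-.patch` adds systemd-specific allow rules, whereas the targeted recipes in this same commit gate their systemd patches on DISTRO_FEATURES; if that reading is right, sysvinit images end up carrying init-domain permissions they never exercise. Either gate it the same way in the common include or extend the comment on lines 17–19 to say why it is safe for both init systems. That comment should also make the contract explicit, since a missing file:// entry presumably fails the fetch for every variant: `# Every refpolicy-${PV} directory must provide all of these files.`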
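--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,58 +1,9 @@
-PV = "2.20170805+git${SRCPV}"
+PV = "2.20190201+git${SRCPV}"
 
-SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
-SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
 
-SRCREV_refpolicy ?= "794ed7efd0eca19d0353659a1ec9d4ef4e4b751c"
-SRCREV_refpolicy-contrib ?= "a393275a6ecb76311323726a029767a3a01e109e"
-SRCREV_FORMAT = "refpolicy.refpolicy-contrib"
+SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
 
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
 
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
-file://poky-fc-update-alternatives_sysvinit.patch \
-file://poky-fc-update-alternatives_hostname.patch \
-file://poky-fc-update-alternatives_bash.patch \
-file://poky-fc-fix-real-path_resolv.conf.patch \
-file://poky-fc-fix-real-path_login.patch \
-file://poky-fc-fix-real-path_shadow.patch \
-file://poky-fc-fix-bind.patch \
-file://poky-fc-clock.patch \
-file://poky-fc-dmesg.patch \
-file://poky-fc-fstools.patch \
-file://poky-fc-mta.patch \
-file://poky-fc-screen.patch \
-file://poky-fc-ssh.patch \
-file://poky-fc-sysnetwork.patch \
-file://poky-fc-udevd.patch \
-file://poky-fc-rpm.patch \
-file://poky-fc-fix-real-path_su.patch \
-file://refpolicy-update-for_systemd.patch \
-"
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
-file://poky-policy-add-rules-for-var-log-symlink.patch \
-file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
-file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
-file://poky-policy-add-rules-for-var-cache-symlink.patch \
-file://poky-policy-add-rules-for-tmp-symlink.patch \
-file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-file://poky-policy-don-t-audit-tty_device_t.patch \
-file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
-file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
-file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
-file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
-file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
-"
-
-# Other policy fixes
-SRC_URI += " \
-file://poky-policy-fix-seutils-manage-config-files.patch \
-file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
-file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
-file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
-"
-
 include refpolicy_common.inc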
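Review bot: The new `SRC_URI` on line 3 still carries `protocol=git`, so the SELinux policy source is fetched over the unauthenticated, unencrypted git:// transport; the only integrity anchor is the full commit hash in `SRCREV_refpolicy` on line 5, and `?=` lets any later layer or local.conf replace that pin without notice. Using `protocol=https` in the same line, `SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"`, removes the cleartext fetch at no cost to the build. Dropping `SRCREV_refpolicy-contrib` and `SRCREV_FORMAT` is presumably correct because contrib now lives in the main tree, but the hunk does not show that; a one-line comment above line 3 such as `# contrib modules ship in the main refpolicy repository as of 2.20190201` would record the assumption for the next upgrade.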