authorJoe MacDonald <joe@deserted.net>2019-04-08 13:50:40 -0400
committerJoe MacDonald <joe@deserted.net>2019-04-10 10:57:14 -0400
commit776da889b550ac9e5be414a8cc10fd86b1923264 (patch)
tree79771fa29c551e934321434f4b5f3da7a27fd91f
parenta6a3cadb1ef3203a123d8f5f9df27832f55b2ce3 (diff)
refpolicy: update to 2.20190201 and git HEAD policiesjjm/RELEASE_2.20190201
Additionally, the README has fallen out of date; update it to reflect the current reality of layer dependencies. Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r--README16
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch20
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch75
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch20
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch38
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch21
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch62
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch185
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch60
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch259
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch)51
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch)17
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch)11
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch)49
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch)34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch)39
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch)9
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch)22
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch)33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch)25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch)34
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch (renamed from recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch)13
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch)35
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch)58
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch)69
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch)60
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch)96
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch (renamed from recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch)16
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch (renamed from recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch36
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch53
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch68
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch54
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch57
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch121
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch96
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch37
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch92
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch103
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch)25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch110
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch70
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch)21
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch48
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch)20
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch76
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch100
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch)71
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch)60
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch)18
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch)96
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch126
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch)28
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch33
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch (renamed from recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch)26
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch (renamed from recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch)23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch (renamed from recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch)53
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch (renamed from recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch)24
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch19
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch15
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch50
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch23
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch27
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch12
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch19
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch88
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch81
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch30
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch22
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch253
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch31
-rw-r--r--recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch47
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb)39
-rw-r--r--recipes-security/refpolicy/refpolicy-minimum_git.bb22
-rw-r--r--recipes-security/refpolicy/refpolicy-mls_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-mls_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-standard_2.20190201.bb (renamed from recipes-security/refpolicy/refpolicy-standard_2.20170204.bb)0
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch46
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch222
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch222
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb29
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb35
-rw-r--r--recipes-security/refpolicy/refpolicy-targeted_git.bb22
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20170204.inc58
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20190201.inc7
-rw-r--r--recipes-security/refpolicy/refpolicy_common.inc48
-rw-r--r--recipes-security/refpolicy/refpolicy_git.inc55
156 files changed, 3145 insertions, 3748 deletions
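--- a/README
+++ b/README
@@ -16,20 +16,8 @@ of this layer, as well as instructions for submitting patches.
 Dependencies
 ------------
 
-This layer depends on the openembedded-core metadata.
-
-This layer also optionally depends on the following layers:
-
-URI: git://github.com/openembedded/meta-oe.git
-branch: master
-revision: HEAD
-layers: meta-oe
- meta-networking
- meta-python
-
-URI: git://git.yoctoproject.org/meta-virtualization
-branch: master
-revision: HEAD
+This layer depends on the openembedded-core metadata and the meta-python and
+meta-oe layers from the meta-openembedded repository.
 
 
 Maintenance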
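--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-clock.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
-
- /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
-
- /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
- /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)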
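--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
- /sbin -d gen_context(system_u:object_r:bin_t,s0)
- /sbin/.* gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- #
- # /opt
- #
- /opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)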
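--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
-
- /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-
- /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)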
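--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.fc | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,21 @@
-
- /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
-
- /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
-
- /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)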
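--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Subject: [PATCH] fix real path for shadow commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/usermanage.fc | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
- /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
- ')
-
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
- /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
-+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
- /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
-
- /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
-
- /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)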
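--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fstools.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] refpolicy: fix real path for fstools
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
----
- policy/modules/system/fstools.fc | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
- /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
- /sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -83,10 +89,11 @@
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)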
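--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-fix ftpwho install dir
-
-Upstream-Status: Pending
-
-ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/ftp.fc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/contrib/ftp.fc
-+++ b/policy/modules/contrib/ftp.fc
-@@ -10,11 +10,11 @@
- /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-
- /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
- /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
-
--/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
- /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-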
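--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-iptables.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for iptables
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/iptables.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/iptables.fc
-+++ b/policy/modules/system/iptables.fc
-@@ -14,10 +14,11 @@
- /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
- /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
- /usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)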
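--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:21:55 +0800
-Subject: [PATCH] refpolicy: fix real path for mta
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/mta.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/mta.fc
-+++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
- /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
- /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)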
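--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-netutils.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/netutils.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
- /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
- /bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
- /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
- /usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
- /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
- /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)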
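--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:25:36 +0800
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/nscd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,8 +1,9 @@
- /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-
- /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-
- /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-
- /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-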
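--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 01:13:06 -0500
-Subject: [PATCH] refpolicy: fix real path for cpio
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpm.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/rpm.fc
-+++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
- /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
- /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')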
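--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:27:19 +0800
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/screen.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
-
- /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
- /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
-
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)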
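--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-su.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,6 +1,7 @@
-
- /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)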
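--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- config/file_contexts.subs_dist | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,17 @@
-
- # backward compatibility
- # not for refpolicy intern, but for /var/run using applications,
- # like systemd tmpfiles or systemd socket configurations
- /var/run /run
-+
-+# Yocto compatibility
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr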
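--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
- #
- # /bin
- #
- /bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
- # /dev
- #
- ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
- /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
- # /usr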
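--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-udevd.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Sat, 25 Jan 2014 23:40:05 -0500
-Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -8,10 +8,11 @@
-
- /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- ifdef(`distro_debian',`
- /bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
- /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
- ifdef(`distro_redhat',`
- /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
-
- /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)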
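--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Mark Hatle <mark.hatle@windriver.com>
-Date: Thu, 14 Sep 2017 15:02:23 -0500
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
----
- policy/modules/system/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-Index: refpolicy/policy/modules/kernel/corecommands.fc
-===================================================================
---- refpolicy.orig/policy/modules/kernel/corecommands.fc
-+++ refpolicy/policy/modules/kernel/corecommands.fc
-@@ -6,6 +6,7 @@
- /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)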
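--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 3/4] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/hostname.fc | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
-
- /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-
- /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)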
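--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 2/4] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 3 +++
- policy/modules/system/logging.te | 2 ++
- 2 files changed, 5 insertions(+)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
- /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
- /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
- /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-+allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")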
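--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 1/4] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
- policy/modules/system/init.fc | 1 +
- 3 files changed, 3 insertions(+)
-
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
- /etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-
- /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
- /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
-
- #
- # /sbin
- #
- /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
- ifdef(`distro_gentoo', `
- /sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)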
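--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while syslogd_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
- files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
- # manage temporary files
- manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
- files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
-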
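--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/apache.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
-
- manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
- logging_log_filetrans(httpd_t, httpd_log_t, file)
-
- allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)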
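diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index 2e8e1f2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
-
-We have added rules for the symlink of /var/log in logging.if,
-while audisp_remote_t uses /var/log but does not use the
-interfaces in logging.if. So still need add a individual rule for
-audisp_remote_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -278,10 +278,11 @@ optional_policy(`
-
- allow audisp_remote_t self:capability { setuid setpcap };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
-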
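diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index a7161d5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 14 +++++++++++++-
- policy/modules/system/logging.te | 1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
-
- /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
- ## </param>
- ## <rolecap/>
- #
- interface(`logging_read_audit_log',`
- gen_require(`
-- type auditd_log_t;
-+ type auditd_log_t, var_log_t;
- ')
-
- files_search_var($1)
- read_files_pattern($1, auditd_log_t, auditd_log_t)
- allow $1 auditd_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ## <summary>
- ## Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir search_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- #######################################
- ## <summary>
- ## Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
- ## <rolecap/>
- #
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
- ########################################
- ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
- # cjp: not sure why this is needed. This was added
- # because of logrotate.
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
- ########################################
- ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- write_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
- type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- rw_files_pattern($1, var_log_t, var_log_t)
- ')
-
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
- type var_log_t;
- ')
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ## <summary>
- ## All of the rules required to administrate
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
-
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
-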
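diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index ca2796f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/contrib/rpc.te | 2 +-
- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletions(-)
-
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
-
- kernel_read_network_state(nfsd_t)
- kernel_dontaudit_getattr_core_if(nfsd_t)
- kernel_setsched(nfsd_t)
- kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
- corenet_sendrecv_nfs_server_packets(nfsd_t)
- corenet_tcp_bind_nfs_port(nfsd_t)
- corenet_udp_bind_nfs_port(nfsd_t)
-
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
- allow $1 proc_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
-+## Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
-+ allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of the proc filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.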
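diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index d28bde0..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix setfiles_t to read symlinks
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
- files_list_all(setfiles_t)
- files_relabel_all_files(setfiles_t)
- files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
-+
- fs_getattr_all_xattr_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
-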
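diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index 8443e31..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- policy/modules/admin/dmesg.te | 2 ++
- 2 files changed, 3 insertions(+)
-
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
- type dmesg_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
---- a/policy/modules/admin/dmesg.te
-+++ b/policy/modules/admin/dmesg.te
-@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
- # for when /usr is not mounted:
- kernel_dontaudit_search_unlabeled(dmesg_t)
-
- dev_read_sysfs(dmesg_t)
-
-+dev_read_kmsg(dmesg_t)
-+
- fs_search_auto_mountpoints(dmesg_t)
-
- term_dontaudit_use_console(dmesg_t)
-
- domain_use_interactive_fds(dmesg_t)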
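diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index 58903ce..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++--
- 1 file changed, 32 insertions(+), 2 deletions(-)
-
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
- interface(`selinux_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+ # access sysfs
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- allow $1 security_t:filesystem getattr;
-
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
- interface(`selinux_dontaudit_get_fs_mount',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- # starting in libselinux 2.0.5, init_selinuxmnt() will
- # attempt to short circuit by checking if SELINUXMNT
- # (/selinux) is already a selinuxfs
- dontaudit $1 security_t:filesystem getattr;
-
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
- interface(`selinux_mount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem mount;
- ')
-
- ########################################
- ## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
- interface(`selinux_remount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem remount;
- ')
-
- ########################################
- ## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
- interface(`selinux_unmount_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem unmount;
- ')
-
- ########################################
- ## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
- interface(`selinux_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_search_sysfs($1)
- allow $1 security_t:filesystem getattr;
-
- dev_getattr_sysfs($1)
- dev_search_sysfs($1)
- ')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
- interface(`selinux_dontaudit_getattr_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:filesystem getattr;
-
- dev_dontaudit_getattr_sysfs($1)
- dev_dontaudit_search_sysfs($1)
- ')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
- interface(`selinux_dontaudit_getattr_dir',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir getattr;
- ')
-
- ########################################
- ## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
- interface(`selinux_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
- interface(`selinux_dontaudit_search_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
- interface(`selinux_dontaudit_read_fs',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir search_dir_perms;
- dontaudit $1 security_t:file read_file_perms;
- ')
-
- ########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
- interface(`selinux_get_enforce_mode',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- ')
-
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
- interface(`selinux_read_policy',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
- allow $1 security_t:security read_policy;
- ')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
-
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
- type security_t, secure_mode_policyload_t;
- attribute boolean_type;
- bool secure_mode_policyload;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
-
- allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
- allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
- interface(`selinux_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security check_context;
- ')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
- interface(`selinux_dontaudit_validate_context',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_dontaudit_search_sysfs($1)
- dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
- dontaudit $1 security_t:security check_context;
- ')
-
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
- interface(`selinux_compute_access_vector',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_av;
- ')
-@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
- interface(`selinux_compute_user_contexts',`
- gen_require(`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
-+ dev_getattr_sysfs_dirs($1)
- dev_search_sysfs($1)
- allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
- allow $1 security_t:security compute_user;
- ')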
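diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 1cfd80b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 14:38:53 +0800
-Subject: [PATCH] fix setfiles statvfs to get file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/selinuxutil.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
- files_dontaudit_read_all_symlinks(setfiles_t)
-
- # needs to be able to read symlinks to make restorecon on symlink working
- files_read_all_symlinks(setfiles_t)
-
--fs_getattr_all_xattr_fs(setfiles_t)
-+fs_getattr_all_fs(setfiles_t)
- fs_list_all(setfiles_t)
- fs_search_auto_mountpoints(setfiles_t)
- fs_relabelfrom_noxattr_fs(setfiles_t)
-
- mls_file_read_all_levels(setfiles_t)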
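diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100644
index 0000000..2692ffa
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+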
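Review bot: The new `/var/volatile/run /var/run` substitution aliases onto a path that the same file already rewrites to `/run` (the `/var/run /run` context line just above it), and as far as I recall libselinux applies only the first matching subs_dist entry rather than chaining them, so a lookup for `/var/volatile/run/...` would be evaluated against `/var/run/...` file contexts rather than the `/run/...` ones refpolicy actually defines; if that is the case, `/var/volatile/run /run` would be the safer target, and the same question applies to `/var/volatile/lock` and `/var/volatile/run/lock` if `/var/lock` is itself aliased elsewhere. The patch's own header comment could state the intended resolution, e.g. `# substitutions are not chained: alias straight to the canonical labelled path`. Since `/var/volatile` is a Poky layout detail, the `Upstream-Status: Pending` tag may be worth reconsidering against the `Inappropriate [only for Poky]` wording the removed patches on this page use.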
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
index 3f6a5c8..62e7da1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
@@ -1,34 +1,34 @@
1From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 1From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 1/4] fix update-alternatives for sysvinit 4Subject: [PATCH] fix update-alternatives for sysvinit
5 5
6Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Inappropriate [only for Poky]
7 7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 10---
11 policy/modules/contrib/shutdown.fc | 1 + 11 policy/modules/admin/shutdown.fc | 1 +
12 policy/modules/kernel/corecommands.fc | 1 + 12 policy/modules/kernel/corecommands.fc | 1 +
13 policy/modules/system/init.fc | 1 + 13 policy/modules/system/init.fc | 1 +
14 3 files changed, 3 insertions(+) 14 3 files changed, 3 insertions(+)
15 15
16--- a/policy/modules/contrib/shutdown.fc 16diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
17+++ b/policy/modules/contrib/shutdown.fc 17index 03a2230c..2ba049ff 100644
18@@ -3,7 +3,8 @@ 18--- a/policy/modules/admin/shutdown.fc
19 /usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) 19+++ b/policy/modules/admin/shutdown.fc
20 20@@ -5,5 +5,6 @@
21 /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) 21 /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
22 22
23 /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) 23 /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
24+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) 24+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
25 25
26 /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) 26 /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
27diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
28index cf3848db..86920167 100644
27--- a/policy/modules/kernel/corecommands.fc 29--- a/policy/modules/kernel/corecommands.fc
28+++ b/policy/modules/kernel/corecommands.fc 30+++ b/policy/modules/kernel/corecommands.fc
29@@ -144,10 +144,11 @@ ifdef(`distro_gentoo',` 31@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
30 /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
31 /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
32 /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) 32 /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
33 /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) 33 /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
34 /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) 34 /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
@@ -36,19 +36,18 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
36 /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) 36 /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
37 /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) 37 /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
38 /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) 38 /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
39 /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) 39diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
40 /usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) 40index 11a6ce93..93e9d2b4 100644
41--- a/policy/modules/system/init.fc 41--- a/policy/modules/system/init.fc
42+++ b/policy/modules/system/init.fc 42+++ b/policy/modules/system/init.fc
43@@ -40,10 +40,11 @@ ifdef(`distro_gentoo', ` 43@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
44 44 # /usr
45 /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 45 #
46 /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 46 /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
47
48 /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
49+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) 47+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
50 /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) 48 /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
51 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) 49 /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
52 50 /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
53 ifdef(`distro_gentoo', ` 51--
54 /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) 522.19.1
53
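Review bot: Three patches in refpolicy-2.20190201/ now share the `0001-` prefix (this file, `0001-fc-subs-volatile-alias-common-var-volatile-paths.patch` and `0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch`), so the numeric prefix no longer conveys application order and the order depends entirely on the recipe's SRC_URI listing, which is not visible on this page. Either renumbering the series or adding a short comment beside the SRC_URI entries stating the intended order would make that explicit. The refresh itself (new upstream hash, `admin/shutdown.fc` path and re-based hunk contexts) looks consistent with the updated diffstat.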
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index 23bc397..f92ddb8 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -1,7 +1,7 @@
1From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001 1From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:51:44 +0530 3Date: Fri, 26 Aug 2016 17:51:44 +0530
4Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related 4Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
5 allow rules 5 allow rules
6 6
7add allow rules for audit.log file & resolve dependent avc denials. 7add allow rules for audit.log file & resolve dependent avc denials.
@@ -22,16 +22,17 @@ volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
22Upstream-Status: Pending 22Upstream-Status: Pending
23 23
24Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 24Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
25Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
25--- 26---
26 policy/modules/system/getty.te | 3 +++ 27 policy/modules/system/getty.te | 3 +++
27 policy/modules/system/logging.te | 8 ++++++++ 28 policy/modules/system/logging.te | 8 ++++++++
28 2 files changed, 11 insertions(+) 29 2 files changed, 11 insertions(+)
29 30
30diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te 31diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
31index f6743ea..84eaf77 100644 32index 6d3c4284..423db0cc 100644
32--- a/policy/modules/system/getty.te 33--- a/policy/modules/system/getty.te
33+++ b/policy/modules/system/getty.te 34+++ b/policy/modules/system/getty.te
34@@ -139,3 +139,6 @@ optional_policy(` 35@@ -129,3 +129,6 @@ optional_policy(`
35 optional_policy(` 36 optional_policy(`
36 udev_read_db(getty_t) 37 udev_read_db(getty_t)
37 ') 38 ')
@@ -39,10 +40,10 @@ index f6743ea..84eaf77 100644
39+allow getty_t tmpfs_t:dir search; 40+allow getty_t tmpfs_t:dir search;
40+allow getty_t tmpfs_t:file { open write lock }; 41+allow getty_t tmpfs_t:file { open write lock };
41diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te 42diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
42index 9b18aad..fdf86ef 100644 43index 63e92a8e..8ab46925 100644
43--- a/policy/modules/system/logging.te 44--- a/policy/modules/system/logging.te
44+++ b/policy/modules/system/logging.te 45+++ b/policy/modules/system/logging.te
45@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; 46@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
46 allow audisp_t self:unix_dgram_socket create_socket_perms; 47 allow audisp_t self:unix_dgram_socket create_socket_perms;
47 48
48 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; 49 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
@@ -50,7 +51,7 @@ index 9b18aad..fdf86ef 100644
50 51
51 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) 52 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
52 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) 53 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
53@@ -569,3 +570,10 @@ optional_policy(` 54@@ -620,3 +621,10 @@ optional_policy(`
54 # log to the xconsole 55 # log to the xconsole
55 xserver_rw_console(syslogd_t) 56 xserver_rw_console(syslogd_t)
56 ') 57 ')
@@ -63,5 +64,5 @@ index 9b18aad..fdf86ef 100644
63+allow klogd_t initrc_t:unix_dgram_socket sendto; 64+allow klogd_t initrc_t:unix_dgram_socket sendto;
64\ No newline at end of file 65\ No newline at end of file
65-- 66--
661.9.1 672.19.1
67 68
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100644
index 0000000..a963751
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
1From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 28 Mar 2019 20:48:10 -0400
4Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
5
6The objects in /usr/lib/busybox/* should have the same policy applied as
7the corresponding objects in the / hierarchy.
8
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 config/file_contexts.subs_dist | 7 +++++++
12 1 file changed, 7 insertions(+)
13
14diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
15index be532d7f..04fca3c3 100644
16--- a/config/file_contexts.subs_dist
17+++ b/config/file_contexts.subs_dist
18@@ -41,3 +41,10 @@
19 /var/volatile/tmp /var/tmp
20 /var/volatile/lock /var/lock
21 /var/volatile/run/lock /var/lock
22+
23+# busybox aliases
24+# quickly match up the busybox built-in tree to the base filesystem tree
25+/usr/lib/busybox/bin /bin
26+/usr/lib/busybox/sbin /sbin
27+/usr/lib/busybox/usr /usr
28+
29--
302.19.1
31
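Review bot: The three subs_dist aliases added at lines 25-27 point /usr/lib/busybox/bin and /usr/lib/busybox/sbin at /bin and /sbin, but refpolicy 2.20190201 now carries its binary entries under /usr/bin and /usr/sbin and treats /bin itself as an alias (the 0005 patch in this same commit relies on that when it labels /bin/bash.bash via a /usr/bin entry). As far as I understand libselinux's subs handling, only one substitution is applied per lookup, so /usr/lib/busybox/bin/foo would be rewritten to /bin/foo and stop there, missing the /usr/bin/foo entry; the explicit busybox hostname entry the 0004 patch adds suggests this was observed. Consider `/usr/lib/busybox/bin /usr/bin` and `/usr/lib/busybox/sbin /usr/sbin` instead, and confirm with matchpathcon on a built image. The added trailing blank line at 28 is also unnecessary.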
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
index 3623215..37423ec 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -1,7 +1,7 @@
1From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001 1From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:53:46 +0530 3Date: Fri, 26 Aug 2016 17:53:46 +0530
4Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type 4Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
5 local_login_t 5 local_login_t
6 6
7add allow rules for locallogin module avc denials. 7add allow rules for locallogin module avc denials.
@@ -26,15 +26,16 @@ type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
26Upstream-Status: Pending 26Upstream-Status: Pending
27 27
28Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 28Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
29Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
29--- 30---
30 policy/modules/system/locallogin.te | 10 ++++++++++ 31 policy/modules/system/locallogin.te | 10 ++++++++++
31 1 file changed, 10 insertions(+) 32 1 file changed, 10 insertions(+)
32 33
33diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te 34diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
34index 53923f8..09ec33f 100644 35index 4c679ff3..75750e4c 100644
35--- a/policy/modules/system/locallogin.te 36--- a/policy/modules/system/locallogin.te
36+++ b/policy/modules/system/locallogin.te 37+++ b/policy/modules/system/locallogin.te
37@@ -274,3 +274,13 @@ optional_policy(` 38@@ -288,3 +288,13 @@ optional_policy(`
38 optional_policy(` 39 optional_policy(`
39 nscd_use(sulogin_t) 40 nscd_use(sulogin_t)
40 ') 41 ')
@@ -49,5 +50,5 @@ index 53923f8..09ec33f 100644
49+allow local_login_t tmpfs_t:dir { add_name write search}; 50+allow local_login_t tmpfs_t:dir { add_name write search};
50+allow local_login_t tmpfs_t:file { create open read write lock }; 51+allow local_login_t tmpfs_t:file { create open read write lock };
51-- 52--
521.9.1 532.19.1
53 54
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
index 737c0a2..ad94252 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -1,33 +1,33 @@
1From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 1From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:39:41 +0800 3Date: Thu, 22 Aug 2013 13:39:41 +0800
4Subject: [PATCH 2/4] fix update-alternatives for sysklogd 4Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
5 5
6/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule 6/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
7for syslogd_t to read syslog_conf_t lnk_file is needed. 7rule for syslogd_t to read syslog_conf_t lnk_file is needed.
8 8
9Upstream-Status: Inappropriate [only for Poky] 9Upstream-Status: Inappropriate [only for Poky]
10 10
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 13---
14 policy/modules/system/logging.fc | 4 ++++ 14 policy/modules/system/logging.fc | 3 +++
15 policy/modules/system/logging.te | 1 + 15 policy/modules/system/logging.te | 1 +
16 2 files changed, 5 insertions(+) 16 2 files changed, 4 insertions(+)
17 17
18Index: refpolicy/policy/modules/system/logging.fc 18diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
19=================================================================== 19index 6693d87b..0cf108e0 100644
20--- refpolicy.orig/policy/modules/system/logging.fc 20--- a/policy/modules/system/logging.fc
21+++ refpolicy/policy/modules/system/logging.fc 21+++ b/policy/modules/system/logging.fc
22@@ -2,6 +2,7 @@ 22@@ -2,6 +2,7 @@
23 23
24 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) 24 /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
25 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) 25 /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
26+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) 26+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
27 /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) 27 /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
28 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) 28 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
29 /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) 29 /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
30@@ -30,10 +31,12 @@ 30@@ -32,10 +33,12 @@
31 /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) 31 /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
32 /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) 32 /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
33 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) 33 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -40,11 +40,11 @@ Index: refpolicy/policy/modules/system/logging.fc
40 /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) 40 /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
41 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) 41 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
42 42
43Index: refpolicy/policy/modules/system/logging.te 43diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
44=================================================================== 44index adc628f8..07ed546d 100644
45--- refpolicy.orig/policy/modules/system/logging.te 45--- a/policy/modules/system/logging.te
46+++ refpolicy/policy/modules/system/logging.te 46+++ b/policy/modules/system/logging.te
47@@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s 47@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
48 allow syslogd_t self:tcp_socket create_stream_socket_perms; 48 allow syslogd_t self:tcp_socket create_stream_socket_perms;
49 49
50 allow syslogd_t syslog_conf_t:file read_file_perms; 50 allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -52,3 +52,6 @@ Index: refpolicy/policy/modules/system/logging.te
52 allow syslogd_t syslog_conf_t:dir list_dir_perms; 52 allow syslogd_t syslog_conf_t:dir list_dir_perms;
53 53
54 # Create and bind to /dev/log or /var/run/log. 54 # Create and bind to /dev/log or /var/run/log.
55--
562.19.1
57
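Review bot: The new-side entry at line 26, `/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)`, omits the `--` file-type qualifier that the upstream neighbours on lines 24-25 now carry, so it matches directories and symlinks as well as the regular file. Since /etc/syslog.conf.sysklogd is the real configuration file (the symlink is /etc/syslog.conf, covered by the lnk_file rule this patch adds to logging.te), the entry should read `/etc/syslog\.conf\.sysklogd -- gen_context(system_u:object_r:syslog_conf_t,s0)` for consistency with the rest of logging.fc. The second logging.fc hunk and the logging.te change continue outside this view.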
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
index b5ca0f8..ed470e4 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -1,7 +1,7 @@
1From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001 1From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:51:32 +0530 3Date: Fri, 26 Aug 2016 17:51:32 +0530
4Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd 4Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
5 services allow rules 5 services allow rules
6 6
7systemd allow rules for systemd service file operations: start, stop, restart 7systemd allow rules for systemd service file operations: start, stop, restart
@@ -24,18 +24,19 @@ unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
24Upstream-Status: Pending 24Upstream-Status: Pending
25 25
26Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 26Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
27Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27--- 28---
28 policy/modules/system/init.te | 6 +++++- 29 policy/modules/system/init.te | 4 +++
29 policy/modules/system/libraries.te | 3 +++ 30 policy/modules/system/libraries.te | 3 +++
30 policy/modules/system/systemd.if | 40 +++++++++++++++++++++++++++++++++++++ 31 policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
31 policy/modules/system/unconfined.te | 6 ++++++ 32 policy/modules/system/unconfined.te | 6 +++++
32 4 files changed, 54 insertions(+), 1 deletion(-) 33 4 files changed, 52 insertions(+)
33 34
34diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te 35diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
35index d710fb0..f9d7114 100644 36index 8352428a..15745c83 100644
36--- a/policy/modules/system/init.te 37--- a/policy/modules/system/init.te
37+++ b/policy/modules/system/init.te 38+++ b/policy/modules/system/init.te
38@@ -1114,3 +1114,7 @@ optional_policy(` 39@@ -1425,3 +1425,7 @@ optional_policy(`
39 allow kernel_t init_t:process dyntransition; 40 allow kernel_t init_t:process dyntransition;
40 allow devpts_t device_t:filesystem associate; 41 allow devpts_t device_t:filesystem associate;
41 allow init_t self:capability2 block_suspend; 42 allow init_t self:capability2 block_suspend;
@@ -44,10 +45,10 @@ index d710fb0..f9d7114 100644
44+allow initrc_t init_t:system { start status }; 45+allow initrc_t init_t:system { start status };
45+allow initrc_t init_var_run_t:service { start status }; 46+allow initrc_t init_var_run_t:service { start status };
46diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te 47diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
47index 0f5cd56..df98fe9 100644 48index 422b0ea1..80b0c9a5 100644
48--- a/policy/modules/system/libraries.te 49--- a/policy/modules/system/libraries.te
49+++ b/policy/modules/system/libraries.te 50+++ b/policy/modules/system/libraries.te
50@@ -144,3 +144,6 @@ optional_policy(` 51@@ -145,3 +145,6 @@ optional_policy(`
51 optional_policy(` 52 optional_policy(`
52 unconfined_domain(ldconfig_t) 53 unconfined_domain(ldconfig_t)
53 ') 54 ')
@@ -55,15 +56,14 @@ index 0f5cd56..df98fe9 100644
55+# systemd: init domain to start lib domain service 56+# systemd: init domain to start lib domain service
56+systemd_service_lib_function(lib_t) 57+systemd_service_lib_function(lib_t)
57diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if 58diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
58index 3cd6670..822c03d 100644 59index 8d2bb8da..8fc61843 100644
59--- a/policy/modules/system/systemd.if 60--- a/policy/modules/system/systemd.if
60+++ b/policy/modules/system/systemd.if 61+++ b/policy/modules/system/systemd.if
61@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` 62@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',`
62 63
63 allow $1 power_unit_t:service start; 64 getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
64 ') 65 ')
65+ 66+
66+
67+######################################## 67+########################################
68+## <summary> 68+## <summary>
69+## Allow specified domain to start stop reset systemd service 69+## Allow specified domain to start stop reset systemd service
@@ -103,10 +103,10 @@ index 3cd6670..822c03d 100644
103+ 103+
104+') 104+')
105diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te 105diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
106index 99cab31..87a1b03 100644 106index 12cc0d7c..c09e94a5 100644
107--- a/policy/modules/system/unconfined.te 107--- a/policy/modules/system/unconfined.te
108+++ b/policy/modules/system/unconfined.te 108+++ b/policy/modules/system/unconfined.te
109@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) 109@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
110 optional_policy(` 110 optional_policy(`
111 unconfined_dbus_chat(unconfined_execmem_t) 111 unconfined_dbus_chat(unconfined_execmem_t)
112 ') 112 ')
@@ -117,5 +117,5 @@ index 99cab31..87a1b03 100644
117+ 117+
118+allow unconfined_t init_t:system reload; 118+allow unconfined_t init_t:system reload;
119-- 119--
1201.9.1 1202.19.1
121 121
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100644
index 0000000..77c6829
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
1From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
5 alternatives
6
7Upstream-Status: Inappropriate [only for Yocto]
8
9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11---
12 policy/modules/system/hostname.fc | 4 ++++
13 1 file changed, 4 insertions(+)
14
15diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
16index 83ddeb57..653e038d 100644
17--- a/policy/modules/system/hostname.fc
18+++ b/policy/modules/system/hostname.fc
19@@ -1 +1,5 @@
20+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
21+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
22+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
23+
24 /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
25--
262.19.1
27
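Review bot: The explicit `/usr/lib/busybox/bin/hostname` entry at line 22 overlaps with the subs_dist alias the 0002 patch in this commit adds for /usr/lib/busybox/bin; it is either redundant or a workaround for that alias not resolving to the /usr/bin entry, and the patch description should say which so the next rebase does not drop one of them by accident. The three new lines are also inserted above the existing `/usr/bin/hostname` entry with a blank line, whereas refpolicy .fc files keep entries sorted by path; placing them after line 24 would match upstream style.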
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
index 35a8e1b..98b6156 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -1,7 +1,7 @@
1From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001 1From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:53:37 +0530 3Date: Fri, 26 Aug 2016 17:53:37 +0530
4Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: 4Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
5 add allow rules 5 add allow rules
6 6
7add allow rules for avc denails for systemd, mount, logging & authlogin 7add allow rules for avc denails for systemd, mount, logging & authlogin
@@ -30,28 +30,29 @@ tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
30Upstream-Status: Pending 30Upstream-Status: Pending
31 31
32Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 32Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
33Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
33--- 34---
34 policy/modules/system/authlogin.te | 2 ++ 35 policy/modules/system/authlogin.te | 2 ++
35 policy/modules/system/logging.te | 7 ++++++- 36 policy/modules/system/logging.te | 7 ++++++-
36 policy/modules/system/mount.te | 3 +++ 37 policy/modules/system/mount.te | 3 +++
37 policy/modules/system/systemd.te | 6 ++++++ 38 policy/modules/system/systemd.te | 5 +++++
38 4 files changed, 17 insertions(+), 1 deletion(-) 39 4 files changed, 16 insertions(+), 1 deletion(-)
39 40
40diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te 41diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
41index f80dfcb..5fab54a 100644 42index 345e07f3..39f860e0 100644
42--- a/policy/modules/system/authlogin.te 43--- a/policy/modules/system/authlogin.te
43+++ b/policy/modules/system/authlogin.te 44+++ b/policy/modules/system/authlogin.te
44@@ -464,3 +464,5 @@ optional_policy(` 45@@ -472,3 +472,5 @@ optional_policy(`
45 samba_read_var_files(nsswitch_domain) 46 samba_read_var_files(nsswitch_domain)
46 samba_dontaudit_write_var_files(nsswitch_domain) 47 samba_dontaudit_write_var_files(nsswitch_domain)
47 ') 48 ')
48+ 49+
49+allow chkpwd_t proc_t:filesystem getattr; 50+allow chkpwd_t proc_t:filesystem getattr;
50diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te 51diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
51index fdf86ef..107db03 100644 52index 8ab46925..520f7da6 100644
52--- a/policy/modules/system/logging.te 53--- a/policy/modules/system/logging.te
53+++ b/policy/modules/system/logging.te 54+++ b/policy/modules/system/logging.te
54@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; 55@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
55 allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; 56 allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
56 allow auditd_t initrc_t:unix_dgram_socket sendto; 57 allow auditd_t initrc_t:unix_dgram_socket sendto;
57 58
@@ -64,10 +65,10 @@ index fdf86ef..107db03 100644
64+allow syslogd_t self:shm { read unix_read unix_write write }; 65+allow syslogd_t self:shm { read unix_read unix_write write };
65+allow syslogd_t tmpfs_t:file { read write }; 66+allow syslogd_t tmpfs_t:file { read write };
66diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te 67diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
67index 1c2fc33..b699309 100644 68index 3dcb8493..a87d0e82 100644
68--- a/policy/modules/system/mount.te 69--- a/policy/modules/system/mount.te
69+++ b/policy/modules/system/mount.te 70+++ b/policy/modules/system/mount.te
70@@ -229,3 +229,6 @@ optional_policy(` 71@@ -231,3 +231,6 @@ optional_policy(`
71 files_etc_filetrans_etc_runtime(unconfined_mount_t, file) 72 files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
72 unconfined_domain(unconfined_mount_t) 73 unconfined_domain(unconfined_mount_t)
73 ') 74 ')
@@ -75,19 +76,21 @@ index 1c2fc33..b699309 100644
75+allow mount_t proc_t:filesystem getattr; 76+allow mount_t proc_t:filesystem getattr;
76+allow mount_t initrc_t:udp_socket { read write }; 77+allow mount_t initrc_t:udp_socket { read write };
77diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te 78diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
78index fdb9fef..734d455 100644 79index a6f09dfd..68b80de3 100644
79--- a/policy/modules/system/systemd.te 80--- a/policy/modules/system/systemd.te
80+++ b/policy/modules/system/systemd.te 81+++ b/policy/modules/system/systemd.te
81@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` 82@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
82 files_relabel_non_security_dirs(systemd_tmpfiles_t) 83 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
83 files_relabel_non_security_files(systemd_tmpfiles_t) 84 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
84 ') 85
85+
86+allow systemd_tmpfiles_t init_t:dir search; 86+allow systemd_tmpfiles_t init_t:dir search;
87+allow systemd_tmpfiles_t proc_t:filesystem getattr; 87+allow systemd_tmpfiles_t proc_t:filesystem getattr;
88+allow systemd_tmpfiles_t init_t:file read; 88+allow systemd_tmpfiles_t init_t:file read;
89+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; 89+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
90+allow systemd_tmpfiles_t self:capability net_admin; 90+
91 kernel_getattr_proc(systemd_tmpfiles_t)
92 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
93 kernel_read_network_state(systemd_tmpfiles_t)
91-- 94--
921.9.1 952.19.1
93 96
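Review bot: The rebased systemd.te hunk silently drops `allow systemd_tmpfiles_t self:capability net_admin;` (old line 90 is now an empty added line, and the diffstat goes from 6 to 5), which is a welcome least-privilege reduction but is recorded neither in the patch description nor in this commit message; a one-line "net_admin was never needed / is now covered upstream" in the patch body would keep the history honest. The new upstream context on line 91, `kernel_getattr_proc(systemd_tmpfiles_t)`, appears to grant exactly what the added `allow systemd_tmpfiles_t proc_t:filesystem getattr;` on line 87 asks for, so that raw rule is likely now redundant and could be removed. The raw `allow` rules on init_t and initrc_t would also be better expressed through the init_* interfaces so they survive future type renames. Unrelated to this rebase, the auditd_t tmpfs_t:dir rule carried in context at line 56 lists `search` twice.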
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100644
index 0000000..60d585b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
1From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 28 Mar 2019 21:37:32 -0400
4Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
5
6We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
7the proper context to the target for our policy.
8
9Upstream-Status: Inappropriate [only for Yocto]
10
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
12---
13 policy/modules/kernel/corecommands.fc | 1 +
14 1 file changed, 1 insertion(+)
15
16diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
17index e7415cac..cf3848db 100644
18--- a/policy/modules/kernel/corecommands.fc
19+++ b/policy/modules/kernel/corecommands.fc
20@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
21 /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
22 /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
23 /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
24+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
25 /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
26 /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
27 /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
28--
292.19.1
30
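Review bot: The new entry at line 24, `/usr/bin/bash.bash`, leaves the dot unescaped, unlike every other literal dot in these .fc patches (for example `hostname\.net-tools` in the 0004 patch); file_contexts entries are regular expressions, so this also matches names such as bashXbash. It should be `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)`. The patch description speaks of /bin/bash.bash while the entry is under /usr/bin, which only works through the /bin alias in file_contexts.subs_dist; stating that dependency in the description would help whoever rebases this next.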
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
index c88f2b2..7d7908f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -1,4 +1,4 @@
1From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001 1From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:53:53 +0530 3Date: Fri, 26 Aug 2016 17:53:53 +0530
4Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init 4Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
@@ -16,15 +16,16 @@ initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
16Upstream-Status: Pending 16Upstream-Status: Pending
17 17
18Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 18Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
19Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
19--- 20---
20 policy/modules/system/init.te | 2 +- 21 policy/modules/system/init.te | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-) 22 1 file changed, 1 insertion(+), 1 deletion(-)
22 23
23diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te 24diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
24index f9d7114..19a7a20 100644 25index 15745c83..d6a0270a 100644
25--- a/policy/modules/system/init.te 26--- a/policy/modules/system/init.te
26+++ b/policy/modules/system/init.te 27+++ b/policy/modules/system/init.te
27@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate; 28@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
28 allow init_t self:capability2 block_suspend; 29 allow init_t self:capability2 block_suspend;
29 allow init_t self:capability2 audit_read; 30 allow init_t self:capability2 audit_read;
30 31
@@ -32,5 +33,5 @@ index f9d7114..19a7a20 100644
32+allow initrc_t init_t:system { start status reboot }; 33+allow initrc_t init_t:system { start status reboot };
33 allow initrc_t init_var_run_t:service { start status }; 34 allow initrc_t init_var_run_t:service { start status };
34-- 35--
351.9.1 362.19.1
36 37
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index cd79f45..f318c23 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,24 +1,30 @@
1Subject: [PATCH] fix real path for resolv.conf 1From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 4 Apr 2019 10:45:03 -0400
4Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
2 5
3Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Pending
4 7
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7--- 12---
8 policy/modules/system/sysnetwork.fc | 1 + 13 policy/modules/system/sysnetwork.fc | 1 +
9 1 file changed, 1 insertion(+) 14 1 file changed, 1 insertion(+)
10 15
16diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
17index 1e5432a4..ac7c2dd1 100644
11--- a/policy/modules/system/sysnetwork.fc 18--- a/policy/modules/system/sysnetwork.fc
12+++ b/policy/modules/system/sysnetwork.fc 19+++ b/policy/modules/system/sysnetwork.fc
13@@ -17,10 +17,11 @@ ifdef(`distro_debian',` 20@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
14 /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
15 /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
16 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
17 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) 21 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
18 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) 22 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
19+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
20 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) 23 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
24+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
21 25
22 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) 26 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
23 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) 27 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
24 28--
292.19.1
30
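Review bot: The regenerated patch header carries `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice (new-side lines 9 and 11) separated by a stray blank line; drop line 11 and the blank before it. The Upstream-Status also changes from "Inappropriate [only for Poky]" to "Pending" without a justification in the patch body, and the From: line is now Joe's while the original sign-off is Xin Ouyang's, which is worth settling before sending it upstream. Separately, if the subs_dist in this refpolicy maps /var/run to /run (refpolicy's own entries use /run paths), a `/var/run/resolv\.conf.*` entry is never consulted because lookups are rewritten to /run/ before matching; confirm with matchpathcon on an image and use `/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)` if so.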
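--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf | 9 +++++++++
+ policy/modules/system/mount.te | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 68b80de3..a1ef6990 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+--
+2.19.1
+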
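Review bot: Flipping the `gen_tunable(allow_mount_anyfile, true)` default in mount.te enables the whole "mount any directory or file" branch of the tunable, while the description itself names the one rule the denial needs, `allow mount_t initrc_var_run_t:dir mounton;`; adding that rule to mount.te would close the denial without widening mount_t for every build that carries this patch. The patch also sets each boolean twice, once as the .te default and again in the new policy/booleans.conf, so one of the two is redundant and they can silently diverge on a later rebase; if the build honours booleans.conf as the description suggests, leaving the upstream `false` defaults in the .te files and overriding only there would confine the change to the configuration the subject names. The same reasoning applies to `systemd_tmpfiles_manage_all`, which grants management of all non-security files for a denial on a single `sysctl_t` directory search.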
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
index 49f4960..8c71c90 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,25 +1,27 @@
1Subject: [PATCH] fix real path for login commands. 1From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 28 Mar 2019 21:43:53 -0400
4Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
2 5
3Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Inappropriate [only for Poky]
4 7
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7--- 9---
8 policy/modules/system/authlogin.fc | 5 ++--- 10 policy/modules/system/authlogin.fc | 1 +
9 1 file changed, 2 insertions(+), 3 deletions(-) 11 1 file changed, 1 insertion(+)
10 12
13diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
14index e22945cd..a42bc0da 100644
11--- a/policy/modules/system/authlogin.fc 15--- a/policy/modules/system/authlogin.fc
12+++ b/policy/modules/system/authlogin.fc 16+++ b/policy/modules/system/authlogin.fc
13@@ -3,10 +3,12 @@ 17@@ -5,6 +5,7 @@
14 /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
15 /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
16 /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) 18 /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
17 19
18 /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) 20 /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
19+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) 21+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
20+/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
21 /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) 22 /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
22 /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) 23 /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
23 /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) 24 /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
24 /usr/bin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) 25--
25 /usr/bin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) 262.19.1
27
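Review bot: The rewritten patch keeps only the `/usr/bin/login\.shadow` entry and drops the `/usr/bin/login\.tinylogin` line the previous version also labelled `login_exec_t`; if a tinylogin alternative can still be installed in this layer it would now run without the login context, and if the entry was dropped on purpose the patch description should record why, since nothing in the diff says so. The remaining old-side context lines (`/usr/bin/unix_update`, `/usr/bin/unix_verify`) only fall away because the hunk got shorter, so the rest of authlogin.fc appears unchanged.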
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
index 2dd90fe..27cbc9f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -1,4 +1,4 @@
1From 5a1cef9e4a9472982f6c68190f3aa20c73c8de1e Mon Sep 17 00:00:00 2001 1From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:54:09 +0530 3Date: Fri, 26 Aug 2016 17:54:09 +0530
4Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal 4Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
@@ -38,28 +38,29 @@ See 'systemctl status avahi-daemon.service' for details.
38Upstream-Status: Pending 38Upstream-Status: Pending
39 39
40Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 40Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
41Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
41--- 42---
42 policy/modules/system/init.te | 5 +++++ 43 policy/modules/system/init.te | 2 ++
43 policy/modules/system/locallogin.te | 3 +++ 44 policy/modules/system/locallogin.te | 3 +++
44 policy/modules/system/systemd.if | 6 ++++-- 45 policy/modules/system/systemd.if | 6 ++++--
45 policy/modules/system/systemd.te | 3 ++- 46 policy/modules/system/systemd.te | 2 +-
46 4 files changed, 14 insertions(+), 3 deletions(-) 47 4 files changed, 10 insertions(+), 3 deletions(-)
47 48
48diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te 49diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
49index 19a7a20..cefa59d 100644 50index d6a0270a..035c7ad2 100644
50--- a/policy/modules/system/init.te 51--- a/policy/modules/system/init.te
51+++ b/policy/modules/system/init.te 52+++ b/policy/modules/system/init.te
52@@ -1105,3 +1105,5 @@ allow init_t self:capability2 audit_read; 53@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
53 54
54 allow initrc_t init_t:system { start status reboot }; 55 allow initrc_t init_t:system { start status reboot };
55 allow initrc_t init_var_run_t:service { start status }; 56 allow initrc_t init_var_run_t:service { start status };
56+ 57+
57+allow initrc_t init_var_run_t:service stop; 58+allow initrc_t init_var_run_t:service stop;
58diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te 59diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
59index 09ec33f..be25c82 100644 60index 75750e4c..2c2cfc7d 100644
60--- a/policy/modules/system/locallogin.te 61--- a/policy/modules/system/locallogin.te
61+++ b/policy/modules/system/locallogin.te 62+++ b/policy/modules/system/locallogin.te
62@@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock}; 63@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
63 allow local_login_t var_run_t:sock_file write; 64 allow local_login_t var_run_t:sock_file write;
64 allow local_login_t tmpfs_t:dir { add_name write search}; 65 allow local_login_t tmpfs_t:dir { add_name write search};
65 allow local_login_t tmpfs_t:file { create open read write lock }; 66 allow local_login_t tmpfs_t:file { create open read write lock };
@@ -67,10 +68,10 @@ index 09ec33f..be25c82 100644
67+allow local_login_t initrc_t:dbus send_msg; 68+allow local_login_t initrc_t:dbus send_msg;
68+allow initrc_t local_login_t:dbus send_msg; 69+allow initrc_t local_login_t:dbus send_msg;
69diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if 70diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
70index 822c03d..8723527 100644 71index 8fc61843..1166505f 100644
71--- a/policy/modules/system/systemd.if 72--- a/policy/modules/system/systemd.if
72+++ b/policy/modules/system/systemd.if 73+++ b/policy/modules/system/systemd.if
73@@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',` 74@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
74 # 75 #
75 interface(`systemd_service_lib_function',` 76 interface(`systemd_service_lib_function',`
76 gen_require(` 77 gen_require(`
@@ -85,18 +86,18 @@ index 822c03d..8723527 100644
85 86
86 ') 87 ')
87diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te 88diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
88index 70ccb0e..22021eb 100644 89index a1ef6990..a62c3c38 100644
89--- a/policy/modules/system/systemd.te 90--- a/policy/modules/system/systemd.te
90+++ b/policy/modules/system/systemd.te 91+++ b/policy/modules/system/systemd.te
91@@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',` 92@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
92 93
93 allow systemd_tmpfiles_t init_t:dir search; 94 allow systemd_tmpfiles_t init_t:dir search;
94 allow systemd_tmpfiles_t proc_t:filesystem getattr; 95 allow systemd_tmpfiles_t proc_t:filesystem getattr;
95-allow systemd_tmpfiles_t init_t:file read; 96-allow systemd_tmpfiles_t init_t:file read;
96 allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
97 allow systemd_tmpfiles_t self:capability net_admin;
98+
99+allow systemd_tmpfiles_t init_t:file { open getattr read }; 97+allow systemd_tmpfiles_t init_t:file { open getattr read };
98 allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
99
100 kernel_getattr_proc(systemd_tmpfiles_t)
100-- 101--
1011.9.1 1022.19.1
102 103
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
index 3218c88..7a9f3f2 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
@@ -1,19 +1,21 @@
1From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001 1From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 22 Aug 2013 19:09:11 +0800 3Date: Thu, 28 Mar 2019 21:58:53 -0400
4Subject: [PATCH] refpolicy: fix real path for bind. 4Subject: [PATCH 08/34] fc/bind: fix real path for bind
5 5
6Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
7 7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 10---
11 policy/modules/contrib/bind.fc | 2 ++ 11 policy/modules/services/bind.fc | 2 ++
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14--- a/policy/modules/contrib/bind.fc 14diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
15+++ b/policy/modules/contrib/bind.fc 15index b4879dc1..59498e25 100644
16@@ -1,10 +1,12 @@ 16--- a/policy/modules/services/bind.fc
17+++ b/policy/modules/services/bind.fc
18@@ -1,8 +1,10 @@
17 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 19 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
18+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 20+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
19 /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 21 /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
24 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) 26 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
25 /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) 27 /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
26 /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) 28 /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
27 /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) 29--
28 /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) 302.19.1
31
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
index a7338e1..efe81a4 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -1,4 +1,4 @@
1From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001 1From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:54:17 +0530 3Date: Fri, 26 Aug 2016 17:54:17 +0530
4Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files 4Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
@@ -31,17 +31,18 @@ See 'systemctl status systemd-tmpfiles-setup.service' for details.
31Upstream-Status: Pending 31Upstream-Status: Pending
32 32
33Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 33Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
34Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
34--- 35---
35 policy/modules/kernel/files.if | 19 +++++++++++++++++++ 36 policy/modules/kernel/files.if | 19 +++++++++++++++++++
36 policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++ 37 policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
37 policy/modules/system/systemd.te | 3 +++ 38 policy/modules/system/systemd.te | 2 ++
38 3 files changed, 45 insertions(+) 39 3 files changed, 42 insertions(+)
39 40
40diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if 41diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
41index 1cedea2..4ea7d55 100644 42index eb067ad3..ff74f55a 100644
42--- a/policy/modules/kernel/files.if 43--- a/policy/modules/kernel/files.if
43+++ b/policy/modules/kernel/files.if 44+++ b/policy/modules/kernel/files.if
44@@ -6729,3 +6729,22 @@ interface(`files_unconfined',` 45@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
45 46
46 typeattribute $1 files_unconfined_type; 47 typeattribute $1 files_unconfined_type;
47 ') 48 ')
@@ -65,14 +66,13 @@ index 1cedea2..4ea7d55 100644
65+ allow $1 tmp_t:lnk_file getattr; 66+ allow $1 tmp_t:lnk_file getattr;
66+') 67+')
67diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if 68diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
68index f1130d1..4604441 100644 69index 1ad282aa..342eb033 100644
69--- a/policy/modules/kernel/kernel.if 70--- a/policy/modules/kernel/kernel.if
70+++ b/policy/modules/kernel/kernel.if 71+++ b/policy/modules/kernel/kernel.if
71@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` 72@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
72 typeattribute $1 kern_unconfined; 73 allow $1 unlabeled_t:infiniband_endport manage_subnet;
73 kernel_load_module($1)
74 ') 74 ')
75+ 75
76+######################################## 76+########################################
77+## <summary> 77+## <summary>
78+## systemd tmp files access to kernel sysctl domain 78+## systemd tmp files access to kernel sysctl domain
@@ -94,18 +94,16 @@ index f1130d1..4604441 100644
94+ allow $1 sysctl_kernel_t:file { open read }; 94+ allow $1 sysctl_kernel_t:file { open read };
95+ 95+
96+') 96+')
97+
98diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te 97diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
99index 22021eb..8813664 100644 98index a62c3c38..9b696823 100644
100--- a/policy/modules/system/systemd.te 99--- a/policy/modules/system/systemd.te
101+++ b/policy/modules/system/systemd.te 100+++ b/policy/modules/system/systemd.te
102@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; 101@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
103 allow systemd_tmpfiles_t self:capability net_admin; 102
103 kernel_read_system_state(systemd_update_done_t)
104 104
105 allow systemd_tmpfiles_t init_t:file { open getattr read };
106+
107+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) 105+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
108+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) 106+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
109-- 107--
1101.9.1 1082.19.1
111 109
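Review bot: The two interface calls for `systemd_tmpfiles_t` are now appended after `kernel_read_system_state(systemd_update_done_t)` at the very end of systemd.te (hunk `@@ -1121,3 +1121,5 @@`), i.e. under the systemd_update_done_t rules rather than next to the other systemd_tmpfiles_t rules where the previous version of the patch placed them, so a reader scanning the tmpfiles block will not find them. Moving them up beside `allow systemd_tmpfiles_t init_t:file { open getattr read };` keeps each domain's rules together and makes later rebases of this series less error-prone. The systemd.te hunk is only partly visible here, so the exact insertion point is inferred from the hunk header.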
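--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+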
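Review bot: The clock.fc hunk deletes `/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)` and re-adds the identical line two lines later, so the net change is four new entries but the diff reads as a replacement; the dmesg patch in this commit (`-/usr/bin/dmesg` immediately followed by `+/usr/bin/dmesg`) has the same shape. If the cause is a missing trailing newline in the upstream file, git would normally print a `\ No newline at end of file` marker, which this rendering does not show; otherwise inserting the new entries after the existing line keeps the patch minimal, which matters for a patch marked `Upstream-Status: Pending`. A sentence in the description naming which alternatives the layer actually installs would also help a reader judge whether `/sbin/hwclock` and the busybox path are both still needed.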
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
index b01947d..f67221a 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -1,4 +1,4 @@
1From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001 1From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 26 Aug 2016 17:54:29 +0530 3Date: Fri, 26 Aug 2016 17:54:29 +0530
4Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog 4Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
@@ -39,25 +39,26 @@ syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
39Upstream-Status: Pending 39Upstream-Status: Pending
40 40
41Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 41Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
42Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
42--- 43---
43 policy/modules/system/getty.te | 1 + 44 policy/modules/system/getty.te | 1 +
44 policy/modules/system/logging.te | 3 ++- 45 policy/modules/system/logging.te | 3 ++-
45 2 files changed, 3 insertions(+), 1 deletion(-) 46 2 files changed, 3 insertions(+), 1 deletion(-)
46 47
47diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te 48diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
48index 84eaf77..2e53daf 100644 49index 423db0cc..9ab03956 100644
49--- a/policy/modules/system/getty.te 50--- a/policy/modules/system/getty.te
50+++ b/policy/modules/system/getty.te 51+++ b/policy/modules/system/getty.te
51@@ -142,3 +142,4 @@ optional_policy(` 52@@ -132,3 +132,4 @@ optional_policy(`
52 53
53 allow getty_t tmpfs_t:dir search; 54 allow getty_t tmpfs_t:dir search;
54 allow getty_t tmpfs_t:file { open write lock }; 55 allow getty_t tmpfs_t:file { open write lock };
55+allow getty_t initrc_t:unix_dgram_socket sendto; 56+allow getty_t initrc_t:unix_dgram_socket sendto;
56diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te 57diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
57index 107db03..95de86d 100644 58index 520f7da6..4e02dab8 100644
58--- a/policy/modules/system/logging.te 59--- a/policy/modules/system/logging.te
59+++ b/policy/modules/system/logging.te 60+++ b/policy/modules/system/logging.te
60@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; 61@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
61 allow syslogd_t self:shm create; 62 allow syslogd_t self:shm create;
62 allow syslogd_t self:sem { create read unix_write write }; 63 allow syslogd_t self:sem { create read unix_write write };
63 allow syslogd_t self:shm { read unix_read unix_write write }; 64 allow syslogd_t self:shm { read unix_read unix_write write };
@@ -65,5 +66,5 @@ index 107db03..95de86d 100644
65+allow syslogd_t tmpfs_t:file { read write create getattr append open }; 66+allow syslogd_t tmpfs_t:file { read write create getattr append open };
66+allow syslogd_t tmpfs_t:dir { search write add_name }; 67+allow syslogd_t tmpfs_t:dir { search write add_name };
67-- 68--
681.9.1 692.19.1
69 70
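Review bot: `allow syslogd_t tmpfs_t:file { read write create getattr append open }` together with `allow syslogd_t tmpfs_t:dir { search write add_name }` lets syslogd create and write any file carrying the generic `tmpfs_t` label, not only its own log files under the volatile log directory that the description's denial refers to. A file transition to a log type for what syslogd creates there (the logging module already defines `var_log_t`) would keep the grant scoped to syslog's own files, and the same broad-label pattern appears in the `getty_t` tmpfs rules this patch also carries. These lines were carried over unchanged from the previous version of the patch, so this is a pre-existing shape rather than something the rebase introduced, but the rebase is a natural point to tighten it.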
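--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.19.1
+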
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
index f01e5aa..09576fa 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,18 +1,20 @@
1Subject: [PATCH] refpolicy: fix real path for ssh 1From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 09:20:58 -0400
4Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
2 5
3Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
4 7
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7--- 9---
8 policy/modules/services/ssh.fc | 1 + 10 policy/modules/services/ssh.fc | 1 +
9 1 file changed, 1 insertion(+) 11 1 file changed, 1 insertion(+)
10 12
13diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
14index 4ac3e733..1f453091 100644
11--- a/policy/modules/services/ssh.fc 15--- a/policy/modules/services/ssh.fc
12+++ b/policy/modules/services/ssh.fc 16+++ b/policy/modules/services/ssh.fc
13@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste 17@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
14
15 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
16 /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) 18 /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
17 19
18 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) 20 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
@@ -20,5 +22,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
20 /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) 22 /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
21 /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) 23 /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
22 /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) 24 /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
23 25--
24 /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) 262.19.1
27
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
index 88c8c45..f02bd3a 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -1,37 +1,48 @@
1From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001 1From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Tue, 9 Jun 2015 21:22:52 +0530 3Date: Tue, 9 Jun 2015 21:22:52 +0530
4Subject: [PATCH] refpolicy: fix real path for sysnetwork 4Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
5 5
6Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
7 7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> 9Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11--- 11---
12 policy/modules/system/sysnetwork.fc | 3 +++ 12 policy/modules/system/sysnetwork.fc | 10 ++++++++++
13 1 file changed, 3 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
16index ac7c2dd1..4e441503 100644
15--- a/policy/modules/system/sysnetwork.fc 17--- a/policy/modules/system/sysnetwork.fc
16+++ b/policy/modules/system/sysnetwork.fc 18+++ b/policy/modules/system/sysnetwork.fc
17@@ -54,17 +54,20 @@ ifdef(`distro_redhat',` 19@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
18 /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
19 /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
20 /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) 20 /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
21 /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 21 /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
22 /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 22 /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
23+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 23+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
24+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 24+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
25 /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 25 /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
26 /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 26 /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
27 /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 27 /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
28 /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 28@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
29 /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 29 /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
30 /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 30 /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
31 /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 31 /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
32+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 32+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
33 /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) 33 /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
34 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 34 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
35 35
36+#
37+# /usr/lib/busybox
38+#
39+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
40+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
41+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
42+
36 # 43 #
37 # /var 44 # /var
45 #
46--
472.19.1
48
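--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
+From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 009d821a..cc438609 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+--
+2.19.1
+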
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..6ffabe4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
1From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 09:54:07 -0400
4Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
5
6Upstream-Status: Pending
7
8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9---
10 policy/modules/admin/rpm.fc | 5 ++++-
11 1 file changed, 4 insertions(+), 1 deletion(-)
12
13diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
14index 578d465c..f2b8003a 100644
15--- a/policy/modules/admin/rpm.fc
16+++ b/policy/modules/admin/rpm.fc
17@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
18 /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
19
20 ifdef(`enable_mls',`
21-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
22+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
23+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
24+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
25 ')
26+
27--
282.19.1
29
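Review bot: The new `/usr/bin/cpio.cpio` entry at line 24 leaves the dot unescaped, so as a file_contexts regex it matches any single character between the two `cpio` tokens rather than the literal alternatives suffix; the sibling patches in this series escape it (`su\.shadow`, `su\.util-linux`, `mii-tool\.net-tools`, `blkid\.util-linux`). Change the line to `/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The blank line added at line 26 after the closing `')` is whitespace-only churn and could be dropped. The enclosing `ifdef(`enable_mls'` block is only partly shown by the hunk.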
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
index 41c32df..c0fbb69 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,20 +1,26 @@
1From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 1From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com> 2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Thu, 13 Feb 2014 00:33:07 -0500 3Date: Thu, 13 Feb 2014 00:33:07 -0500
4Subject: [PATCH] fix real path for su.shadow command 4Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
5 5
6Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Pending
7 7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 10---
11 policy/modules/admin/su.fc | 2 ++ 11 policy/modules/admin/su.fc | 2 ++
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
15index 3375c969..435a6892 100644
14--- a/policy/modules/admin/su.fc 16--- a/policy/modules/admin/su.fc
15+++ b/policy/modules/admin/su.fc 17+++ b/policy/modules/admin/su.fc
16@@ -1,3 +1,4 @@ 18@@ -1,3 +1,5 @@
17 /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) 19 /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
18 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) 20 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
19 /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) 21 /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
20+/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) 22+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
23+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
24--
252.19.1
26
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
index d887e96..34e9830 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -1,55 +1,47 @@
1From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 1From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com> 2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Mon, 27 Jan 2014 03:54:01 -0500 3Date: Mon, 27 Jan 2014 03:54:01 -0500
4Subject: [PATCH] refpolicy: fix real path for fstools 4Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
5 5
6Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
7 7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 9Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11--- 11---
12 policy/modules/system/fstools.fc | 7 +++++++ 12 policy/modules/system/fstools.fc | 12 ++++++++++++
13 1 file changed, 7 insertions(+) 13 1 file changed, 12 insertions(+)
14 14
15diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
16index 8fbd5ce4..d719e22c 100644
15--- a/policy/modules/system/fstools.fc 17--- a/policy/modules/system/fstools.fc
16+++ b/policy/modules/system/fstools.fc 18+++ b/policy/modules/system/fstools.fc
17@@ -55,10 +55,11 @@ 19@@ -58,6 +58,7 @@
18 /usr/bin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
19
20 /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) 20 /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
21 /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) 21 /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
22 /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 22 /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
23+/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 23+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
24 /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) 24 /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
25 /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) 25 /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
26 /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) 26 /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
27 /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) 27@@ -72,10 +73,12 @@
28 /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
29@@ -68,14 +69,16 @@
30 /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
31 /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
32 /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) 28 /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
33 /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) 29 /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
34 /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) 30 /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
35+/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 31+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
36 /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 32 /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
37 /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) 33 /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
38 /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) 34 /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
39 /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) 35 /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
40+/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 36+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
41 /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) 37 /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
42 /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) 38 /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
43 /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) 39 /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
44 /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 40@@ -88,17 +91,20 @@
45 /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
46@@ -84,21 +87,24 @@
47 /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
48 /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
49 /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 41 /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
50 /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 42 /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
51 /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) 43 /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
52+/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 44+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
53 /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) 45 /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
54 /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) 46 /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
55 /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) 47 /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -62,9 +54,23 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
62 /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) 54 /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
63 /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) 55 /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
64 /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) 56 /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
65+/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) 57+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
66 /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) 58 /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
67 /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 59 /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
68 /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) 60 /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
69 /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) 61@@ -108,6 +114,12 @@
70 /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) 62 /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
63 /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
64
65+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
66+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
67+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
68+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
69+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
70+
71 /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
72
73 /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
74--
752.19.1
76
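Review bot: The busybox entries added at new lines 65-69 are dropped into the tail of the `/usr/sbin` section without the `#` / `# /usr/lib/busybox` / `#` header that the sysnetwork patch earlier in this commit uses for the same kind of block, so a reader of fstools.fc has no cue that these paths belong to a different install prefix. Adding the same three-line header above `/usr/lib/busybox/sbin/blkid` keeps the two patches consistent. The rest of this patch is the welcome `/.util-linux` → `\.util-linux` correction and needs no change.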
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
index dc623d3..8455c08 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -1,7 +1,8 @@
1From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 1From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 1/6] Add the syslogd_t to trusted object 4Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
5 object
5 6
6We add the syslogd_t to trusted object, because other process need 7We add the syslogd_t to trusted object, because other process need
7to have the right to connectto/sendto /dev/log. 8to have the right to connectto/sendto /dev/log.
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com>
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14--- 15---
15 policy/modules/system/logging.te | 1 + 16 policy/modules/system/logging.te | 1 +
16 1 file changed, 1 insertion(+) 17 1 file changed, 1 insertion(+)
17 18
19diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
20index 07ed546d..a7b69932 100644
18--- a/policy/modules/system/logging.te 21--- a/policy/modules/system/logging.te
19+++ b/policy/modules/system/logging.te 22+++ b/policy/modules/system/logging.te
20@@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo 23@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
21
22 fs_getattr_all_fs(syslogd_t)
23 fs_search_auto_mountpoints(syslogd_t) 24 fs_search_auto_mountpoints(syslogd_t)
24 25
25 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories 26 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 28
28 term_write_console(syslogd_t) 29 term_write_console(syslogd_t)
29 # Allow syslog to a terminal 30 # Allow syslog to a terminal
30 term_write_unallocated_ttys(syslogd_t) 31--
31 322.19.1
33
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100644
index 0000000..b253f84
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
1From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
5 /var/log
6
7/var/log is a symlink in poky, so we need allow rules for files to read
8lnk_file while doing search/list/delete/rw... in /var/log/ directory.
9
10Upstream-Status: Inappropriate [only for Poky]
11
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14---
15 policy/modules/system/logging.fc | 1 +
16 policy/modules/system/logging.if | 6 ++++++
17 policy/modules/system/logging.te | 2 ++
18 3 files changed, 9 insertions(+)
19
20diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
21index 0cf108e0..5bec7e99 100644
22--- a/policy/modules/system/logging.fc
23+++ b/policy/modules/system/logging.fc
24@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
25 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
26
27 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
28+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
29 /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
30 /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
31 /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
32diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
33index 16091eb6..e83cb5b5 100644
34--- a/policy/modules/system/logging.if
35+++ b/policy/modules/system/logging.if
36@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
37 interface(`logging_read_all_logs',`
38 gen_require(`
39 attribute logfile;
40+ type var_log_t;
41 ')
42
43 files_search_var($1)
44 allow $1 logfile:dir list_dir_perms;
45+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
46 read_files_pattern($1, logfile, logfile)
47 ')
48
49@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
50 interface(`logging_exec_all_logs',`
51 gen_require(`
52 attribute logfile;
53+ type var_log_t;
54 ')
55
56 files_search_var($1)
57 allow $1 logfile:dir list_dir_perms;
58+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
59 can_exec($1, logfile)
60 ')
61
62@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
63
64 files_search_var($1)
65 allow $1 var_log_t:dir list_dir_perms;
66+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
67 read_files_pattern($1, var_log_t, var_log_t)
68 ')
69
70@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
71
72 files_search_var($1)
73 manage_files_pattern($1, var_log_t, var_log_t)
74+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
75 ')
76
77 ########################################
78diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
79index a7b69932..fa5664b0 100644
80--- a/policy/modules/system/logging.te
81+++ b/policy/modules/system/logging.te
82@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
83 allow auditd_t auditd_log_t:dir setattr;
84 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
85 allow auditd_t var_log_t:dir search_dir_perms;
86+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
87
88 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
89 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
90@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
91 allow audisp_remote_t self:process { getcap setcap };
92 allow audisp_remote_t self:tcp_socket create_socket_perms;
93 allow audisp_remote_t var_log_t:dir search_dir_perms;
94+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
95
96 manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
97 manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
98--
992.19.1
100
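Review bot: In `logging_manage_generic_logs` (new line 74) the `allow $1 var_log_t:lnk_file read_lnk_file_perms;` rule is appended after `manage_files_pattern`, whereas the three other interfaces in this patch place it before the pattern call, next to the `dir` rule; keeping the same order makes the symlink rule easy to find in each interface. None of the added rules carries a comment explaining why a `lnk_file` read on `var_log_t` is needed; a one-line `# /var/log is a symlink in poky` above each added rule (in both the `.if` and `.te` hunks) would carry the rationale from the commit message into the policy itself. Each interface body is only partly shown by its hunk, so the gen_require blocks of the two generic interfaces are assumed to already provide `var_log_t`.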
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100644
index 0000000..588c5c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
1From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 10:33:18 -0400
4Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
5 /var/log
6
7We have added rules for the symlink of /var/log in logging.if, while
8syslogd_t uses /var/log but does not use the interfaces in logging.if. So
9still need add a individual rule for syslogd_t.
10
11Upstream-Status: Inappropriate [only for Poky]
12
13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15---
16 policy/modules/system/logging.te | 1 +
17 1 file changed, 1 insertion(+)
18
19diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
20index fa5664b0..63e92a8e 100644
21--- a/policy/modules/system/logging.te
22+++ b/policy/modules/system/logging.te
23@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
24
25 # Allow access for syslog-ng
26 allow syslogd_t var_log_t:dir { create setattr };
27+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
28
29 # for systemd but can not be conditional
30 files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
31--
322.19.1
33
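Review bot: The new rule at line 27 lands directly under the `# Allow access for syslog-ng` comment, so a reader will take it as a syslog-ng rule, whereas per the commit message it is a poky-specific symlink rule for all of `syslogd_t`. Separate it from that block with a blank line and its own comment, `# /var/log is a symlink in poky; syslogd_t does not use the logging.if interfaces`, placed above the `allow` line. The `From:` line names Joe MacDonald with a 2019 date while the first sign-off is Xin Ouyang's; presumably the rule was split out of patch 0018, which is fine if intended but worth a sentence in the body.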
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
index b828b7a..3d55476 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -1,7 +1,8 @@
1From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 1From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 11:20:00 +0800 3Date: Fri, 23 Aug 2013 11:20:00 +0800
4Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ 4Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
5 symlinks in /var/
5 6
6Except /var/log,/var/run,/var/lock, there still other subdir symlinks in 7Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
7/var for poky, so we need allow rules for all domains to read these 8/var for poky, so we need allow rules for all domains to read these
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky]
13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 14Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 15Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15--- 16---
16 policy/modules/kernel/domain.te | 3 +++ 17 policy/modules/kernel/domain.te | 3 +++
17 1 file changed, 3 insertions(+) 18 1 file changed, 3 insertions(+)
18 19
20diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
21index 1a55e3d2..babb794f 100644
19--- a/policy/modules/kernel/domain.te 22--- a/policy/modules/kernel/domain.te
20+++ b/policy/modules/kernel/domain.te 23+++ b/policy/modules/kernel/domain.te
21@@ -108,10 +108,13 @@ dev_rw_zero(domain) 24@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
22 term_use_controlling_term(domain)
23
24 # list the root directory 25 # list the root directory
25 files_list_root(domain) 26 files_list_root(domain)
26 27
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
30 ifdef(`hide_broken_symptoms',` 31 ifdef(`hide_broken_symptoms',`
31 # This check is in the general socket 32 # This check is in the general socket
32 # listen code, before protocol-specific 33 # listen code, before protocol-specific
33 # listen function is called, so bad calls 34--
34 # to listen on UDP sockets should be silenced 352.19.1
36
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
index d3c1ee5..2546457 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -1,7 +1,7 @@
1From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 1From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH] add rules for the symlink of /tmp 4Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
5 5
6/tmp is a symlink in poky, so we need allow rules for files to read 6/tmp is a symlink in poky, so we need allow rules for files to read
7lnk_file while doing search/list/delete/rw.. in /tmp/ directory. 7lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky]
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 13---
14 policy/modules/kernel/files.fc | 1 + 14 policy/modules/kernel/files.fc | 1 +
15 policy/modules/kernel/files.if | 8 ++++++++ 15 policy/modules/kernel/files.if | 8 ++++++++
16 2 files changed, 9 insertions(+) 16 2 files changed, 9 insertions(+)
17 17
18diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
19index c3496c21..05b1734b 100644
18--- a/policy/modules/kernel/files.fc 20--- a/policy/modules/kernel/files.fc
19+++ b/policy/modules/kernel/files.fc 21+++ b/policy/modules/kernel/files.fc
20@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>> 22@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
21
22 #
23 # /tmp 23 # /tmp
24 # 24 #
25 /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) 25 /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 /tmp/.* <<none>> 27 /tmp/.* <<none>>
28 /tmp/\.journal <<none>> 28 /tmp/\.journal <<none>>
29 29
30 /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) 30diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
31 /tmp/lost\+found/.* <<none>> 31index f1c94411..eb067ad3 100644
32--- a/policy/modules/kernel/files.if 32--- a/policy/modules/kernel/files.if
33+++ b/policy/modules/kernel/files.if 33+++ b/policy/modules/kernel/files.if
34@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` 34@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
35 gen_require(`
36 type tmp_t;
37 ') 35 ')
38 36
39 allow $1 tmp_t:dir search_dir_perms; 37 allow $1 tmp_t:dir search_dir_perms;
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
41 ') 39 ')
42 40
43 ######################################## 41 ########################################
44 ## <summary> 42@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
45 ## Do not audit attempts to search the tmp directory (/tmp).
46@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
47 gen_require(`
48 type tmp_t;
49 ') 43 ')
50 44
51 allow $1 tmp_t:dir list_dir_perms; 45 allow $1 tmp_t:dir list_dir_perms;
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
53 ') 47 ')
54 48
55 ######################################## 49 ########################################
56 ## <summary> 50@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
57 ## Do not audit listing of the tmp directory (/tmp).
58@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
59 gen_require(`
60 type tmp_t;
61 ') 51 ')
62 52
63 allow $1 tmp_t:dir del_entry_dir_perms; 53 allow $1 tmp_t:dir del_entry_dir_perms;
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
65 ') 55 ')
66 56
67 ######################################## 57 ########################################
68 ## <summary> 58@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
69 ## Read files in the tmp directory (/tmp).
70@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
71 gen_require(`
72 type tmp_t;
73 ') 59 ')
74 60
75 read_files_pattern($1, tmp_t, tmp_t) 61 read_files_pattern($1, tmp_t, tmp_t)
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
77 ') 63 ')
78 64
79 ######################################## 65 ########################################
80 ## <summary> 66@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
81 ## Manage temporary directories in /tmp.
82@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
83 gen_require(`
84 type tmp_t;
85 ') 67 ')
86 68
87 manage_dirs_pattern($1, tmp_t, tmp_t) 69 manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
89 ') 71 ')
90 72
91 ######################################## 73 ########################################
92 ## <summary> 74@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
93 ## Manage temporary files and directories in /tmp.
94@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
95 gen_require(`
96 type tmp_t;
97 ') 75 ')
98 76
99 manage_files_pattern($1, tmp_t, tmp_t) 77 manage_files_pattern($1, tmp_t, tmp_t)
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
101 ') 79 ')
102 80
103 ######################################## 81 ########################################
104 ## <summary> 82@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
105 ## Read symbolic links in the tmp directory (/tmp).
106@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
107 gen_require(`
108 type tmp_t;
109 ') 83 ')
110 84
111 rw_sock_files_pattern($1, tmp_t, tmp_t) 85 rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
113 ') 87 ')
114 88
115 ######################################## 89 ########################################
116 ## <summary> 90@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
117 ## Mount filesystems in the tmp directory (/tmp)
118@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
119 gen_require(`
120 type tmp_t;
121 ') 91 ')
122 92
123 filetrans_pattern($1, tmp_t, $2, $3, $4) 93 filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
125 ') 95 ')
126 96
127 ######################################## 97 ########################################
128 ## <summary> 98--
129 ## Delete the contents of /tmp. 992.19.1
100
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
index 7be7147..3281ae8 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -1,21 +1,22 @@
1From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 1From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. 4Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
5 to complete pty devices.
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/kernel/terminal.if | 16 ++++++++++++++++ 12 policy/modules/kernel/terminal.if | 16 ++++++++++++++++
12 1 file changed, 16 insertions(+) 13 1 file changed, 16 insertions(+)
13 14
15diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
16index 61308843..a84787e6 100644
14--- a/policy/modules/kernel/terminal.if 17--- a/policy/modules/kernel/terminal.if
15+++ b/policy/modules/kernel/terminal.if 18+++ b/policy/modules/kernel/terminal.if
16@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',` 19@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
17 ## </param>
18 #
19 interface(`term_dontaudit_getattr_generic_ptys',` 20 interface(`term_dontaudit_getattr_generic_ptys',`
20 gen_require(` 21 gen_require(`
21 type devpts_t; 22 type devpts_t;
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 ') 28 ')
28 ######################################## 29 ########################################
29 ## <summary> 30 ## <summary>
30 ## ioctl of generic pty devices. 31@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
31 ## </summary>
32@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
33 #
34 # cjp: added for ppp
35 interface(`term_ioctl_generic_ptys',` 32 interface(`term_ioctl_generic_ptys',`
36 gen_require(` 33 gen_require(`
37 type devpts_t; 34 type devpts_t;
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
45 ') 42 ')
46 43
47 ######################################## 44 ########################################
48 ## <summary> 45@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
49 ## Allow setting the attributes of
50@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
51 #
52 # dwalsh: added for rhgb
53 interface(`term_setattr_generic_ptys',` 46 interface(`term_setattr_generic_ptys',`
54 gen_require(` 47 gen_require(`
55 type devpts_t; 48 type devpts_t;
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
61 ') 54 ')
62 55
63 ######################################## 56 ########################################
64 ## <summary> 57@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
65 ## Dontaudit setting the attributes of
66@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
67 #
68 # dwalsh: added for rhgb
69 interface(`term_dontaudit_setattr_generic_ptys',` 58 interface(`term_dontaudit_setattr_generic_ptys',`
70 gen_require(` 59 gen_require(`
71 type devpts_t; 60 type devpts_t;
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
77 ') 66 ')
78 67
79 ######################################## 68 ########################################
80 ## <summary> 69@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
81 ## Read and write the generic pty
82@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
83 ## </param>
84 #
85 interface(`term_use_generic_ptys',` 70 interface(`term_use_generic_ptys',`
86 gen_require(` 71 gen_require(`
87 type devpts_t; 72 type devpts_t;
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
95 ') 80 ')
96 81
97 ######################################## 82 ########################################
98 ## <summary> 83@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
99 ## Dot not audit attempts to read and
100@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
101 ## </param>
102 #
103 interface(`term_dontaudit_use_generic_ptys',` 84 interface(`term_dontaudit_use_generic_ptys',`
104 gen_require(` 85 gen_require(`
105 type devpts_t; 86 type devpts_t;
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
111 ') 92 ')
112 93
113 ####################################### 94 #######################################
114 ## <summary> 95@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
115 ## Set the attributes of the tty device
116@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
117 ## </param>
118 #
119 interface(`term_setattr_controlling_term',` 96 interface(`term_setattr_controlling_term',`
120 gen_require(` 97 gen_require(`
121 type devtty_t; 98 type devtty_t;
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
128 ') 105 ')
129 106
130 ######################################## 107 ########################################
131 ## <summary> 108@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
132 ## Read and write the controlling
133@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
134 ## </param>
135 #
136 interface(`term_use_controlling_term',` 109 interface(`term_use_controlling_term',`
137 gen_require(` 110 gen_require(`
138 type devtty_t; 111 type devtty_t;
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
145 ') 118 ')
146 119
147 ####################################### 120 #######################################
148 ## <summary> 121--
149 ## Get the attributes of the pty multiplexor (/dev/ptmx). 1222.19.1
123
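Review bot: `Upstream-Status: Pending` in the rebased header is carried unchanged from a patch dated 2013, and the same stale tag is carried by 0025, 0027, 0028 and 0031 in this chunk; six years on, "Pending" no longer tells a reader whether the change was ever proposed to refpolicy. Each of those headers should either record the upstream submission or commit it landed as, or be reclassified (for example `Upstream-Status: Inappropriate [embedded specific]` if that is the real reason it is still carried) so the layer's patch inventory stays accurate. Only the file path, the patch numbering and the hunk offsets change in this section, so the policy rules themselves are the ones the layer already shipped.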
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
index 346872a..887af46 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -1,7 +1,8 @@
1From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 1From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. 4Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
5 term_dontaudit_use_console.
5 6
6We should also not audit terminal to rw tty_device_t and fds in 7We should also not audit terminal to rw tty_device_t and fds in
7term_dontaudit_use_console. 8term_dontaudit_use_console.
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky]
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 14---
14 policy/modules/kernel/terminal.if | 3 +++ 15 policy/modules/kernel/terminal.if | 3 +++
15 1 file changed, 3 insertions(+) 16 1 file changed, 3 insertions(+)
16 17
18diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
19index a84787e6..cf66da2f 100644
17--- a/policy/modules/kernel/terminal.if 20--- a/policy/modules/kernel/terminal.if
18+++ b/policy/modules/kernel/terminal.if 21+++ b/policy/modules/kernel/terminal.if
19@@ -297,13 +297,16 @@ interface(`term_use_console',` 22@@ -335,9 +335,12 @@ interface(`term_use_console',`
20 ## </param>
21 #
22 interface(`term_dontaudit_use_console',` 23 interface(`term_dontaudit_use_console',`
23 gen_require(` 24 gen_require(`
24 type console_device_t; 25 type console_device_t;
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
31 ') 32 ')
32 33
33 ######################################## 34 ########################################
34 ## <summary> 35--
35 ## Set the attributes of the console 362.19.1
37
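--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
+From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 47fa2fd0..d4209231 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
++kernel_mounton_proc(nfsd_t)
+
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+--
+2.19.1
+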
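Review bot: The Subject says nfsd is allowed to exec shell commands, but the only rule change is enabling `kernel_mounton_proc(nfsd_t)` on line 23 of the new patch, so the header describes a different change from the one shipped and nothing records which denial the mounton grant resolves. Suggest `Subject: [PATCH 24/34] policy/module/rpc: allow nfsd_t to mount on proc` plus one sentence in the body naming the denied operation, and a one-line comment above the rule saying what nfsd mounts there (the hunk does not show it). "Inappropriate [only for Poky]" also deserves a word on why a mounton rule for nfsd_t would not apply to other distributions.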
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
index 883daf8..b4befdd 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -1,58 +1,25 @@
1From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 1From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 12:01:53 +0800 3Date: Fri, 23 Aug 2013 12:01:53 +0800
4Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. 4Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
5 nfsd_fs_t.
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/contrib/rpc.te | 5 +++++ 12 policy/modules/kernel/filesystem.te | 1 +
12 policy/modules/contrib/rpcbind.te | 5 +++++ 13 policy/modules/kernel/kernel.te | 2 ++
13 policy/modules/kernel/filesystem.te | 1 + 14 policy/modules/services/rpc.te | 5 +++++
14 policy/modules/kernel/kernel.te | 2 ++ 15 policy/modules/services/rpcbind.te | 5 +++++
15 4 files changed, 13 insertions(+) 16 4 files changed, 13 insertions(+)
16 17
17--- a/policy/modules/contrib/rpcbind.te 18diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
18+++ b/policy/modules/contrib/rpcbind.te 19index 1db0c652..bf1c0173 100644
19@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
20
21 logging_send_syslog_msg(rpcbind_t)
22
23 miscfiles_read_localization(rpcbind_t)
24
25+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
26+# because the are running in different level. So add rules to allow this.
27+mls_socket_read_all_levels(rpcbind_t)
28+mls_socket_write_all_levels(rpcbind_t)
29+
30 ifdef(`distro_debian',`
31 term_dontaudit_use_unallocated_ttys(rpcbind_t)
32 ')
33--- a/policy/modules/contrib/rpc.te
34+++ b/policy/modules/contrib/rpc.te
35@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
36 files_read_non_auth_files(nfsd_t)
37 ')
38
39 optional_policy(`
40 mount_exec(nfsd_t)
41+ # Should domtrans to mount_t while mounting nfsd_fs_t.
42+ mount_domtrans(nfsd_t)
43+ # nfsd_t need to chdir to /var/lib/nfs and read files.
44+ files_list_var(nfsd_t)
45+ rpc_read_nfs_state_data(nfsd_t)
46 ')
47
48 ########################################
49 #
50 # GSSD local policy
51--- a/policy/modules/kernel/filesystem.te 20--- a/policy/modules/kernel/filesystem.te
52+++ b/policy/modules/kernel/filesystem.te 21+++ b/policy/modules/kernel/filesystem.te
53@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) 22@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
54 allow mvfs_t self:filesystem associate;
55 genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
56 23
57 type nfsd_fs_t; 24 type nfsd_fs_t;
58 fs_type(nfsd_fs_t) 25 fs_type(nfsd_fs_t)
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
60 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) 27 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
61 28
62 type nsfs_t; 29 type nsfs_t;
63 fs_type(nsfs_t) 30diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
64 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) 31index e971c533..ad7c823a 100644
65--- a/policy/modules/kernel/kernel.te 32--- a/policy/modules/kernel/kernel.te
66+++ b/policy/modules/kernel/kernel.te 33+++ b/policy/modules/kernel/kernel.te
67@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t) 34@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
68
69 mls_process_read_all_levels(kernel_t)
70 mls_process_write_all_levels(kernel_t) 35 mls_process_write_all_levels(kernel_t)
71 mls_file_write_all_levels(kernel_t) 36 mls_file_write_all_levels(kernel_t)
72 mls_file_read_all_levels(kernel_t) 37 mls_file_read_all_levels(kernel_t)
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
75 40
76 ifdef(`distro_redhat',` 41 ifdef(`distro_redhat',`
77 # Bugzilla 222337 42 # Bugzilla 222337
78 fs_rw_tmpfs_chr_files(kernel_t) 43diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
44index d4209231..a2327b44 100644
45--- a/policy/modules/services/rpc.te
46+++ b/policy/modules/services/rpc.te
47@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
48
49 optional_policy(`
50 mount_exec(nfsd_t)
51+ # Should domtrans to mount_t while mounting nfsd_fs_t.
52+ mount_domtrans(nfsd_t)
53+ # nfsd_t need to chdir to /var/lib/nfs and read files.
54+ files_list_var(nfsd_t)
55+ rpc_read_nfs_state_data(nfsd_t)
79 ') 56 ')
57
58 ########################################
59diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
60index 5914af99..2055c114 100644
61--- a/policy/modules/services/rpcbind.te
62+++ b/policy/modules/services/rpcbind.te
63@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
64
65 miscfiles_read_localization(rpcbind_t)
66
67+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
68+# because the are running in different level. So add rules to allow this.
69+mls_socket_read_all_levels(rpcbind_t)
70+mls_socket_write_all_levels(rpcbind_t)
71+
72 ifdef(`distro_debian',`
73 term_dontaudit_use_unallocated_ttys(rpcbind_t)
74 ')
75--
762.19.1
77
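Review bot: The rpcbind.te hunk (lines 67-70 of the new patch) grants rpcbind_t `mls_socket_read_all_levels` and `mls_socket_write_all_levels`, which lets rpcbind_t exchange socket data with every MLS level rather than only with nfsd_t as the comment describes; that is a broader exception to the MLS constraints than the stated need, and the header records no AVC denial or level pair to judge it against. If no narrower exception fits, the justification and the denial belong in the patch description, and the comment itself needs rewording: `# nfsd_t is not allowed to send to rpcbind_t over a unix_stream_socket because they run at different MLS levels, so allow this.` The same comment text is present in the old version of the patch, so this is inherited rather than introduced by the rebase.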
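--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
+From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:16:37 -0400
+Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 6790e5d0..2c95db81 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
++
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
+ ')
+
+ allow $1 security_t:filesystem unmount;
++
++ dev_getattr_sysfs($1)
++ dev_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
+ ')
+
+ dontaudit $1 security_t:dir getattr;
++ dev_dontaudit_getattr_sysfs($1)
++ dev_dontaudit_search_sysfs($1)
+ ')
+
+ ########################################
+@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_getattr_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
+ bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir list_dir_perms;
+ dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:security check_context;
+@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 self:netlink_selinux_socket create_socket_perms;
+ allow $1 security_t:dir list_dir_perms;
+@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+--
+2.19.1
+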
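Review bot: The sysfs rules are placed inconsistently across the interfaces in this patch: `selinux_mount_fs` and `selinux_remount_fs` put `dev_getattr_sysfs`/`dev_search_sysfs` before the `allow`, while `selinux_unmount_fs` (lines 45-47 of the new patch) puts them after it, and the three dontaudit interfaces get different subsets (`selinux_dontaudit_getattr_dir` gets both dontaudit rules, `selinux_dontaudit_search_fs` only search, `selinux_dontaudit_read_fs` only getattr). If the asymmetry is intentional a short comment at the first of them should say so; otherwise giving every interface the same pair in the same position would make later audits easier. The description would also read better as `SELINUXMNT has moved from /selinux to /sys/fs/selinux, so we need rules to access sysfs.`, and since that move applies to any current kernel, "Inappropriate [only for Poky]" seems worth a second look, though that is a judgement call I cannot settle from the hunk.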
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
index a1fda13..c20dd5f 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -1,7 +1,7 @@
1From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 1From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001
2From: Roy Li <rongqing.li@windriver.com> 2From: Roy Li <rongqing.li@windriver.com>
3Date: Sat, 15 Feb 2014 09:45:00 +0800 3Date: Sat, 15 Feb 2014 09:45:00 +0800
4Subject: [PATCH] allow sysadm to run rpcinfo 4Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
5 5
6Upstream-Status: Pending 6Upstream-Status: Pending
7 7
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no
11Signed-off-by: Roy Li <rongqing.li@windriver.com> 11Signed-off-by: Roy Li <rongqing.li@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 13---
14 policy/modules/roles/sysadm.te | 4 ++++ 14 policy/modules/roles/sysadm.te | 1 +
15 1 file changed, 4 insertions(+) 15 1 file changed, 1 insertion(+)
16 16
17diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
18index e411d4fd..f326d1d7 100644
17--- a/policy/modules/roles/sysadm.te 19--- a/policy/modules/roles/sysadm.te
18+++ b/policy/modules/roles/sysadm.te 20+++ b/policy/modules/roles/sysadm.te
19@@ -1169,10 +1169,14 @@ optional_policy(` 21@@ -939,6 +939,7 @@ optional_policy(`
20 virt_admin(sysadm_t, sysadm_r)
21 virt_stream_connect(sysadm_t)
22 ') 22 ')
23 23
24 optional_policy(` 24 optional_policy(`
25+ rpcbind_stream_connect(sysadm_t) 25+ rpcbind_stream_connect(sysadm_t)
26+') 26 rpcbind_admin(sysadm_t, sysadm_r)
27+
28+optional_policy(`
29 vmware_role(sysadm_r, sysadm_t)
30 ') 27 ')
31 28
32 optional_policy(` 29--
33 vnstatd_admin(sysadm_t, sysadm_r) 302.19.1
31
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
index fba7759..e0208aa 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -1,22 +1,23 @@
1From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 1From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files 4Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
5 config files
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/system/selinuxutil.if | 1 + 12 policy/modules/system/selinuxutil.if | 1 +
12 policy/modules/system/userdomain.if | 4 ++++ 13 policy/modules/system/userdomain.if | 4 ++++
13 2 files changed, 5 insertions(+) 14 2 files changed, 5 insertions(+)
14 15
16diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
17index 20024993..0fdc8c10 100644
15--- a/policy/modules/system/selinuxutil.if 18--- a/policy/modules/system/selinuxutil.if
16+++ b/policy/modules/system/selinuxutil.if 19+++ b/policy/modules/system/selinuxutil.if
17@@ -753,10 +753,11 @@ interface(`seutil_manage_config',` 20@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
18 gen_require(`
19 type selinux_config_t;
20 ') 21 ')
21 22
22 files_search_etc($1) 23 files_search_etc($1)
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
24 manage_files_pattern($1, selinux_config_t, selinux_config_t) 25 manage_files_pattern($1, selinux_config_t, selinux_config_t)
25 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) 26 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
26 ') 27 ')
27 28diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
28 ####################################### 29index 5221bd13..4cf987d1 100644
29--- a/policy/modules/system/userdomain.if 30--- a/policy/modules/system/userdomain.if
30+++ b/policy/modules/system/userdomain.if 31+++ b/policy/modules/system/userdomain.if
31@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat 32@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
32 logging_read_audit_log($1)
33 logging_read_generic_logs($1)
34 logging_read_audit_config($1) 33 logging_read_audit_config($1)
35 34
36 seutil_manage_bin_policy($1) 35 seutil_manage_bin_policy($1)
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
41 seutil_run_checkpolicy($1, $2) 40 seutil_run_checkpolicy($1, $2)
42 seutil_run_loadpolicy($1, $2) 41 seutil_run_loadpolicy($1, $2)
43 seutil_run_semanage($1, $2) 42 seutil_run_semanage($1, $2)
44 seutil_run_setfiles($1, $2) 43--
45 442.19.1
45
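--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
+From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 11:30:27 -0400
+Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
+ file count
+
+New setfiles will read /proc/mounts and use statvfs in
+file_system_count() to get file count of filesystems.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/selinuxutil.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index db6bb368..98fed2d0 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ files_dontaudit_read_all_symlinks(setfiles_t)
+
++fs_getattr_all_fs(setfiles_t)
+ fs_getattr_all_xattr_fs(setfiles_t)
+ fs_getattr_cgroup(setfiles_t)
+ fs_getattr_nfs(setfiles_t)
+--
+2.19.1
+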
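Review bot: `fs_getattr_all_fs(setfiles_t)` on line 27 of the new patch grants filesystem getattr on every filesystem type, so the three narrower lines kept right below it (`fs_getattr_all_xattr_fs`, `fs_getattr_cgroup`, `fs_getattr_nfs`) become redundant as far as I can tell, and leaving them in place hides that the grant was widened from specific types to all of them. Either drop those lines in the carried patch or put the reason above the new rule, e.g. `# setfiles statvfs()s every /proc/mounts entry, so it needs getattr on all filesystem types`, so the breadth is visible to the next reader. The header also mixes a 2019 From/Date with a 2013 first Signed-off-by; a sentence noting that the patch was reworked from the original would explain that.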
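--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
+From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 16:36:09 +0800
+Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
+ default input
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
+index e1973c78..739a4bc5 100644
+--- a/policy/modules/admin/dmesg.if
++++ b/policy/modules/admin/dmesg.if
+@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, dmesg_exec_t)
++ dev_read_kmsg($1)
+ ')
+--
+2.19.1
+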
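Review bot: This patch header carries no `Upstream-Status:` line, unlike every other patch in this series, so the layer's patch inventory cannot classify it; add one (`Upstream-Status: Pending` or whichever category applies) between the Subject and the Signed-off-by lines. On the rule itself, `dmesg_exec` runs dmesg in the caller's domain via `can_exec` with no transition, so `dev_read_kmsg($1)` on line 21 of the new patch gives every caller of this interface direct read access to /dev/kmsg; a comment making that explicit, e.g. `# dmesg runs in the caller's domain here, so the caller itself must read /dev/kmsg`, would save the next maintainer re-deriving why the grant is on $1 rather than on a dmesg domain.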
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
index 85c40a4..d002830 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -1,7 +1,8 @@
1From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 1From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001
2From: Roy Li <rongqing.li@windriver.com> 2From: Roy Li <rongqing.li@windriver.com>
3Date: Mon, 10 Feb 2014 18:10:12 +0800 3Date: Mon, 10 Feb 2014 18:10:12 +0800
4Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels 4Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
5 mls_file_write_all_levels
5 6
6Proftpd will create file under /var/run, but its mls is in high, and 7Proftpd will create file under /var/run, but its mls is in high, and
7can not write to lowlevel 8can not write to lowlevel
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm
12type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir 13type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
13type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) 14type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
14 15
15root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 16root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
16 allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 17 allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
17root@localhost:~# 18root@localhost:~#
18 19
19Signed-off-by: Roy Li <rongqing.li@windriver.com> 20Signed-off-by: Roy Li <rongqing.li@windriver.com>
20Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 21Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
21--- 22---
22 policy/modules/contrib/ftp.te | 2 ++ 23 policy/modules/services/ftp.te | 2 ++
23 1 file changed, 2 insertions(+) 24 1 file changed, 2 insertions(+)
24 25
25--- a/policy/modules/contrib/ftp.te 26diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
26+++ b/policy/modules/contrib/ftp.te 27index 29bc077c..d582cf80 100644
27@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex 28--- a/policy/modules/services/ftp.te
28 role ftpdctl_roles types ftpdctl_t; 29+++ b/policy/modules/services/ftp.te
29 30@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
30 type ftpdctl_tmp_t; 31 type ftpdctl_tmp_t;
31 files_tmp_file(ftpdctl_tmp_t) 32 files_tmp_file(ftpdctl_tmp_t)
32 33
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
35 type sftpd_t; 36 type sftpd_t;
36 domain_type(sftpd_t) 37 domain_type(sftpd_t)
37 role system_r types sftpd_t; 38 role system_r types sftpd_t;
38 39--
39 type xferlog_t; 402.19.1
41
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
index 6eba356..37d180c 100644
--- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -1,7 +1,8 @@
1From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 1From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 12 Jun 2015 19:37:52 +0530 3Date: Fri, 12 Jun 2015 19:37:52 +0530
4Subject: [PATCH] refpolicy: update for systemd related allow rules 4Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
5 rules
5 6
6It provide, the systemd support related allow rules 7It provide, the systemd support related allow rules
7 8
@@ -10,14 +11,14 @@ Upstream-Status: Pending
10Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 11Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
12--- 13---
13 policy/modules/system/init.te | 5 +++++ 14 policy/modules/system/init.te | 5 +++++
14 1 file changed, 5 insertions(+) 15 1 file changed, 5 insertions(+)
15 16
17diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
18index eabba1ed..5da25cd6 100644
16--- a/policy/modules/system/init.te 19--- a/policy/modules/system/init.te
17+++ b/policy/modules/system/init.te 20+++ b/policy/modules/system/init.te
18@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre 21@@ -1418,3 +1418,8 @@ optional_policy(`
19 optional_policy(`
20 userdom_dontaudit_search_user_home_dirs(systemprocess)
21 userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) 22 userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
22 userdom_dontaudit_write_user_tmp_files(systemprocess) 23 userdom_dontaudit_write_user_tmp_files(systemprocess)
23 ') 24 ')
@@ -26,3 +27,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
26+allow kernel_t init_t:process dyntransition; 27+allow kernel_t init_t:process dyntransition;
27+allow devpts_t device_t:filesystem associate; 28+allow devpts_t device_t:filesystem associate;
28+allow init_t self:capability2 block_suspend; 29+allow init_t self:capability2 block_suspend;
30--
312.19.1
32
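Review bot: The rules carried into init.te at the end of this hunk — `allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;`, `allow init_t self:capability2 block_suspend;` — are appended after the last optional_policy block with no init_systemd ifdef guard visible, so unless the surrounding code is already inside one they are compiled into sysvinit builds too, where a kernel-to-init dynamic transition has no legitimate use. Routing them through the existing interfaces (`kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)`, if this refpolicy tree provides them) and wrapping them in the init_systemd guard would keep raw cross-module type references out of init.te and document the intent. Since this 2015 patch is now being rebased onto 2.20190201, it is also worth checking whether upstream already grants these; duplicate allow rules compile silently, so the patch applying cleanly proves nothing.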
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
index b33e84b..644c2cd 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,7 @@
1Subject: [PATCH] refpolicy: fix optional issue on sysadm module 1From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 5 Apr 2019 11:53:28 -0400
4Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
2 5
3init and locallogin modules have a depend for sysadm module because 6init and locallogin modules have a depend for sysadm module because
4they have called sysadm interfaces(sysadm_shell_domtrans). Since 7they have called sysadm interfaces(sysadm_shell_domtrans). Since
@@ -13,15 +16,15 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 16Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 17Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15--- 18---
16 policy/modules/system/init.te | 14 ++++++++------ 19 policy/modules/system/init.te | 16 +++++++++-------
17 policy/modules/system/locallogin.te | 4 +++- 20 policy/modules/system/locallogin.te | 4 +++-
18 2 files changed, 11 insertions(+), 7 deletions(-) 21 2 files changed, 12 insertions(+), 8 deletions(-)
19 22
23diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
24index 5da25cd6..8352428a 100644
20--- a/policy/modules/system/init.te 25--- a/policy/modules/system/init.te
21+++ b/policy/modules/system/init.te 26+++ b/policy/modules/system/init.te
22@@ -344,17 +344,19 @@ ifdef(`init_systemd',` 27@@ -446,13 +446,15 @@ ifdef(`init_systemd',`
23
24 optional_policy(`
25 modutils_domtrans(init_t) 28 modutils_domtrans(init_t)
26 ') 29 ')
27 ',` 30 ',`
@@ -44,13 +47,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
44 ') 47 ')
45 ') 48 ')
46 ') 49 ')
47 50diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
48 ifdef(`distro_debian',` 51index a56f3d1f..4c679ff3 100644
49--- a/policy/modules/system/locallogin.te 52--- a/policy/modules/system/locallogin.te
50+++ b/policy/modules/system/locallogin.te 53+++ b/policy/modules/system/locallogin.te
51@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) 54@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
52 userdom_use_unpriv_users_fds(sulogin_t)
53
54 userdom_search_user_home_dirs(sulogin_t) 55 userdom_search_user_home_dirs(sulogin_t)
55 userdom_use_user_ptys(sulogin_t) 56 userdom_use_user_ptys(sulogin_t)
56 57
@@ -61,5 +62,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
61 62
62 # by default, sulogin does not use pam... 63 # by default, sulogin does not use pam...
63 # sulogin_pam might need to be defined otherwise 64 # sulogin_pam might need to be defined otherwise
64 ifdef(`sulogin_pam', ` 65--
65 selinux_get_fs_mount(sulogin_t) 662.19.1
67
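--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -0,0 +1,33 @@
+From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
+ /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/services/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index 15c4ea53..596370b1 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
+ logging_log_filetrans(httpd_t, httpd_log_t, file)
+
+ allow httpd_t httpd_modules_t:dir list_dir_perms;
+--
+2.19.1
+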
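Review bot: The new `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` references another module's type directly from apache.te instead of going through an interface; the description says the symlink handling for /var/log lives in logging.if, so the consistent fix is `logging_search_logs(httpd_t)` (or whichever logging.if interface this layer extended with the lnk_file read) rather than a raw rule here. The hunk context already calls `logging_log_filetrans(httpd_t, httpd_log_t, file)`, so the commit message's claim that apache.te does not use logging.if interfaces is not accurate. The privilege impact is small (read on var_log_t symlinks only); the point is keeping the /var/volatile/log symlink case in one place so it is not re-solved per module. The httpd_t log rules this hunk sits in begin above the hunk.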
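--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+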
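Review bot: The new aliases map onto `/var/run` and `/var/lock`, yet the context line directly above them maps `/var/run` to `/run`, which indicates this tree's file_contexts are written in the `/run` form (compare `/run/shutdown\.pid` in another patch of this series); as far as I recall libselinux applies a file_contexts.subs_dist substitution once and does not re-run it on the result, so `/var/volatile/run/foo` would become `/var/run/foo` and then fail to match a `/run/foo` entry. If that holds, the targets should be the canonical paths, e.g. `/var/volatile/run /run`, `/var/volatile/lock /run/lock`, `/var/volatile/run/lock /run/lock`. The `/var/volatile/run` and `/var/volatile/run/lock` prefixes also overlap, and which one wins is decided by libselinux's match order rather than by anything written here, so a comment plus a check with `matchpathcon /var/volatile/run/lock/x` and `matchpathcon /var/volatile/log/wtmp` would make the behaviour explicit. Getting this right matters because the refpolicy-minimum patches further down this series add generic tmpfs_t allow rules to work around exactly these mislabelled /var/volatile paths.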
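--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,53 @@
+From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/shutdown.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/system/init.fc | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 03a2230c..2ba049ff 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index cf3848db..86920167 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce93..93e9d2b4 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
+ # /usr
+ #
+ /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+--
+2.19.1
+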
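Review bot: The three `.sysvinit` entries cover only the shutdown, mountpoint and init alternatives, while sysvinit typically registers more (halt, reboot, poweroff, runlevel at least; verify with `ls -l /sbin/*.sysvinit` on a built image), and any alternative target that refpolicy labels with a specific *_exec_t but which is missing here falls back to bin_t once update-alternatives points the symlink at the `.sysvinit` file, so the associated domain transition silently stops happening. Auditing the full alternatives list once is cheaper than adding entries one denial at a time. The new `init\.sysvinit` entry is placed under /usr/sbin while the neighbouring upstream entry is `/usr/bin/init(ng)?`; confirm the subs aliases in this tree resolve both, e.g. with `matchpathcon /sbin/init.sysvinit`. This patch also lacks the `[PATCH nn/34]` series index the sibling patches carry and shares its `0001-` prefix with another patch in the same directory, so which series the recipe actually applies is not evident from the tree alone.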
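--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -0,0 +1,68 @@
+From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 6d3c4284..423db0cc 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -129,3 +129,6 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index e6221a02..4cc73327 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -620,3 +621,10 @@ optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+--
+2.19.1
+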
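Review bot: `allow auditd_t tmpfs_t:file { getattr setattr create open read append };` and the getty_t `tmpfs_t:file { open write lock }` rule treat the symptom, not the cause: the quoted denial shows `/var/volatile/log/wtmp` carrying tmpfs_t because the tmpfs mounted on /var/volatile is never relabelled, so the audit log and wtmp end up as generic tmpfs_t objects without the auditd_log_t/wtmp_t protections refpolicy gives them (including the mls_systemhigh on the audit log), and every domain with generic tmpfs write access can append to or truncate the audit trail. The honest fix is to relabel /var/volatile after it is mounted (restorecon from the init script or tmpfiles, or a context= mount option) so the existing `logging_log_filetrans` and utmp interfaces apply, and to drop these rules; if some tmpfs access is genuinely required, the fs_*_tmpfs_* interfaces are the documented way to grant it. The `tmpfs_t:dir` rule for auditd_t also lists `search` twice, and the three `initrc_t:unix_dgram_socket sendto` rules (journald running as initrc_t, presumably) are what an init.if dgram-send interface exists for, if this tree has one. The new rules end logging.te with `\ No newline at end of file`, which the next patch in the series then has to undo.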
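--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,31 @@
+From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+--
+2.19.1
+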
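Review bot: These aliases map the busybox tree onto `/bin` and `/sbin`, but the file_contexts entries in this tree are written under `/usr/bin` and `/usr/sbin` (every entry touched elsewhere in this series is in that form); as far as I recall libselinux applies one subs_dist substitution and does not re-substitute the result, so `/usr/lib/busybox/bin/sh` becomes `/bin/sh`, which matches nothing specific unless a `/bin` entry exists, and the applet keeps a generic label. Patch 0004 in this series adding an explicit `/usr/lib/busybox/bin/hostname` entry on top of this alias is consistent with the alias not taking effect. Mapping directly to the canonical form — `/usr/lib/busybox/bin /usr/bin` and `/usr/lib/busybox/sbin /usr/sbin` — and checking with `matchpathcon /usr/lib/busybox/bin/sh` (expect shell_exec_t) would settle it. This is more than cosmetic: a busybox `su`, `login` or `sh` applet that is not labelled with its *_exec_t type never gets its domain transition.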
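--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,54 @@
+From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc: denied { read write open } for pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 4c679ff3..75750e4c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -288,3 +288,13 @@ optional_policy(`
+ optional_policy(`
+ nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
+--
+2.19.1
+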
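Review bot: `allow local_login_t self:capability net_admin;` is not backed by any of the denials quoted in the description (lastlog access and sendto on the journal socket), and CAP_NET_ADMIN is far more than a login helper needs; if it comes from the journal client setting SO_SNDBUFFORCE, the refpolicy convention is `dontaudit local_login_t self:capability net_admin;`. The `var_log_t:file { create lock open read write }` and `tmpfs_t:file { create open read write lock }` rules again mask a labelling problem: the quoted denials show `/var/volatile/log/lastlog` as var_log_t on a tmpfs, whereas upstream labels lastlog with its own type and already grants local_login_t access to it through authlogin interfaces, so relabelling /var/volatile after mount removes the need for write access to every log file and every tmpfs object. The `initrc_t` fd/socket rules look like the journald-running-as-initrc_t case and belong behind init.if interfaces (`init_use_fds`, `init_dgram_send`, `init_stream_connect` or whatever this tree provides) rather than raw type references. The optional_policy block the rules follow and the rest of locallogin.te are outside the hunk.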
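--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
@@ -0,0 +1,57 @@
+From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:39:41 +0800
+Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
+rule for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 6693d87b..0cf108e0 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,6 +2,7 @@
+
+ /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+@@ -32,10 +33,12 @@
+ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 0c5be1cd..38ccfe3a 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ allow syslogd_t syslog_conf_t:dir list_dir_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+--
+2.19.1
+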
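Review bot: The new `/etc/syslog\.conf\.sysklogd` entry omits the `--` file-type field that both neighbouring conf entries carry, so it would also label a directory, socket or symlink of that name; write it as `/etc/syslog\.conf\.sysklogd -- gen_context(system_u:object_r:syslog_conf_t,s0)`. In logging.te, `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` applies the regular-file permission set to a symlink; the refpolicy macro for that class is `read_lnk_file_perms`, or better `read_lnk_files_pattern(syslogd_t, syslog_conf_t, syslog_conf_t)`, which also covers the directory search the pattern macros bundle. Minor, but it keeps the rule consistent with the file and dir rules it sits between.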
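--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,121 @@
+From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 4 +++
+ policy/modules/system/libraries.te | 3 +++
+ policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te | 6 +++++
+ 4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d8696580..e15ec4b9 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 6353ca69..4519a448 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
+
+ getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+ ')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++ class service { start status stop };
++ ')
++
++ allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++ class service start;
++ ')
++
++ allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+--
+2.19.1
+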
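Review bot: `systemd_service_file_operations()` grants `$1 lib_t:service { start status stop }`, i.e. start/stop of every systemd unit whose file is labelled lib_t, and the quoted denial shows that is what everything under /lib/systemd/system carries in this build; for unconfined_t that changes little, but the interface is public, and any confined domain it is later handed could stop auditd or start arbitrary units. The root cause is that /lib/systemd/system is not labelled with the unit type (tcontext is lib_t), so an fc entry or a `/lib /usr/lib` subs alias followed by refpolicy's existing unit-file interfaces (`init_startstop_service()` and friends, if this tree has them) would avoid a lib_t service rule entirely. Both new interfaces carry copy-pasted parameter docs — `Domain to not audit.` should read `Domain allowed access.` — and `systemd_service_lib_function` hard-codes `initrc_t` while its summary says init domain, so its name should say what it does (e.g. `systemd_initrc_start_service`). `allow unconfined_t init_t:system reload;` and the `initrc_t init_t:system { start status }` rules likewise bypass init.if; check which of the init_*_system/init_reload interfaces exist in 2.20190201 before rewriting them.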
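--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,27 @@
+From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.19.1
+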
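--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
+comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te | 7 ++++++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 28f74bac..dfa46612 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -479,3 +479,5 @@ optional_policy(`
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4cc73327..98c2bd19 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f6455f6f..b13337b9 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
+--
+2.19.1
+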
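Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` duplicates the `kernel_getattr_proc(systemd_tmpfiles_t)` call visible two lines below the insertion point, and that same interface is what the new raw `proc_t:filesystem getattr` rules for chkpwd_t and mount_t should use. `allow systemd_tmpfiles_t init_t:file read;` together with `init_t:dir search` is read access to PID 1's /proc entries, including /proc/1/environ per the quoted denial, which can expose whatever was passed in init's environment; if tmpfiles genuinely needs it (systemd's container detection reads that file), grant it through `init_read_state(systemd_tmpfiles_t)` where this tree provides it so the access is documented, otherwise dontaudit it. `allow mount_t initrc_t:udp_socket { read write };` is a leaked descriptor — the denial shows mount inheriting a socket from initrc_t — and the refpolicy convention for an inherited fd the program does not need is a dontaudit, not an allow. `allow syslogd_t tmpfs_t:file { read write };` is one more generic-tmpfs grant whose real fix is labelling, as with the earlier patches in this series.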
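--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+--
+2.19.1
+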
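Review bot: The new corecommands.fc entry on line 24 of the embedded patch leaves the dot in `bash.bash` unescaped, although file-context paths are regular expressions; the sibling patches in this series escape it (`login\.shadow`, `hwclock\.util-linux`). `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)` matches only the intended path and is consistent with the rest of the fc file. The description also speaks of /bin/bash.bash while the entry is under /usr/bin; a short sentence on how /bin resolves to /usr/bin in this policy would help a reader of the patch.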
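--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e15ec4b9..843fdcff 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
+--
+2.19.1
+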
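Review bot: The `reboot` permission is added as a raw `allow initrc_t init_t:system` rule in init.te rather than through an init.if interface, which is how refpolicy exposes cross-module access and what the `Upstream-Status: Pending` label implies will be submitted. As written it also grants every initrc_t process, not only the `systemctl --force reboot` invocation quoted in the description, the ability to request a reboot from init; if that breadth is intended, a comment above the rule naming the USER_AVC it resolves would let the next auditor of init.te see why it is there. The `[PATCH 5/9]` numbering in the Subject differs from the `NN/34` numbering used by the fc patches in this series, which suggests two separately generated series were merged.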
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
index b90b744..d098118 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -1,24 +1,30 @@
1Subject: [PATCH] fix real path for resolv.conf 1From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 4 Apr 2019 10:45:03 -0400
4Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
2 5
3Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Pending
4 7
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7--- 12---
8 policy/modules/system/sysnetwork.fc | 1 + 13 policy/modules/system/sysnetwork.fc | 1 +
9 1 files changed, 1 insertions(+), 0 deletions(-) 14 1 file changed, 1 insertion(+)
10 15
16diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
17index 1e5432a4..ac7c2dd1 100644
11--- a/policy/modules/system/sysnetwork.fc 18--- a/policy/modules/system/sysnetwork.fc
12+++ b/policy/modules/system/sysnetwork.fc 19+++ b/policy/modules/system/sysnetwork.fc
13@@ -23,10 +23,11 @@ ifdef(`distro_debian',` 20@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
14 /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
15 /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
16 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
17 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) 21 /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
18 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) 22 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
19+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
20 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) 23 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
24+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
21 25
22 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) 26 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
23 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) 27 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
24 28--
292.19.1
30
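Review bot: The rewritten patch header carries `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice on the new side (lines 9 and 11), separated by a blank line; dropping the second copy keeps the trailer block well-formed for the upstream submission the `Upstream-Status: Pending` change now promises. Since the status moved from `Inappropriate [only for Poky]` to `Pending`, the description should say why a generic `/var/run/resolv\.conf.*` entry is now considered appropriate for upstream refpolicy rather than a Poky-specific layout.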
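--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/booleans.conf | 9 +++++++++
+ policy/modules/system/mount.te | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b13337b9..74f9c1cb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+ ## <desc>
+ ## <p>
+--
+2.19.1
+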
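Review bot: The patch flips the `gen_tunable` defaults in mount.te and systemd.te to `true` and additionally ships a booleans.conf that sets the same two booleans, so both mechanisms now enable `allow_mount_anyfile` and `systemd_tmpfiles_manage_all`; the description presents these as alternatives and says the change is meant only for specific configurations, yet the `gen_tunable` edits apply to every build of this refpolicy-git recipe. Keeping one mechanism (booleans.conf alone would leave the upstream defaults untouched) and stating which configurations need it would make the scope match the intent. `allow_mount_anyfile` in particular widens what mount_t may mount on to any directory or file, which is a containment trade-off worth a comment in booleans.conf citing the `mounton` denial on initrc_var_run_t that motivates it. The typo `configuraitons` in the description could be fixed while the patch is being regenerated.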
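--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,27 @@
+From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index e22945cd..a42bc0da 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+ /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
+ /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+ /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+--
+2.19.1
+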
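--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
@@ -0,0 +1,103 @@
+From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:09 +0530
+Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
+ service
+
+1. fix for systemd services: login & journal wile using refpolicy-minimum and
+systemd as init manager.
+2. fix login duration after providing root password.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
+systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
+tclass=fifo_file permissive=0
+
+audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
+="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
+
+audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
+system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
+="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
+--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
+lib_t:s0 tclass=service
+
+[FAILED] Failed to start Flush Journal to Persistent Storage.
+See 'systemctl status systemd-journal-flush.service' for details.
+
+[FAILED] Failed to start Login Service.
+See 'systemctl status systemd-logind.service' for details.
+
+[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
+See 'systemctl status avahi-daemon.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 ++
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/systemd.if | 6 ++++--
+ policy/modules/system/systemd.te | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 843fdcff..ca8678b8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
+
+ allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
++
++allow initrc_t init_var_run_t:service stop;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75750e4c..2c2cfc7d 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
+ allow local_login_t var_run_t:sock_file write;
+ allow local_login_t tmpfs_t:dir { add_name write search};
+ allow local_login_t tmpfs_t:file { create open read write lock };
++allow local_login_t init_var_run_t:fifo_file write;
++allow local_login_t initrc_t:dbus send_msg;
++allow initrc_t local_login_t:dbus send_msg;
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 4519a448..79133e6f 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
+ #
+ interface(`systemd_service_lib_function',`
+ gen_require(`
+- class service start;
++ class service { start status stop };
++ class file { execmod open };
+ ')
+
+- allow initrc_t $1:service start;
++ allow initrc_t $1:service { start status stop };
++ allow initrc_t $1:file execmod;
+
+ ')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 74f9c1cb..f1d26a44 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
+ allow systemd_tmpfiles_t init_t:dir search;
+ allow systemd_tmpfiles_t proc_t:filesystem getattr;
+-allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t init_t:file { open getattr read };
+ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
+ kernel_getattr_proc(systemd_tmpfiles_t)
+--
+2.19.1
+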
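Review bot: The `allow initrc_t $1:file execmod;` added to `systemd_service_lib_function` in systemd.if is not explained by any denial in the description, which only shows `stop` on the `service` class plus `fifo_file write`, `file open` and dbus traffic elsewhere; `execmod` permits text relocations in mappings of the file and has nothing to do with starting or stopping a unit, so it should be dropped or the denial that needs it quoted. In the same `gen_require`, `class file { execmod open }` declares `open` that no rule in the interface uses. The interface's summary block (above the hunk, outside it) still documents only `start` and should mention `status` and `stop`. In init.te the new `allow initrc_t init_var_run_t:service stop;` could simply extend the preceding rule to `allow initrc_t init_var_run_t:service { start status stop };` instead of adding a second rule for the same type/class pair.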
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
index 3218c88..6472a21 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
@@ -1,19 +1,21 @@
1From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001 1From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Thu, 22 Aug 2013 19:09:11 +0800 3Date: Thu, 28 Mar 2019 21:58:53 -0400
4Subject: [PATCH] refpolicy: fix real path for bind. 4Subject: [PATCH 08/34] fc/bind: fix real path for bind
5 5
6Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
7 7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 10---
11 policy/modules/contrib/bind.fc | 2 ++ 11 policy/modules/services/bind.fc | 2 ++
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14--- a/policy/modules/contrib/bind.fc 14diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
15+++ b/policy/modules/contrib/bind.fc 15index b4879dc1..59498e25 100644
16@@ -1,10 +1,12 @@ 16--- a/policy/modules/services/bind.fc
17+++ b/policy/modules/services/bind.fc
18@@ -1,8 +1,10 @@
17 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 19 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
18+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 20+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
19 /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 21 /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
24 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) 26 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
25 /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) 27 /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
26 /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) 28 /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
27 /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) 29--
28 /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) 302.19.1
31
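--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
+From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te | 2 ++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++ gen_require(`
++ type tmp_t;
++ class lnk_file getattr;
++ ')
++
++ allow $1 tmp_t:lnk_file getattr;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
+
++########################################
++## <summary>
++## systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++ type sysctl_kernel_t;
++ class dir search;
++ class file { open read };
++ ')
++
++ allow $1 sysctl_kernel_t:dir search;
++ allow $1 sysctl_kernel_t:file { open read };
++
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f1d26a44..b4c64bc1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+
+ seutil_read_file_contexts(systemd_update_done_t)
+
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+ systemd_log_parse_environment(systemd_update_done_t)
+--
+2.19.1
+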
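Review bot: The two new interfaces are prefixed `systemd_service_` but are defined in files.if and kernel.if, where refpolicy convention prefixes an interface with its own module name (`files_`, `kernel_`); as named they read as systemd.if interfaces to anyone grepping for them, and the summaries ("systemd tmp files access to kernel tmp files domain") describe the caller rather than the access granted. The two calls for systemd_tmpfiles_t are also inserted into the systemd_update_done_t section of systemd.te rather than beside the other systemd_tmpfiles_t rules. The kernel.if interface grants `sysctl_kernel_t:file { open read }` although the quoted denial is only `dir search`, and the earlier systemd.te hunk in this commit already shows `kernel_read_kernel_sysctls(systemd_tmpfiles_t)`, which appears to cover sysctl access; similarly a files.if interface for reading generic tmp symlinks, if present in this refpolicy snapshot, would cover `tmp_t:lnk_file getattr` without a new interface. Since the patch is marked `Upstream-Status: Pending`, naming and placement will be the first things upstream asks to change.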
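--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,28 @@
+From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+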
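--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,70 @@
+From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+
+without this change we are getting these avc denials:
+
+audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+
+audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+
+audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+
+audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 423db0cc..9ab03956 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -132,3 +132,4 @@ optional_policy(`
+
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
++allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 98c2bd19..6a94ac12 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
++allow syslogd_t tmpfs_t:file { read write create getattr append open };
++allow syslogd_t tmpfs_t:dir { search write add_name };
+--
+2.19.1
+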
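Review bot: The new logging.te rules let syslogd_t create and write generic `tmpfs_t` files and directories; the quoted denials show this is because /var/log points at /var/volatile/log on tmpfs, so the log files end up labelled tmpfs_t instead of var_log_t and sit outside the type the logging module otherwise protects and that log readers are granted. A file transition for syslogd_t from tmpfs_t to var_log_t (refpolicy's filesystem module provides a tmpfs filetrans interface for this purpose) would give the files the proper label and make the broad tmpfs_t rules unnecessary. If the rules stay, a comment such as `# /var/log is a symlink into tmpfs-backed /var/volatile on this layout` above them would explain to the next reader why a log daemon is writing generic tmpfs_t. The getty.te addition is a one-line sendto to initrc_t's socket and needs no further comment.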
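--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,24 @@
+From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/admin/dmesg.fc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf..85d15127 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,3 @@
+-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.19.1
+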
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
index a01e2eb..ab81b31 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -1,24 +1,27 @@
1Subject: [PATCH] refpolicy: fix real path for ssh 1From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 09:20:58 -0400
4Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
2 5
3Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Pending
4 7
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7--- 9---
8 policy/modules/services/ssh.fc | 1 + 10 policy/modules/services/ssh.fc | 1 +
9 1 file changed, 1 insertion(+) 11 1 file changed, 1 insertion(+)
10 12
13diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
14index 4ac3e733..1f453091 100644
11--- a/policy/modules/services/ssh.fc 15--- a/policy/modules/services/ssh.fc
12+++ b/policy/modules/services/ssh.fc 16+++ b/policy/modules/services/ssh.fc
13@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste 17@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
14
15 /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
16 /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) 18 /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
17 19
18 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) 20 /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
19+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) 21+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
20 /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) 22 /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
21 /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) 23 /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
22 24 /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
23 /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) 25--
24 /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) 262.19.1
27
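Review bot: The rewritten ssh patch drops `Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>` (old line 5) while the change it carries is the same `/usr/bin/ssh\.openssh` file-context entry the old patch added; the bind and resolv.conf patches in this same commit keep the original sign-off when they are regenerated, so this one should too unless the entry was re-derived independently. Changing `Upstream-Status` to `Pending` is consistent with the rest of the series.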
diff --git a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
new file mode 100644
index 0000000..8346fcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,48 @@
1From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Tue, 9 Jun 2015 21:22:52 +0530
4Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
5
6Upstream-Status: Pending
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11---
12 policy/modules/system/sysnetwork.fc | 10 ++++++++++
13 1 file changed, 10 insertions(+)
14
15diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
16index ac7c2dd1..4e441503 100644
17--- a/policy/modules/system/sysnetwork.fc
18+++ b/policy/modules/system/sysnetwork.fc
19@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
20 /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
21 /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
22 /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
23+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
24+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
25 /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
26 /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
27 /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
28@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
29 /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
30 /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
31 /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
32+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
33 /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
34 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
35
36+#
37+# /usr/lib/busybox
38+#
39+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
40+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
41+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
42+
43 #
44 # /var
45 #
46--
472.19.1
48
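Review bot: `/usr/sbin/ip\.iproute2` is inserted ahead of the plain `/usr/sbin/ip` entry (patch lines 24–25), whereas `ifconfig\.net-tools` and `mii-tool\.net-tools` are placed after the entry they alternate for, and the surrounding list is otherwise alphabetical; move the line below `/usr/sbin/ip` so the ordering stays uniform. The unconditional `/usr/lib/busybox` block matches how the fstools patch in this same commit labels busybox applets, so that part is consistent across the series.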
diff --git a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100644
index 0000000..9ec2e21
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,28 @@
1From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 09:36:08 -0400
4Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
5
6Upstream-Status: Pending
7
8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9---
10 policy/modules/system/udev.fc | 2 ++
11 1 file changed, 2 insertions(+)
12
13diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
14index 606ad517..2919c0bd 100644
15--- a/policy/modules/system/udev.fc
16+++ b/policy/modules/system/udev.fc
17@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
18 /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
19 /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
20
21+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
22+
23 ifdef(`distro_redhat',`
24 /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
25 ')
26--
272.19.1
28
diff --git a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..fff816a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,29 @@
1From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 09:54:07 -0400
4Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
5
6Upstream-Status: Pending
7
8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9---
10 policy/modules/admin/rpm.fc | 5 ++++-
11 1 file changed, 4 insertions(+), 1 deletion(-)
12
13diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
14index 578d465c..f2b8003a 100644
15--- a/policy/modules/admin/rpm.fc
16+++ b/policy/modules/admin/rpm.fc
17@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
18 /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
19
20 ifdef(`enable_mls',`
21-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
22+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
23+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
24+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
25 ')
26+
27--
282.19.1
29
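Review bot: `/usr/bin/cpio.cpio` on the added line leaves the dot unescaped, unlike every other alternatives entry in this series (`su\.shadow`, `ip\.iproute2`, `blkid\.util-linux`); file_contexts paths are regular expressions, so `.` matches any character and the entry should read `/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The hunk also appends an empty line after the closing `')`, which is noise. All three entries sit inside the `ifdef(`enable_mls',` block, so cpio is relabeled to rpm_exec_t only on MLS builds; if the alternatives labeling is meant for the standard policy as well it belongs outside that conditional, but the intent is not stated in the patch.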
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
index b8597f9..b26eeea 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
@@ -1,22 +1,26 @@
1From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 1From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com> 2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Thu, 13 Feb 2014 00:33:07 -0500 3Date: Thu, 13 Feb 2014 00:33:07 -0500
4Subject: [PATCH] fix real path for su.shadow command 4Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
5 5
6Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Pending
7 7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 10---
11 policy/modules/admin/su.fc | 2 ++ 11 policy/modules/admin/su.fc | 2 ++
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
15index 3375c969..435a6892 100644
14--- a/policy/modules/admin/su.fc 16--- a/policy/modules/admin/su.fc
15+++ b/policy/modules/admin/su.fc 17+++ b/policy/modules/admin/su.fc
16@@ -2,5 +2,6 @@ 18@@ -1,3 +1,5 @@
17 /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
18
19 /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) 19 /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
20 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) 20 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
21 /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) 21 /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
22+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) 22+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
23+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
24--
252.19.1
26
diff --git a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100644
index 0000000..35676f8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
1From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Mon, 27 Jan 2014 03:54:01 -0500
4Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
5
6Upstream-Status: Pending
7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11---
12 policy/modules/system/fstools.fc | 12 ++++++++++++
13 1 file changed, 12 insertions(+)
14
15diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
16index 8fbd5ce4..d719e22c 100644
17--- a/policy/modules/system/fstools.fc
18+++ b/policy/modules/system/fstools.fc
19@@ -58,6 +58,7 @@
20 /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
21 /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
22 /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
23+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
24 /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
25 /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
26 /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
27@@ -72,10 +73,12 @@
28 /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
29 /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
30 /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
31+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
32 /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
33 /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
34 /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
35 /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
36+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
37 /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
38 /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
39 /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
40@@ -88,17 +91,20 @@
41 /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
42 /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
43 /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
44+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
45 /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
46 /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
47 /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
48 /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
49 /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
50+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
51 /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
52 /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
53 /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
54 /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
55 /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
56 /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
57+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
58 /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
59 /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
60 /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
61@@ -108,6 +114,12 @@
62 /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
63 /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
64
65+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
66+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
67+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
68+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
69+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
70+
71 /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
72
73 /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
74--
752.19.1
76
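Review bot: `/usr/sbin/raw` (patch line 50) is neither an alternatives path nor a busybox applet like every other added entry, and neither the subject nor the body mentions it, so it reads as an unrelated change bundled into a "fix real path" patch; either split it out or add a sentence to the description saying why `raw` needs fsadm_exec_t. The `swapon` handling looks right: the existing `/usr/sbin/swapon.*` pattern already covers `swapon.util-linux`, which is presumably why only the busybox `swapon` entry was added. The busybox block at patch lines 65–69 would benefit from the same `# /usr/lib/busybox` header comment the sysnetwork patch in this commit uses, so a later refpolicy rebase keeps the entries together.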
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
index b755b45..af24d90 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
@@ -1,7 +1,8 @@
1From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 1From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 1/6] Add the syslogd_t to trusted object 4Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
5 object
5 6
6We add the syslogd_t to trusted object, because other process need 7We add the syslogd_t to trusted object, because other process need
7to have the right to connectto/sendto /dev/log. 8to have the right to connectto/sendto /dev/log.
@@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com>
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14--- 15---
15 policy/modules/system/logging.te | 1 + 16 policy/modules/system/logging.te | 1 +
16 1 file changed, 1 insertion(+) 17 1 file changed, 1 insertion(+)
17 18
19diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
20index 38ccfe3a..c892f547 100644
18--- a/policy/modules/system/logging.te 21--- a/policy/modules/system/logging.te
19+++ b/policy/modules/system/logging.te 22+++ b/policy/modules/system/logging.te
20@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo 23@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
21
22 fs_getattr_all_fs(syslogd_t)
23 fs_search_auto_mountpoints(syslogd_t) 24 fs_search_auto_mountpoints(syslogd_t)
24 25
25 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories 26 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
@@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 28
28 term_write_console(syslogd_t) 29 term_write_console(syslogd_t)
29 # Allow syslog to a terminal 30 # Allow syslog to a terminal
30 term_write_unallocated_ttys(syslogd_t) 31--
31 322.19.1
33
diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
new file mode 100644
index 0000000..6dca744
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
@@ -0,0 +1,100 @@
1From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
5 /var/log
6
7/var/log is a symlink in poky, so we need allow rules for files to read
8lnk_file while doing search/list/delete/rw... in /var/log/ directory.
9
10Upstream-Status: Inappropriate [only for Poky]
11
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14---
15 policy/modules/system/logging.fc | 1 +
16 policy/modules/system/logging.if | 6 ++++++
17 policy/modules/system/logging.te | 2 ++
18 3 files changed, 9 insertions(+)
19
20diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
21index 0cf108e0..5bec7e99 100644
22--- a/policy/modules/system/logging.fc
23+++ b/policy/modules/system/logging.fc
24@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
25 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
26
27 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
28+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
29 /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
30 /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
31 /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
32diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
33index 7b7644f7..0c7268ff 100644
34--- a/policy/modules/system/logging.if
35+++ b/policy/modules/system/logging.if
36@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',`
37 interface(`logging_read_all_logs',`
38 gen_require(`
39 attribute logfile;
40+ type var_log_t;
41 ')
42
43 files_search_var($1)
44 allow $1 logfile:dir list_dir_perms;
45+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
46 read_files_pattern($1, logfile, logfile)
47 ')
48
49@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',`
50 interface(`logging_exec_all_logs',`
51 gen_require(`
52 attribute logfile;
53+ type var_log_t;
54 ')
55
56 files_search_var($1)
57 allow $1 logfile:dir list_dir_perms;
58+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
59 can_exec($1, logfile)
60 ')
61
62@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',`
63
64 files_search_var($1)
65 allow $1 var_log_t:dir list_dir_perms;
66+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
67 read_files_pattern($1, var_log_t, var_log_t)
68 ')
69
70@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',`
71
72 files_search_var($1)
73 manage_files_pattern($1, var_log_t, var_log_t)
74+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
75 ')
76
77 ########################################
78diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
79index c892f547..499a4552 100644
80--- a/policy/modules/system/logging.te
81+++ b/policy/modules/system/logging.te
82@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
83 allow auditd_t auditd_log_t:dir setattr;
84 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
85 allow auditd_t var_log_t:dir search_dir_perms;
86+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
87
88 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
89 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
90@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
91 allow audisp_remote_t self:process { getcap setcap };
92 allow audisp_remote_t self:tcp_socket create_socket_perms;
93 allow audisp_remote_t var_log_t:dir search_dir_perms;
94+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
95
96 manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
97 manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
98--
992.19.1
100
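Review bot: The four `allow $1 var_log_t:lnk_file read_lnk_file_perms;` lines added to logging.if carry no comment, so after the next refpolicy rebase nothing in the file explains why interfaces scoped to the `logfile` attribute also read a `var_log_t` symlink; add `# /var/log is a symlink on poky, see the -l entry in logging.fc` above each (or at least the first). In `logging_manage_generic_logs` the rule is placed after `manage_files_pattern`, while the other three interfaces put it before their pattern call; keep one ordering. The same comment applies to the two `allow auditd_t`/`allow audisp_remote_t var_log_t:lnk_file` lines added to logging.te.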
diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
new file mode 100644
index 0000000..a532316
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
@@ -0,0 +1,33 @@
1From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 10:33:18 -0400
4Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
5 /var/log
6
7We have added rules for the symlink of /var/log in logging.if, while
8syslogd_t uses /var/log but does not use the interfaces in logging.if. So
9still need add a individual rule for syslogd_t.
10
11Upstream-Status: Inappropriate [only for Poky]
12
13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15---
16 policy/modules/system/logging.te | 1 +
17 1 file changed, 1 insertion(+)
18
19diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
20index 499a4552..e6221a02 100644
21--- a/policy/modules/system/logging.te
22+++ b/policy/modules/system/logging.te
23@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
24
25 # Allow access for syslog-ng
26 allow syslogd_t var_log_t:dir { create setattr };
27+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
28
29 # for systemd but can not be conditional
30 files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
31--
322.19.1
33
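Review bot: The new `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` lands directly under the existing `# Allow access for syslog-ng` comment, so a reader will take it as syslog-ng specific when the commit body says it exists because /var/log is a symlink on poky; separate it with a blank line and its own comment, e.g. `# /var/log is a symlink on poky`. The trailer carries a Signed-off-by for Xin Ouyang on a 2019 commit authored by Joe MacDonald; if this was split out of the 2013 patch that precedes it in the series, a sentence in the body saying so would make the provenance clear.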
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
index b828b7a..a494671 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -1,7 +1,8 @@
1From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 1From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 11:20:00 +0800 3Date: Fri, 23 Aug 2013 11:20:00 +0800
4Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ 4Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
5 symlinks in /var/
5 6
6Except /var/log,/var/run,/var/lock, there still other subdir symlinks in 7Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
7/var for poky, so we need allow rules for all domains to read these 8/var for poky, so we need allow rules for all domains to read these
@@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky]
13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 14Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 15Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15--- 16---
16 policy/modules/kernel/domain.te | 3 +++ 17 policy/modules/kernel/domain.te | 3 +++
17 1 file changed, 3 insertions(+) 18 1 file changed, 3 insertions(+)
18 19
20diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
21index 1a55e3d2..babb794f 100644
19--- a/policy/modules/kernel/domain.te 22--- a/policy/modules/kernel/domain.te
20+++ b/policy/modules/kernel/domain.te 23+++ b/policy/modules/kernel/domain.te
21@@ -108,10 +108,13 @@ dev_rw_zero(domain) 24@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
22 term_use_controlling_term(domain)
23
24 # list the root directory 25 # list the root directory
25 files_list_root(domain) 26 files_list_root(domain)
26 27
@@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
30 ifdef(`hide_broken_symptoms',` 31 ifdef(`hide_broken_symptoms',`
31 # This check is in the general socket 32 # This check is in the general socket
32 # listen code, before protocol-specific 33 # listen code, before protocol-specific
33 # listen function is called, so bad calls 34--
34 # to listen on UDP sockets should be silenced 352.19.1
36
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
index 07ebf58..aa61a80 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
@@ -1,7 +1,7 @@
1From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 1From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH] add rules for the symlink of /tmp 4Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
5 5
6/tmp is a symlink in poky, so we need allow rules for files to read 6/tmp is a symlink in poky, so we need allow rules for files to read
7lnk_file while doing search/list/delete/rw.. in /tmp/ directory. 7lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
@@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky]
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 13---
14 policy/modules/kernel/files.fc | 1 + 14 policy/modules/kernel/files.fc | 1 +
15 policy/modules/kernel/files.if | 8 ++++++++ 15 policy/modules/kernel/files.if | 8 ++++++++
16 2 files changed, 9 insertions(+), 0 deletions(-) 16 2 files changed, 9 insertions(+)
17 17
18diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
19index c3496c21..05b1734b 100644
18--- a/policy/modules/kernel/files.fc 20--- a/policy/modules/kernel/files.fc
19+++ b/policy/modules/kernel/files.fc 21+++ b/policy/modules/kernel/files.fc
20@@ -191,10 +191,11 @@ ifdef(`distro_debian',` 22@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
21
22 #
23 # /tmp 23 # /tmp
24 # 24 #
25 /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) 25 /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
@@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 /tmp/.* <<none>> 27 /tmp/.* <<none>>
28 /tmp/\.journal <<none>> 28 /tmp/\.journal <<none>>
29 29
30 /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) 30diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
31 /tmp/lost\+found/.* <<none>> 31index f1c94411..eb067ad3 100644
32--- a/policy/modules/kernel/files.if 32--- a/policy/modules/kernel/files.if
33+++ b/policy/modules/kernel/files.if 33+++ b/policy/modules/kernel/files.if
34@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` 34@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
35 gen_require(`
36 type tmp_t;
37 ') 35 ')
38 36
39 allow $1 tmp_t:dir search_dir_perms; 37 allow $1 tmp_t:dir search_dir_perms;
@@ -41,11 +39,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
41 ') 39 ')
42 40
43 ######################################## 41 ########################################
44 ## <summary> 42@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
45 ## Do not audit attempts to search the tmp directory (/tmp).
46@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
47 gen_require(`
48 type tmp_t;
49 ') 43 ')
50 44
51 allow $1 tmp_t:dir list_dir_perms; 45 allow $1 tmp_t:dir list_dir_perms;
@@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
53 ') 47 ')
54 48
55 ######################################## 49 ########################################
56 ## <summary> 50@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
57 ## Do not audit listing of the tmp directory (/tmp).
58@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
59 gen_require(`
60 type tmp_t;
61 ') 51 ')
62 52
63 allow $1 tmp_t:dir del_entry_dir_perms; 53 allow $1 tmp_t:dir del_entry_dir_perms;
@@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
65 ') 55 ')
66 56
67 ######################################## 57 ########################################
68 ## <summary> 58@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
69 ## Read files in the tmp directory (/tmp).
70@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
71 gen_require(`
72 type tmp_t;
73 ') 59 ')
74 60
75 read_files_pattern($1, tmp_t, tmp_t) 61 read_files_pattern($1, tmp_t, tmp_t)
@@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
77 ') 63 ')
78 64
79 ######################################## 65 ########################################
80 ## <summary> 66@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
81 ## Manage temporary directories in /tmp.
82@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
83 gen_require(`
84 type tmp_t;
85 ') 67 ')
86 68
87 manage_dirs_pattern($1, tmp_t, tmp_t) 69 manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
89 ') 71 ')
90 72
91 ######################################## 73 ########################################
92 ## <summary> 74@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
93 ## Manage temporary files and directories in /tmp.
94@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
95 gen_require(`
96 type tmp_t;
97 ') 75 ')
98 76
99 manage_files_pattern($1, tmp_t, tmp_t) 77 manage_files_pattern($1, tmp_t, tmp_t)
@@ -101,11 +79,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
101 ') 79 ')
102 80
103 ######################################## 81 ########################################
104 ## <summary> 82@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
105 ## Read symbolic links in the tmp directory (/tmp).
106@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
107 gen_require(`
108 type tmp_t;
109 ') 83 ')
110 84
111 rw_sock_files_pattern($1, tmp_t, tmp_t) 85 rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
113 ') 87 ')
114 88
115 ######################################## 89 ########################################
116 ## <summary> 90@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
117 ## Mount filesystems in the tmp directory (/tmp)
118@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
119 gen_require(`
120 type tmp_t;
121 ') 91 ')
122 92
123 filetrans_pattern($1, tmp_t, $2, $3, $4) 93 filetrans_pattern($1, tmp_t, $2, $3, $4)
@@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
125 ') 95 ')
126 96
127 ######################################## 97 ########################################
128 ## <summary> 98--
129 ## Delete the contents of /tmp. 992.19.1
100
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
index ad7b5a6..68235b1 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
@@ -1,21 +1,22 @@
1From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 1From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. 4Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
5 to complete pty devices.
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/kernel/terminal.if | 16 ++++++++++++++++ 12 policy/modules/kernel/terminal.if | 16 ++++++++++++++++
12 1 file changed, 16 insertions(+) 13 1 file changed, 16 insertions(+)
13 14
15diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
16index 61308843..a84787e6 100644
14--- a/policy/modules/kernel/terminal.if 17--- a/policy/modules/kernel/terminal.if
15+++ b/policy/modules/kernel/terminal.if 18+++ b/policy/modules/kernel/terminal.if
16@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',` 19@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
17 ## </param>
18 #
19 interface(`term_dontaudit_getattr_generic_ptys',` 20 interface(`term_dontaudit_getattr_generic_ptys',`
20 gen_require(` 21 gen_require(`
21 type devpts_t; 22 type devpts_t;
@@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27 ') 28 ')
28 ######################################## 29 ########################################
29 ## <summary> 30 ## <summary>
30 ## ioctl of generic pty devices. 31@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
31 ## </summary>
32@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
33 #
34 # cjp: added for ppp
35 interface(`term_ioctl_generic_ptys',` 32 interface(`term_ioctl_generic_ptys',`
36 gen_require(` 33 gen_require(`
37 type devpts_t; 34 type devpts_t;
@@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
45 ') 42 ')
46 43
47 ######################################## 44 ########################################
48 ## <summary> 45@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
49 ## Allow setting the attributes of
50@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
51 #
52 # dwalsh: added for rhgb
53 interface(`term_setattr_generic_ptys',` 46 interface(`term_setattr_generic_ptys',`
54 gen_require(` 47 gen_require(`
55 type devpts_t; 48 type devpts_t;
@@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
61 ') 54 ')
62 55
63 ######################################## 56 ########################################
64 ## <summary> 57@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
65 ## Dontaudit setting the attributes of
66@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
67 #
68 # dwalsh: added for rhgb
69 interface(`term_dontaudit_setattr_generic_ptys',` 58 interface(`term_dontaudit_setattr_generic_ptys',`
70 gen_require(` 59 gen_require(`
71 type devpts_t; 60 type devpts_t;
@@ -77,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
77 ') 66 ')
78 67
79 ######################################## 68 ########################################
80 ## <summary> 69@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
81 ## Read and write the generic pty
82@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
83 ## </param>
84 #
85 interface(`term_use_generic_ptys',` 70 interface(`term_use_generic_ptys',`
86 gen_require(` 71 gen_require(`
87 type devpts_t; 72 type devpts_t;
@@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
95 ') 80 ')
96 81
97 ######################################## 82 ########################################
98 ## <summary> 83@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
99 ## Dot not audit attempts to read and
100@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
101 ## </param>
102 #
103 interface(`term_dontaudit_use_generic_ptys',` 84 interface(`term_dontaudit_use_generic_ptys',`
104 gen_require(` 85 gen_require(`
105 type devpts_t; 86 type devpts_t;
@@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
111 ') 92 ')
112 93
113 ####################################### 94 #######################################
114 ## <summary> 95@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
115 ## Set the attributes of the tty device
116@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
117 ## </param>
118 #
119 interface(`term_setattr_controlling_term',` 96 interface(`term_setattr_controlling_term',`
120 gen_require(` 97 gen_require(`
121 type devtty_t; 98 type devtty_t;
@@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
128 ') 105 ')
129 106
130 ######################################## 107 ########################################
131 ## <summary> 108@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
132 ## Read and write the controlling
133@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
134 ## </param>
135 #
136 interface(`term_use_controlling_term',` 109 interface(`term_use_controlling_term',`
137 gen_require(` 110 gen_require(`
138 type devtty_t; 111 type devtty_t;
@@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
145 ') 118 ')
146 119
147 ####################################### 120 #######################################
148 ## <summary> 121--
149 ## Get the attributes of the pty multiplexor (/dev/ptmx). 1222.19.1
123
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
index e3ea75e..06f9207 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
@@ -1,7 +1,8 @@
1From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 1From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. 4Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
5 term_dontaudit_use_console.
5 6
6We should also not audit terminal to rw tty_device_t and fds in 7We should also not audit terminal to rw tty_device_t and fds in
7term_dontaudit_use_console. 8term_dontaudit_use_console.
@@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky]
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 14---
14 policy/modules/kernel/terminal.if | 3 +++ 15 policy/modules/kernel/terminal.if | 3 +++
15 1 file changed, 3 insertions(+) 16 1 file changed, 3 insertions(+)
16 17
18diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
19index a84787e6..cf66da2f 100644
17--- a/policy/modules/kernel/terminal.if 20--- a/policy/modules/kernel/terminal.if
18+++ b/policy/modules/kernel/terminal.if 21+++ b/policy/modules/kernel/terminal.if
19@@ -315,13 +315,16 @@ interface(`term_use_console',` 22@@ -335,9 +335,12 @@ interface(`term_use_console',`
20 ## </param>
21 #
22 interface(`term_dontaudit_use_console',` 23 interface(`term_dontaudit_use_console',`
23 gen_require(` 24 gen_require(`
24 type console_device_t; 25 type console_device_t;
@@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
31 ') 32 ')
32 33
33 ######################################## 34 ########################################
34 ## <summary> 35--
35 ## Set the attributes of the console 362.19.1
37
diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..01f6c8b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,29 @@
1From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
5
6Upstream-Status: Inappropriate [only for Poky]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/services/rpc.te | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
15index 47fa2fd0..d4209231 100644
16--- a/policy/modules/services/rpc.te
17+++ b/policy/modules/services/rpc.te
18@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
19 kernel_dontaudit_getattr_core_if(nfsd_t)
20 kernel_setsched(nfsd_t)
21 kernel_request_load_module(nfsd_t)
22-# kernel_mounton_proc(nfsd_t)
23+kernel_mounton_proc(nfsd_t)
24
25 corenet_sendrecv_nfs_server_packets(nfsd_t)
26 corenet_tcp_bind_nfs_port(nfsd_t)
27--
282.19.1
29
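Review bot: The subject `policy/module/rpc: allow nfsd to exec shell commands.` does not describe what this patch does; its only hunk turns the commented-out `# kernel_mounton_proc(nfsd_t)` into an active `kernel_mounton_proc(nfsd_t)`, which is a mount-on-/proc permission, not a shell-exec one. Anyone auditing which privileges this layer adds to nfsd_t would be misled by the name, so the subject (and ideally the new file name) should state the actual grant, e.g. `policy/module/rpc: allow nfsd_t to mount on proc`. Since upstream deliberately ships this rule commented out and the patch is tagged `Upstream-Status: Inappropriate [only for Poky]`, a sentence in the body saying what on a Poky system needs the mount would make the deviation reviewable at the next rebase.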
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
index d0b0073..78a4328 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
@@ -1,58 +1,25 @@
1From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 1From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 12:01:53 +0800 3Date: Fri, 23 Aug 2013 12:01:53 +0800
4Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. 4Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
5 nfsd_fs_t.
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/contrib/rpc.te | 5 +++++ 12 policy/modules/kernel/filesystem.te | 1 +
12 policy/modules/contrib/rpcbind.te | 5 +++++ 13 policy/modules/kernel/kernel.te | 2 ++
13 policy/modules/kernel/filesystem.te | 1 + 14 policy/modules/services/rpc.te | 5 +++++
14 policy/modules/kernel/kernel.te | 2 ++ 15 policy/modules/services/rpcbind.te | 5 +++++
15 4 files changed, 13 insertions(+) 16 4 files changed, 13 insertions(+)
16 17
17--- a/policy/modules/contrib/rpcbind.te 18diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
18+++ b/policy/modules/contrib/rpcbind.te 19index 41037951..b341ba83 100644
19@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t)
20
21 logging_send_syslog_msg(rpcbind_t)
22
23 miscfiles_read_localization(rpcbind_t)
24
25+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
26+# because the are running in different level. So add rules to allow this.
27+mls_socket_read_all_levels(rpcbind_t)
28+mls_socket_write_all_levels(rpcbind_t)
29+
30 ifdef(`distro_debian',`
31 term_dontaudit_use_unallocated_ttys(rpcbind_t)
32 ')
33--- a/policy/modules/contrib/rpc.te
34+++ b/policy/modules/contrib/rpc.te
35@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',`
36 files_read_non_auth_files(nfsd_t)
37 ')
38
39 optional_policy(`
40 mount_exec(nfsd_t)
41+ # Should domtrans to mount_t while mounting nfsd_fs_t.
42+ mount_domtrans(nfsd_t)
43+ # nfsd_t need to chdir to /var/lib/nfs and read files.
44+ files_list_var(nfsd_t)
45+ rpc_read_nfs_state_data(nfsd_t)
46 ')
47
48 ########################################
49 #
50 # GSSD local policy
51--- a/policy/modules/kernel/filesystem.te 20--- a/policy/modules/kernel/filesystem.te
52+++ b/policy/modules/kernel/filesystem.te 21+++ b/policy/modules/kernel/filesystem.te
53@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) 22@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
54 allow mvfs_t self:filesystem associate;
55 genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
56 23
57 type nfsd_fs_t; 24 type nfsd_fs_t;
58 fs_type(nfsd_fs_t) 25 fs_type(nfsd_fs_t)
@@ -60,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
60 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) 27 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
61 28
62 type nsfs_t; 29 type nsfs_t;
63 fs_type(nsfs_t) 30diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
64 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) 31index 8e958074..7b81c732 100644
65--- a/policy/modules/kernel/kernel.te 32--- a/policy/modules/kernel/kernel.te
66+++ b/policy/modules/kernel/kernel.te 33+++ b/policy/modules/kernel/kernel.te
67@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) 34@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
68
69 mls_process_read_all_levels(kernel_t)
70 mls_process_write_all_levels(kernel_t) 35 mls_process_write_all_levels(kernel_t)
71 mls_file_write_all_levels(kernel_t) 36 mls_file_write_all_levels(kernel_t)
72 mls_file_read_all_levels(kernel_t) 37 mls_file_read_all_levels(kernel_t)
@@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
75 40
76 ifdef(`distro_redhat',` 41 ifdef(`distro_redhat',`
77 # Bugzilla 222337 42 # Bugzilla 222337
78 fs_rw_tmpfs_chr_files(kernel_t) 43diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
44index d4209231..a2327b44 100644
45--- a/policy/modules/services/rpc.te
46+++ b/policy/modules/services/rpc.te
47@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
48
49 optional_policy(`
50 mount_exec(nfsd_t)
51+ # Should domtrans to mount_t while mounting nfsd_fs_t.
52+ mount_domtrans(nfsd_t)
53+ # nfsd_t need to chdir to /var/lib/nfs and read files.
54+ files_list_var(nfsd_t)
55+ rpc_read_nfs_state_data(nfsd_t)
79 ') 56 ')
57
58 ########################################
59diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
60index 5914af99..2055c114 100644
61--- a/policy/modules/services/rpcbind.te
62+++ b/policy/modules/services/rpcbind.te
63@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
64
65 miscfiles_read_localization(rpcbind_t)
66
67+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
68+# because the are running in different level. So add rules to allow this.
69+mls_socket_read_all_levels(rpcbind_t)
70+mls_socket_write_all_levels(rpcbind_t)
71+
72 ifdef(`distro_debian',`
73 term_dontaudit_use_unallocated_ttys(rpcbind_t)
74 ')
75--
762.19.1
77
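Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` in the rpcbind.te hunk exempt rpcbind_t from MLS socket constraints at every level, while the comment above them motivates the change only by the nfsd_t to rpcbind_t stream connection. If that single peer is the intent, the description should say why a narrower rule was not possible, so the blanket exemption reads as a deliberate decision rather than a side effect of the rebase. The explanatory comment also reads `# because the are running in different level.`; `# because they run at different MLS levels.` would be clearer. The added lines of the kernel.te hunk fall outside the rendered view, so they could not be checked here.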
diff --git a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
new file mode 100644
index 0000000..257395a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,126 @@
1From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 11:16:37 -0400
4Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
5
6SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
7add rules to access sysfs.
8
9Upstream-Status: Inappropriate [only for Poky]
10
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13---
14 policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
15 1 file changed, 19 insertions(+)
16
17diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
18index 6790e5d0..2c95db81 100644
19--- a/policy/modules/kernel/selinux.if
20+++ b/policy/modules/kernel/selinux.if
21@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
22 type security_t;
23 ')
24
25+ dev_getattr_sysfs($1)
26+ dev_search_sysfs($1)
27+
28 allow $1 security_t:filesystem mount;
29 ')
30
31@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
32 type security_t;
33 ')
34
35+ dev_getattr_sysfs($1)
36+ dev_search_sysfs($1)
37+
38 allow $1 security_t:filesystem remount;
39 ')
40
41@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
42 ')
43
44 allow $1 security_t:filesystem unmount;
45+
46+ dev_getattr_sysfs($1)
47+ dev_search_sysfs($1)
48 ')
49
50 ########################################
51@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
52 ')
53
54 dontaudit $1 security_t:dir getattr;
55+ dev_dontaudit_getattr_sysfs($1)
56+ dev_dontaudit_search_sysfs($1)
57 ')
58
59 ########################################
60@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
61 type security_t;
62 ')
63
64+ dev_dontaudit_search_sysfs($1)
65 dontaudit $1 security_t:dir search_dir_perms;
66 ')
67
68@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
69 type security_t;
70 ')
71
72+ dev_dontaudit_getattr_sysfs($1)
73 dontaudit $1 security_t:dir search_dir_perms;
74 dontaudit $1 security_t:file read_file_perms;
75 ')
76@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
77 type security_t;
78 ')
79
80+ dev_getattr_sysfs($1)
81 dev_search_sysfs($1)
82 allow $1 security_t:dir list_dir_perms;
83 allow $1 security_t:file read_file_perms;
84@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
85 type security_t;
86 ')
87
88+ dev_getattr_sysfs($1)
89 dev_search_sysfs($1)
90
91 allow $1 security_t:dir list_dir_perms;
92@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
93 bool secure_mode_policyload;
94 ')
95
96+ dev_getattr_sysfs($1)
97 dev_search_sysfs($1)
98
99 allow $1 security_t:dir list_dir_perms;
100@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
101 type security_t;
102 ')
103
104+ dev_dontaudit_search_sysfs($1)
105 dontaudit $1 security_t:dir list_dir_perms;
106 dontaudit $1 security_t:file rw_file_perms;
107 dontaudit $1 security_t:security check_context;
108@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
109 type security_t;
110 ')
111
112+ dev_getattr_sysfs($1)
113 dev_search_sysfs($1)
114 allow $1 self:netlink_selinux_socket create_socket_perms;
115 allow $1 security_t:dir list_dir_perms;
116@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
117 type security_t;
118 ')
119
120+ dev_getattr_sysfs($1)
121 dev_search_sysfs($1)
122 allow $1 security_t:dir list_dir_perms;
123 allow $1 security_t:file rw_file_perms;
124--
1252.19.1
126
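Review bot: In the `selinux_unmount_fs` hunk the new `dev_getattr_sysfs($1)` / `dev_search_sysfs($1)` pair is placed after `allow $1 security_t:filesystem unmount;`, whereas the `selinux_mount_fs` and `selinux_remount_fs` hunks put the same pair before their allow line; the order does not change the compiled policy, but keeping it identical across the three interfaces makes the pattern easier to audit. Likewise `selinux_dontaudit_search_fs` gains only `dev_dontaudit_search_sysfs($1)` while `selinux_dontaudit_read_fs` gains only `dev_dontaudit_getattr_sysfs($1)`, which looks accidental given that reading a file under /sys/fs/selinux also involves searching the parent directories — worth confirming which pair each interface actually needs. The header tags the patch `Upstream-Status: Inappropriate [only for Poky]`, yet the /sys/fs/selinux mount point is not Poky-specific, so that tag may deserve a second look.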
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
index a1fda13..23226a0 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
@@ -1,7 +1,7 @@
1From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 1From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001
2From: Roy Li <rongqing.li@windriver.com> 2From: Roy Li <rongqing.li@windriver.com>
3Date: Sat, 15 Feb 2014 09:45:00 +0800 3Date: Sat, 15 Feb 2014 09:45:00 +0800
4Subject: [PATCH] allow sysadm to run rpcinfo 4Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
5 5
6Upstream-Status: Pending 6Upstream-Status: Pending
7 7
@@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no
11Signed-off-by: Roy Li <rongqing.li@windriver.com> 11Signed-off-by: Roy Li <rongqing.li@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13--- 13---
14 policy/modules/roles/sysadm.te | 4 ++++ 14 policy/modules/roles/sysadm.te | 1 +
15 1 file changed, 4 insertions(+) 15 1 file changed, 1 insertion(+)
16 16
17diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
18index 2ae952bf..d781378f 100644
17--- a/policy/modules/roles/sysadm.te 19--- a/policy/modules/roles/sysadm.te
18+++ b/policy/modules/roles/sysadm.te 20+++ b/policy/modules/roles/sysadm.te
19@@ -1169,10 +1169,14 @@ optional_policy(` 21@@ -945,6 +945,7 @@ optional_policy(`
20 virt_admin(sysadm_t, sysadm_r)
21 virt_stream_connect(sysadm_t)
22 ') 22 ')
23 23
24 optional_policy(` 24 optional_policy(`
25+ rpcbind_stream_connect(sysadm_t) 25+ rpcbind_stream_connect(sysadm_t)
26+') 26 rpcbind_admin(sysadm_t, sysadm_r)
27+
28+optional_policy(`
29 vmware_role(sysadm_r, sysadm_t)
30 ') 27 ')
31 28
32 optional_policy(` 29--
33 vnstatd_admin(sysadm_t, sysadm_r) 302.19.1
31
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
index e0f8c1a..732eaaf 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
@@ -1,22 +1,23 @@
1From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 1From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800 3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files 4Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
5 config files
5 6
6Upstream-Status: Pending 7Upstream-Status: Pending
7 8
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 9Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 11---
11 policy/modules/system/selinuxutil.if | 1 + 12 policy/modules/system/selinuxutil.if | 1 +
12 policy/modules/system/userdomain.if | 4 ++++ 13 policy/modules/system/userdomain.if | 4 ++++
13 2 files changed, 5 insertions(+) 14 2 files changed, 5 insertions(+)
14 15
16diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
17index 20024993..0fdc8c10 100644
15--- a/policy/modules/system/selinuxutil.if 18--- a/policy/modules/system/selinuxutil.if
16+++ b/policy/modules/system/selinuxutil.if 19+++ b/policy/modules/system/selinuxutil.if
17@@ -753,10 +753,11 @@ interface(`seutil_manage_config',` 20@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
18 gen_require(`
19 type selinux_config_t;
20 ') 21 ')
21 22
22 files_search_etc($1) 23 files_search_etc($1)
@@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
24 manage_files_pattern($1, selinux_config_t, selinux_config_t) 25 manage_files_pattern($1, selinux_config_t, selinux_config_t)
25 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) 26 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
26 ') 27 ')
27 28diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
28 ####################################### 29index 5221bd13..4cf987d1 100644
29--- a/policy/modules/system/userdomain.if 30--- a/policy/modules/system/userdomain.if
30+++ b/policy/modules/system/userdomain.if 31+++ b/policy/modules/system/userdomain.if
31@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat 32@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
32 logging_read_audit_log($1)
33 logging_read_generic_logs($1)
34 logging_read_audit_config($1) 33 logging_read_audit_config($1)
35 34
36 seutil_manage_bin_policy($1) 35 seutil_manage_bin_policy($1)
@@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
41 seutil_run_checkpolicy($1, $2) 40 seutil_run_checkpolicy($1, $2)
42 seutil_run_loadpolicy($1, $2) 41 seutil_run_loadpolicy($1, $2)
43 seutil_run_semanage($1, $2) 42 seutil_run_semanage($1, $2)
44 seutil_run_setfiles($1, $2) 43--
45 442.19.1
45
diff --git a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
new file mode 100644
index 0000000..14734b2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
@@ -0,0 +1,33 @@
1From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 29 Mar 2019 11:30:27 -0400
4Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
5 file count
6
7New setfiles will read /proc/mounts and use statvfs in
8file_system_count() to get file count of filesystems.
9
10Upstream-Status: Pending
11
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15---
16 policy/modules/system/selinuxutil.te | 1 +
17 1 file changed, 1 insertion(+)
18
19diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
20index 8a1688cc..a9930e9e 100644
21--- a/policy/modules/system/selinuxutil.te
22+++ b/policy/modules/system/selinuxutil.te
23@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
24 files_read_usr_symlinks(setfiles_t)
25 files_dontaudit_read_all_symlinks(setfiles_t)
26
27+fs_getattr_all_fs(setfiles_t)
28 fs_getattr_all_xattr_fs(setfiles_t)
29 fs_getattr_cgroup(setfiles_t)
30 fs_getattr_nfs(setfiles_t)
31--
322.19.1
33
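Review bot: The added `fs_getattr_all_fs(setfiles_t)` sits directly above `fs_getattr_all_xattr_fs(setfiles_t)`, `fs_getattr_cgroup(setfiles_t)` and `fs_getattr_nfs(setfiles_t)`, and by its name appears to subsume all three; if that is the case the patch should either drop those narrower lines or note in the description why they are kept, so the redundancy is not carried into later rebases. The body does give the reason for the change (`statvfs in file_system_count()`), which is good; once an upstream refpolicy report or commit exists, referencing it here would let the `Upstream-Status: Pending` tag be resolved.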
diff --git a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
new file mode 100644
index 0000000..aebdcb3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
@@ -0,0 +1,25 @@
1From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 16:36:09 +0800
4Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
5 default input
6
7Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9---
10 policy/modules/admin/dmesg.if | 1 +
11 1 file changed, 1 insertion(+)
12
13diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
14index e1973c78..739a4bc5 100644
15--- a/policy/modules/admin/dmesg.if
16+++ b/policy/modules/admin/dmesg.if
17@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
18
19 corecmd_search_bin($1)
20 can_exec($1, dmesg_exec_t)
21+ dev_read_kmsg($1)
22 ')
23--
242.19.1
25
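Review bot: This patch header carries no `Upstream-Status:` tag between the Subject and the Signed-off-by lines, unlike every other patch in the series; add one, e.g. `Upstream-Status: Pending`, so the layer's patch-tracking and future rebases can classify it. The body is also empty, so the only rationale for the change is the subject line; one sentence naming the dmesg behaviour that started reading /dev/kmsg would help. Note that `dev_read_kmsg($1)` is added to `dmesg_exec`, which (per the existing `can_exec($1, dmesg_exec_t)` line) runs dmesg in the caller's own domain, so every such caller now reads the kernel log directly — presumably intended, but worth confirming against the callers of this interface.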
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
index 85c40a4..afba90f 100644
--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
@@ -1,7 +1,8 @@
1From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 1From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001
2From: Roy Li <rongqing.li@windriver.com> 2From: Roy Li <rongqing.li@windriver.com>
3Date: Mon, 10 Feb 2014 18:10:12 +0800 3Date: Mon, 10 Feb 2014 18:10:12 +0800
4Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels 4Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
5 mls_file_write_all_levels
5 6
6Proftpd will create file under /var/run, but its mls is in high, and 7Proftpd will create file under /var/run, but its mls is in high, and
7can not write to lowlevel 8can not write to lowlevel
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm
12type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir 13type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
13type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) 14type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
14 15
15root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name 16root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
16 allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 17 allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
17root@localhost:~# 18root@localhost:~#
18 19
19Signed-off-by: Roy Li <rongqing.li@windriver.com> 20Signed-off-by: Roy Li <rongqing.li@windriver.com>
20Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 21Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
21--- 22---
22 policy/modules/contrib/ftp.te | 2 ++ 23 policy/modules/services/ftp.te | 2 ++
23 1 file changed, 2 insertions(+) 24 1 file changed, 2 insertions(+)
24 25
25--- a/policy/modules/contrib/ftp.te 26diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
26+++ b/policy/modules/contrib/ftp.te 27index 29bc077c..d582cf80 100644
27@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex 28--- a/policy/modules/services/ftp.te
28 role ftpdctl_roles types ftpdctl_t; 29+++ b/policy/modules/services/ftp.te
29 30@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
30 type ftpdctl_tmp_t; 31 type ftpdctl_tmp_t;
31 files_tmp_file(ftpdctl_tmp_t) 32 files_tmp_file(ftpdctl_tmp_t)
32 33
@@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
35 type sftpd_t; 36 type sftpd_t;
36 domain_type(sftpd_t) 37 domain_type(sftpd_t)
37 role system_r types sftpd_t; 38 role system_r types sftpd_t;
38 39--
39 type xferlog_t; 402.19.1
41
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
index 41b9c2b..ced90be 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/refpolicy-update-for_systemd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
@@ -1,27 +1,32 @@
1From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 1From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001
2From: Shrikant Bobade <shrikant_bobade@mentor.com> 2From: Shrikant Bobade <shrikant_bobade@mentor.com>
3Date: Fri, 12 Jun 2015 19:37:52 +0530 3Date: Fri, 12 Jun 2015 19:37:52 +0530
4Subject: [PATCH] refpolicy: update for systemd related allow rules 4Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
5 rules
5 6
6It provide, the systemd support related allow rules 7It provide, the systemd support related allow rules
7 8
9Upstream-Status: Pending
10
8Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> 11Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10--- 13---
11 policy/modules/system/init.te | 5 +++++ 14 policy/modules/system/init.te | 5 +++++
12 1 file changed, 5 insertions(+) 15 1 file changed, 5 insertions(+)
13 16
17diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
18index f7635d6f..2e6b57a6 100644
14--- a/policy/modules/system/init.te 19--- a/policy/modules/system/init.te
15+++ b/policy/modules/system/init.te 20+++ b/policy/modules/system/init.te
16@@ -1105,5 +1105,10 @@ optional_policy(` 21@@ -1418,3 +1418,8 @@ optional_policy(`
17 ') 22 userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
18 23 userdom_dontaudit_write_user_tmp_files(systemprocess)
19 optional_policy(`
20 zebra_read_config(initrc_t)
21 ') 24 ')
22+ 25+
23+# systemd related allow rules 26+# systemd related allow rules
24+allow kernel_t init_t:process dyntransition; 27+allow kernel_t init_t:process dyntransition;
25+allow devpts_t device_t:filesystem associate; 28+allow devpts_t device_t:filesystem associate;
26+allow init_t self:capability2 block_suspend; 29+allow init_t self:capability2 block_suspend;
27\ No newline at end of file 30--
312.19.1
32
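Review bot: The three rules appended at the end of init.te — `allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;` and `allow init_t self:capability2 block_suspend;` — are raw allow rules rather than calls through refpolicy interfaces, and the description says only that they are "systemd related". Each grants a distinct permission (kernel_t entering init_t by dyntransition, devpts associating with device_t, init_t blocking suspend), so the body should record which systemd operation produced each denial; that also makes the rules checkable against upstream's own `init_systemd` handling at the next rebase. The rebase fixes the earlier `\ No newline at end of file` state, which is good.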
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
index 3a8a95e..09a16fb 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -1,4 +1,7 @@
1Subject: [PATCH] refpolicy: fix optional issue on sysadm module 1From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001
2From: Joe MacDonald <joe_macdonald@mentor.com>
3Date: Fri, 5 Apr 2019 11:53:28 -0400
4Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
2 5
3init and locallogin modules have a depend for sysadm module because 6init and locallogin modules have a depend for sysadm module because
4they have called sysadm interfaces(sysadm_shell_domtrans). Since 7they have called sysadm interfaces(sysadm_shell_domtrans). Since
@@ -13,16 +16,16 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 16Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 17Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
15--- 18---
16 policy/modules/system/init.te | 14 ++++++++------ 19 policy/modules/system/init.te | 16 +++++++++-------
17 policy/modules/system/locallogin.te | 4 +++- 20 policy/modules/system/locallogin.te | 4 +++-
18 2 files changed, 11 insertions(+), 7 deletions(-) 21 2 files changed, 12 insertions(+), 8 deletions(-)
19 22
23diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
24index 2e6b57a6..d8696580 100644
20--- a/policy/modules/system/init.te 25--- a/policy/modules/system/init.te
21+++ b/policy/modules/system/init.te 26+++ b/policy/modules/system/init.te
22@@ -300,16 +300,18 @@ ifdef(`init_systemd',` 27@@ -448,13 +448,15 @@ ifdef(`init_systemd',`
23 28 modutils_domtrans(init_t)
24 optional_policy(`
25 modutils_domtrans_insmod(init_t)
26 ') 29 ')
27 ',` 30 ',`
28- tunable_policy(`init_upstart',` 31- tunable_policy(`init_upstart',`
@@ -30,34 +33,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
30- ',` 33- ',`
31- # Run the shell in the sysadm role for single-user mode. 34- # Run the shell in the sysadm role for single-user mode.
32- # causes problems with upstart 35- # causes problems with upstart
33- sysadm_shell_domtrans(init_t) 36- ifndef(`distro_debian',`
37- sysadm_shell_domtrans(init_t)
34+ optional_policy(` 38+ optional_policy(`
35+ tunable_policy(`init_upstart',` 39+ tunable_policy(`init_upstart',`
36+ corecmd_shell_domtrans(init_t, initrc_t) 40+ corecmd_shell_domtrans(init_t, initrc_t)
37+ ',` 41+ ',`
38+ # Run the shell in the sysadm role for single-user mode. 42+ # Run the shell in the sysadm role for single-user mode.
39+ # causes problems with upstart 43+ # causes problems with upstart
40+ sysadm_shell_domtrans(init_t) 44+ ifndef(`distro_debian',`
41+ ') 45+ sysadm_shell_domtrans(init_t)
46+ ')
47 ')
42 ') 48 ')
43 ') 49 ')
44 50diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
45 ifdef(`distro_debian',` 51index a56f3d1f..4c679ff3 100644
46 fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
47@@ -1109,6 +1111,6 @@ optional_policy(`
48 ')
49
50 # systemd related allow rules
51 allow kernel_t init_t:process dyntransition;
52 allow devpts_t device_t:filesystem associate;
53-allow init_t self:capability2 block_suspend;
54\ No newline at end of file
55+allow init_t self:capability2 block_suspend;
56--- a/policy/modules/system/locallogin.te 52--- a/policy/modules/system/locallogin.te
57+++ b/policy/modules/system/locallogin.te 53+++ b/policy/modules/system/locallogin.te
58@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t) 54@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
59 userdom_use_unpriv_users_fds(sulogin_t)
60
61 userdom_search_user_home_dirs(sulogin_t) 55 userdom_search_user_home_dirs(sulogin_t)
62 userdom_use_user_ptys(sulogin_t) 56 userdom_use_user_ptys(sulogin_t)
63 57
@@ -66,7 +60,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
66+ sysadm_shell_domtrans(sulogin_t) 60+ sysadm_shell_domtrans(sulogin_t)
67+') 61+')
68 62
69 # suse and debian do not use pam with sulogin... 63 # by default, sulogin does not use pam...
70 ifdef(`distro_suse', `define(`sulogin_no_pam')') 64 # sulogin_pam might need to be defined otherwise
71 ifdef(`distro_debian', `define(`sulogin_no_pam')') 65--
72 662.19.1
67
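Review bot: In the rebased 0033 patch the new-side `optional_policy` block (patch lines 38-48 of the init.te hunk at `@@ -448,13 +448,15 @@`) encloses both branches of the `tunable_policy` on `init_upstart`, so on a minimum build where the sysadm module is not loaded the unresolved `sysadm_shell_domtrans(init_t)` requirement drops the whole optional block, and `corecmd_shell_domtrans(init_t, initrc_t)` for the upstart case goes with it — if I read the nesting right, init_t is then left with no shell transition at all in single-user mode rather than falling back to initrc_t. The same structure was already in the 2.20170204 version, so this is carried over rather than introduced here, and moving the optional wrapper inward is not an option because refpolicy does not allow `optional_policy` inside `tunable_policy`; the usual fix is to split the tunable so that `corecmd_shell_domtrans(init_t, initrc_t)` stays outside the optional block and only the sysadm fallback sits inside it. At minimum the patch description should state that the upstart path is also conditional on the sysadm module being present. The enclosing else-branch of the `init_systemd` ifdef starts in this section's earlier hunk; the locallogin.te hunk wraps only the sulogin_t sysadm call, whose `optional_policy` opener lies outside that hunk, so it is not affected.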
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
index 8d22c21..03b1439 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
@@ -1,7 +1,8 @@
1From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 1From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com> 2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 19:36:44 +0800 3Date: Thu, 22 Aug 2013 19:36:44 +0800
4Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 4Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
5 /var/log - apache2
5 6
6We have added rules for the symlink of /var/log in logging.if, 7We have added rules for the symlink of /var/log in logging.if,
7while apache.te uses /var/log but does not use the interfaces in 8while apache.te uses /var/log but does not use the interfaces in
@@ -12,20 +13,21 @@ Upstream-Status: Inappropriate [only for Poky]
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 13Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 14Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14--- 15---
15 policy/modules/contrib/apache.te | 1 + 16 policy/modules/services/apache.te | 1 +
16 1 file changed, 1 insertion(+) 17 1 file changed, 1 insertion(+)
17 18
18--- a/policy/modules/contrib/apache.te 19diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
19+++ b/policy/modules/contrib/apache.te 20index 15c4ea53..596370b1 100644
20@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di 21--- a/policy/modules/services/apache.te
21 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) 22+++ b/policy/modules/services/apache.te
22 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) 23@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
23 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
24 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) 24 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
25 setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
25 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) 26 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
26+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) 27+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
27 logging_log_filetrans(httpd_t, httpd_log_t, file) 28 logging_log_filetrans(httpd_t, httpd_log_t, file)
28 29
29 allow httpd_t httpd_modules_t:dir list_dir_perms; 30 allow httpd_t httpd_modules_t:dir list_dir_perms;
30 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 31--
31 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 322.19.1
33
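Review bot: The added `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` in the rebased 0034 patch only has an effect if the /var/log symlink itself carries the var_log_t label, which the patch description attributes to rules "added for the symlink of /var/log in logging.if" — and the file that previously carried those rules (refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch, including the `/var/log -l` file context) is deleted further down in this commit. Presumably a numbered patch earlier in the new series supplies the equivalent, but that is not visible here, so it is worth confirming that 0034 still follows it in SRC_URI order. A short why-comment next to the rule, such as `# /var/log is a symlink to /var/volatile/log on poky; httpd_t must be able to follow it`, would make the dependency on the poky layout explicit for the next rebase. The rule grants read on lnk_file only, so it is appropriately narrow.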
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
deleted file mode 100644
index 946dcc2..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1Subject: [PATCH] refpolicy: fix real path for clock
2
3Upstream-Status: Inappropriate [configuration]
4
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7---
8 policy/modules/system/clock.fc | 1 +
9 1 file changed, 1 insertion(+)
10
11--- a/policy/modules/system/clock.fc
12+++ b/policy/modules/system/clock.fc
13@@ -1,5 +1,6 @@
14 /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
15
16 /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
17
18+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
19 /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
deleted file mode 100644
index 689c75b..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,15 +0,0 @@
1Subject: [PATCH] refpolicy: fix real path for dmesg
2
3Upstream-Status: Inappropriate [configuration]
4
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7---
8 policy/modules/admin/dmesg.fc | 1 +
9 1 file changed, 1 insertion(+)
10
11--- a/policy/modules/admin/dmesg.fc
12+++ b/policy/modules/admin/dmesg.fc
13@@ -1 +1,2 @@
14+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
15 /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index b441257..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,50 +0,0 @@
1Subject: [PATCH] fix real path for shadow commands.
2
3Upstream-Status: Inappropriate [only for Poky]
4
5Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
6Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
7---
8 policy/modules/admin/usermanage.fc | 6 ++++++
9 1 file changed, 6 insertions(+)
10
11--- a/policy/modules/admin/usermanage.fc
12+++ b/policy/modules/admin/usermanage.fc
13@@ -2,20 +2,24 @@ ifdef(`distro_debian',`
14 /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
15 ')
16
17 /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
18 /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
19+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
20 /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
21+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
22 /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
23 /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
24 /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
25 /usr/bin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
26 /usr/bin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0)
27 /usr/bin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
28 /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
29 /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
30 /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
31+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
32+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
33 /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
34 /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
35 /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
36 /usr/bin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
37 /usr/bin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
38@@ -36,10 +40,12 @@ ifdef(`distro_debian',`
39 /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
40 /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
41 /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
42 /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
43 /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
44+/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
45 /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
46+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
47
48 /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
49
50 /var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
deleted file mode 100644
index 5ed7eae..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ /dev/null
@@ -1,27 +0,0 @@
1fix ftpwho install dir
2
3Upstream-Status: Pending
4
5ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
6
7Signed-off-by: Roy Li <rongqing.li@windriver.com>
8Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9---
10 policy/modules/contrib/ftp.fc | 2 +-
11 1 file changed, 1 insertion(+), 1 deletion(-)
12
13--- a/policy/modules/contrib/ftp.fc
14+++ b/policy/modules/contrib/ftp.fc
15@@ -15,11 +15,11 @@
16 /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
17
18 /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
19 /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
20
21-/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
22+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
23 /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
24 /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
25 /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
26 /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
27
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
deleted file mode 100644
index b3e2846..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ /dev/null
@@ -1,27 +0,0 @@
1From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 19:21:55 +0800
4Subject: [PATCH] refpolicy: fix real path for mta
5
6Upstream-Status: Inappropriate [configuration]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/contrib/mta.fc | 1 +
12 1 file changed, 1 insertion(+)
13
14--- a/policy/modules/contrib/mta.fc
15+++ b/policy/modules/contrib/mta.fc
16@@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
17 /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
18
19 /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
20 /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
21 /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
22+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
23 /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
24
25 /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
26
27 /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
deleted file mode 100644
index 0adf7c2..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ /dev/null
@@ -1,25 +0,0 @@
1From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 19:25:36 +0800
4Subject: [PATCH] refpolicy: fix real path for nscd
5
6Upstream-Status: Inappropriate [configuration]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/contrib/nscd.fc | 1 +
12 1 file changed, 1 insertion(+)
13
14--- a/policy/modules/contrib/nscd.fc
15+++ b/policy/modules/contrib/nscd.fc
16@@ -1,8 +1,9 @@
17 /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
18
19 /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
20+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
21
22 /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
23
24 /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
25
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
deleted file mode 100644
index 3cd766d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ /dev/null
@@ -1,23 +0,0 @@
1From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Mon, 27 Jan 2014 01:13:06 -0500
4Subject: [PATCH] refpolicy: fix real path for cpio
5
6Upstream-Status: Inappropriate [configuration]
7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/contrib/rpm.fc | 1 +
12 1 file changed, 1 insertion(+)
13
14--- a/policy/modules/contrib/rpm.fc
15+++ b/policy/modules/contrib/rpm.fc
16@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
17 /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
18 /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
19
20 ifdef(`enable_mls',`
21 /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
22+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
23 ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
deleted file mode 100644
index 8ea210e..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ /dev/null
@@ -1,23 +0,0 @@
1From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 19:27:19 +0800
4Subject: [PATCH] refpolicy: fix real path for screen
5
6Upstream-Status: Inappropriate [configuration]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/contrib/screen.fc | 1 +
12 1 file changed, 1 insertion(+)
13
14--- a/policy/modules/contrib/screen.fc
15+++ b/policy/modules/contrib/screen.fc
16@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
17
18 /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
19 /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
20
21 /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
22+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
23 /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
deleted file mode 100644
index 8aec193..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,32 +0,0 @@
1Subject: [PATCH] fix file_contexts.subs_dist for poky
2
3This file is used for Linux distros to define specific pathes
4mapping to the pathes in file_contexts.
5
6Upstream-Status: Inappropriate [only for Poky]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 config/file_contexts.subs_dist | 11 +++++++++++
12 1 file changed, 11 insertions(+)
13
14--- a/config/file_contexts.subs_dist
15+++ b/config/file_contexts.subs_dist
16@@ -26,5 +26,16 @@
17
18 # backward compatibility
19 # not for refpolicy intern, but for /var/run using applications,
20 # like systemd tmpfiles or systemd socket configurations
21 /var/run /run
22+
23+/var/volatile/log /var/log
24+/var/volatile/run /var/run
25+/var/volatile/cache /var/cache
26+/var/volatile/tmp /var/tmp
27+/var/volatile/lock /var/lock
28+/var/volatile/run/lock /var/lock
29+/www /var/www
30+/usr/lib/busybox/bin /bin
31+/usr/lib/busybox/sbin /sbin
32+/usr/lib/busybox/usr /usr
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
deleted file mode 100644
index f53b551..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ /dev/null
@@ -1,27 +0,0 @@
1From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Sat, 25 Jan 2014 23:40:05 -0500
4Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
5
6Upstream-Status: Inappropriate [configuration]
7
8Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/system/udev.fc | 2 ++
12 1 file changed, 2 insertions(+)
13
14--- a/policy/modules/system/udev.fc
15+++ b/policy/modules/system/udev.fc
16@@ -32,10 +32,11 @@ ifdef(`distro_redhat',`
17 /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
18 ')
19
20 /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
21 /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
22+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
23
24 /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
25
26 /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
27
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
deleted file mode 100644
index 49136e6..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch
+++ /dev/null
@@ -1,12 +0,0 @@
1diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
2index f2e4f51..c39912d 100644
3--- a/policy/modules/kernel/corecommands.fc
4+++ b/policy/modules/kernel/corecommands.fc
5@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
6 /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
7 /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
8 /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
9+/usr/bin\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
10 /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
11 /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
12 /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index e3edce1..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 3/4] fix update-alternatives for hostname
5
6Upstream-Status: Inappropriate [only for Poky]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/system/hostname.fc | 1 +
12 1 file changed, 1 insertion(+)
13
14--- a/policy/modules/system/hostname.fc
15+++ b/policy/modules/system/hostname.fc
16@@ -1 +1,3 @@
17+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
18+
19 /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
deleted file mode 100644
index b12ee9d..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
2
3We have added rules for the symlink of /var/log in logging.if,
4while syslogd_t uses /var/log but does not use the
5interfaces in logging.if. So still need add a individual rule for
6syslogd_t.
7
8Upstream-Status: Inappropriate [only for Poky]
9
10Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
12---
13 policy/modules/system/logging.te | 2 ++
14 1 file changed, 2 insertions(+)
15
16--- a/policy/modules/system/logging.te
17+++ b/policy/modules/system/logging.te
18@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
19 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
20 files_search_spool(syslogd_t)
21
22 # Allow access for syslog-ng
23 allow syslogd_t var_log_t:dir { create setattr };
24+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
25
26 # for systemd but can not be conditional
27 files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
28
29 # manage temporary files
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
deleted file mode 100644
index 7c7355f..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
2
3We have added rules for the symlink of /var/log in logging.if,
4while audisp_remote_t uses /var/log but does not use the
5interfaces in logging.if. So still need add a individual rule for
6audisp_remote_t.
7
8Upstream-Status: Inappropriate [only for Poky]
9
10Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
11Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
12---
13 policy/modules/system/logging.te | 1 +
14 1 file changed, 1 insertion(+)
15
16--- a/policy/modules/system/logging.te
17+++ b/policy/modules/system/logging.te
18@@ -280,10 +280,11 @@ optional_policy(`
19
20 allow audisp_remote_t self:capability { setpcap setuid };
21 allow audisp_remote_t self:process { getcap setcap };
22 allow audisp_remote_t self:tcp_socket create_socket_perms;
23 allow audisp_remote_t var_log_t:dir search_dir_perms;
24+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
25
26 manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
27 manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
28 files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
29
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index 4a05a2a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,88 +0,0 @@
1From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH 2/6] add rules for the symlink of /var/log
5
6/var/log is a symlink in poky, so we need allow rules for files to read
7lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
8
9Upstream-Status: Inappropriate [only for Poky]
10
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13---
14 policy/modules/system/logging.fc | 1 +
15 policy/modules/system/logging.if | 14 +++++++++++++-
16 policy/modules/system/logging.te | 1 +
17 3 files changed, 15 insertions(+), 1 deletion(-)
18
19Index: refpolicy/policy/modules/system/logging.fc
20===================================================================
21--- refpolicy.orig/policy/modules/system/logging.fc
22+++ refpolicy/policy/modules/system/logging.fc
23@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
24 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
25
26 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
27+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
28 /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
29 /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
30 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
31Index: refpolicy/policy/modules/system/logging.if
32===================================================================
33--- refpolicy.orig/policy/modules/system/logging.if
34+++ refpolicy/policy/modules/system/logging.if
35@@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_
36 interface(`logging_read_all_logs',`
37 gen_require(`
38 attribute logfile;
39+ type var_log_t;
40 ')
41
42 files_search_var($1)
43 allow $1 logfile:dir list_dir_perms;
44+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
45 read_files_pattern($1, logfile, logfile)
46 ')
47
48@@ -967,10 +969,12 @@ interface(`logging_read_all_logs',`
49 interface(`logging_exec_all_logs',`
50 gen_require(`
51 attribute logfile;
52+ type var_log_t;
53 ')
54
55 files_search_var($1)
56 allow $1 logfile:dir list_dir_perms;
57+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
58 can_exec($1, logfile)
59 ')
60
61@@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',`
62
63 files_search_var($1)
64 allow $1 var_log_t:dir list_dir_perms;
65+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
66 read_files_pattern($1, var_log_t, var_log_t)
67 ')
68
69@@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs',
70
71 files_search_var($1)
72 manage_files_pattern($1, var_log_t, var_log_t)
73+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
74 ')
75
76 ########################################
77Index: refpolicy/policy/modules/system/logging.te
78===================================================================
79--- refpolicy.orig/policy/modules/system/logging.te
80+++ refpolicy/policy/modules/system/logging.te
81@@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo
82 allow auditd_t auditd_log_t:dir setattr;
83 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
84 allow auditd_t var_log_t:dir search_dir_perms;
85+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
86
87 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
88 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
deleted file mode 100644
index a9a0a55..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,81 +0,0 @@
1From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH] allow nfsd to exec shell commands.
5
6Upstream-Status: Inappropriate [only for Poky]
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
10---
11 policy/modules/contrib/rpc.te | 2 +-
12 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
13 2 files changed, 19 insertions(+), 1 deletion(-)
14
15--- a/policy/modules/contrib/rpc.te
16+++ b/policy/modules/contrib/rpc.te
17@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
18
19 kernel_read_network_state(nfsd_t)
20 kernel_dontaudit_getattr_core_if(nfsd_t)
21 kernel_setsched(nfsd_t)
22 kernel_request_load_module(nfsd_t)
23-# kernel_mounton_proc(nfsd_t)
24+kernel_mounton_proc(nfsd_t)
25
26 corenet_sendrecv_nfs_server_packets(nfsd_t)
27 corenet_tcp_bind_nfs_port(nfsd_t)
28 corenet_udp_bind_nfs_port(nfsd_t)
29
30--- a/policy/modules/kernel/kernel.if
31+++ b/policy/modules/kernel/kernel.if
32@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
33 allow $1 proc_t:filesystem unmount;
34 ')
35
36 ########################################
37 ## <summary>
38-## Get the attributes of the proc filesystem.
39+## Mounton a proc filesystem.
40 ## </summary>
41 ## <param name="domain">
42 ## <summary>
43 ## Domain allowed access.
44 ## </summary>
45 ## </param>
46 #
47-interface(`kernel_getattr_proc',`
48+interface(`kernel_mounton_proc',`
49 gen_require(`
50 type proc_t;
51 ')
52
53- allow $1 proc_t:filesystem getattr;
54+ allow $1 proc_t:dir mounton;
55 ')
56
57 ########################################
58 ## <summary>
59-## Mount on proc directories.
60+## Get the attributes of the proc filesystem.
61 ## </summary>
62 ## <param name="domain">
63 ## <summary>
64 ## Domain allowed access.
65 ## </summary>
66 ## </param>
67-## <rolecap/>
68 #
69-interface(`kernel_mounton_proc',`
70+interface(`kernel_getattr_proc',`
71 gen_require(`
72 type proc_t;
73 ')
74
75- allow $1 proc_t:dir mounton;
76+ allow $1 proc_t:filesystem getattr;
77 ')
78
79 ########################################
80 ## <summary>
81 ## Do not audit attempts to set the
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
deleted file mode 100644
index 08e9398..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch
+++ /dev/null
@@ -1,30 +0,0 @@
1From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH] fix setfiles_t to read symlinks
5
6Upstream-Status: Pending
7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
10Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
11---
12 policy/modules/system/selinuxutil.te | 3 +++
13 1 file changed, 3 insertions(+)
14
15--- a/policy/modules/system/selinuxutil.te
16+++ b/policy/modules/system/selinuxutil.te
17@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t)
18 files_list_all(setfiles_t)
19 files_relabel_all_files(setfiles_t)
20 files_read_usr_symlinks(setfiles_t)
21 files_dontaudit_read_all_symlinks(setfiles_t)
22
23+# needs to be able to read symlinks to make restorecon on symlink working
24+files_read_all_symlinks(setfiles_t)
25+
26 fs_getattr_all_xattr_fs(setfiles_t)
27 fs_getattr_nfs(setfiles_t)
28 fs_getattr_pstore_dirs(setfiles_t)
29 fs_getattr_pstorefs(setfiles_t)
30 fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
deleted file mode 100644
index 11a6963..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
+++ /dev/null
@@ -1,22 +0,0 @@
1From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 16:36:09 +0800
4Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
5
6Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
7Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
8---
9 policy/modules/admin/dmesg.if | 1 +
10 policy/modules/admin/dmesg.te | 2 ++
11 2 files changed, 3 insertions(+)
12
13--- a/policy/modules/admin/dmesg.if
14+++ b/policy/modules/admin/dmesg.if
15@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
16 type dmesg_exec_t;
17 ')
18
19 corecmd_search_bin($1)
20 can_exec($1, dmesg_exec_t)
21+ dev_read_kmsg($1)
22 ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index f3adc70..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,253 +0,0 @@
1From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Thu, 22 Aug 2013 13:37:23 +0800
4Subject: [PATCH] fix for new SELINUXMNT in /sys
5
6SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
7add rules to access sysfs.
8
9Upstream-Status: Inappropriate [only for Poky]
10
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13---
14 policy/modules/kernel/selinux.if | 26 ++++++++++++++++++++++++++
15 1 file changed, 26 insertions(+)
16
17--- a/policy/modules/kernel/selinux.if
18+++ b/policy/modules/kernel/selinux.if
19@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
20 interface(`selinux_get_fs_mount',`
21 gen_require(`
22 type security_t;
23 ')
24
25+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
26+ # access sysfs
27+ dev_getattr_sysfs_dirs($1)
28+ dev_search_sysfs($1)
29 # starting in libselinux 2.0.5, init_selinuxmnt() will
30 # attempt to short circuit by checking if SELINUXMNT
31 # (/selinux) is already a selinuxfs
32 allow $1 security_t:filesystem getattr;
33
34@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
35 interface(`selinux_dontaudit_get_fs_mount',`
36 gen_require(`
37 type security_t;
38 ')
39
40+ dev_dontaudit_search_sysfs($1)
41 # starting in libselinux 2.0.5, init_selinuxmnt() will
42 # attempt to short circuit by checking if SELINUXMNT
43 # (/selinux) is already a selinuxfs
44 dontaudit $1 security_t:filesystem getattr;
45
46@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
47 interface(`selinux_mount_fs',`
48 gen_require(`
49 type security_t;
50 ')
51
52+ dev_getattr_sysfs_dirs($1)
53+ dev_search_sysfs($1)
54 allow $1 security_t:filesystem mount;
55 ')
56
57 ########################################
58 ## <summary>
59@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
60 interface(`selinux_remount_fs',`
61 gen_require(`
62 type security_t;
63 ')
64
65+ dev_getattr_sysfs_dirs($1)
66+ dev_search_sysfs($1)
67 allow $1 security_t:filesystem remount;
68 ')
69
70 ########################################
71 ## <summary>
72@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
73 interface(`selinux_unmount_fs',`
74 gen_require(`
75 type security_t;
76 ')
77
78+ dev_getattr_sysfs_dirs($1)
79+ dev_search_sysfs($1)
80 allow $1 security_t:filesystem unmount;
81 ')
82
83 ########################################
84 ## <summary>
85@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
86 interface(`selinux_getattr_fs',`
87 gen_require(`
88 type security_t;
89 ')
90
91+ dev_getattr_sysfs_dirs($1)
92+ dev_search_sysfs($1)
93 allow $1 security_t:filesystem getattr;
94
95 dev_getattr_sysfs($1)
96 dev_search_sysfs($1)
97 ')
98@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
99 interface(`selinux_dontaudit_getattr_fs',`
100 gen_require(`
101 type security_t;
102 ')
103
104+ dev_dontaudit_search_sysfs($1)
105 dontaudit $1 security_t:filesystem getattr;
106
107 dev_dontaudit_getattr_sysfs($1)
108 dev_dontaudit_search_sysfs($1)
109 ')
110@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
111 interface(`selinux_dontaudit_getattr_dir',`
112 gen_require(`
113 type security_t;
114 ')
115
116+ dev_dontaudit_search_sysfs($1)
117 dontaudit $1 security_t:dir getattr;
118 ')
119
120 ########################################
121 ## <summary>
122@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
123 interface(`selinux_search_fs',`
124 gen_require(`
125 type security_t;
126 ')
127
128+ dev_getattr_sysfs_dirs($1)
129 dev_search_sysfs($1)
130 allow $1 security_t:dir search_dir_perms;
131 ')
132
133 ########################################
134@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
135 interface(`selinux_dontaudit_search_fs',`
136 gen_require(`
137 type security_t;
138 ')
139
140+ dev_dontaudit_search_sysfs($1)
141 dontaudit $1 security_t:dir search_dir_perms;
142 ')
143
144 ########################################
145 ## <summary>
146@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
147 interface(`selinux_dontaudit_read_fs',`
148 gen_require(`
149 type security_t;
150 ')
151
152+ dev_dontaudit_search_sysfs($1)
153 dontaudit $1 security_t:dir search_dir_perms;
154 dontaudit $1 security_t:file read_file_perms;
155 ')
156
157 ########################################
158@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
159 interface(`selinux_get_enforce_mode',`
160 gen_require(`
161 type security_t;
162 ')
163
164+ dev_getattr_sysfs_dirs($1)
165 dev_search_sysfs($1)
166 allow $1 security_t:dir list_dir_perms;
167 allow $1 security_t:file read_file_perms;
168 ')
169
170@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
171 interface(`selinux_read_policy',`
172 gen_require(`
173 type security_t;
174 ')
175
176+ dev_getattr_sysfs_dirs($1)
177 dev_search_sysfs($1)
178 allow $1 security_t:dir list_dir_perms;
179 allow $1 security_t:file read_file_perms;
180 allow $1 security_t:security read_policy;
181 ')
182@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
183 interface(`selinux_set_generic_booleans',`
184 gen_require(`
185 type security_t;
186 ')
187
188+ dev_getattr_sysfs_dirs($1)
189 dev_search_sysfs($1)
190
191 allow $1 security_t:dir list_dir_perms;
192 allow $1 security_t:file rw_file_perms;
193
194@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
195 type security_t, secure_mode_policyload_t;
196 attribute boolean_type;
197 bool secure_mode_policyload;
198 ')
199
200+ dev_getattr_sysfs_dirs($1)
201 dev_search_sysfs($1)
202
203 allow $1 security_t:dir list_dir_perms;
204 allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
205 allow $1 secure_mode_policyload_t:file read_file_perms;
206@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
207 interface(`selinux_validate_context',`
208 gen_require(`
209 type security_t;
210 ')
211
212+ dev_getattr_sysfs_dirs($1)
213 dev_search_sysfs($1)
214 allow $1 security_t:dir list_dir_perms;
215 allow $1 security_t:file rw_file_perms;
216 allow $1 security_t:security check_context;
217 ')
218@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
219 interface(`selinux_dontaudit_validate_context',`
220 gen_require(`
221 type security_t;
222 ')
223
224+ dev_dontaudit_search_sysfs($1)
225 dontaudit $1 security_t:dir list_dir_perms;
226 dontaudit $1 security_t:file rw_file_perms;
227 dontaudit $1 security_t:security check_context;
228 ')
229
230@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
231 interface(`selinux_compute_access_vector',`
232 gen_require(`
233 type security_t;
234 ')
235
236+ dev_getattr_sysfs_dirs($1)
237 dev_search_sysfs($1)
238 allow $1 security_t:dir list_dir_perms;
239 allow $1 security_t:file rw_file_perms;
240 allow $1 security_t:security compute_av;
241 ')
242@@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte
243 interface(`selinux_compute_user_contexts',`
244 gen_require(`
245 type security_t;
246 ')
247
248+ dev_getattr_sysfs_dirs($1)
249 dev_search_sysfs($1)
250 allow $1 security_t:dir list_dir_perms;
251 allow $1 security_t:file rw_file_perms;
252 allow $1 security_t:security compute_user;
253 ')
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
deleted file mode 100644
index 0cd8bf9..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch
+++ /dev/null
@@ -1,31 +0,0 @@
1From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 14:38:53 +0800
4Subject: [PATCH] fix setfiles statvfs to get file count
5
6New setfiles will read /proc/mounts and use statvfs in
7file_system_count() to get file count of filesystems.
8
9Upstream-Status: pending
10
11Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14---
15 policy/modules/system/selinuxutil.te | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18--- a/policy/modules/system/selinuxutil.te
19+++ b/policy/modules/system/selinuxutil.te
20@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t)
21 files_dontaudit_read_all_symlinks(setfiles_t)
22
23 # needs to be able to read symlinks to make restorecon on symlink working
24 files_read_all_symlinks(setfiles_t)
25
26+fs_getattr_all_fs(setfiles_t)
27 fs_getattr_all_xattr_fs(setfiles_t)
28 fs_getattr_nfs(setfiles_t)
29 fs_getattr_pstore_dirs(setfiles_t)
30 fs_getattr_pstorefs(setfiles_t)
31 fs_getattr_tracefs(setfiles_t)
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
index 062727b..062727b 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
deleted file mode 100644
index bf7b980..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
+++ /dev/null
@@ -1,47 +0,0 @@
1refpolicy-minimum: systemd: mount: enable required refpolicy booleans
2
3enable required refpolicy booleans for these modules
4
5i. mount: allow_mount_anyfile
6without enabling this boolean we are getting below avc denial
7
8audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
9/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
10tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
11
12This avc can be allowed using the boolean 'allow_mount_anyfile'
13allow mount_t initrc_var_run_t:dir mounton;
14
15ii. systemd : systemd_tmpfiles_manage_all
16without enabling this boolean we are not getting access to mount systemd
17essential tmpfs during bootup, also not getting access to create audit.log
18
19audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
20"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
21_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
22
23 ls /var/log
24 /var/log -> volatile/log
25:~#
26
27Upstream-Status: Pending
28
29Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
30
31--- a/policy/booleans.conf
32+++ b/policy/booleans.conf
33@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
34 #
35 # Allow the mount command to mount any directory or file.
36 #
37-allow_mount_anyfile = false
38+allow_mount_anyfile = true
39
40 #
41 # Enable support for systemd-tmpfiles to manage all non-security files.
42 #
43-systemd_tmpfiles_manage_all = false
44+systemd_tmpfiles_manage_all = true
45
46 #
47 # Allow users to connect to mysql
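--- a/recipes-security/refpolicy/refpolicy-minimum_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -10,15 +13,24 @@ domains are unconfined. \
 
 POLICY_NAME = "minimum"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
 CORE_POLICY_MODULES = "unconfined \
- selinuxutil storage sysnetwork \
- application libraries miscfiles logging userdomain \
- init mount modutils getty authlogin locallogin \
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
 "
 #systemd dependent policy modules
-CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}"
+CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
 
 # nscd caches libc-issued requests to the name service.
 # Without nscd.pp, commands want to use these caches will be blocked.
@@ -67,18 +79,3 @@ prepare_policy_store () {
  cp ${MOD_FILE} ${MOD_DIR}/hll
  done
 }
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
-
-
-SYSTEMD_REFPOLICY_PATCHES = " \
- file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
- file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
- file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
- file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
- file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
- file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
- file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
- file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
- file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
- "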
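Review bot: `include refpolicy-targeted_${PV}.bb`, the context line directly under the new header comment, is a soft include — BitBake silently carries on when the included file is missing, so the exact situation the comment warns about (a -minimum policy built without the -targeted pieces) would still parse and build instead of failing. Now that the comment documents the relationship as mandatory, make it fail closed with `require refpolicy-targeted_${PV}.bb`; the same unchanged line appears in recipes-security/refpolicy/refpolicy-minimum_git.bb. Separately, the last hunk drops the `SRC_URI += ... SYSTEMD_REFPOLICY_PATCHES` line and the whole 0001–0009 patch list, which the description does not mention; only 0006 is visibly deleted in this chunk, so the other eight are presumably either dead files still sitting in refpolicy-minimum/ or removed outside this view. 0006 flipped `allow_mount_anyfile` and `systemd_tmpfiles_manage_all` from false to true specifically to get systemd booting, so dropping it leaves those booleans at upstream's (presumably still false) defaults — the tighter setting, but a behaviour change that deserves a sentence in the commit message and a boot test with systemd in DISTRO_FEATURES.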
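--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -1,3 +1,6 @@
+################################################################################
+# Note that -minimum specifically inherits from -targeted. Key policy pieces
+# will be missing if you do not preserve this relationship.
 include refpolicy-targeted_${PV}.bb
 
 SUMMARY = "SELinux minimum policy"
@@ -10,12 +13,21 @@ domains are unconfined. \
 
 POLICY_NAME = "minimum"
 
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
 CORE_POLICY_MODULES = "unconfined \
- selinuxutil storage sysnetwork \
- application libraries miscfiles logging userdomain \
- init mount modutils getty authlogin locallogin \
+ selinuxutil \
+ storage \
+ sysnetwork \
+ application \
+ libraries \
+ miscfiles \
+ logging \
+ userdomain \
+ init \
+ mount \
+ modutils \
+ getty \
+ authlogin \
+ locallogin \
 "
 #systemd dependent policy modules
 CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"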
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
index 7388232..7388232 100644
--- a/recipes-security/refpolicy/refpolicy-mls_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
index 3674fdd..3674fdd 100644
--- a/recipes-security/refpolicy/refpolicy-standard_2.20170204.bb
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
deleted file mode 100644
index 17a8199..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Wed, 17 Feb 2016 08:35:51 -0500
4Subject: [PATCH] remove duplicate type_transition
5
6Remove duplicate type rules from init_t to init_script_file_type,
7they have been included by systemd policies. This also fixes the
8errors while installing modules for refpolicy-targeted if systemd
9support is enabled:
10
11| Conflicting type rules
12| Binary policy creation failed at line 327 of \
13 .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
14 /var/lib/selinux/targeted/tmp/modules/100/init/cil
15| Failed to generate binary
16| semodule: Failed!
17
18Upstream-Status: Inappropriate
19
20Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
21Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
22---
23 policy/modules/system/init.if | 4 ++--
24 1 file changed, 2 insertions(+), 2 deletions(-)
25
26--- a/policy/modules/system/init.if
27+++ b/policy/modules/system/init.if
28@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
29 ## </summary>
30 ## </param>
31 #
32 interface(`init_domtrans_script',`
33 gen_require(`
34- type initrc_t;
35+ type initrc_t, initrc_exec_t;
36 attribute init_script_file_type;
37 ')
38
39 files_list_etc($1)
40- domtrans_pattern($1, init_script_file_type, initrc_t)
41+ domtrans_pattern($1, initrc_exec_t, initrc_t)
42
43 ifdef(`enable_mcs',`
44 range_transition $1 init_script_file_type:process s0;
45 ')
46
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
deleted file mode 100644
index 1dc9911..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Wed, 17 Feb 2016 08:35:51 -0500
4Subject: [PATCH] remove duplicate type_transition
5
6Remove duplicate type rules from init_t to init_script_file_type,
7they have been included by systemd policies. This also fixes the
8errors while installing modules for refpolicy-targeted if systemd
9support is enabled:
10
11| Conflicting type rules
12| Binary policy creation failed at line 327 of \
13 .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\
14 /var/lib/selinux/targeted/tmp/modules/100/init/cil
15| Failed to generate binary
16| semodule: Failed!
17
18Upstream-Status: Inappropriate
19
20Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
21Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
22---
23 policy/modules/system/init.if | 4 ++--
24 1 file changed, 2 insertions(+), 2 deletions(-)
25
26--- a/policy/modules/system/init.if
27+++ b/policy/modules/system/init.if
28@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
29 ## </summary>
30 ## </param>
31 #
32 interface(`init_domtrans_script',`
33 gen_require(`
34- type initrc_t;
35+ type initrc_t, initrc_exec_t;
36 attribute init_script_file_type;
37 ')
38
39 files_list_etc($1)
40- domtrans_pattern($1, init_script_file_type, initrc_t)
41+ domtrans_pattern($1, initrc_exec_t, initrc_t)
42
43 ifdef(`enable_mcs',`
44 range_transition $1 init_script_file_type:process s0;
45 ')
46
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
deleted file mode 100644
index 29d3e2d..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ /dev/null
@@ -1,222 +0,0 @@
1Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
2
3For targeted policy type, we define unconfined_u as the default selinux
4user for root and normal users, so users could login in and run most
5commands and services on unconfined domains.
6
7Also add rules for users to run init scripts directly, instead of via
8run_init.
9
10Upstream-Status: Inappropriate [configuration]
11
12Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
15---
16 config/appconfig-mcs/seusers | 4 ++--
17 policy/modules/roles/sysadm.te | 1 +
18 policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
19 policy/modules/system/unconfined.te | 7 ++++++
20 policy/users | 16 +++++--------
21 5 files changed, 55 insertions(+), 20 deletions(-)
22
23--- a/config/appconfig-mcs/seusers
24+++ b/config/appconfig-mcs/seusers
25@@ -1,2 +1,3 @@
26-root:root:s0-mcs_systemhigh
27-__default__:user_u:s0
28+root:unconfined_u:s0-mcs_systemhigh
29+__default__:unconfined_u:s0
30+
31--- a/policy/modules/roles/sysadm.te
32+++ b/policy/modules/roles/sysadm.te
33@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
34 ubac_file_exempt(sysadm_t)
35 ubac_fd_exempt(sysadm_t)
36
37 init_exec(sysadm_t)
38 init_admin(sysadm_t)
39+init_script_role_transition(sysadm_r)
40
41 selinux_read_policy(sysadm_t)
42
43 # Add/remove user home directories
44 userdom_manage_user_home_dirs(sysadm_t)
45--- a/policy/modules/system/init.if
46+++ b/policy/modules/system/init.if
47@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
48 ## </summary>
49 ## </param>
50 #
51 interface(`init_spec_domtrans_script',`
52 gen_require(`
53- type initrc_t, initrc_exec_t;
54+ type initrc_t;
55+ attribute init_script_file_type;
56 ')
57
58 files_list_etc($1)
59- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
60+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
61
62 ifdef(`distro_gentoo',`
63 gen_require(`
64 type rc_exec_t;
65 ')
66
67 domtrans_pattern($1, rc_exec_t, initrc_t)
68 ')
69
70 ifdef(`enable_mcs',`
71- range_transition $1 initrc_exec_t:process s0;
72+ range_transition $1 init_script_file_type:process s0;
73 ')
74
75 ifdef(`enable_mls',`
76- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
77+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
78 ')
79 ')
80
81 ########################################
82 ## <summary>
83@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
84 ## </summary>
85 ## </param>
86 #
87 interface(`init_domtrans_script',`
88 gen_require(`
89- type initrc_t, initrc_exec_t;
90+ type initrc_t;
91+ attribute init_script_file_type;
92 ')
93
94 files_list_etc($1)
95- domtrans_pattern($1, initrc_exec_t, initrc_t)
96+ domtrans_pattern($1, init_script_file_type, initrc_t)
97
98 ifdef(`enable_mcs',`
99- range_transition $1 initrc_exec_t:process s0;
100+ range_transition $1 init_script_file_type:process s0;
101 ')
102
103 ifdef(`enable_mls',`
104- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
105+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
106 ')
107 ')
108
109 ########################################
110 ## <summary>
111@@ -2972,5 +2974,34 @@ interface(`init_admin',`
112 init_stop_all_units($1)
113 init_stop_generic_units($1)
114 init_stop_system($1)
115 init_telinit($1)
116 ')
117+
118+########################################
119+## <summary>
120+## Transition to system_r when execute an init script
121+## </summary>
122+## <desc>
123+## <p>
124+## Execute a init script in a specified role
125+## </p>
126+## <p>
127+## No interprocess communication (signals, pipes,
128+## etc.) is provided by this interface since
129+## the domains are not owned by this module.
130+## </p>
131+## </desc>
132+## <param name="source_role">
133+## <summary>
134+## Role to transition from.
135+## </summary>
136+## </param>
137+#
138+interface(`init_script_role_transition',`
139+ gen_require(`
140+ attribute init_script_file_type;
141+ ')
142+
143+ role_transition $1 init_script_file_type system_r;
144+')
145+
146--- a/policy/modules/system/unconfined.te
147+++ b/policy/modules/system/unconfined.te
148@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
149
150 type unconfined_execmem_t;
151 type unconfined_execmem_exec_t;
152 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
153 role unconfined_r types unconfined_execmem_t;
154+role unconfined_r types unconfined_t;
155+role system_r types unconfined_t;
156+role_transition system_r unconfined_exec_t unconfined_r;
157+allow system_r unconfined_r;
158+allow unconfined_r system_r;
159
160 ########################################
161 #
162 # Local policy
163 #
164@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
165 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
166
167 ifdef(`direct_sysadm_daemon',`
168 optional_policy(`
169 init_run_daemon(unconfined_t, unconfined_r)
170+ init_domtrans_script(unconfined_t)
171+ init_script_role_transition(unconfined_r)
172 ')
173 ',`
174 ifdef(`distro_gentoo',`
175 seutil_run_runinit(unconfined_t, unconfined_r)
176 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
177--- a/policy/users
178+++ b/policy/users
179@@ -13,37 +13,33 @@
180 # system_u is the user identity for system processes and objects.
181 # There should be no corresponding Unix user identity for system,
182 # and a user process should never be assigned the system user
183 # identity.
184 #
185-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
186+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
187
188 #
189 # user_u is a generic user identity for Linux users who have no
190 # SELinux user identity defined. The modified daemons will use
191 # this user identity in the security context if there is no matching
192 # SELinux user identity for a Linux user. If you do not want to
193 # permit any access to such users, then remove this entry.
194 #
195 gen_user(user_u, user, user_r, s0, s0)
196-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
197-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
198+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
199+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
200
201 # Until order dependence is fixed for users:
202 ifdef(`direct_sysadm_daemon',`
203- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
204+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
205 ',`
206- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
207+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
208 ')
209
210 #
211 # The following users correspond to Unix identities.
212 # These identities are typically assigned as the user attribute
213 # when login starts the user shell. Users with access to the sysadm_r
214 # role should use the staff_r role instead of the user_r role when
215 # not in the sysadm_r.
216 #
217-ifdef(`direct_sysadm_daemon',`
218- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
219-',`
220- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
221-')
222+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
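--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- config/appconfig-mcs/seusers | 4 ++--
- policy/modules/roles/sysadm.te | 1 +
- policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te | 7 ++++++
- policy/users | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
-
---- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
--root:root:s0-mcs_systemhigh
--__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -41,10 +41,11 @@ init_reload(sysadm_t)
- init_reboot_system(sysadm_t)
- init_shutdown_system(sysadm_t)
- init_start_generic_units(sysadm_t)
- init_stop_generic_units(sysadm_t)
- init_reload_generic_units(sysadm_t)
-+init_script_role_transition(sysadm_r)
-
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
-
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
- ## </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`distro_gentoo',`
- gen_require(`
- type rc_exec_t;
- ')
-
- domtrans_pattern($1, rc_exec_t, initrc_t)
- ')
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
- ## </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
- gen_require(`
-- type initrc_t, initrc_exec_t;
-+ type initrc_t;
-+ attribute init_script_file_type;
- ')
-
- files_list_etc($1)
-- domtrans_pattern($1, initrc_exec_t, initrc_t)
-+ domtrans_pattern($1, init_script_file_type, initrc_t)
-
- ifdef(`enable_mcs',`
-- range_transition $1 initrc_exec_t:process s0;
-+ range_transition $1 init_script_file_type:process s0;
- ')
-
- ifdef(`enable_mls',`
-- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
-@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
- class service reload;
- ')
-
- allow $1 systemdunit:service reload;
- ')
-+
-+########################################
-+## <summary>
-+## Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+## <p>
-+## Execute a init script in a specified role
-+## </p>
-+## <p>
-+## No interprocess communication (signals, pipes,
-+## etc.) is provided by this interface since
-+## the domains are not owned by this module.
-+## </p>
-+## </desc>
-+## <param name="source_role">
-+## <summary>
-+## Role to transition from.
-+## </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+ gen_require(`
-+ attribute init_script_file_type;
-+ ')
-+
-+ role_transition $1 init_script_file_type system_r;
-+')
-+
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
-
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
-
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(unconfined_t, unconfined_r)
-+ init_domtrans_script(unconfined_t)
-+ init_script_role_transition(unconfined_r)
- ')
- ',`
- ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
---- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
--gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined. The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user. If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
--gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
-
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell. Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
--ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--',`
-- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
--')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)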
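--- a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy. Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-include refpolicy_${PV}.inc
-
-SRC_URI += "${@bb.utils.contains('${PV}', '2.20170805', '${PATCH_2.20170805}', '${PATCH_2.20170204}', d)}"
-
-PATCH_2.20170805 = " \
- file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
- file://refpolicy-unconfined_u-default-user.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
- "
-
-PATCH_2.20170204 = " \
- file://refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch \
- file://refpolicy-unconfined_u-default-user_2.20170204.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition_2.20170204.patch', '', d)} \
- "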
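--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
@@ -0,0 +1,35 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy. Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SYSTEMD_REFPOLICY_PATCHES = " \
+ file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+ file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+ file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+ file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+ file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+ file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+ file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+ file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+ file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+ "
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+ file://0001-fix-update-alternatives-for-sysvinit.patch \
+ "
+
+SRC_URI += " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+ "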
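Review bot: DESCRIPTION still promises that users and admins log in with unconfined_t, but the SRC_URI assembled here (and in refpolicy-targeted_git.bb, which this commit makes byte-identical — same blob 1ecdb4e) no longer carries `refpolicy-unconfined_u-default-user*.patch`, the patch this commit deletes and which was what mapped root and `__default__` to unconfined_u in seusers and added the unconfined_r/system_r role rules. Nothing in SYSTEMD_REFPOLICY_PATCHES or SYSVINIT_REFPOLICY_PATCHES visibly replaces it, so unless upstream 2.20190201 already ships that mapping the targeted build now confines logins the way upstream's default seusers does — a change in the access model the commit message does not mention. Either carry an equivalent patch again or reword DESCRIPTION to what the policy actually does, and record the decision next to SRC_URI, e.g. `# unconfined_u default-user patch intentionally dropped; upstream ${PV} seusers mapping is used as-is`. Since both targeted recipes now differ only in PV, moving this body into a shared refpolicy-targeted.inc would keep them from drifting apart again.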
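--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,8 +14,22 @@ POLICY_MLS_SENS = "0"
 
 include refpolicy_${PV}.inc
 
+SYSTEMD_REFPOLICY_PATCHES = " \
+ file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+ file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
+ file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+ file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+ file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+ file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
+ file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
+ file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+ file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
+ "
+
+SYSVINIT_REFPOLICY_PATCHES = " \
+ file://0001-fix-update-alternatives-for-sysvinit.patch \
+ "
+
 SRC_URI += " \
- file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
- file://refpolicy-unconfined_u-default-user.patch \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \
- "
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
+ "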
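--- a/recipes-security/refpolicy/refpolicy_2.20170204.inc
+++ /dev/null
@@ -1,58 +0,0 @@
-SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20170204:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
- file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_sysklogd.patch \
- file://poky-fc-update-alternatives_hostname.patch \
- file://poky-fc-update-alternatives_bash.patch \
- file://poky-fc-fix-real-path_resolv.conf.patch \
- file://poky-fc-fix-real-path_login.patch \
- file://poky-fc-fix-real-path_shadow.patch \
- file://poky-fc-fix-bind.patch \
- file://poky-fc-clock.patch \
- file://poky-fc-dmesg.patch \
- file://poky-fc-fstools.patch \
- file://poky-fc-mta.patch \
- file://poky-fc-netutils.patch \
- file://poky-fc-nscd.patch \
- file://poky-fc-screen.patch \
- file://poky-fc-ssh.patch \
- file://poky-fc-sysnetwork.patch \
- file://poky-fc-udevd.patch \
- file://poky-fc-rpm.patch \
- file://poky-fc-ftpwho-dir.patch \
- file://poky-fc-fix-real-path_su.patch \
- file://refpolicy-update-for_systemd.patch \
- "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
- file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
- file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
- file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
- file://poky-policy-add-rules-for-var-cache-symlink.patch \
- file://poky-policy-add-rules-for-tmp-symlink.patch \
- file://poky-policy-add-rules-for-bsdpty_device_t.patch \
- file://poky-policy-don-t-audit-tty_device_t.patch \
- file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
- file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
- file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
- file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
- file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
- "
-
-# Other policy fixes
-SRC_URI += " \
- file://poky-policy-fix-seutils-manage-config-files.patch \
- file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
- file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
- file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
- "
-
-include refpolicy_common.inc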
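--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -0,0 +1,7 @@
+SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/refpolicy/files/refpolicy-${PV}.tar.bz2;"
+SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
+SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
+
+include refpolicy_common.inc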
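Review bot: The md5sum and sha256sum on lines 2–3 are copied unchanged from the deleted refpolicy_2.20170204.inc, yet SRC_URI now names refpolicy-2.20190201.tar.bz2; two different release tarballs cannot share a digest, so do_fetch will fail checksum verification for this recipe — or, if the served file does happen to match, the 2.20170204 policy is being built under the new version name. Replace both with the digests of the actual 2.20190201 tarball, e.g. `SRC_URI[sha256sum] = "<sha256 of refpolicy-2.20190201.tar.bz2>"`, and confirm the value against the upstream release announcement rather than only against a locally downloaded copy. The md5sum line can be dropped once the sha256sum is right; a single sha256 digest satisfies the fetcher and is the one that actually binds the artifact.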
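--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,6 +1,6 @@
 DEFAULT_ENFORCING ??= "enforcing"
 
-SECTION = "base"
+SECTION = "admin"
 LICENSE = "GPLv2"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
@@ -9,11 +9,51 @@ PROVIDES += "virtual/refpolicy"
 RPROVIDES_${PN} += "refpolicy"
 
 # Specific config files for Poky
 SRC_URI += "file://customizable_types \
  file://setrans-mls.conf \
  file://setrans-mcs.conf \
  "
 
+# Base patches applied to all Yocto-based platforms. Your own version of
+# refpolicy should provide a version of these and place them in your own
+# refpolicy-${PV} directory.
+SRC_URI += " \
+ file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+ file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+ file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
+ file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+ file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+ file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+ file://0007-fc-login-apply-login-context-to-login.shadow.patch \
+ file://0008-fc-bind-fix-real-path-for-bind.patch \
+ file://0009-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
+ file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+ file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0015-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0016-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
+ file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
+ file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
+ file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
+ file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
+ file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
+ file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
+ file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
+ file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
+ file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
+ file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
+ file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
+ file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
+ file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
+ file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
+ file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
+ file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
+ file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+ "
+
 S = "${WORKDIR}/refpolicy"
 
 CONFFILES_${PN} += "${sysconfdir}/selinux/config"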
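Review bot: The new comment (new lines 17–19) tells downstream layers to "provide a version of these" but does not say which refpolicy revision the 34-patch series was generated against, and because the list is appended to SRC_URI unconditionally, a refpolicy-${PV} directory missing any one file fails at do_fetch rather than falling back. Stating the baseline saves the next SRCREV bump a guess, e.g. `# Series generated against refpolicy 2.20190201; re-check after changing SRCREV_refpolicy in refpolicy_git.inc.` — if that is indeed the baseline, since the commit only says "2.20190201 and git HEAD". 0033-refpolicy-minimum-make-sysadmin-module-optional.patch is named for the minimum policy but is now applied to every variant that includes this file; a one-line note on why it belongs in the common set would help a reader who later wonders whether it is safe to drop.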
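--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,58 +1,9 @@
-PV = "2.20170805+git${SRCPV}"
+PV = "2.20190201+git${SRCPV}"
 
-SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
-SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
 
-SRCREV_refpolicy ?= "794ed7efd0eca19d0353659a1ec9d4ef4e4b751c"
-SRCREV_refpolicy-contrib ?= "a393275a6ecb76311323726a029767a3a01e109e"
-SRCREV_FORMAT = "refpolicy.refpolicy-contrib"
+SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
 
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
 
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
- file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_hostname.patch \
- file://poky-fc-update-alternatives_bash.patch \
- file://poky-fc-fix-real-path_resolv.conf.patch \
- file://poky-fc-fix-real-path_login.patch \
- file://poky-fc-fix-real-path_shadow.patch \
- file://poky-fc-fix-bind.patch \
- file://poky-fc-clock.patch \
- file://poky-fc-dmesg.patch \
- file://poky-fc-fstools.patch \
- file://poky-fc-mta.patch \
- file://poky-fc-screen.patch \
- file://poky-fc-ssh.patch \
- file://poky-fc-sysnetwork.patch \
- file://poky-fc-udevd.patch \
- file://poky-fc-rpm.patch \
- file://poky-fc-fix-real-path_su.patch \
- file://refpolicy-update-for_systemd.patch \
- "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
- file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
- file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
- file://poky-policy-add-rules-for-var-cache-symlink.patch \
- file://poky-policy-add-rules-for-tmp-symlink.patch \
- file://poky-policy-add-rules-for-bsdpty_device_t.patch \
- file://poky-policy-don-t-audit-tty_device_t.patch \
- file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
- file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
- file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
- file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
- file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
- "
-
-# Other policy fixes
-SRC_URI += " \
- file://poky-policy-fix-seutils-manage-config-files.patch \
- file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
- file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
- file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
- "
-
 include refpolicy_common.inc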
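Review bot: The rewritten SRC_URI on new line 3 keeps `protocol=git`, so the clone still goes over the git:// transport, which is neither encrypted nor authenticated; the full-SHA SRCREV pin already guarantees that what gets built is the intended tree, but GitHub serves the same repository over HTTPS and the switch is a one-word hardening: `SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"`. Dropping the refpolicy-contrib repository and SRCREV_FORMAT presumably reflects the contrib modules now living in the main tree at the pinned revision; a comment saying so, e.g. `# contrib modules are part of the main refpolicy tree at this SRCREV`, would stop someone re-adding the second fetch. `SRCREV_refpolicy ?=` still lets any layer or local.conf float the pin, which is convenient for development but worth keeping in mind when this .inc backs a release recipe.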