diff options
author | Sajjad Ahmed <sajjad_ahmed@mentor.com> | 2018-01-09 16:10:12 +0500 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2018-01-19 13:06:46 -0500 |
commit | e8d39ffb15b4d78f8b95711bbb509f9afbd46c05 (patch) | |
tree | a8b1a70441cbf3da129c83cf68eb298726f4155c | |
parent | d855c624f32c5e599bf27e06cb8f5b25b3aae12d (diff) | |
download | meta-selinux-e8d39ffb15b4d78f8b95711bbb509f9afbd46c05.tar.gz |
Fix URL, update refpolicy patches and dependencies
* audit_2.7.6.bb : fix error [gzip: stdin: not in gzip format] and checksum
* refpolicy-minimum_git.bb : fix [Failed to resolve typeattributeset statement], dependency for "fsadm" in init.pp
* refpolicy-targeted_2.20170204.bb : added version dependent patches
* patches : separate patches for release 2.20170204 version and 2.20170805+git version
Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9 files changed, 370 insertions, 59 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch index e0fdba1..49136e6 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch | |||
@@ -1,24 +1,12 @@ | |||
1 | From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001 | 1 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
2 | From: Mark Hatle <mark.hatle@windriver.com> | 2 | index f2e4f51..c39912d 100644 |
3 | Date: Thu, 14 Sep 2017 15:02:23 -0500 | 3 | --- a/policy/modules/kernel/corecommands.fc |
4 | Subject: [PATCH 3/4] fix update-alternatives for hostname | 4 | +++ b/policy/modules/kernel/corecommands.fc |
5 | 5 | @@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` | |
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) |
7 | 7 | /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) | |
8 | Signed-off-by: Mark Hatle <mark.hatle@windriver.com> | 8 | /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) |
9 | --- | 9 | +/usr/bin\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) |
10 | policy/modules/system/corecommands.fc | 1 + | 10 | /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) |
11 | 1 file changed, 1 insertion(+) | 11 | /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) |
12 | 12 | /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) | |
13 | Index: refpolicy/policy/modules/kernel/corecommands.fc | ||
14 | =================================================================== | ||
15 | --- refpolicy.orig/policy/modules/kernel/corecommands.fc | ||
16 | +++ refpolicy/policy/modules/kernel/corecommands.fc | ||
17 | @@ -6,6 +6,7 @@ | ||
18 | /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
19 | /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
20 | /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
21 | +/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
22 | /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
23 | /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
24 | /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch index fb912b5..5bd5b2e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch | |||
@@ -1,31 +1,12 @@ | |||
1 | From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 | 1 | diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | index fcf795f..529057c 100644 |
3 | Date: Thu, 22 Aug 2013 19:36:44 +0800 | ||
4 | Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 | ||
5 | |||
6 | We have added rules for the symlink of /var/log in logging.if, | ||
7 | while apache.te uses /var/log but does not use the interfaces in | ||
8 | logging.if. So still need add a individual rule for apache.te. | ||
9 | |||
10 | Upstream-Status: Inappropriate [only for Poky] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | ||
15 | policy/modules/contrib/apache.te | 1 + | ||
16 | 1 file changed, 1 insertion(+) | ||
17 | |||
18 | --- a/policy/modules/contrib/apache.te | 3 | --- a/policy/modules/contrib/apache.te |
19 | +++ b/policy/modules/contrib/apache.te | 4 | +++ b/policy/modules/contrib/apache.te |
20 | @@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f | 5 | @@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
21 | files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) | 6 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
22 | 7 | setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
23 | manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
24 | manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
25 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 8 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
26 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | 9 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) |
27 | logging_log_filetrans(httpd_t, httpd_log_t, file) | 10 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
28 | 11 | ||
29 | allow httpd_t httpd_modules_t:dir list_dir_perms; | 12 | allow httpd_t httpd_modules_t:dir list_dir_perms; |
30 | mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | ||
31 | read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | ||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch index 7a72f18..b5ca0f8 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch | |||
@@ -35,13 +35,10 @@ diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | |||
35 | index d710fb0..f9d7114 100644 | 35 | index d710fb0..f9d7114 100644 |
36 | --- a/policy/modules/system/init.te | 36 | --- a/policy/modules/system/init.te |
37 | +++ b/policy/modules/system/init.te | 37 | +++ b/policy/modules/system/init.te |
38 | @@ -1100,4 +1100,8 @@ optional_policy(` | 38 | @@ -1114,3 +1114,7 @@ optional_policy(` |
39 | # systemd related allow rules | ||
40 | allow kernel_t init_t:process dyntransition; | 39 | allow kernel_t init_t:process dyntransition; |
41 | allow devpts_t device_t:filesystem associate; | 40 | allow devpts_t device_t:filesystem associate; |
42 | -allow init_t self:capability2 block_suspend; | 41 | allow init_t self:capability2 block_suspend; |
43 | \ No newline at end of file | ||
44 | +allow init_t self:capability2 block_suspend; | ||
45 | +allow init_t self:capability2 audit_read; | 42 | +allow init_t self:capability2 audit_read; |
46 | + | 43 | + |
47 | +allow initrc_t init_t:system { start status }; | 44 | +allow initrc_t init_t:system { start status }; |
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch index 50e3c64..2dd90fe 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ b/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch | |||
@@ -49,15 +49,12 @@ diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | |||
49 | index 19a7a20..cefa59d 100644 | 49 | index 19a7a20..cefa59d 100644 |
50 | --- a/policy/modules/system/init.te | 50 | --- a/policy/modules/system/init.te |
51 | +++ b/policy/modules/system/init.te | 51 | +++ b/policy/modules/system/init.te |
52 | @@ -1105,3 +1105,8 @@ allow init_t self:capability2 audit_read; | 52 | @@ -1105,3 +1105,5 @@ allow init_t self:capability2 audit_read; |
53 | 53 | ||
54 | allow initrc_t init_t:system { start status reboot }; | 54 | allow initrc_t init_t:system { start status reboot }; |
55 | allow initrc_t init_var_run_t:service { start status }; | 55 | allow initrc_t init_var_run_t:service { start status }; |
56 | + | 56 | + |
57 | +allow initrc_t init_var_run_t:service stop; | 57 | +allow initrc_t init_var_run_t:service stop; |
58 | +allow initrc_t init_t:dbus send_msg; | ||
59 | + | ||
60 | +allow init_t initrc_t:dbus { send_msg acquire_svc }; | ||
61 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 58 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
62 | index 09ec33f..be25c82 100644 | 59 | index 09ec33f..be25c82 100644 |
63 | --- a/policy/modules/system/locallogin.te | 60 | --- a/policy/modules/system/locallogin.te |
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb index 04ceadd..0f2a139 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_git.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb | |||
@@ -18,7 +18,7 @@ CORE_POLICY_MODULES = "unconfined \ | |||
18 | init mount modutils getty authlogin locallogin \ | 18 | init mount modutils getty authlogin locallogin \ |
19 | " | 19 | " |
20 | #systemd dependent policy modules | 20 | #systemd dependent policy modules |
21 | CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev', '', d)}" | 21 | CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}" |
22 | 22 | ||
23 | # nscd caches libc-issued requests to the name service. | 23 | # nscd caches libc-issued requests to the name service. |
24 | # Without nscd.pp, commands want to use these caches will be blocked. | 24 | # Without nscd.pp, commands want to use these caches will be blocked. |
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch new file mode 100644 index 0000000..3a8a95e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | Subject: [PATCH] refpolicy: fix optional issue on sysadm module | ||
2 | |||
3 | init and locallogin modules have a depend for sysadm module because | ||
4 | they have called sysadm interfaces(sysadm_shell_domtrans). Since | ||
5 | sysadm is not a core module, we could make the sysadm_shell_domtrans | ||
6 | calls optionally by optional_policy. | ||
7 | |||
8 | So, we could make the minimum policy without sysadm module. | ||
9 | |||
10 | Upstream-Status: pending | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
15 | --- | ||
16 | policy/modules/system/init.te | 14 ++++++++------ | ||
17 | policy/modules/system/locallogin.te | 4 +++- | ||
18 | 2 files changed, 11 insertions(+), 7 deletions(-) | ||
19 | |||
20 | --- a/policy/modules/system/init.te | ||
21 | +++ b/policy/modules/system/init.te | ||
22 | @@ -300,16 +300,18 @@ ifdef(`init_systemd',` | ||
23 | |||
24 | optional_policy(` | ||
25 | modutils_domtrans_insmod(init_t) | ||
26 | ') | ||
27 | ',` | ||
28 | - tunable_policy(`init_upstart',` | ||
29 | - corecmd_shell_domtrans(init_t, initrc_t) | ||
30 | - ',` | ||
31 | - # Run the shell in the sysadm role for single-user mode. | ||
32 | - # causes problems with upstart | ||
33 | - sysadm_shell_domtrans(init_t) | ||
34 | + optional_policy(` | ||
35 | + tunable_policy(`init_upstart',` | ||
36 | + corecmd_shell_domtrans(init_t, initrc_t) | ||
37 | + ',` | ||
38 | + # Run the shell in the sysadm role for single-user mode. | ||
39 | + # causes problems with upstart | ||
40 | + sysadm_shell_domtrans(init_t) | ||
41 | + ') | ||
42 | ') | ||
43 | ') | ||
44 | |||
45 | ifdef(`distro_debian',` | ||
46 | fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") | ||
47 | @@ -1109,6 +1111,6 @@ optional_policy(` | ||
48 | ') | ||
49 | |||
50 | # systemd related allow rules | ||
51 | allow kernel_t init_t:process dyntransition; | ||
52 | allow devpts_t device_t:filesystem associate; | ||
53 | -allow init_t self:capability2 block_suspend; | ||
54 | \ No newline at end of file | ||
55 | +allow init_t self:capability2 block_suspend; | ||
56 | --- a/policy/modules/system/locallogin.te | ||
57 | +++ b/policy/modules/system/locallogin.te | ||
58 | @@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t) | ||
59 | userdom_use_unpriv_users_fds(sulogin_t) | ||
60 | |||
61 | userdom_search_user_home_dirs(sulogin_t) | ||
62 | userdom_use_user_ptys(sulogin_t) | ||
63 | |||
64 | -sysadm_shell_domtrans(sulogin_t) | ||
65 | +optional_policy(` | ||
66 | + sysadm_shell_domtrans(sulogin_t) | ||
67 | +') | ||
68 | |||
69 | # suse and debian do not use pam with sulogin... | ||
70 | ifdef(`distro_suse', `define(`sulogin_no_pam')') | ||
71 | ifdef(`distro_debian', `define(`sulogin_no_pam')') | ||
72 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch new file mode 100644 index 0000000..1dc9911 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition_2.20170204.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From e1693b640f889818091c976a90041ea6a843fafd Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Wed, 17 Feb 2016 08:35:51 -0500 | ||
4 | Subject: [PATCH] remove duplicate type_transition | ||
5 | |||
6 | Remove duplicate type rules from init_t to init_script_file_type, | ||
7 | they have been included by systemd policies. This also fixes the | ||
8 | errors while installing modules for refpolicy-targeted if systemd | ||
9 | support is enabled: | ||
10 | |||
11 | | Conflicting type rules | ||
12 | | Binary policy creation failed at line 327 of \ | ||
13 | .../tmp/work/qemux86-poky-linux/refpolicy-targeted/git-r0/image\ | ||
14 | /var/lib/selinux/targeted/tmp/modules/100/init/cil | ||
15 | | Failed to generate binary | ||
16 | | semodule: Failed! | ||
17 | |||
18 | Upstream-Status: Inappropriate | ||
19 | |||
20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
22 | --- | ||
23 | policy/modules/system/init.if | 4 ++-- | ||
24 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
25 | |||
26 | --- a/policy/modules/system/init.if | ||
27 | +++ b/policy/modules/system/init.if | ||
28 | @@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',` | ||
29 | ## </summary> | ||
30 | ## </param> | ||
31 | # | ||
32 | interface(`init_domtrans_script',` | ||
33 | gen_require(` | ||
34 | - type initrc_t; | ||
35 | + type initrc_t, initrc_exec_t; | ||
36 | attribute init_script_file_type; | ||
37 | ') | ||
38 | |||
39 | files_list_etc($1) | ||
40 | - domtrans_pattern($1, init_script_file_type, initrc_t) | ||
41 | + domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
42 | |||
43 | ifdef(`enable_mcs',` | ||
44 | range_transition $1 init_script_file_type:process s0; | ||
45 | ') | ||
46 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch new file mode 100644 index 0000000..f28ab74 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user_2.20170204.patch | |||
@@ -0,0 +1,222 @@ | |||
1 | Subject: [PATCH] refpolicy: make unconfined_u the default selinux user | ||
2 | |||
3 | For targeted policy type, we define unconfined_u as the default selinux | ||
4 | user for root and normal users, so users could login in and run most | ||
5 | commands and services on unconfined domains. | ||
6 | |||
7 | Also add rules for users to run init scripts directly, instead of via | ||
8 | run_init. | ||
9 | |||
10 | Upstream-Status: Inappropriate [configuration] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
15 | --- | ||
16 | config/appconfig-mcs/seusers | 4 ++-- | ||
17 | policy/modules/roles/sysadm.te | 1 + | ||
18 | policy/modules/system/init.if | 47 ++++++++++++++++++++++++++++++------- | ||
19 | policy/modules/system/unconfined.te | 7 ++++++ | ||
20 | policy/users | 16 +++++-------- | ||
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | ||
22 | |||
23 | --- a/config/appconfig-mcs/seusers | ||
24 | +++ b/config/appconfig-mcs/seusers | ||
25 | @@ -1,2 +1,3 @@ | ||
26 | -root:root:s0-mcs_systemhigh | ||
27 | -__default__:user_u:s0 | ||
28 | +root:unconfined_u:s0-mcs_systemhigh | ||
29 | +__default__:unconfined_u:s0 | ||
30 | + | ||
31 | --- a/policy/modules/roles/sysadm.te | ||
32 | +++ b/policy/modules/roles/sysadm.te | ||
33 | @@ -41,10 +41,11 @@ init_reload(sysadm_t) | ||
34 | init_reboot_system(sysadm_t) | ||
35 | init_shutdown_system(sysadm_t) | ||
36 | init_start_generic_units(sysadm_t) | ||
37 | init_stop_generic_units(sysadm_t) | ||
38 | init_reload_generic_units(sysadm_t) | ||
39 | +init_script_role_transition(sysadm_r) | ||
40 | |||
41 | # Add/remove user home directories | ||
42 | userdom_manage_user_home_dirs(sysadm_t) | ||
43 | userdom_home_filetrans_user_home_dir(sysadm_t) | ||
44 | |||
45 | --- a/policy/modules/system/init.if | ||
46 | +++ b/policy/modules/system/init.if | ||
47 | @@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type', | ||
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | ||
51 | interface(`init_spec_domtrans_script',` | ||
52 | gen_require(` | ||
53 | - type initrc_t, initrc_exec_t; | ||
54 | + type initrc_t; | ||
55 | + attribute init_script_file_type; | ||
56 | ') | ||
57 | |||
58 | files_list_etc($1) | ||
59 | - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
60 | + spec_domtrans_pattern($1, init_script_file_type, initrc_t) | ||
61 | |||
62 | ifdef(`distro_gentoo',` | ||
63 | gen_require(` | ||
64 | type rc_exec_t; | ||
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
68 | ') | ||
69 | |||
70 | ifdef(`enable_mcs',` | ||
71 | - range_transition $1 initrc_exec_t:process s0; | ||
72 | + range_transition $1 init_script_file_type:process s0; | ||
73 | ') | ||
74 | |||
75 | ifdef(`enable_mls',` | ||
76 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
77 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
78 | ') | ||
79 | ') | ||
80 | |||
81 | ######################################## | ||
82 | ## <summary> | ||
83 | @@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
86 | # | ||
87 | interface(`init_domtrans_script',` | ||
88 | gen_require(` | ||
89 | - type initrc_t, initrc_exec_t; | ||
90 | + type initrc_t; | ||
91 | + attribute init_script_file_type; | ||
92 | ') | ||
93 | |||
94 | files_list_etc($1) | ||
95 | - domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
96 | + domtrans_pattern($1, init_script_file_type, initrc_t) | ||
97 | |||
98 | ifdef(`enable_mcs',` | ||
99 | - range_transition $1 initrc_exec_t:process s0; | ||
100 | + range_transition $1 init_script_file_type:process s0; | ||
101 | ') | ||
102 | |||
103 | ifdef(`enable_mls',` | ||
104 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
105 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
106 | ') | ||
107 | ') | ||
108 | |||
109 | ######################################## | ||
110 | ## <summary> | ||
111 | @@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',` | ||
112 | class service reload; | ||
113 | ') | ||
114 | |||
115 | allow $1 systemdunit:service reload; | ||
116 | ') | ||
117 | + | ||
118 | +######################################## | ||
119 | +## <summary> | ||
120 | +## Transition to system_r when execute an init script | ||
121 | +## </summary> | ||
122 | +## <desc> | ||
123 | +## <p> | ||
124 | +## Execute a init script in a specified role | ||
125 | +## </p> | ||
126 | +## <p> | ||
127 | +## No interprocess communication (signals, pipes, | ||
128 | +## etc.) is provided by this interface since | ||
129 | +## the domains are not owned by this module. | ||
130 | +## </p> | ||
131 | +## </desc> | ||
132 | +## <param name="source_role"> | ||
133 | +## <summary> | ||
134 | +## Role to transition from. | ||
135 | +## </summary> | ||
136 | +## </param> | ||
137 | +# | ||
138 | +interface(`init_script_role_transition',` | ||
139 | + gen_require(` | ||
140 | + attribute init_script_file_type; | ||
141 | + ') | ||
142 | + | ||
143 | + role_transition $1 init_script_file_type system_r; | ||
144 | +') | ||
145 | + | ||
146 | --- a/policy/modules/system/unconfined.te | ||
147 | +++ b/policy/modules/system/unconfined.te | ||
148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi | ||
149 | |||
150 | type unconfined_execmem_t; | ||
151 | type unconfined_execmem_exec_t; | ||
152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | ||
153 | role unconfined_r types unconfined_execmem_t; | ||
154 | +role unconfined_r types unconfined_t; | ||
155 | +role system_r types unconfined_t; | ||
156 | +role_transition system_r unconfined_exec_t unconfined_r; | ||
157 | +allow system_r unconfined_r; | ||
158 | +allow unconfined_r system_r; | ||
159 | |||
160 | ######################################## | ||
161 | # | ||
162 | # Local policy | ||
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
167 | ifdef(`direct_sysadm_daemon',` | ||
168 | optional_policy(` | ||
169 | init_run_daemon(unconfined_t, unconfined_r) | ||
170 | + init_domtrans_script(unconfined_t) | ||
171 | + init_script_role_transition(unconfined_r) | ||
172 | ') | ||
173 | ',` | ||
174 | ifdef(`distro_gentoo',` | ||
175 | seutil_run_runinit(unconfined_t, unconfined_r) | ||
176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) | ||
177 | --- a/policy/users | ||
178 | +++ b/policy/users | ||
179 | @@ -13,37 +13,33 @@ | ||
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
182 | # and a user process should never be assigned the system user | ||
183 | # identity. | ||
184 | # | ||
185 | -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
186 | +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
187 | |||
188 | # | ||
189 | # user_u is a generic user identity for Linux users who have no | ||
190 | # SELinux user identity defined. The modified daemons will use | ||
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
193 | # permit any access to such users, then remove this entry. | ||
194 | # | ||
195 | gen_user(user_u, user, user_r, s0, s0) | ||
196 | -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
197 | -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
198 | +gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
199 | +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
200 | |||
201 | # Until order dependence is fixed for users: | ||
202 | ifdef(`direct_sysadm_daemon',` | ||
203 | - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
204 | + gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
205 | ',` | ||
206 | - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
207 | + gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
208 | ') | ||
209 | |||
210 | # | ||
211 | # The following users correspond to Unix identities. | ||
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
214 | # role should use the staff_r role instead of the user_r role when | ||
215 | # not in the sysadm_r. | ||
216 | # | ||
217 | -ifdef(`direct_sysadm_daemon',` | ||
218 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
219 | -',` | ||
220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | ||
221 | -') | ||
222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | ||
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb index f795bf7..4705c46 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_2.20170204.bb | |||
@@ -14,8 +14,16 @@ POLICY_MLS_SENS = "0" | |||
14 | 14 | ||
15 | include refpolicy_${PV}.inc | 15 | include refpolicy_${PV}.inc |
16 | 16 | ||
17 | SRC_URI += " \ | 17 | SRC_URI += "${@bb.utils.contains('${PV}', '2.20170805', '${PATCH_2.20170805}', '${PATCH_2.20170204}', d)}" |
18 | |||
19 | PATCH_2.20170805 = " \ | ||
18 | file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ | 20 | file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ |
19 | file://refpolicy-unconfined_u-default-user.patch \ | 21 | file://refpolicy-unconfined_u-default-user.patch \ |
20 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \ | 22 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition.patch', '', d)} \ |
21 | " | 23 | " |
24 | |||
25 | PATCH_2.20170204 = " \ | ||
26 | file://refpolicy-fix-optional-issue-on-sysadm-module_2.20170204.patch \ | ||
27 | file://refpolicy-unconfined_u-default-user_2.20170204.patch \ | ||
28 | ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-remove-duplicate-type_transition_2.20170204.patch', '', d)} \ | ||
29 | " | ||