author | Joe MacDonald <joe_macdonald@mentor.com> | 2017-05-03 21:05:44 -0400 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2017-05-03 21:05:44 -0400 |
commit | 0cfdbb47aafef9e9af562c9dffebd0aefefe5457 (patch) | |
tree | 3ab165035cc90e193aeb0de686fb3a80fa4d9285 | |
parent | 849cd74b5ff3c915356ae7411746194728594212 (diff) | |
refpolicy: update git recipes
The targeted, mls and minimum recipes had fallen far behind the upstream
refpolicy repository. Refresh all patches and discard ones that are
obviously no longer needed. This should not have any functional change on
the policies.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
43 files changed, 391 insertions, 446 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch index 4830566..85c40a4 100644 --- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch +++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch | |||
@@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name | |||
17 | root@localhost:~# | 17 | root@localhost:~# |
18 | 18 | ||
19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 19 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
20 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
20 | --- | 21 | --- |
21 | policy/modules/contrib/ftp.te | 2 ++ | 22 | policy/modules/contrib/ftp.te | 2 ++ |
22 | 1 file changed, 2 insertions(+) | 23 | 1 file changed, 2 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch index b36c209..628e8a3 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch | |||
@@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock | |||
3 | Upstream-Status: Inappropriate [configuration] | 3 | Upstream-Status: Inappropriate [configuration] |
4 | 4 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
6 | --- | 7 | --- |
7 | policy/modules/system/clock.fc | 1 + | 8 | policy/modules/system/clock.fc | 1 + |
8 | 1 file changed, 1 insertion(+) | 9 | 1 file changed, 1 insertion(+) |
9 | 10 | ||
10 | --- a/policy/modules/system/clock.fc | 11 | --- a/policy/modules/system/clock.fc |
11 | +++ b/policy/modules/system/clock.fc | 12 | +++ b/policy/modules/system/clock.fc |
12 | @@ -1,6 +1,7 @@ | 13 | @@ -1,3 +1,4 @@ |
13 | |||
14 | /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) | 14 | /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) |
15 | 15 | ||
16 | /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | 16 | +/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) |
17 | +/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) | ||
18 | |||
19 | /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) | 17 | /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) |
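Review bot: The rebased hunk keeps only `/usr/sbin/hwclock\.util-linux` and drops the former `/sbin/hwclock\.util-linux` entry, so on an image where /sbin is a real directory rather than a usrmerge symlink the util-linux alternative would fall back to bin_t and hwclock would not transition into hwclock_t. That is only safe if file_contexts.subs_dist maps /sbin to /usr/sbin on every target this layer supports; the poky-fc-subs_dist change in this commit is shown only as a line-offset rebase, so I cannot confirm it here. If the substitution is not guaranteed, keep `/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)` alongside the /usr/sbin entry, or state the subs_dist dependency in the patch header. Either way this is a labelling change, so the commit message's "no functional change" holds only when the substitution is in place.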
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch index 6995bb5..689c75b 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch | |||
@@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg | |||
3 | Upstream-Status: Inappropriate [configuration] | 3 | Upstream-Status: Inappropriate [configuration] |
4 | 4 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
6 | --- | 7 | --- |
7 | policy/modules/admin/dmesg.fc | 1 + | 8 | policy/modules/admin/dmesg.fc | 1 + |
8 | 1 file changed, 1 insertion(+) | 9 | 1 file changed, 1 insertion(+) |
9 | 10 | ||
10 | --- a/policy/modules/admin/dmesg.fc | 11 | --- a/policy/modules/admin/dmesg.fc |
11 | +++ b/policy/modules/admin/dmesg.fc | 12 | +++ b/policy/modules/admin/dmesg.fc |
12 | @@ -1,4 +1,5 @@ | 13 | @@ -1 +1,2 @@ |
13 | 14 | +/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) | |
14 | /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
15 | +/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) | ||
16 | |||
17 | /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) | 15 | /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) |
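Review bot: Only `/usr/bin/dmesg\.util-linux` survives the rebase and the `/bin/dmesg\.util-linux` entry is removed, so correct labelling of the util-linux alternative now depends on a /bin to /usr/bin entry in file_contexts.subs_dist rather than on this patch alone. If that substitution is not present on every supported image, an unlabelled dmesg alternative stays bin_t and never enters dmesg_t. Keeping `/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)` in addition to the /usr/bin entry costs nothing and removes the dependency; otherwise a sentence in the patch header noting the reliance on subs_dist would help the next rebase.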
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch index a96b4a7..3218c88 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind. | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/bind.fc | 2 ++ | 11 | policy/modules/contrib/bind.fc | 2 ++ |
11 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch index d97d58e..fc54217 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch | |||
@@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands. | |||
3 | Upstream-Status: Inappropriate [only for Poky] | 3 | Upstream-Status: Inappropriate [only for Poky] |
4 | 4 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
6 | --- | 7 | --- |
7 | policy/modules/system/authlogin.fc | 5 ++--- | 8 | policy/modules/system/authlogin.fc | 5 ++--- |
8 | 1 file changed, 2 insertions(+), 3 deletions(-) | 9 | 1 file changed, 2 insertions(+), 3 deletions(-) |
9 | 10 | ||
10 | --- a/policy/modules/system/authlogin.fc | 11 | --- a/policy/modules/system/authlogin.fc |
11 | +++ b/policy/modules/system/authlogin.fc | 12 | +++ b/policy/modules/system/authlogin.fc |
12 | @@ -1,19 +1,18 @@ | 13 | @@ -3,20 +3,19 @@ |
13 | |||
14 | /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) | ||
15 | +/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) | ||
16 | +/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) | ||
17 | |||
18 | /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) | ||
19 | /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) | ||
20 | /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) | 14 | /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) |
21 | /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) | 15 | /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) |
22 | /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) | 16 | /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) |
23 | 17 | ||
24 | /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) | 18 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
25 | /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) | 19 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) |
26 | -/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 20 | +/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) |
27 | -/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) | 21 | |
28 | -/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 22 | /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) |
23 | |||
24 | /usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) | ||
25 | |||
26 | /usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) | ||
27 | /usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) | ||
28 | -/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | ||
29 | -/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) | ||
30 | -/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | ||
31 | /usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) | ||
32 | /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | ||
29 | ifdef(`distro_suse', ` | 33 | ifdef(`distro_suse', ` |
30 | /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 34 | /usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) |
31 | ') | 35 | ') |
32 | |||
33 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) | ||
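Review bot: The refreshed patch still deletes the `unix_chkpwd`, `unix_update` and `unix_verify` entries, but after the rebase those are the `/usr/sbin/` ones (lines 28-30 of the new patch) and the surrounding context shows no other entry for these helpers, so unless upstream labels them somewhere outside this hunk the setuid password-check helper ends up bin_t and login/sshd can no longer transition into chkpwd_t; password verification would then be denied, or run in the caller's domain. The previous version of this patch only removed the `/sbin/` duplicates, which upstream's move to /usr appears to have eliminated, so the three `-` lines should simply be dropped from the patch and the diffstat reduced to `policy/modules/system/authlogin.fc | 2 ++` and `1 file changed, 2 insertions(+)`. A quick `matchpathcon /usr/sbin/unix_chkpwd` on a built image should report chkpwd_exec_t before this is merged.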
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch index c1cd74d..cd79f45 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch | |||
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf | |||
3 | Upstream-Status: Inappropriate [only for Poky] | 3 | Upstream-Status: Inappropriate [only for Poky] |
4 | 4 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
6 | --- | 7 | --- |
7 | policy/modules/system/sysnetwork.fc | 1 + | 8 | policy/modules/system/sysnetwork.fc | 1 + |
8 | 1 file changed, 1 insertion(+) | 9 | 1 file changed, 1 insertion(+) |
9 | 10 | ||
10 | --- a/policy/modules/system/sysnetwork.fc | 11 | --- a/policy/modules/system/sysnetwork.fc |
11 | +++ b/policy/modules/system/sysnetwork.fc | 12 | +++ b/policy/modules/system/sysnetwork.fc |
12 | @@ -23,10 +23,11 @@ ifdef(`distro_debian',` | 13 | @@ -17,10 +17,11 @@ ifdef(`distro_debian',` |
13 | /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) | 14 | /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) |
14 | /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) | 15 | /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) |
15 | /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) | 16 | /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch index d74f524..a15a776 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch | |||
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands. | |||
3 | Upstream-Status: Inappropriate [only for Poky] | 3 | Upstream-Status: Inappropriate [only for Poky] |
4 | 4 | ||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
6 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
6 | --- | 7 | --- |
7 | policy/modules/admin/usermanage.fc | 6 ++++++ | 8 | policy/modules/admin/usermanage.fc | 6 ++++++ |
8 | 1 file changed, 6 insertions(+) | 9 | 1 file changed, 6 insertions(+) |
9 | 10 | ||
10 | --- a/policy/modules/admin/usermanage.fc | 11 | --- a/policy/modules/admin/usermanage.fc |
11 | +++ b/policy/modules/admin/usermanage.fc | 12 | +++ b/policy/modules/admin/usermanage.fc |
12 | @@ -6,15 +6,21 @@ ifdef(`distro_debian',` | 13 | @@ -2,15 +2,21 @@ ifdef(`distro_debian',` |
13 | /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) | 14 | /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) |
14 | ') | 15 | ') |
15 | 16 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch index 23484de..41c32df 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch | |||
@@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command | |||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/admin/su.fc | 2 ++ | 11 | policy/modules/admin/su.fc | 2 ++ |
11 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
12 | 13 | ||
13 | --- a/policy/modules/admin/su.fc | 14 | --- a/policy/modules/admin/su.fc |
14 | +++ b/policy/modules/admin/su.fc | 15 | +++ b/policy/modules/admin/su.fc |
15 | @@ -3,5 +3,7 @@ | 16 | @@ -1,3 +1,4 @@ |
16 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) | ||
17 | |||
18 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) | 17 | /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) |
19 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) | 18 | /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) |
20 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) | 19 | /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) |
21 | + | 20 | +/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) |
22 | +/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) | ||
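Review bot: The new entry `/usr/bin/su.shadow` leaves the dot unescaped, so as a file_contexts regex it matches `/usr/bin/su` followed by any single character and `shadow`, not just the su.shadow alternative; every other alternative added in this series escapes it (`login\.shadow`, `hwclock\.util-linux`), and the entry should read `/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)`. The former `/bin/su.shadow` entry is dropped at the same time, which relies on a /bin to /usr/bin substitution in file_contexts.subs_dist being present on the target; if that is not guaranteed, keep an escaped `/bin/su\.shadow` entry as well. The hunk header `@@ -1,3 +1,4 @@` is consistent with the single insertion, so only the pattern itself needs touching.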
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch index 5d3aa76..cf07b23 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch | |||
@@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | |||
14 | 14 | ||
15 | --- a/policy/modules/system/fstools.fc | 15 | --- a/policy/modules/system/fstools.fc |
16 | +++ b/policy/modules/system/fstools.fc | 16 | +++ b/policy/modules/system/fstools.fc |
17 | @@ -1,19 +1,23 @@ | 17 | @@ -4,10 +4,11 @@ |
18 | /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
19 | /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
20 | +/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
21 | /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
22 | +/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
23 | /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
24 | /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
25 | /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
26 | /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
27 | /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
28 | /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
29 | /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
30 | /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
31 | +/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
32 | /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
33 | /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
34 | /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
35 | +/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
36 | /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
37 | /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
38 | /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
39 | /sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
40 | /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
41 | @@ -22,20 +26,22 @@ | ||
42 | /sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
43 | /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
44 | /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
45 | /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
46 | /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
47 | +/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
48 | /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
49 | /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
50 | /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
51 | /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
52 | /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
53 | /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
54 | /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
55 | /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
56 | /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
57 | /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
58 | +/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
59 | /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
60 | /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
61 | /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
62 | /sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
63 | /sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
64 | @@ -43,10 +49,11 @@ | ||
65 | /sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
66 | /sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
67 | |||
68 | /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
69 | /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
70 | +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
71 | /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
72 | /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 18 | /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
73 | 19 | ||
74 | /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 20 | /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
75 | /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 21 | /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
22 | /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
23 | +/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
24 | /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
25 | /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
26 | /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
27 | /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
28 | /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
29 | @@ -17,14 +18,16 @@ | ||
30 | /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
31 | /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
32 | /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
33 | /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
34 | /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
35 | +/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
36 | /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
37 | /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
38 | /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
39 | /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
40 | +/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
41 | /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
42 | /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
43 | /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
44 | /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
45 | /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
46 | @@ -33,21 +36,24 @@ | ||
47 | /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
48 | /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
49 | /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
50 | /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
51 | /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
52 | +/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
53 | /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
54 | /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
55 | /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
56 | /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
57 | /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
58 | +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
59 | /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
60 | /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
61 | /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
62 | /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
63 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
64 | /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
65 | +/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
66 | /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
67 | /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
68 | /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
69 | /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
70 | /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
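Review bot: The five util-linux alternative entries carried into the rebased patch use `/.util-linux` (a slash followed by any-character) instead of `\.util-linux`, e.g. `/usr/sbin/blkid/.util-linux`; as a regex that matches a file inside a directory named blkid and never `blkid.util-linux`, so those alternatives stay bin_t and never transition into fsadm_t. The same typo was already in the previous version of the patch and the rebase is the natural point to fix it: `/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)`, and likewise for the fdisk, hdparm, mkswap and swapoff lines. Separately, the old version also labelled `blockdev/.util-linux` and the rebased patch no longer carries any blockdev alternative; if dropping it was intentional it deserves a line in the patch description, otherwise it should be re-added with the escaped form.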
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch index b4ba2e2..d58de6a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch | |||
@@ -5,6 +5,7 @@ Upstream-Status: Pending | |||
5 | ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it | 5 | ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it |
6 | 6 | ||
7 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 7 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
8 | --- | 9 | --- |
9 | policy/modules/contrib/ftp.fc | 2 +- | 10 | policy/modules/contrib/ftp.fc | 2 +- |
10 | 1 file changed, 1 insertion(+), 1 deletion(-) | 11 | 1 file changed, 1 insertion(+), 1 deletion(-) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch index 1a8fbe3..72b559f 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch | |||
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/mta.fc | 1 + | 11 | policy/modules/contrib/mta.fc | 1 + |
11 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
12 | 13 | ||
13 | --- a/policy/modules/contrib/mta.fc | 14 | --- a/policy/modules/contrib/mta.fc |
14 | +++ b/policy/modules/contrib/mta.fc | 15 | +++ b/policy/modules/contrib/mta.fc |
15 | @@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys | 16 | @@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys |
16 | /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) | 17 | /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) |
17 | 18 | ||
18 | /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) | 19 | /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch deleted file mode 100644 index fea90ad..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch +++ /dev/null | |||
@@ -1,23 +0,0 @@ | |||
1 | Subject: [PATCH] refpolicy: fix real path for netutils | ||
2 | |||
3 | Upstream-Status: Inappropriate [configuration] | ||
4 | |||
5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
6 | --- | ||
7 | policy/modules/admin/netutils.fc | 1 + | ||
8 | 1 file changed, 1 insertion(+) | ||
9 | |||
10 | --- a/policy/modules/admin/netutils.fc | ||
11 | +++ b/policy/modules/admin/netutils.fc | ||
12 | @@ -1,10 +1,11 @@ | ||
13 | /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) | ||
14 | /bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) | ||
15 | /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) | ||
16 | |||
17 | /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) | ||
18 | +/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) | ||
19 | |||
20 | /usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) | ||
21 | /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) | ||
22 | /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) | ||
23 | /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch index 5fe5062..0adf7c2 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/nscd.fc | 1 + | 11 | policy/modules/contrib/nscd.fc | 1 + |
11 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch index 8680f19..922afa9 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch | |||
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/rpm.fc | 1 + | 11 | policy/modules/contrib/rpm.fc | 1 + |
11 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
12 | 13 | ||
13 | --- a/policy/modules/contrib/rpm.fc | 14 | --- a/policy/modules/contrib/rpm.fc |
14 | +++ b/policy/modules/contrib/rpm.fc | 15 | +++ b/policy/modules/contrib/rpm.fc |
15 | @@ -61,6 +61,7 @@ ifdef(`distro_redhat',` | 16 | @@ -57,6 +57,7 @@ ifdef(`distro_redhat',` |
16 | /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) | 17 | /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) |
17 | /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) | 18 | /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) |
18 | 19 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch index a7301e9..8ea210e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch | |||
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/screen.fc | 1 + | 11 | policy/modules/contrib/screen.fc | 1 + |
11 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
12 | 13 | ||
13 | --- a/policy/modules/contrib/screen.fc | 14 | --- a/policy/modules/contrib/screen.fc |
14 | +++ b/policy/modules/contrib/screen.fc | 15 | +++ b/policy/modules/contrib/screen.fc |
15 | @@ -1,9 +1,10 @@ | 16 | @@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys |
16 | HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) | ||
17 | HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) | ||
18 | HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) | ||
19 | 17 | ||
20 | /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) | 18 | /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) |
21 | +/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) | 19 | /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) |
22 | /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) | ||
23 | 20 | ||
24 | /run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) | 21 | /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) |
25 | /run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) | 22 | +/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) |
23 | /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) | ||
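--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/services/ssh.fc | 1 +
 1 file changed, 1 insertion(+)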
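--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,16 @@
+@@ -26,5 +26,16 @@
 
 # backward compatibility
 # not for refpolicy intern, but for /var/run using applications,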
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch index 7f8f368..0b148b5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch | |||
@@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration] | |||
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | 11 | --- |
11 | policy/modules/system/sysnetwork.fc | 3 +++ | 12 | policy/modules/system/sysnetwork.fc | 3 +++ |
12 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
13 | 14 | ||
14 | --- a/policy/modules/system/sysnetwork.fc | 15 | --- a/policy/modules/system/sysnetwork.fc |
15 | +++ b/policy/modules/system/sysnetwork.fc | 16 | +++ b/policy/modules/system/sysnetwork.fc |
16 | @@ -2,10 +2,11 @@ | 17 | @@ -41,17 +41,20 @@ ifdef(`distro_redhat',` |
17 | # | 18 | /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
18 | # /bin | 19 | /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
19 | # | 20 | /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
20 | /bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 21 | /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
21 | /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 22 | /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
22 | +/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 23 | +/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
23 | 24 | +/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | |
24 | # | 25 | /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
25 | # /dev | 26 | /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
26 | # | 27 | /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
27 | ifdef(`distro_debian',` | 28 | /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
28 | @@ -43,17 +44,19 @@ ifdef(`distro_redhat',` | 29 | /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
29 | /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 30 | /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
30 | /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 31 | /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
31 | /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 32 | +/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
32 | /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 33 | /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
33 | /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 34 | /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
34 | +/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
35 | /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
36 | /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
37 | /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
38 | /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
39 | /sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
40 | /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
41 | /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
42 | +/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
43 | /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | ||
44 | /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
45 | 35 | ||
46 | # | 36 | # |
47 | # /usr | 37 | # /var |
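Review bot: The refreshed hunk labels only the /usr/sbin/ forms of the update-alternatives targets (new lines 23, 24 and 32: `/usr/sbin/ifconfig\.net-tools`, `/usr/sbin/ip\.iproute2`, `/usr/sbin/mii-tool\.net-tools`) and drops the /sbin/ entries the previous version of the patch carried, so it presumably relies on upstream refpolicy now mapping /sbin to /usr/sbin through config/file_contexts.subs_dist, the file that poky-fc-subs_dist.patch in this same commit also touches. On an image where that substitution is absent, an alternatives target installed under /sbin would no longer receive ifconfig_exec_t, and the domain transition that label drives would not happen when it is executed. That dependency is not stated anywhere in the patch header; a line such as `Relies on the /sbin -> /usr/sbin substitution in config/file_contexts.subs_dist` above the Upstream-Status tag would make it explicit. The same remark applies to the /usr/bin- and /usr/sbin-only rewrites in poky-fc-udevd.patch, poky-fc-update-alternatives_hostname.patch, poky-fc-update-alternatives_sysklogd.patch and poky-fc-update-alternatives_sysvinit.patch below.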
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch index 8e2cb1b..2271a05 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm | |||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/system/udev.fc | 2 ++ | 11 | policy/modules/system/udev.fc | 2 ++ |
11 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
@@ -17,22 +18,22 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | |||
17 | /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) | 18 | /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) |
18 | /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) | 19 | /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) |
19 | 20 | ||
20 | /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) | 21 | /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) |
21 | +/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) | 22 | +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) |
22 | 23 | ||
23 | ifdef(`distro_debian',` | 24 | ifdef(`distro_debian',` |
24 | /bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) | 25 | /usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) |
25 | /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
26 | ') | 26 | ') |
27 | @@ -26,10 +27,11 @@ ifdef(`distro_debian',` | 27 | |
28 | ifdef(`distro_redhat',` | 28 | @@ -30,10 +31,11 @@ ifdef(`distro_redhat',` |
29 | /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) | 29 | /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) |
30 | ') | 30 | ') |
31 | 31 | ||
32 | /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) | 32 | /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) |
33 | +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) | 33 | /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) |
34 | +/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
35 | |||
36 | /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) | ||
37 | |||
38 | /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) | ||
34 | 39 | ||
35 | /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
36 | /usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
37 | /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
38 | /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
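Review bot: The refreshed patch now adds `/usr/bin/udevadm` unconditionally (new line 22) while the context three lines below (new line 25) still lists `/usr/bin/udevadm` inside the distro_debian ifdef block, so a distro_debian build would end up with two specifications for the same path. To my knowledge libselinux reports such duplicates when loading file_contexts, as a warning when both entries carry the same context, so this is noise rather than a mislabel, but it is worth recording in the patch header, e.g. `Duplicates the distro_debian /usr/bin/udevadm entry; harmless outside distro_debian builds`. Note also that the `/lib/udev/udevd` entry the previous version added is gone and only `/usr/lib/udev/udevd` (new line 34) remains, which depends on the /lib -> /usr/lib substitution being present.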
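--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
@@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/hostname.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
-
-/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-
+@@ -1 +1,3 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
 /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)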
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch index 03284cd..dfa67a6 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch | |||
@@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/system/logging.fc | 4 ++++ | 14 | policy/modules/system/logging.fc | 4 ++++ |
14 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
16 | 17 | ||
17 | --- a/policy/modules/system/logging.fc | 18 | --- a/policy/modules/system/logging.fc |
18 | +++ b/policy/modules/system/logging.fc | 19 | +++ b/policy/modules/system/logging.fc |
19 | @@ -1,22 +1,26 @@ | 20 | @@ -1,12 +1,14 @@ |
20 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) | 21 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) |
21 | 22 | ||
22 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 23 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
@@ -27,25 +28,30 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
27 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | 28 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) |
28 | +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | 29 | +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) |
29 | 30 | ||
30 | /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
31 | /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
32 | /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
33 | /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
34 | /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
35 | +/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
36 | /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
37 | /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
38 | /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
39 | /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
40 | +/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
41 | /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
42 | |||
43 | /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) | 31 | /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) |
44 | /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) | 32 | /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) |
33 | /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
45 | /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 34 | /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
35 | @@ -15,14 +17,16 @@ | ||
36 | /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
37 | /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
38 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
39 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
40 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
41 | +/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
42 | /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
43 | /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
44 | /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | ||
45 | /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
46 | +/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
47 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
48 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
49 | |||
50 | /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) | ||
51 | /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) | ||
46 | --- a/policy/modules/system/logging.te | 52 | --- a/policy/modules/system/logging.te |
47 | +++ b/policy/modules/system/logging.te | 53 | +++ b/policy/modules/system/logging.te |
48 | @@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s | 54 | @@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s |
49 | allow syslogd_t self:fifo_file rw_fifo_file_perms; | 55 | allow syslogd_t self:fifo_file rw_fifo_file_perms; |
50 | allow syslogd_t self:udp_socket create_socket_perms; | 56 | allow syslogd_t self:udp_socket create_socket_perms; |
51 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | 57 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
@@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
56 | # Create and bind to /dev/log or /var/run/log. | 62 | # Create and bind to /dev/log or /var/run/log. |
57 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | 63 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; |
58 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) | 64 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) |
59 | 65 | init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") | |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch index 0c09825..81fe141 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch | |||
@@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit | |||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/shutdown.fc | 1 + | 11 | policy/modules/contrib/shutdown.fc | 1 + |
11 | policy/modules/kernel/corecommands.fc | 1 + | 12 | policy/modules/kernel/corecommands.fc | 1 + |
12 | policy/modules/system/init.fc | 1 + | 13 | policy/modules/system/init.fc | 1 + |
13 | 3 files changed, 3 insertions(+) | 14 | 3 files changed, 3 insertions(+) |
14 | 15 | ||
15 | --- a/policy/modules/contrib/shutdown.fc | 16 | Index: refpolicy/policy/modules/contrib/shutdown.fc |
16 | +++ b/policy/modules/contrib/shutdown.fc | 17 | =================================================================== |
17 | @@ -1,10 +1,11 @@ | 18 | --- refpolicy.orig/policy/modules/contrib/shutdown.fc |
18 | /etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) | 19 | +++ refpolicy/policy/modules/contrib/shutdown.fc |
19 | 20 | @@ -3,5 +3,6 @@ | |
20 | /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
21 | |||
22 | /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
23 | +/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
24 | |||
25 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 21 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
26 | 22 | ||
27 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 23 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
24 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
25 | |||
26 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) | ||
27 | Index: refpolicy/policy/modules/kernel/corecommands.fc | ||
28 | =================================================================== | ||
29 | --- refpolicy.orig/policy/modules/kernel/corecommands.fc | ||
30 | +++ refpolicy/policy/modules/kernel/corecommands.fc | ||
31 | @@ -144,6 +144,7 @@ ifdef(`distro_gentoo',` | ||
32 | /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
33 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
34 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | ||
35 | +/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) | ||
36 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
37 | /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
38 | /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
39 | Index: refpolicy/policy/modules/system/init.fc | ||
40 | =================================================================== | ||
41 | --- refpolicy.orig/policy/modules/system/init.fc | ||
42 | +++ refpolicy/policy/modules/system/init.fc | ||
43 | @@ -39,6 +39,7 @@ ifdef(`distro_gentoo', ` | ||
44 | /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
45 | |||
46 | /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
47 | +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
48 | /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
49 | /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | ||
28 | 50 | ||
29 | --- a/policy/modules/kernel/corecommands.fc | ||
30 | +++ b/policy/modules/kernel/corecommands.fc | ||
31 | @@ -8,10 +8,11 @@ | ||
32 | /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
33 | /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
34 | /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
35 | /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
36 | /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | ||
37 | +/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) | ||
38 | /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
39 | /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
40 | /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
41 | /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) | ||
42 | |||
43 | --- a/policy/modules/system/init.fc | ||
44 | +++ b/policy/modules/system/init.fc | ||
45 | @@ -30,10 +30,11 @@ ifdef(`distro_gentoo', ` | ||
46 | |||
47 | # | ||
48 | # /sbin | ||
49 | # | ||
50 | /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
51 | +/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
52 | # because nowadays, /sbin/init is often a symlink to /sbin/upstart | ||
53 | /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | ||
54 | |||
55 | ifdef(`distro_gentoo', ` | ||
56 | /sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) | ||
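Review bot: The refreshed patch switches to the quilt-style `Index:` / `===` / `--- refpolicy.orig/` / `+++ refpolicy/` headers (new lines 16-19, 27-30 and 39-42), whereas every other patch refreshed in this commit keeps the `--- a/` / `+++ b/` form. Both apply at strip level 1, but mixing the two formats inside one recipe makes the patch set harder to regenerate with a single tool and the `Index:` lines add nothing the `---`/`+++` pair does not already say. Suggest regenerating this one with the same a/ b/ prefixes as its siblings, or, if the quilt output is intentional, noting the tool used in the patch header.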
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch index fee4068..ad7b5a6 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch | |||
@@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. | |||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ | 11 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ |
11 | 1 file changed, 16 insertions(+) | 12 | 1 file changed, 16 insertions(+) |
12 | 13 | ||
13 | --- a/policy/modules/kernel/terminal.if | 14 | --- a/policy/modules/kernel/terminal.if |
14 | +++ b/policy/modules/kernel/terminal.if | 15 | +++ b/policy/modules/kernel/terminal.if |
15 | @@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',` | 16 | @@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',` |
16 | ## </param> | 17 | ## </param> |
17 | # | 18 | # |
18 | interface(`term_dontaudit_getattr_generic_ptys',` | 19 | interface(`term_dontaudit_getattr_generic_ptys',` |
@@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
28 | ## <summary> | 29 | ## <summary> |
29 | ## ioctl of generic pty devices. | 30 | ## ioctl of generic pty devices. |
30 | ## </summary> | 31 | ## </summary> |
31 | @@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi | 32 | @@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi |
32 | # | 33 | # |
33 | # cjp: added for ppp | 34 | # cjp: added for ppp |
34 | interface(`term_ioctl_generic_ptys',` | 35 | interface(`term_ioctl_generic_ptys',` |
@@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
46 | ######################################## | 47 | ######################################## |
47 | ## <summary> | 48 | ## <summary> |
48 | ## Allow setting the attributes of | 49 | ## Allow setting the attributes of |
49 | @@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',` | 50 | @@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',` |
50 | # | 51 | # |
51 | # dwalsh: added for rhgb | 52 | # dwalsh: added for rhgb |
52 | interface(`term_setattr_generic_ptys',` | 53 | interface(`term_setattr_generic_ptys',` |
@@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
62 | ######################################## | 63 | ######################################## |
63 | ## <summary> | 64 | ## <summary> |
64 | ## Dontaudit setting the attributes of | 65 | ## Dontaudit setting the attributes of |
65 | @@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',` | 66 | @@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',` |
66 | # | 67 | # |
67 | # dwalsh: added for rhgb | 68 | # dwalsh: added for rhgb |
68 | interface(`term_dontaudit_setattr_generic_ptys',` | 69 | interface(`term_dontaudit_setattr_generic_ptys',` |
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
78 | ######################################## | 79 | ######################################## |
79 | ## <summary> | 80 | ## <summary> |
80 | ## Read and write the generic pty | 81 | ## Read and write the generic pty |
81 | @@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi | 82 | @@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi |
82 | ## </param> | 83 | ## </param> |
83 | # | 84 | # |
84 | interface(`term_use_generic_ptys',` | 85 | interface(`term_use_generic_ptys',` |
@@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
96 | ######################################## | 97 | ######################################## |
97 | ## <summary> | 98 | ## <summary> |
98 | ## Dot not audit attempts to read and | 99 | ## Dot not audit attempts to read and |
99 | @@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',` | 100 | @@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',` |
100 | ## </param> | 101 | ## </param> |
101 | # | 102 | # |
102 | interface(`term_dontaudit_use_generic_ptys',` | 103 | interface(`term_dontaudit_use_generic_ptys',` |
@@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
112 | ####################################### | 113 | ####################################### |
113 | ## <summary> | 114 | ## <summary> |
114 | ## Set the attributes of the tty device | 115 | ## Set the attributes of the tty device |
115 | @@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt | 116 | @@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt |
116 | ## </param> | 117 | ## </param> |
117 | # | 118 | # |
118 | interface(`term_setattr_controlling_term',` | 119 | interface(`term_setattr_controlling_term',` |
@@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
129 | ######################################## | 130 | ######################################## |
130 | ## <summary> | 131 | ## <summary> |
131 | ## Read and write the controlling | 132 | ## Read and write the controlling |
132 | @@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term | 133 | @@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term |
133 | ## </param> | 134 | ## </param> |
134 | # | 135 | # |
135 | interface(`term_use_controlling_term',` | 136 | interface(`term_use_controlling_term',` |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch index d3aa705..b12ee9d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch | |||
@@ -8,22 +8,22 @@ syslogd_t. | |||
8 | Upstream-Status: Inappropriate [only for Poky] | 8 | Upstream-Status: Inappropriate [only for Poky] |
9 | 9 | ||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 12 | --- |
12 | policy/modules/system/logging.te | 2 ++ | 13 | policy/modules/system/logging.te | 2 ++ |
13 | 1 file changed, 2 insertions(+) | 14 | 1 file changed, 2 insertions(+) |
14 | 15 | ||
15 | --- a/policy/modules/system/logging.te | 16 | --- a/policy/modules/system/logging.te |
16 | +++ b/policy/modules/system/logging.te | 17 | +++ b/policy/modules/system/logging.te |
17 | @@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log | 18 | @@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_ |
19 | rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) | ||
18 | files_search_spool(syslogd_t) | 20 | files_search_spool(syslogd_t) |
19 | 21 | ||
20 | # Allow access for syslog-ng | 22 | # Allow access for syslog-ng |
21 | allow syslogd_t var_log_t:dir { create setattr }; | 23 | allow syslogd_t var_log_t:dir { create setattr }; |
22 | |||
23 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; | 24 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; |
24 | + | ||
25 | # manage temporary files | ||
26 | manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) | ||
27 | manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) | ||
28 | files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) | ||
29 | 25 | ||
26 | # for systemd but can not be conditional | ||
27 | files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") | ||
28 | |||
29 | # manage temporary files | ||
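Review bot: The refreshed hunk drops the blank line that separated the new `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` (new line 24) from the upstream rules above it, so the rule now reads as part of the "# Allow access for syslog-ng" group rather than as the Poky symlink accommodation the patch title describes. Keeping the blank line and giving the rule its own comment, e.g. `# Poky: /var/log entries may be symlinks, so syslogd_t must read them`, would preserve the attribution when the patch is next refreshed. The permission itself stays narrow (read on var_log_t lnk_file only), which is the right scope for this.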
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch index 7a30460..d3c1ee5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch | |||
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/kernel/files.fc | 1 + | 14 | policy/modules/kernel/files.fc | 1 + |
14 | policy/modules/kernel/files.if | 8 ++++++++ | 15 | policy/modules/kernel/files.if | 8 ++++++++ |
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
16 | 17 | ||
17 | --- a/policy/modules/kernel/files.fc | 18 | --- a/policy/modules/kernel/files.fc |
18 | +++ b/policy/modules/kernel/files.fc | 19 | +++ b/policy/modules/kernel/files.fc |
19 | @@ -191,10 +191,11 @@ ifdef(`distro_debian',` | 20 | @@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>> |
20 | 21 | ||
21 | # | 22 | # |
22 | # /tmp | 23 | # /tmp |
@@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
30 | /tmp/lost\+found/.* <<none>> | 31 | /tmp/lost\+found/.* <<none>> |
31 | --- a/policy/modules/kernel/files.if | 32 | --- a/policy/modules/kernel/files.if |
32 | +++ b/policy/modules/kernel/files.if | 33 | +++ b/policy/modules/kernel/files.if |
33 | @@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` | 34 | @@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` |
34 | gen_require(` | 35 | gen_require(` |
35 | type tmp_t; | 36 | type tmp_t; |
36 | ') | 37 | ') |
@@ -42,7 +43,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
42 | ######################################## | 43 | ######################################## |
43 | ## <summary> | 44 | ## <summary> |
44 | ## Do not audit attempts to search the tmp directory (/tmp). | 45 | ## Do not audit attempts to search the tmp directory (/tmp). |
45 | @@ -4507,10 +4508,11 @@ interface(`files_list_tmp',` | 46 | @@ -4615,10 +4616,11 @@ interface(`files_list_tmp',` |
46 | gen_require(` | 47 | gen_require(` |
47 | type tmp_t; | 48 | type tmp_t; |
48 | ') | 49 | ') |
@@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
54 | ######################################## | 55 | ######################################## |
55 | ## <summary> | 56 | ## <summary> |
56 | ## Do not audit listing of the tmp directory (/tmp). | 57 | ## Do not audit listing of the tmp directory (/tmp). |
57 | @@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',` | 58 | @@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',` |
58 | gen_require(` | 59 | gen_require(` |
59 | type tmp_t; | 60 | type tmp_t; |
60 | ') | 61 | ') |
@@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
66 | ######################################## | 67 | ######################################## |
67 | ## <summary> | 68 | ## <summary> |
68 | ## Read files in the tmp directory (/tmp). | 69 | ## Read files in the tmp directory (/tmp). |
69 | @@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files' | 70 | @@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files' |
70 | gen_require(` | 71 | gen_require(` |
71 | type tmp_t; | 72 | type tmp_t; |
72 | ') | 73 | ') |
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
78 | ######################################## | 79 | ######################################## |
79 | ## <summary> | 80 | ## <summary> |
80 | ## Manage temporary directories in /tmp. | 81 | ## Manage temporary directories in /tmp. |
81 | @@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs | 82 | @@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs |
82 | gen_require(` | 83 | gen_require(` |
83 | type tmp_t; | 84 | type tmp_t; |
84 | ') | 85 | ') |
@@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
90 | ######################################## | 91 | ######################################## |
91 | ## <summary> | 92 | ## <summary> |
92 | ## Manage temporary files and directories in /tmp. | 93 | ## Manage temporary files and directories in /tmp. |
93 | @@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file | 94 | @@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file |
94 | gen_require(` | 95 | gen_require(` |
95 | type tmp_t; | 96 | type tmp_t; |
96 | ') | 97 | ') |
@@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
102 | ######################################## | 103 | ######################################## |
103 | ## <summary> | 104 | ## <summary> |
104 | ## Read symbolic links in the tmp directory (/tmp). | 105 | ## Read symbolic links in the tmp directory (/tmp). |
105 | @@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets' | 106 | @@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets' |
106 | gen_require(` | 107 | gen_require(` |
107 | type tmp_t; | 108 | type tmp_t; |
108 | ') | 109 | ') |
@@ -114,7 +115,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
114 | ######################################## | 115 | ######################################## |
115 | ## <summary> | 116 | ## <summary> |
116 | ## Mount filesystems in the tmp directory (/tmp) | 117 | ## Mount filesystems in the tmp directory (/tmp) |
117 | @@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',` | 118 | @@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',` |
118 | gen_require(` | 119 | gen_require(` |
119 | type tmp_t; | 120 | type tmp_t; |
120 | ') | 121 | ') |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch index fc6dea0..b828b7a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch | |||
@@ -11,6 +11,7 @@ contents, so this is still a secure relax. | |||
11 | Upstream-Status: Inappropriate [only for Poky] | 11 | Upstream-Status: Inappropriate [only for Poky] |
12 | 12 | ||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | 15 | --- |
15 | policy/modules/kernel/domain.te | 3 +++ | 16 | policy/modules/kernel/domain.te | 3 +++ |
16 | 1 file changed, 3 insertions(+) | 17 | 1 file changed, 3 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch index d907095..fb912b5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch | |||
@@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te. | |||
10 | Upstream-Status: Inappropriate [only for Poky] | 10 | Upstream-Status: Inappropriate [only for Poky] |
11 | 11 | ||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/contrib/apache.te | 1 + | 15 | policy/modules/contrib/apache.te | 1 + |
15 | 1 file changed, 1 insertion(+) | 16 | 1 file changed, 1 insertion(+) |
16 | 17 | ||
17 | --- a/policy/modules/contrib/apache.te | 18 | --- a/policy/modules/contrib/apache.te |
18 | +++ b/policy/modules/contrib/apache.te | 19 | +++ b/policy/modules/contrib/apache.te |
19 | @@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di | 20 | @@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f |
20 | create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) | 21 | files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) |
21 | create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 22 | |
22 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 23 | manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) |
23 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 24 | manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
24 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 25 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
25 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | 26 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) |
26 | logging_log_filetrans(httpd_t, httpd_log_t, file) | 27 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch index 90c8f36..7c7355f 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch | |||
@@ -8,15 +8,16 @@ audisp_remote_t. | |||
8 | Upstream-Status: Inappropriate [only for Poky] | 8 | Upstream-Status: Inappropriate [only for Poky] |
9 | 9 | ||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 12 | --- |
12 | policy/modules/system/logging.te | 1 + | 13 | policy/modules/system/logging.te | 1 + |
13 | 1 file changed, 1 insertion(+) | 14 | 1 file changed, 1 insertion(+) |
14 | 15 | ||
15 | --- a/policy/modules/system/logging.te | 16 | --- a/policy/modules/system/logging.te |
16 | +++ b/policy/modules/system/logging.te | 17 | +++ b/policy/modules/system/logging.te |
17 | @@ -276,10 +276,11 @@ optional_policy(` | 18 | @@ -280,10 +280,11 @@ optional_policy(` |
18 | 19 | ||
19 | allow audisp_remote_t self:capability { setuid setpcap }; | 20 | allow audisp_remote_t self:capability { setpcap setuid }; |
20 | allow audisp_remote_t self:process { getcap setcap }; | 21 | allow audisp_remote_t self:process { getcap setcap }; |
21 | allow audisp_remote_t self:tcp_socket create_socket_perms; | 22 | allow audisp_remote_t self:tcp_socket create_socket_perms; |
22 | allow audisp_remote_t var_log_t:dir search_dir_perms; | 23 | allow audisp_remote_t var_log_t:dir search_dir_perms; |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index a9ae381..19342f5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | |||
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/system/logging.fc | 1 + | 14 | policy/modules/system/logging.fc | 1 + |
14 | policy/modules/system/logging.if | 14 +++++++++++++- | 15 | policy/modules/system/logging.if | 14 +++++++++++++- |
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
17 | 18 | ||
18 | --- a/policy/modules/system/logging.fc | 19 | --- a/policy/modules/system/logging.fc |
19 | +++ b/policy/modules/system/logging.fc | 20 | +++ b/policy/modules/system/logging.fc |
20 | @@ -49,10 +49,11 @@ ifdef(`distro_suse', ` | 21 | @@ -39,10 +39,11 @@ ifdef(`distro_suse', ` |
21 | 22 | ||
22 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 23 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
23 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
50 | ######################################## | 51 | ######################################## |
51 | ## <summary> | 52 | ## <summary> |
52 | ## Execute auditctl in the auditctl domain. | 53 | ## Execute auditctl in the auditctl domain. |
53 | @@ -665,10 +666,11 @@ interface(`logging_search_logs',` | 54 | @@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ |
54 | type var_log_t; | ||
55 | ') | ||
56 | |||
57 | files_search_var($1) | ||
58 | allow $1 var_log_t:dir search_dir_perms; | ||
59 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
60 | ') | ||
61 | |||
62 | ####################################### | ||
63 | ## <summary> | ||
64 | ## Do not audit attempts to search the var log directory. | ||
65 | @@ -702,10 +704,11 @@ interface(`logging_list_logs',` | ||
66 | type var_log_t; | ||
67 | ') | ||
68 | |||
69 | files_search_var($1) | ||
70 | allow $1 var_log_t:dir list_dir_perms; | ||
71 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
72 | ') | ||
73 | |||
74 | ####################################### | ||
75 | ## <summary> | ||
76 | ## Read and write the generic log directory (/var/log). | ||
77 | @@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs', | ||
78 | type var_log_t; | ||
79 | ') | ||
80 | |||
81 | files_search_var($1) | ||
82 | allow $1 var_log_t:dir rw_dir_perms; | ||
83 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
84 | ') | ||
85 | |||
86 | ####################################### | ||
87 | ## <summary> | ||
88 | ## Search through all log dirs. | ||
89 | @@ -832,14 +836,16 @@ interface(`logging_append_all_logs',` | ||
90 | ## <rolecap/> | 55 | ## <rolecap/> |
91 | # | 56 | # |
92 | interface(`logging_read_all_logs',` | 57 | interface(`logging_read_all_logs',` |
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
103 | 68 | ||
104 | ######################################## | 69 | ######################################## |
105 | ## <summary> | 70 | ## <summary> |
106 | @@ -854,14 +860,16 @@ interface(`logging_read_all_logs',` | 71 | @@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` |
107 | # cjp: not sure why this is needed. This was added | 72 | # cjp: not sure why this is needed. This was added |
108 | # because of logrotate. | 73 | # because of logrotate. |
109 | interface(`logging_exec_all_logs',` | 74 | interface(`logging_exec_all_logs',` |
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
120 | 85 | ||
121 | ######################################## | 86 | ######################################## |
122 | ## <summary> | 87 | ## <summary> |
123 | @@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',` | 88 | @@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` |
124 | type var_log_t; | 89 | type var_log_t; |
125 | ') | 90 | ') |
126 | 91 | ||
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
132 | 97 | ||
133 | ######################################## | 98 | ######################################## |
134 | ## <summary> | 99 | ## <summary> |
135 | @@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',` | 100 | @@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', |
136 | type var_log_t; | ||
137 | ') | ||
138 | |||
139 | files_search_var($1) | ||
140 | allow $1 var_log_t:dir list_dir_perms; | ||
141 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
142 | write_files_pattern($1, var_log_t, var_log_t) | ||
143 | ') | ||
144 | |||
145 | ######################################## | ||
146 | ## <summary> | ||
147 | @@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',` | ||
148 | type var_log_t; | ||
149 | ') | ||
150 | |||
151 | files_search_var($1) | ||
152 | allow $1 var_log_t:dir list_dir_perms; | ||
153 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
154 | rw_files_pattern($1, var_log_t, var_log_t) | ||
155 | ') | ||
156 | |||
157 | ######################################## | ||
158 | ## <summary> | ||
159 | @@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs', | ||
160 | type var_log_t; | 101 | type var_log_t; |
161 | ') | 102 | ') |
162 | 103 | ||
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
170 | ## All of the rules required to administrate | 111 | ## All of the rules required to administrate |
171 | --- a/policy/modules/system/logging.te | 112 | --- a/policy/modules/system/logging.te |
172 | +++ b/policy/modules/system/logging.te | 113 | +++ b/policy/modules/system/logging.te |
173 | @@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir | 114 | @@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi |
174 | allow auditd_t auditd_etc_t:file read_file_perms; | ||
175 | 115 | ||
176 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 116 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
117 | allow auditd_t auditd_log_t:dir setattr; | ||
177 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 118 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
178 | allow auditd_t var_log_t:dir search_dir_perms; | 119 | allow auditd_t var_log_t:dir search_dir_perms; |
179 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | 120 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; |
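Review bot: The embedded diffstat still reads `policy/modules/system/logging.if | 14 +++++++++++++-` although the refreshed patch (hunk `@@ -50,43 +51,7 @@`) drops the hunks that added `allow $1 var_log_t:lnk_file read_lnk_file_perms;` to logging_search_logs, logging_list_logs, logging_rw_generic_log_dirs, logging_write_generic_logs and logging_rw_generic_logs, so the patch header no longer describes its hunks (quilt ignores it, but reviewers read it). Whether those five interfaces still traverse the /var/log symlink after the refresh depends on upstream refpolicy now carrying the lnk_file rule itself, which this page cannot show; the description's "no functional change" claim is worth confirming against the generated policy at the new upstream revision, since a missing rule only surfaces later as AVC denials on the Poky /var/log layout the patch description targets.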
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch index c2cba9a..b755b45 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch | |||
@@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
10 | 10 | ||
11 | Signed-off-by: Roy.Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy.Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
15 | 1 file changed, 1 insertion(+) | 16 | 1 file changed, 1 insertion(+) |
16 | 17 | ||
17 | --- a/policy/modules/system/logging.te | 18 | --- a/policy/modules/system/logging.te |
18 | +++ b/policy/modules/system/logging.te | 19 | +++ b/policy/modules/system/logging.te |
19 | @@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo | 20 | @@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo |
20 | 21 | ||
21 | fs_getattr_all_fs(syslogd_t) | 22 | fs_getattr_all_fs(syslogd_t) |
22 | fs_search_auto_mountpoints(syslogd_t) | 23 | fs_search_auto_mountpoints(syslogd_t) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch index 189dc6e..a9a0a55 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands. | |||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/rpc.te | 2 +- | 11 | policy/modules/contrib/rpc.te | 2 +- |
11 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ | 12 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ |
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
13 | 14 | ||
14 | --- a/policy/modules/contrib/rpc.te | 15 | --- a/policy/modules/contrib/rpc.te |
15 | +++ b/policy/modules/contrib/rpc.te | 16 | +++ b/policy/modules/contrib/rpc.te |
16 | @@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir | 17 | @@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir |
17 | 18 | ||
18 | kernel_read_network_state(nfsd_t) | 19 | kernel_read_network_state(nfsd_t) |
19 | kernel_dontaudit_getattr_core_if(nfsd_t) | 20 | kernel_dontaudit_getattr_core_if(nfsd_t) |
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
28 | 29 | ||
29 | --- a/policy/modules/kernel/kernel.if | 30 | --- a/policy/modules/kernel/kernel.if |
30 | +++ b/policy/modules/kernel/kernel.if | 31 | +++ b/policy/modules/kernel/kernel.if |
31 | @@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',` | 32 | @@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',` |
32 | allow $1 proc_t:filesystem unmount; | 33 | allow $1 proc_t:filesystem unmount; |
33 | ') | 34 | ') |
34 | 35 | ||
35 | ######################################## | 36 | ######################################## |
36 | ## <summary> | 37 | ## <summary> |
38 | -## Get the attributes of the proc filesystem. | ||
37 | +## Mounton a proc filesystem. | 39 | +## Mounton a proc filesystem. |
38 | +## </summary> | 40 | ## </summary> |
39 | +## <param name="domain"> | 41 | ## <param name="domain"> |
40 | +## <summary> | 42 | ## <summary> |
41 | +## Domain allowed access. | 43 | ## Domain allowed access. |
42 | +## </summary> | 44 | ## </summary> |
43 | +## </param> | 45 | ## </param> |
44 | +# | 46 | # |
47 | -interface(`kernel_getattr_proc',` | ||
45 | +interface(`kernel_mounton_proc',` | 48 | +interface(`kernel_mounton_proc',` |
46 | + gen_require(` | 49 | gen_require(` |
47 | + type proc_t; | 50 | type proc_t; |
48 | + ') | 51 | ') |
49 | + | 52 | |
53 | - allow $1 proc_t:filesystem getattr; | ||
50 | + allow $1 proc_t:dir mounton; | 54 | + allow $1 proc_t:dir mounton; |
51 | +') | 55 | ') |
52 | + | 56 | |
53 | +######################################## | 57 | ######################################## |
54 | +## <summary> | 58 | ## <summary> |
55 | ## Get the attributes of the proc filesystem. | 59 | -## Mount on proc directories. |
60 | +## Get the attributes of the proc filesystem. | ||
56 | ## </summary> | 61 | ## </summary> |
57 | ## <param name="domain"> | 62 | ## <param name="domain"> |
58 | ## <summary> | 63 | ## <summary> |
59 | ## Domain allowed access. | 64 | ## Domain allowed access. |
65 | ## </summary> | ||
66 | ## </param> | ||
67 | -## <rolecap/> | ||
68 | # | ||
69 | -interface(`kernel_mounton_proc',` | ||
70 | +interface(`kernel_getattr_proc',` | ||
71 | gen_require(` | ||
72 | type proc_t; | ||
73 | ') | ||
74 | |||
75 | - allow $1 proc_t:dir mounton; | ||
76 | + allow $1 proc_t:filesystem getattr; | ||
77 | ') | ||
78 | |||
79 | ######################################## | ||
80 | ## <summary> | ||
81 | ## Do not audit attempts to set the | ||
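Review bot: The refreshed kernel.if hunk (`@@ -880,43 +880,42 @@`) no longer adds an interface; it swaps the bodies of kernel_getattr_proc and kernel_mounton_proc and deletes the `## <rolecap/>` tag, which suggests upstream now defines kernel_mounton_proc and this part of the patch only reorders existing code. If that is the case the kernel.if hunk can be dropped entirely, leaving only the rpc.te change, which also removes a conflict source at the next refresh; either way the diffstat `policy/modules/kernel/kernel.if | 18 ++++++++++++++++++` is stale now. If the hunk is kept, `## <rolecap/>` should be retained, since removing it changes the generated interface documentation rather than the policy.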
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch index 766b3df..08e9398 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch | |||
@@ -7,13 +7,14 @@ Upstream-Status: Pending | |||
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | 11 | --- |
11 | policy/modules/system/selinuxutil.te | 3 +++ | 12 | policy/modules/system/selinuxutil.te | 3 +++ |
12 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
13 | 14 | ||
14 | --- a/policy/modules/system/selinuxutil.te | 15 | --- a/policy/modules/system/selinuxutil.te |
15 | +++ b/policy/modules/system/selinuxutil.te | 16 | +++ b/policy/modules/system/selinuxutil.te |
16 | @@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t) | 17 | @@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t) |
17 | files_list_all(setfiles_t) | 18 | files_list_all(setfiles_t) |
18 | files_relabel_all_files(setfiles_t) | 19 | files_relabel_all_files(setfiles_t) |
19 | files_read_usr_symlinks(setfiles_t) | 20 | files_read_usr_symlinks(setfiles_t) |
@@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | |||
23 | +files_read_all_symlinks(setfiles_t) | 24 | +files_read_all_symlinks(setfiles_t) |
24 | + | 25 | + |
25 | fs_getattr_all_xattr_fs(setfiles_t) | 26 | fs_getattr_all_xattr_fs(setfiles_t) |
26 | fs_list_all(setfiles_t) | 27 | fs_getattr_nfs(setfiles_t) |
27 | fs_search_auto_mountpoints(setfiles_t) | 28 | fs_getattr_pstore_dirs(setfiles_t) |
28 | fs_relabelfrom_noxattr_fs(setfiles_t) | 29 | fs_getattr_pstorefs(setfiles_t) |
29 | 30 | fs_getattr_tracefs(setfiles_t) | |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch index 8ce2f62..a1fda13 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch | |||
@@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=211 | |||
9 | type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) | 9 | type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) |
10 | 10 | ||
11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/roles/sysadm.te | 4 ++++ | 14 | policy/modules/roles/sysadm.te | 4 ++++ |
14 | 1 file changed, 4 insertions(+) | 15 | 1 file changed, 4 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch index 998bfa0..e3ea75e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch | |||
@@ -9,13 +9,14 @@ term_dontaudit_use_console. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/kernel/terminal.if | 3 +++ | 14 | policy/modules/kernel/terminal.if | 3 +++ |
14 | 1 file changed, 3 insertions(+) | 15 | 1 file changed, 3 insertions(+) |
15 | 16 | ||
16 | --- a/policy/modules/kernel/terminal.if | 17 | --- a/policy/modules/kernel/terminal.if |
17 | +++ b/policy/modules/kernel/terminal.if | 18 | +++ b/policy/modules/kernel/terminal.if |
18 | @@ -297,13 +297,16 @@ interface(`term_use_console',` | 19 | @@ -315,13 +315,16 @@ interface(`term_use_console',` |
19 | ## </param> | 20 | ## </param> |
20 | # | 21 | # |
21 | interface(`term_dontaudit_use_console',` | 22 | interface(`term_dontaudit_use_console',` |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch index 131a9bb..11a6963 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch | |||
@@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800 | |||
4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input | 4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input |
5 | 5 | ||
6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
7 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | 8 | --- |
8 | policy/modules/admin/dmesg.if | 1 + | 9 | policy/modules/admin/dmesg.if | 1 + |
9 | policy/modules/admin/dmesg.te | 2 ++ | 10 | policy/modules/admin/dmesg.te | 2 ++ |
@@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
19 | can_exec($1, dmesg_exec_t) | 20 | can_exec($1, dmesg_exec_t) |
20 | + dev_read_kmsg($1) | 21 | + dev_read_kmsg($1) |
21 | ') | 22 | ') |
22 | --- a/policy/modules/admin/dmesg.te | ||
23 | +++ b/policy/modules/admin/dmesg.te | ||
24 | @@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t) | ||
25 | # for when /usr is not mounted: | ||
26 | kernel_dontaudit_search_unlabeled(dmesg_t) | ||
27 | |||
28 | dev_read_sysfs(dmesg_t) | ||
29 | |||
30 | +dev_read_kmsg(dmesg_t) | ||
31 | + | ||
32 | fs_search_auto_mountpoints(dmesg_t) | ||
33 | |||
34 | term_dontaudit_use_console(dmesg_t) | ||
35 | |||
36 | domain_use_interactive_fds(dmesg_t) | ||
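Review bot: The dmesg.te hunk adding `dev_read_kmsg(dmesg_t)` is removed (`@@ -19,18 +20,3 @@`), but the diffstat still lists `policy/modules/admin/dmesg.te | 2 ++`, so the header promises a change the patch no longer makes. The surviving dmesg.if change grants `dev_read_kmsg($1)` only to callers of the exec interface, not to dmesg_t itself; unless upstream dmesg.te now carries the rule, which this page does not show, dmesg running in its own domain would be denied on /dev/kmsg. Worth confirming at the new upstream revision before relying on the description's no-functional-change claim.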
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch index 016685c..d0b0073 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | |||
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
14 | policy/modules/kernel/kernel.te | 2 ++ | 14 | policy/modules/kernel/kernel.te | 2 ++ |
15 | 4 files changed, 13 insertions(+) | 15 | 4 files changed, 13 insertions(+) |
16 | 16 | ||
17 | --- a/policy/modules/contrib/rpcbind.te | ||
18 | +++ b/policy/modules/contrib/rpcbind.te | ||
19 | @@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t) | ||
20 | |||
21 | logging_send_syslog_msg(rpcbind_t) | ||
22 | |||
23 | miscfiles_read_localization(rpcbind_t) | ||
24 | |||
25 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
26 | +# because the are running in different level. So add rules to allow this. | ||
27 | +mls_socket_read_all_levels(rpcbind_t) | ||
28 | +mls_socket_write_all_levels(rpcbind_t) | ||
29 | + | ||
30 | ifdef(`distro_debian',` | ||
31 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
32 | ') | ||
17 | --- a/policy/modules/contrib/rpc.te | 33 | --- a/policy/modules/contrib/rpc.te |
18 | +++ b/policy/modules/contrib/rpc.te | 34 | +++ b/policy/modules/contrib/rpc.te |
19 | @@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',` | 35 | @@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',` |
20 | files_read_non_auth_files(nfsd_t) | 36 | files_read_non_auth_files(nfsd_t) |
21 | ') | 37 | ') |
22 | 38 | ||
@@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
32 | ######################################## | 48 | ######################################## |
33 | # | 49 | # |
34 | # GSSD local policy | 50 | # GSSD local policy |
35 | --- a/policy/modules/contrib/rpcbind.te | ||
36 | +++ b/policy/modules/contrib/rpcbind.te | ||
37 | @@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t) | ||
38 | |||
39 | logging_send_syslog_msg(rpcbind_t) | ||
40 | |||
41 | miscfiles_read_localization(rpcbind_t) | ||
42 | |||
43 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
44 | +# because the are running in different level. So add rules to allow this. | ||
45 | +mls_socket_read_all_levels(rpcbind_t) | ||
46 | +mls_socket_write_all_levels(rpcbind_t) | ||
47 | + | ||
48 | ifdef(`distro_debian',` | ||
49 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
50 | ') | ||
51 | --- a/policy/modules/kernel/filesystem.te | 51 | --- a/policy/modules/kernel/filesystem.te |
52 | +++ b/policy/modules/kernel/filesystem.te | 52 | +++ b/policy/modules/kernel/filesystem.te |
53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) | 53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) |
@@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) | 64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) |
65 | --- a/policy/modules/kernel/kernel.te | 65 | --- a/policy/modules/kernel/kernel.te |
66 | +++ b/policy/modules/kernel/kernel.te | 66 | +++ b/policy/modules/kernel/kernel.te |
67 | @@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t) | 67 | @@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) |
68 | 68 | ||
69 | mls_process_read_all_levels(kernel_t) | 69 | mls_process_read_all_levels(kernel_t) |
70 | mls_process_write_all_levels(kernel_t) | 70 | mls_process_write_all_levels(kernel_t) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch index 950f525..0cd8bf9 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch | |||
@@ -10,22 +10,22 @@ Upstream-Status: pending | |||
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/system/selinuxutil.te | 2 +- | 15 | policy/modules/system/selinuxutil.te | 2 +- |
15 | 1 file changed, 1 insertion(+), 1 deletion(-) | 16 | 1 file changed, 1 insertion(+), 1 deletion(-) |
16 | 17 | ||
17 | --- a/policy/modules/system/selinuxutil.te | 18 | --- a/policy/modules/system/selinuxutil.te |
18 | +++ b/policy/modules/system/selinuxutil.te | 19 | +++ b/policy/modules/system/selinuxutil.te |
19 | @@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t) | 20 | @@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t) |
20 | files_dontaudit_read_all_symlinks(setfiles_t) | 21 | files_dontaudit_read_all_symlinks(setfiles_t) |
21 | 22 | ||
22 | # needs to be able to read symlinks to make restorecon on symlink working | 23 | # needs to be able to read symlinks to make restorecon on symlink working |
23 | files_read_all_symlinks(setfiles_t) | 24 | files_read_all_symlinks(setfiles_t) |
24 | 25 | ||
25 | -fs_getattr_all_xattr_fs(setfiles_t) | ||
26 | +fs_getattr_all_fs(setfiles_t) | 26 | +fs_getattr_all_fs(setfiles_t) |
27 | fs_list_all(setfiles_t) | 27 | fs_getattr_all_xattr_fs(setfiles_t) |
28 | fs_search_auto_mountpoints(setfiles_t) | 28 | fs_getattr_nfs(setfiles_t) |
29 | fs_relabelfrom_noxattr_fs(setfiles_t) | 29 | fs_getattr_pstore_dirs(setfiles_t) |
30 | 30 | fs_getattr_pstorefs(setfiles_t) | |
31 | mls_file_read_all_levels(setfiles_t) | 31 | fs_getattr_tracefs(setfiles_t) |
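Review bot: The patch's own diffstat (`policy/modules/system/selinuxutil.te | 2 +-` and `1 file changed, 1 insertion(+), 1 deletion(-)`) no longer matches the refreshed hunk, which under `@@ -594,10 +594,11 @@` only adds `fs_getattr_all_fs(setfiles_t)` and removes nothing; it should read `selinuxutil.te | 1 +` and `1 file changed, 1 insertion(+)`. Since upstream now enumerates `fs_getattr_all_xattr_fs`, `fs_getattr_nfs`, `fs_getattr_pstore_dirs`, `fs_getattr_pstorefs` and `fs_getattr_tracefs` for setfiles_t, the blanket `fs_getattr_all_fs` subsumes all of them and presumably grants filesystem getattr on every filesystem type. The patch description should name the filesystem type whose denial still breaks the statvfs file count, so a reviewer can judge whether the narrower per-type interface would do instead; the `Upstream-Status: pending` line is worth revisiting in that light.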
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch index c9a877b..e0f8c1a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files | |||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/system/selinuxutil.if | 1 + | 11 | policy/modules/system/selinuxutil.if | 1 + |
11 | policy/modules/system/userdomain.if | 4 ++++ | 12 | policy/modules/system/userdomain.if | 4 ++++ |
@@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
27 | ####################################### | 28 | ####################################### |
28 | --- a/policy/modules/system/userdomain.if | 29 | --- a/policy/modules/system/userdomain.if |
29 | +++ b/policy/modules/system/userdomain.if | 30 | +++ b/policy/modules/system/userdomain.if |
30 | @@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat | 31 | @@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat |
31 | logging_read_audit_log($1) | 32 | logging_read_audit_log($1) |
32 | logging_read_generic_logs($1) | 33 | logging_read_generic_logs($1) |
33 | logging_read_audit_config($1) | 34 | logging_read_audit_config($1) |
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch index 86ff0d2..6eba356 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch | |||
@@ -8,21 +8,21 @@ It provide, the systemd support related allow rules | |||
8 | Upstream-Status: Pending | 8 | Upstream-Status: Pending |
9 | 9 | ||
10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 12 | --- |
12 | policy/modules/system/init.te | 5 +++++ | 13 | policy/modules/system/init.te | 5 +++++ |
13 | 1 file changed, 5 insertions(+) | 14 | 1 file changed, 5 insertions(+) |
14 | 15 | ||
15 | --- a/policy/modules/system/init.te | 16 | --- a/policy/modules/system/init.te |
16 | +++ b/policy/modules/system/init.te | 17 | +++ b/policy/modules/system/init.te |
17 | @@ -1105,5 +1105,10 @@ optional_policy(` | 18 | @@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre |
18 | ') | ||
19 | |||
20 | optional_policy(` | 19 | optional_policy(` |
21 | zebra_read_config(initrc_t) | 20 | userdom_dontaudit_search_user_home_dirs(systemprocess) |
21 | userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) | ||
22 | userdom_dontaudit_write_user_tmp_files(systemprocess) | ||
22 | ') | 23 | ') |
23 | + | 24 | + |
24 | +# systemd related allow rules | 25 | +# systemd related allow rules |
25 | +allow kernel_t init_t:process dyntransition; | 26 | +allow kernel_t init_t:process dyntransition; |
26 | +allow devpts_t device_t:filesystem associate; | 27 | +allow devpts_t device_t:filesystem associate; |
27 | +allow init_t self:capability2 block_suspend; | 28 | +allow init_t self:capability2 block_suspend; |
28 | \ No newline at end of file | ||
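Review bot: The three `allow` rules appended at the end of init.te are unconditional, so they also apply to non-systemd builds even though the comment says they are systemd related; wrap them as `ifdef(`init_systemd',`` ... `')` like the rest of the systemd-specific policy in this file. They are also raw rules naming types owned by other modules (`kernel_t`, `devpts_t`, `device_t`) instead of going through the interfaces refpolicy provides for this, presumably `kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)` if the pinned refpolicy revision has them, which keeps the policy valid if those types are ever renamed. `allow init_t self:capability2 block_suspend;` is fine as a self rule. The hunk is at the end of init.te, so nothing follows it.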
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index 2dd8291..b33e84b 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch | |||
@@ -11,17 +11,18 @@ Upstream-Status: pending | |||
11 | 11 | ||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | 15 | --- |
15 | policy/modules/system/init.te | 14 ++++++++------ | 16 | policy/modules/system/init.te | 14 ++++++++------ |
16 | policy/modules/system/locallogin.te | 4 +++- | 17 | policy/modules/system/locallogin.te | 4 +++- |
17 | 2 files changed, 11 insertions(+), 7 deletions(-) | 18 | 2 files changed, 11 insertions(+), 7 deletions(-) |
18 | 19 | ||
19 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
20 | index c058f0c..d710fb0 100644 | ||
21 | --- a/policy/modules/system/init.te | 20 | --- a/policy/modules/system/init.te |
22 | +++ b/policy/modules/system/init.te | 21 | +++ b/policy/modules/system/init.te |
23 | @@ -292,12 +292,14 @@ ifdef(`init_systemd',` | 22 | @@ -344,17 +344,19 @@ ifdef(`init_systemd',` |
24 | modutils_domtrans_insmod(init_t) | 23 | |
24 | optional_policy(` | ||
25 | modutils_domtrans(init_t) | ||
25 | ') | 26 | ') |
26 | ',` | 27 | ',` |
27 | - tunable_policy(`init_upstart',` | 28 | - tunable_policy(`init_upstart',` |
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644 | |||
29 | - ',` | 30 | - ',` |
30 | - # Run the shell in the sysadm role for single-user mode. | 31 | - # Run the shell in the sysadm role for single-user mode. |
31 | - # causes problems with upstart | 32 | - # causes problems with upstart |
32 | - sysadm_shell_domtrans(init_t) | 33 | - ifndef(`distro_debian',` |
34 | - sysadm_shell_domtrans(init_t) | ||
33 | + optional_policy(` | 35 | + optional_policy(` |
34 | + tunable_policy(`init_upstart',` | 36 | + tunable_policy(`init_upstart',` |
35 | + corecmd_shell_domtrans(init_t, initrc_t) | 37 | + corecmd_shell_domtrans(init_t, initrc_t) |
36 | + ',` | 38 | + ',` |
37 | + # Run the shell in the sysadm role for single-user mode. | 39 | + # Run the shell in the sysadm role for single-user mode. |
38 | + # causes problems with upstart | 40 | + # causes problems with upstart |
39 | + sysadm_shell_domtrans(init_t) | 41 | + ifndef(`distro_debian',` |
40 | + ') | 42 | + sysadm_shell_domtrans(init_t) |
43 | + ') | ||
44 | ') | ||
41 | ') | 45 | ') |
42 | ') | 46 | ') |
43 | 47 | ||
44 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 48 | ifdef(`distro_debian',` |
45 | index 0781eae..ea2493a 100644 | ||
46 | --- a/policy/modules/system/locallogin.te | 49 | --- a/policy/modules/system/locallogin.te |
47 | +++ b/policy/modules/system/locallogin.te | 50 | +++ b/policy/modules/system/locallogin.te |
48 | @@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t) | 51 | @@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) |
52 | userdom_use_unpriv_users_fds(sulogin_t) | ||
53 | |||
49 | userdom_search_user_home_dirs(sulogin_t) | 54 | userdom_search_user_home_dirs(sulogin_t) |
50 | userdom_use_user_ptys(sulogin_t) | 55 | userdom_use_user_ptys(sulogin_t) |
51 | 56 | ||
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644 | |||
54 | + sysadm_shell_domtrans(sulogin_t) | 59 | + sysadm_shell_domtrans(sulogin_t) |
55 | +') | 60 | +') |
56 | 61 | ||
57 | # suse and debian do not use pam with sulogin... | 62 | # by default, sulogin does not use pam... |
58 | ifdef(`distro_suse', `define(`sulogin_no_pam')') | 63 | # sulogin_pam might need to be defined otherwise |
59 | -- | 64 | ifdef(`sulogin_pam', ` |
60 | 1.9.1 | 65 | selinux_get_fs_mount(sulogin_t) |
61 | |||
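Review bot: In the init.te hunk the `optional_policy(` wrapper now encloses the whole `tunable_policy(`init_upstart'` block, although the only interface in it that can be missing is `sysadm_shell_domtrans(init_t)`; `corecmd_shell_domtrans(init_t, initrc_t)` comes from the always-present corecmd module, so if the sysadm module is absent the upstart branch is presumably dropped along with it. Wrapping only the sysadm call keeps upstream's structure and shrinks the patch to two added lines: inside the existing `ifndef(`distro_debian',`, replace `sysadm_shell_domtrans(init_t)` with `optional_policy(` / `sysadm_shell_domtrans(init_t)` / `')`. The locallogin.te hunk in this same patch appears to already use that narrow form for `sysadm_shell_domtrans(sulogin_t)`, so the two hunks would then match.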
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch index b6c64c6..17a8199 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch | |||
@@ -18,15 +18,16 @@ support is enabled: | |||
18 | Upstream-Status: Inappropriate | 18 | Upstream-Status: Inappropriate |
19 | 19 | ||
20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
21 | --- | 22 | --- |
22 | policy/modules/system/init.if | 4 ++-- | 23 | policy/modules/system/init.if | 4 ++-- |
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | 24 | 1 file changed, 2 insertions(+), 2 deletions(-) |
24 | 25 | ||
25 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | ||
26 | index f50c6e1..b445886 100644 | ||
27 | --- a/policy/modules/system/init.if | 26 | --- a/policy/modules/system/init.if |
28 | +++ b/policy/modules/system/init.if | 27 | +++ b/policy/modules/system/init.if |
29 | @@ -1307,12 +1307,12 @@ interface(`init_spec_domtrans_script',` | 28 | @@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',` |
29 | ## </summary> | ||
30 | ## </param> | ||
30 | # | 31 | # |
31 | interface(`init_domtrans_script',` | 32 | interface(`init_domtrans_script',` |
32 | gen_require(` | 33 | gen_require(` |
@@ -41,6 +42,5 @@ index f50c6e1..b445886 100644 | |||
41 | 42 | ||
42 | ifdef(`enable_mcs',` | 43 | ifdef(`enable_mcs',` |
43 | range_transition $1 init_script_file_type:process s0; | 44 | range_transition $1 init_script_file_type:process s0; |
44 | -- | 45 | ') |
45 | 1.9.1 | 46 | |
46 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index ba14851..29d3e2d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch | |||
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | |||
20 | policy/users | 16 +++++-------- | 20 | policy/users | 16 +++++-------- |
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | 21 | 5 files changed, 55 insertions(+), 20 deletions(-) |
22 | 22 | ||
23 | diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers | ||
24 | index dc5f1e4..4428da8 100644 | ||
25 | --- a/config/appconfig-mcs/seusers | 23 | --- a/config/appconfig-mcs/seusers |
26 | +++ b/config/appconfig-mcs/seusers | 24 | +++ b/config/appconfig-mcs/seusers |
27 | @@ -1,3 +1,3 @@ | 25 | @@ -1,2 +1,3 @@ |
28 | system_u:system_u:s0-mcs_systemhigh | ||
29 | -root:root:s0-mcs_systemhigh | 26 | -root:root:s0-mcs_systemhigh |
30 | -__default__:user_u:s0 | 27 | -__default__:user_u:s0 |
31 | +root:unconfined_u:s0-mcs_systemhigh | 28 | +root:unconfined_u:s0-mcs_systemhigh |
32 | +__default__:unconfined_u:s0 | 29 | +__default__:unconfined_u:s0 |
33 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 30 | + |
34 | index 005afd8..4699d6a 100644 | ||
35 | --- a/policy/modules/roles/sysadm.te | 31 | --- a/policy/modules/roles/sysadm.te |
36 | +++ b/policy/modules/roles/sysadm.te | 32 | +++ b/policy/modules/roles/sysadm.te |
37 | @@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) | 33 | @@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t) |
34 | ubac_file_exempt(sysadm_t) | ||
38 | ubac_fd_exempt(sysadm_t) | 35 | ubac_fd_exempt(sysadm_t) |
39 | 36 | ||
40 | init_exec(sysadm_t) | 37 | init_exec(sysadm_t) |
38 | init_admin(sysadm_t) | ||
41 | +init_script_role_transition(sysadm_r) | 39 | +init_script_role_transition(sysadm_r) |
42 | init_get_system_status(sysadm_t) | 40 | |
43 | init_disable(sysadm_t) | 41 | selinux_read_policy(sysadm_t) |
44 | init_enable(sysadm_t) | 42 | |
45 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | 43 | # Add/remove user home directories |
46 | index b68dfc1..35b4141 100644 | 44 | userdom_manage_user_home_dirs(sysadm_t) |
47 | --- a/policy/modules/system/init.if | 45 | --- a/policy/modules/system/init.if |
48 | +++ b/policy/modules/system/init.if | 46 | +++ b/policy/modules/system/init.if |
49 | @@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',` | 47 | @@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type', |
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | 50 | # |
51 | interface(`init_spec_domtrans_script',` | 51 | interface(`init_spec_domtrans_script',` |
52 | gen_require(` | 52 | gen_require(` |
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644 | |||
61 | 61 | ||
62 | ifdef(`distro_gentoo',` | 62 | ifdef(`distro_gentoo',` |
63 | gen_require(` | 63 | gen_require(` |
64 | @@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',` | 64 | type rc_exec_t; |
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
65 | ') | 68 | ') |
66 | 69 | ||
67 | ifdef(`enable_mcs',` | 70 | ifdef(`enable_mcs',` |
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644 | |||
75 | ') | 78 | ') |
76 | ') | 79 | ') |
77 | 80 | ||
78 | @@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',` | 81 | ######################################## |
82 | ## <summary> | ||
83 | @@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
79 | # | 86 | # |
80 | interface(`init_domtrans_script',` | 87 | interface(`init_domtrans_script',` |
81 | gen_require(` | 88 | gen_require(` |
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644 | |||
99 | ') | 106 | ') |
100 | ') | 107 | ') |
101 | 108 | ||
102 | @@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',` | 109 | ######################################## |
103 | 110 | ## <summary> | |
104 | allow $1 systemdunit:service reload; | 111 | @@ -2972,5 +2974,34 @@ interface(`init_admin',` |
112 | init_stop_all_units($1) | ||
113 | init_stop_generic_units($1) | ||
114 | init_stop_system($1) | ||
115 | init_telinit($1) | ||
105 | ') | 116 | ') |
106 | + | 117 | + |
107 | +######################################## | 118 | +######################################## |
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644 | |||
132 | + role_transition $1 init_script_file_type system_r; | 143 | + role_transition $1 init_script_file_type system_r; |
133 | +') | 144 | +') |
134 | + | 145 | + |
135 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | ||
136 | index ad23fce..99cab31 100644 | ||
137 | --- a/policy/modules/system/unconfined.te | 146 | --- a/policy/modules/system/unconfined.te |
138 | +++ b/policy/modules/system/unconfined.te | 147 | +++ b/policy/modules/system/unconfined.te |
139 | @@ -20,6 +20,11 @@ type unconfined_execmem_t; | 148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi |
149 | |||
150 | type unconfined_execmem_t; | ||
140 | type unconfined_execmem_exec_t; | 151 | type unconfined_execmem_exec_t; |
141 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | 152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) |
142 | role unconfined_r types unconfined_execmem_t; | 153 | role unconfined_r types unconfined_execmem_t; |
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644 | |||
148 | 159 | ||
149 | ######################################## | 160 | ######################################## |
150 | # | 161 | # |
151 | @@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f | 162 | # Local policy |
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
152 | ifdef(`direct_sysadm_daemon',` | 167 | ifdef(`direct_sysadm_daemon',` |
153 | optional_policy(` | 168 | optional_policy(` |
154 | init_run_daemon(unconfined_t, unconfined_r) | 169 | init_run_daemon(unconfined_t, unconfined_r) |
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644 | |||
157 | ') | 172 | ') |
158 | ',` | 173 | ',` |
159 | ifdef(`distro_gentoo',` | 174 | ifdef(`distro_gentoo',` |
160 | diff --git a/policy/users b/policy/users | 175 | seutil_run_runinit(unconfined_t, unconfined_r) |
161 | index ca20375..ac1ca6c 100644 | 176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) |
162 | --- a/policy/users | 177 | --- a/policy/users |
163 | +++ b/policy/users | 178 | +++ b/policy/users |
164 | @@ -15,7 +15,7 @@ | 179 | @@ -13,37 +13,33 @@ |
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
165 | # and a user process should never be assigned the system user | 182 | # and a user process should never be assigned the system user |
166 | # identity. | 183 | # identity. |
167 | # | 184 | # |
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644 | |||
170 | 187 | ||
171 | # | 188 | # |
172 | # user_u is a generic user identity for Linux users who have no | 189 | # user_u is a generic user identity for Linux users who have no |
173 | @@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 190 | # SELinux user identity defined. The modified daemons will use |
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
174 | # permit any access to such users, then remove this entry. | 193 | # permit any access to such users, then remove this entry. |
175 | # | 194 | # |
176 | gen_user(user_u, user, user_r, s0, s0) | 195 | gen_user(user_u, user, user_r, s0, s0) |
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644 | |||
189 | ') | 208 | ') |
190 | 209 | ||
191 | # | 210 | # |
192 | @@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',` | 211 | # The following users correspond to Unix identities. |
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
193 | # role should use the staff_r role instead of the user_r role when | 214 | # role should use the staff_r role instead of the user_r role when |
194 | # not in the sysadm_r. | 215 | # not in the sysadm_r. |
195 | # | 216 | # |
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644 | |||
199 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | 220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) |
200 | -') | 221 | -') |
201 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) |
202 | -- | ||
203 | 1.9.1 | ||
204 | |||
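Review bot: The refreshed seusers hunk, now `@@ -1,2 +1,3 @@`, appends an empty line (the trailing `+`) that the previous version of this patch did not add; it is a refresh artifact unrelated to the root/__default__ remapping and should be dropped so the hunk is `@@ -1,2 +1,2 @@` (libselinux presumably skips blank seusers lines, but the commit message promises no functional change). On the policy side, `__default__:unconfined_u:s0` maps every Linux account without its own seusers entry to unconfined_u, and root's `gen_user` line now also authorizes `unconfined_r system_r`, so root's SELinux user is allowed into system_r beyond the `init_script_role_transition(sysadm_r)` path added in sysadm.te; that is expected for a targeted policy, but the patch header should state it explicitly, e.g. `# targeted policy: all logins are unconfined_u; root is additionally authorized for system_r`.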
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index e6e63c9..b320e4d 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc | |||
@@ -20,7 +20,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ | |||
20 | file://poky-fc-dmesg.patch \ | 20 | file://poky-fc-dmesg.patch \ |
21 | file://poky-fc-fstools.patch \ | 21 | file://poky-fc-fstools.patch \ |
22 | file://poky-fc-mta.patch \ | 22 | file://poky-fc-mta.patch \ |
23 | file://poky-fc-netutils.patch \ | ||
24 | file://poky-fc-nscd.patch \ | 23 | file://poky-fc-nscd.patch \ |
25 | file://poky-fc-screen.patch \ | 24 | file://poky-fc-screen.patch \ |
26 | file://poky-fc-ssh.patch \ | 25 | file://poky-fc-ssh.patch \ |