diff options
author | Khem Raj <raj.khem@gmail.com> | 2019-02-26 11:44:43 -0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2019-02-27 10:30:20 -0500 |
commit | fb6192aa2c5df8e80c5e6d4fa5448d574332f68f (patch) | |
tree | 2587a5c53709841555f5611ef46b81e77575c52f | |
parent | fd7cafedda33810fe592742b7c2c81d049091dea (diff) | |
download | meta-selinux-thud.tar.gz |
refpolicy: Forward patch to apply cleanly on thudthud
Also fix devtool generated warnings by refreshing patches
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
3 files changed, 11 insertions, 35 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch index e9a0464..aa928c6 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch | |||
@@ -17,8 +17,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
17 | 17 | ||
18 | --- a/policy/modules/system/logging.fc | 18 | --- a/policy/modules/system/logging.fc |
19 | +++ b/policy/modules/system/logging.fc | 19 | +++ b/policy/modules/system/logging.fc |
20 | @@ -1,9 +1,10 @@ | 20 | @@ -2,6 +2,7 @@ |
21 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) | ||
22 | 21 | ||
23 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 22 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
24 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 23 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
@@ -26,11 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
26 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | 25 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
27 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) | 26 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) |
28 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | 27 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) |
29 | 28 | @@ -27,10 +28,12 @@ | |
30 | /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
31 | @@ -27,14 +28,16 @@ | ||
32 | /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
33 | /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
34 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | 29 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) |
35 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | 30 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) |
36 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | 31 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
@@ -43,13 +38,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
43 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 38 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
44 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 39 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
45 | 40 | ||
46 | /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) | ||
47 | /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) | ||
48 | --- a/policy/modules/system/logging.te | 41 | --- a/policy/modules/system/logging.te |
49 | +++ b/policy/modules/system/logging.te | 42 | +++ b/policy/modules/system/logging.te |
50 | @@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s | 43 | @@ -390,6 +390,8 @@ allow syslogd_t self:udp_socket create_s |
51 | allow syslogd_t self:fifo_file rw_fifo_file_perms; | ||
52 | allow syslogd_t self:udp_socket create_socket_perms; | ||
53 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | 44 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
54 | 45 | ||
55 | allow syslogd_t syslog_conf_t:file read_file_perms; | 46 | allow syslogd_t syslog_conf_t:file read_file_perms; |
@@ -58,5 +49,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
58 | 49 | ||
59 | # Create and bind to /dev/log or /var/run/log. | 50 | # Create and bind to /dev/log or /var/run/log. |
60 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | 51 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; |
61 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) | ||
62 | init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") | ||
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch index fb912b5..6c96e33 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch | |||
@@ -17,15 +17,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
17 | 17 | ||
18 | --- a/policy/modules/contrib/apache.te | 18 | --- a/policy/modules/contrib/apache.te |
19 | +++ b/policy/modules/contrib/apache.te | 19 | +++ b/policy/modules/contrib/apache.te |
20 | @@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f | 20 | @@ -411,6 +411,7 @@ create_files_pattern(httpd_t, httpd_log_ |
21 | files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) | 21 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
22 | 22 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | |
23 | manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
24 | manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | ||
25 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 23 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
26 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | 24 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) |
27 | logging_log_filetrans(httpd_t, httpd_log_t, file) | 25 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
28 | 26 | ||
29 | allow httpd_t httpd_modules_t:dir list_dir_perms; | 27 | allow httpd_t httpd_modules_t:dir list_dir_perms; |
30 | mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | ||
31 | read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) | ||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch index a7338e1..f5a767d 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch +++ b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch | |||
@@ -37,11 +37,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | |||
37 | policy/modules/system/systemd.te | 3 +++ | 37 | policy/modules/system/systemd.te | 3 +++ |
38 | 3 files changed, 45 insertions(+) | 38 | 3 files changed, 45 insertions(+) |
39 | 39 | ||
40 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | ||
41 | index 1cedea2..4ea7d55 100644 | ||
42 | --- a/policy/modules/kernel/files.if | 40 | --- a/policy/modules/kernel/files.if |
43 | +++ b/policy/modules/kernel/files.if | 41 | +++ b/policy/modules/kernel/files.if |
44 | @@ -6729,3 +6729,22 @@ interface(`files_unconfined',` | 42 | @@ -6906,3 +6906,22 @@ interface(`files_unconfined',` |
45 | 43 | ||
46 | typeattribute $1 files_unconfined_type; | 44 | typeattribute $1 files_unconfined_type; |
47 | ') | 45 | ') |
@@ -64,13 +62,11 @@ index 1cedea2..4ea7d55 100644 | |||
64 | + | 62 | + |
65 | + allow $1 tmp_t:lnk_file getattr; | 63 | + allow $1 tmp_t:lnk_file getattr; |
66 | +') | 64 | +') |
67 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | ||
68 | index f1130d1..4604441 100644 | ||
69 | --- a/policy/modules/kernel/kernel.if | 65 | --- a/policy/modules/kernel/kernel.if |
70 | +++ b/policy/modules/kernel/kernel.if | 66 | +++ b/policy/modules/kernel/kernel.if |
71 | @@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` | 67 | @@ -3418,3 +3418,26 @@ interface(`kernel_rw_vm_overcommit_sysct |
72 | typeattribute $1 kern_unconfined; | 68 | kernel_search_vm_sysctl($1) |
73 | kernel_load_module($1) | 69 | allow $1 sysctl_vm_overcommit_t:file rw_file_perms; |
74 | ') | 70 | ') |
75 | + | 71 | + |
76 | +######################################## | 72 | +######################################## |
@@ -95,17 +91,12 @@ index f1130d1..4604441 100644 | |||
95 | + | 91 | + |
96 | +') | 92 | +') |
97 | + | 93 | + |
98 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
99 | index 22021eb..8813664 100644 | ||
100 | --- a/policy/modules/system/systemd.te | 94 | --- a/policy/modules/system/systemd.te |
101 | +++ b/policy/modules/system/systemd.te | 95 | +++ b/policy/modules/system/systemd.te |
102 | @@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | 96 | @@ -374,3 +374,6 @@ allow systemd_tmpfiles_t initrc_t:unix_d |
103 | allow systemd_tmpfiles_t self:capability net_admin; | 97 | allow systemd_tmpfiles_t self:capability net_admin; |
104 | 98 | ||
105 | allow systemd_tmpfiles_t init_t:file { open getattr read }; | 99 | allow systemd_tmpfiles_t init_t:file { open getattr read }; |
106 | + | 100 | + |
107 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) | 101 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) |
108 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) | 102 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) |
109 | -- | ||
110 | 1.9.1 | ||
111 | |||