refpolicy: Forward patch to apply cleanly on thudthud

Also fix devtool generated warnings by refreshing patches Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Khem Raj <raj.khem@gmail.com> 2019-02-26 11:44:43 -0800
committer: Joe MacDonald <joe@deserted.net> 2019-02-27 10:30:20 -0500
commit: fb6192aa2c5df8e80c5e6d4fa5448d574332f68f (patch)
tree: 2587a5c53709841555f5611ef46b81e77575c52f
parent: fd7cafedda33810fe592742b7c2c81d049091dea (diff)
download: meta-selinux-thud.tar.gz
3 files changed, 11 insertions, 35 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
index e9a0464..aa928c6 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -17,8 +17,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
+@@ -2,6 +2,7 @@
- /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -26,11 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 /etc/audit(/.*)?               gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd --   gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
+@@ -27,10 +28,12 @@
- /usr/bin/audispd       --      gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
- /usr/sbin/audispd      --      gen_context(system_u:object_r:audisp_exec_t,s0)
- /usr/sbin/audisp-remote        --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /usr/sbin/auditctl     --      gen_context(system_u:object_r:auditctl_exec_t,s0)
 /usr/sbin/auditd       --      gen_context(system_u:object_r:auditd_exec_t,s0)
 /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -43,13 +38,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 /usr/sbin/syslog-ng    --      gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
 
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,6 +390,8 @@ allow syslogd_t self:udp_socket create_s
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -58,5 +49,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
index fb912b5..6c96e33 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -17,15 +17,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
+@@ -411,6 +411,7 @@ create_files_pattern(httpd_t, httpd_log_
- files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- 
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
 logging_log_filetrans(httpd_t, httpd_log_t, file)
 
 allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
index a7338e1..f5a767d 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -37,11 +37,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 policy/modules/system/systemd.te |  3 +++
 3 files changed, 45 insertions(+)
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 1cedea2..4ea7d55 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+@@ -6906,3 +6906,22 @@ interface(`files_unconfined',`
 
        typeattribute $1 files_unconfined_type;
 ')
@@ -64,13 +62,11 @@ index 1cedea2..4ea7d55 100644
 +
 +       allow $1 tmp_t:lnk_file getattr;
 +')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index f1130d1..4604441 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
+@@ -3418,3 +3418,26 @@ interface(`kernel_rw_vm_overcommit_sysct
-        typeattribute $1 kern_unconfined;
+        kernel_search_vm_sysctl($1)
-        kernel_load_module($1)
+        allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
 ')
 +
 +########################################
@@ -95,17 +91,12 @@ index f1130d1..4604441 100644
 +
 +')
 +
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 22021eb..8813664 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+@@ -374,3 +374,6 @@ allow systemd_tmpfiles_t initrc_t:unix_d
 allow systemd_tmpfiles_t self:capability net_admin;
 
 allow systemd_tmpfiles_t init_t:file { open getattr read };
 +
 +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
 +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
-- 
-1.9.1
author	Khem Raj <raj.khem@gmail.com>	2019-02-26 11:44:43 -0800
committer	Joe MacDonald <joe@deserted.net>	2019-02-27 10:30:20 -0500
commit	fb6192aa2c5df8e80c5e6d4fa5448d574332f68f (patch)
tree	2587a5c53709841555f5611ef46b81e77575c52f
parent	fd7cafedda33810fe592742b7c2c81d049091dea (diff)
download	meta-selinux-thud.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch index e9a0464..aa928c6 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -17,8 +17,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
17		17
18	--- a/policy/modules/system/logging.fc	18	--- a/policy/modules/system/logging.fc
19	+++ b/policy/modules/system/logging.fc	19	+++ b/policy/modules/system/logging.fc
20	@@ -1,9 +1,10 @@	20	@@ -2,6 +2,7 @@
21	/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
22		21
23	/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)	22	/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
24	/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)	23	/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -26,11 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
26	/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)	25	/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
27	/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)	26	/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
28	/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)	27	/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
29		28	@@ -27,10 +28,12 @@
30	/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
31	@@ -27,14 +28,16 @@
32	/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
33	/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
34	/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)	29	/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
35	/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)	30	/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
36	/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)	31	/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -43,13 +38,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
43	/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)	38	/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
44	/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)	39	/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
45		40
46	/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
47	/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
48	--- a/policy/modules/system/logging.te	41	--- a/policy/modules/system/logging.te
49	+++ b/policy/modules/system/logging.te	42	+++ b/policy/modules/system/logging.te
50	@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s	43	@@ -390,6 +390,8 @@ allow syslogd_t self:udp_socket create_s
51	allow syslogd_t self:fifo_file rw_fifo_file_perms;
52	allow syslogd_t self:udp_socket create_socket_perms;
53	allow syslogd_t self:tcp_socket create_stream_socket_perms;	44	allow syslogd_t self:tcp_socket create_stream_socket_perms;
54		45
55	allow syslogd_t syslog_conf_t:file read_file_perms;	46	allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -58,5 +49,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
58		49
59	# Create and bind to /dev/log or /var/run/log.	50	# Create and bind to /dev/log or /var/run/log.
60	allow syslogd_t devlog_t:sock_file manage_sock_file_perms;	51	allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
61	files_pid_filetrans(syslogd_t, devlog_t, sock_file)
62	init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")


diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch index fb912b5..6c96e33 100644 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -17,15 +17,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
17		17
18	--- a/policy/modules/contrib/apache.te	18	--- a/policy/modules/contrib/apache.te
19	+++ b/policy/modules/contrib/apache.te	19	+++ b/policy/modules/contrib/apache.te
20	@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f	20	@@ -411,6 +411,7 @@ create_files_pattern(httpd_t, httpd_log_
21	files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })	21	append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
22		22	read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
23	manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
24	manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
25	read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)	23	read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
26	+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)	24	+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
27	logging_log_filetrans(httpd_t, httpd_log_t, file)	25	logging_log_filetrans(httpd_t, httpd_log_t, file)
28		26
29	allow httpd_t httpd_modules_t:dir list_dir_perms;	27	allow httpd_t httpd_modules_t:dir list_dir_perms;
30	mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
31	read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)


diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch index a7338e1..f5a767d 100644 --- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch +++ b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -37,11 +37,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
37	policy/modules/system/systemd.te \| 3 +++	37	policy/modules/system/systemd.te \| 3 +++
38	3 files changed, 45 insertions(+)	38	3 files changed, 45 insertions(+)
39		39
40	diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
41	index 1cedea2..4ea7d55 100644
42	--- a/policy/modules/kernel/files.if	40	--- a/policy/modules/kernel/files.if
43	+++ b/policy/modules/kernel/files.if	41	+++ b/policy/modules/kernel/files.if
44	@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`	42	@@ -6906,3 +6906,22 @@ interface(`files_unconfined',`
45		43
46	typeattribute $1 files_unconfined_type;	44	typeattribute $1 files_unconfined_type;
47	')	45	')
@@ -64,13 +62,11 @@ index 1cedea2..4ea7d55 100644
64	+	62	+
65	+ allow $1 tmp_t:lnk_file getattr;	63	+ allow $1 tmp_t:lnk_file getattr;
66	+')	64	+')
67	diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
68	index f1130d1..4604441 100644
69	--- a/policy/modules/kernel/kernel.if	65	--- a/policy/modules/kernel/kernel.if
70	+++ b/policy/modules/kernel/kernel.if	66	+++ b/policy/modules/kernel/kernel.if
71	@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`	67	@@ -3418,3 +3418,26 @@ interface(`kernel_rw_vm_overcommit_sysct
72	typeattribute $1 kern_unconfined;	68	kernel_search_vm_sysctl($1)
73	kernel_load_module($1)	69	allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
74	')	70	')
75	+	71	+
76	+########################################	72	+########################################
@@ -95,17 +91,12 @@ index f1130d1..4604441 100644
95	+	91	+
96	+')	92	+')
97	+	93	+
98	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
99	index 22021eb..8813664 100644
100	--- a/policy/modules/system/systemd.te	94	--- a/policy/modules/system/systemd.te
101	+++ b/policy/modules/system/systemd.te	95	+++ b/policy/modules/system/systemd.te
102	@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;	96	@@ -374,3 +374,6 @@ allow systemd_tmpfiles_t initrc_t:unix_d
103	allow systemd_tmpfiles_t self:capability net_admin;	97	allow systemd_tmpfiles_t self:capability net_admin;
104		98
105	allow systemd_tmpfiles_t init_t:file { open getattr read };	99	allow systemd_tmpfiles_t init_t:file { open getattr read };
106	+	100	+
107	+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)	101	+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
108	+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)	102	+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
109	--
110	1.9.1
111