author | Yi Zhao <yi.zhao@windriver.com> | 2023-10-11 10:50:24 +0800 |
committer | Joe MacDonald <joe@deserted.net> | 2023-10-12 10:14:19 -0400 |
commit | 0d58268e290fe9dfa1c17d97b9ca7709aa53d595 (patch) | |
tree | 0b6341288f378e5e77ee8a5425793897c5d18fa8 | |
parent | e44d4ff853a0ea835462c3476cba400124a00bdd (diff) | |
download | meta-selinux-0d58268e290fe9dfa1c17d97b9ca7709aa53d595.tar.gz |
refpolicy: upgrade 20221101+git -> 20231002+git
* Switch branch to main.
* Update to latest git rev.
* Drop obsolete and useless patches.
* Refresh patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
61 files changed, 304 insertions, 317 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch index 1605d90..2b879d2 100644 --- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch +++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ee66387c393af77b88c833f5d271efe48036112c Mon Sep 17 00:00:00 2001 | 1 | From 1d96fd0c6906566d40cb4c4f2c8a30fe80ed4ad4 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 16:14:09 -0400 | 3 | Date: Thu, 28 Mar 2019 16:14:09 -0400 |
4 | Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths | 4 | Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths |
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch index 657c5cd..50e0339 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0e3b79ae0ae468640d7092c9a91a91d258d07645 Mon Sep 17 00:00:00 2001 | 1 | From 6c5f86f8c5e5fda6ded270753d0535a31ebfbab0 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 | 3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 |
4 | Subject: [PATCH] refpolicy-minimum: make sysadmin module optional | 4 | Subject: [PATCH] refpolicy-minimum: make sysadmin module optional |
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
22 | 2 files changed, 11 insertions(+), 7 deletions(-) | 22 | 2 files changed, 11 insertions(+), 7 deletions(-) |
23 | 23 | ||
24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
25 | index 671b5aef3..8ce3d5956 100644 | 25 | index e94a29a73..6b1879bb4 100644 |
26 | --- a/policy/modules/system/init.te | 26 | --- a/policy/modules/system/init.te |
27 | +++ b/policy/modules/system/init.te | 27 | +++ b/policy/modules/system/init.te |
28 | @@ -615,13 +615,15 @@ ifdef(`init_systemd',` | 28 | @@ -638,13 +638,15 @@ ifdef(`init_systemd',` |
29 | unconfined_write_keys(init_t) | 29 | unconfined_write_keys(init_t) |
30 | ') | 30 | ') |
31 | ',` | 31 | ',` |
@@ -48,10 +48,10 @@ index 671b5aef3..8ce3d5956 100644 | |||
48 | ') | 48 | ') |
49 | ') | 49 | ') |
50 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 50 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
51 | index 7728de804..a8ff403dd 100644 | 51 | index 8330be8a9..933e94b24 100644 |
52 | --- a/policy/modules/system/locallogin.te | 52 | --- a/policy/modules/system/locallogin.te |
53 | +++ b/policy/modules/system/locallogin.te | 53 | +++ b/policy/modules/system/locallogin.te |
54 | @@ -274,7 +274,9 @@ userdom_use_unpriv_users_fds(sulogin_t) | 54 | @@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t) |
55 | userdom_search_user_home_dirs(sulogin_t) | 55 | userdom_search_user_home_dirs(sulogin_t) |
56 | userdom_use_user_ptys(sulogin_t) | 56 | userdom_use_user_ptys(sulogin_t) |
57 | 57 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 64e658e..fb92e6c 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 60b4e5ea5668a71b2a0660461daecea66fd11d51 Mon Sep 17 00:00:00 2001 | 1 | From c26f856ac11b3d61aff56c4e512bedca811cf004 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 | 3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 |
4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux | 4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux |
@@ -38,7 +38,7 @@ index ce614b41b..c0903d98b 100644 | |||
38 | +root:unconfined_u:s0-mcs_systemhigh | 38 | +root:unconfined_u:s0-mcs_systemhigh |
39 | +__default__:unconfined_u:s0 | 39 | +__default__:unconfined_u:s0 |
40 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | 40 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
41 | index d116a1b9b..32720f68f 100644 | 41 | index 6431d35da..922e7e285 100644 |
42 | --- a/policy/modules/system/unconfined.te | 42 | --- a/policy/modules/system/unconfined.te |
43 | +++ b/policy/modules/system/unconfined.te | 43 | +++ b/policy/modules/system/unconfined.te |
44 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; | 44 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; |
diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch index ef00602..26669ba 100644 --- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8fa6c5b7b99a50b09e9dffd142c066fa41319750 Mon Sep 17 00:00:00 2001 | 1 | From c94348cbaacfdc47a50cc93c8d52295f09b3c1f2 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 20:48:10 -0400 | 3 | Date: Thu, 28 Mar 2019 20:48:10 -0400 |
4 | Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr | 4 | Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr |
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch index 25afa3b..75ff75e 100644 --- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9a8d6b634d4f714fc63125be5e23228c565d1aaf Mon Sep 17 00:00:00 2001 | 1 | From c69e55b03777ee15701ebb9b53b288fc773dbd87 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Wed, 29 Sep 2021 11:08:49 +0800 | 3 | Date: Wed, 29 Sep 2021 11:08:49 +0800 |
4 | Subject: [PATCH] refpolicy-minimum: make xdg module optional | 4 | Subject: [PATCH] refpolicy-minimum: make xdg module optional |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 1 file changed, 6 insertions(+), 2 deletions(-) | 15 | 1 file changed, 6 insertions(+), 2 deletions(-) |
16 | 16 | ||
17 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 17 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
18 | index 7b717d3ba..3b07b368d 100644 | 18 | index 52c7b5346..d9f21b6bf 100644 |
19 | --- a/policy/modules/system/systemd.te | 19 | --- a/policy/modules/system/systemd.te |
20 | +++ b/policy/modules/system/systemd.te | 20 | +++ b/policy/modules/system/systemd.te |
21 | @@ -298,10 +298,14 @@ init_unit_file(systemd_user_manager_unit_t) | 21 | @@ -305,10 +305,14 @@ init_unit_file(systemd_user_manager_unit_t) |
22 | 22 | ||
23 | type systemd_conf_home_t; | 23 | type systemd_conf_home_t; |
24 | init_unit_file(systemd_conf_home_t) | 24 | init_unit_file(systemd_conf_home_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch index 94ac31b..140af4e 100644 --- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5a0bbd1920205f488b6a4565f7217b9d0825067b Mon Sep 17 00:00:00 2001 | 1 | From cb1c9ffb1c8f2c615731c2afae81b687a59b94c4 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] fc/hostname: apply policy to common yocto hostname | 4 | Subject: [PATCH] fc/hostname: apply policy to common yocto hostname |
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index eff0255..13a0343 100644 --- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c9219d2f7be1e641b3866b770a9b570c12333b93 Mon Sep 17 00:00:00 2001 | 1 | From 23f156d0adc37eb9f6f8308c28da4db0bac48200 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:37:32 -0400 | 3 | Date: Thu, 28 Mar 2019 21:37:32 -0400 |
4 | Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash | 4 | Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 1 file changed, 1 insertion(+) | 15 | 1 file changed, 1 insertion(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | 17 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
18 | index 0c05c693d..b70940928 100644 | 18 | index f031e1704..30ac066e4 100644 |
19 | --- a/policy/modules/kernel/corecommands.fc | 19 | --- a/policy/modules/kernel/corecommands.fc |
20 | +++ b/policy/modules/kernel/corecommands.fc | 20 | +++ b/policy/modules/kernel/corecommands.fc |
21 | @@ -142,6 +142,7 @@ ifdef(`distro_gentoo',` | 21 | @@ -144,6 +144,7 @@ ifdef(`distro_gentoo',` |
22 | /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) | 22 | /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) |
23 | /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) | 23 | /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) |
24 | /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) | 24 | /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index 06c8087..e3d9e93 100644 --- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 51631a7eaaea1fab4b36a2488497cf725317ce6e Mon Sep 17 00:00:00 2001 | 1 | From 10df3192847b50162c7f404b6c5bd1a010951112 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 4 Apr 2019 10:45:03 -0400 | 3 | Date: Thu, 4 Apr 2019 10:45:03 -0400 |
4 | Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly | 4 | Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly |
diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch index 70c5566..a1125d8 100644 --- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch +++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1c61b10d21a22d4110bc880b23477295f6cd9efb Mon Sep 17 00:00:00 2001 | 1 | From 61900d0f5576fa0cd8297a011f60cb9a40cefc7b Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:43:53 -0400 | 3 | Date: Thu, 28 Mar 2019 21:43:53 -0400 |
4 | Subject: [PATCH] fc/login: apply login context to login.shadow | 4 | Subject: [PATCH] fc/login: apply login context to login.shadow |
@@ -12,11 +12,11 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
12 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
13 | 13 | ||
14 | diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc | 14 | diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc |
15 | index 50efcff7b..5cb48882c 100644 | 15 | index adb53a05a..a25a9d607 100644 |
16 | --- a/policy/modules/system/authlogin.fc | 16 | --- a/policy/modules/system/authlogin.fc |
17 | +++ b/policy/modules/system/authlogin.fc | 17 | +++ b/policy/modules/system/authlogin.fc |
18 | @@ -6,6 +6,7 @@ | 18 | @@ -8,6 +8,7 @@ |
19 | /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) | 19 | /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_history_t,s0) |
20 | 20 | ||
21 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) | 21 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
22 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) | 22 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch index 2f9f703..26bc8a0 100644 --- a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e4d7d9fb1cb157bf205874e1a81d5719017866a1 Mon Sep 17 00:00:00 2001 | 1 | From e393201b6f3c0242ccc41dd86eada8be97326a08 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:59:18 -0400 | 3 | Date: Thu, 28 Mar 2019 21:59:18 -0400 |
4 | Subject: [PATCH] fc/hwclock: add hwclock alternatives | 4 | Subject: [PATCH] fc/hwclock: add hwclock alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch index 6e576a8..5449754 100644 --- a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ac6536f04674ccc051744e6eb3644e68fe38da33 Mon Sep 17 00:00:00 2001 | 1 | From 2d5ca79ed3f775878b91d76e952644b1347d5f9e Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 08:26:55 -0400 | 3 | Date: Fri, 29 Mar 2019 08:26:55 -0400 |
4 | Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives | 4 | Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch index 611c0d3..7fada95 100644 --- a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a56887ca448b60ad6715348b2cfe533e8109a040 Mon Sep 17 00:00:00 2001 | 1 | From d676349ee55f8c1c16b9d5c6770b9137391d396e Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 | 3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 |
4 | Subject: [PATCH] fc/ssh: apply policy to ssh alternatives | 4 | Subject: [PATCH] fc/ssh: apply policy to ssh alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch index 7af147d..5886168 100644 --- a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 47a5e9a0bd4960534998798ab1a5ab62e77b2b61 Mon Sep 17 00:00:00 2001 | 1 | From 6730f53849cce4d2586a6e6540f3e7aae1117236 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 | 3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 |
4 | Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives | 4 | Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch index bf562d6..2d1d287 100644 --- a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch +++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 00533fded8e2264f8bdc68c8ed79644a10e4e2ad Mon Sep 17 00:00:00 2001 | 1 | From cfb5cec05c98a65d8eb086868444a6e74e1f96bf Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 09:54:07 -0400 | 3 | Date: Fri, 29 Mar 2019 09:54:07 -0400 |
4 | Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries | 4 | Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries |
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch deleted file mode 100644 index 434fc1d..0000000 --- a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | From bbc6eb20e9509a61236051df7a5fa552a8f2654d Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 09:36:08 -0400 | ||
4 | Subject: [PATCH] fc/udev: apply policy to udevadm in libexec | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
10 | --- | ||
11 | policy/modules/system/udev.fc | 2 ++ | ||
12 | 1 file changed, 2 insertions(+) | ||
13 | |||
14 | diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc | ||
15 | index 7898ff01c..bc717e60c 100644 | ||
16 | --- a/policy/modules/system/udev.fc | ||
17 | +++ b/policy/modules/system/udev.fc | ||
18 | @@ -24,6 +24,8 @@ ifdef(`distro_debian',` | ||
19 | /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
20 | /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
21 | |||
22 | +/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) | ||
23 | + | ||
24 | ifdef(`distro_redhat',` | ||
25 | /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) | ||
26 | ') | ||
27 | -- | ||
28 | 2.25.1 | ||
29 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch index 32d38f1..f1138d6 100644 --- a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4b202554e646a60000c1acad7bbdfae1078bdc10 Mon Sep 17 00:00:00 2001 | 1 | From dd1663aaffec1f7b36097c742094c9c239342d9f Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 | 3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 |
4 | Subject: [PATCH] fc/su: apply policy to su alternatives | 4 | Subject: [PATCH] fc/su: apply policy to su alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch index de0aad7..4bc2bbc 100644 --- a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch +++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f64a5d6a2f2e72ae6c5122220eb759117b6384c8 Mon Sep 17 00:00:00 2001 | 1 | From 9cd6000d7d01cee2eb92038bf4361f603736200b Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 | 3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 |
4 | Subject: [PATCH] fc/fstools: fix real path for fstools | 4 | Subject: [PATCH] fc/fstools: fix real path for fstools |
@@ -10,11 +10,11 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | |||
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
12 | --- | 12 | --- |
13 | policy/modules/system/fstools.fc | 11 +++++++++++ | 13 | policy/modules/system/fstools.fc | 10 ++++++++++ |
14 | 1 file changed, 11 insertions(+) | 14 | 1 file changed, 10 insertions(+) |
15 | 15 | ||
16 | diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc | 16 | diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc |
17 | index 8fbd5ce44..2842afbcc 100644 | 17 | index 63423802d..124109a68 100644 |
18 | --- a/policy/modules/system/fstools.fc | 18 | --- a/policy/modules/system/fstools.fc |
19 | +++ b/policy/modules/system/fstools.fc | 19 | +++ b/policy/modules/system/fstools.fc |
20 | @@ -58,7 +58,9 @@ | 20 | @@ -58,7 +58,9 @@ |
@@ -41,7 +41,7 @@ index 8fbd5ce44..2842afbcc 100644 | |||
41 | /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 41 | /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
42 | /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 42 | /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
43 | /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 43 | /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
44 | @@ -83,24 +88,30 @@ | 44 | @@ -83,13 +88,16 @@ |
45 | /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 45 | /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
46 | /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 46 | /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
47 | /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 47 | /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
@@ -58,10 +58,7 @@ index 8fbd5ce44..2842afbcc 100644 | |||
58 | /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 58 | /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
59 | /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 59 | /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
60 | /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 60 | /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
61 | +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 61 | @@ -99,8 +107,10 @@ |
62 | /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
63 | /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
64 | /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
65 | /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 62 | /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
66 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 63 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
67 | /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 64 | /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
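Review bot: The refreshed 0013-fc-fstools patch no longer adds `/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)` (old line 61 is gone, the new side jumps straight to `@@ -99,8 +107,10 @@`, and the diffstat drops from 11 to 10 insertions), but nothing in the commit says whether upstream fstools.fc at the new rev now carries that entry. If it does not, `raw` falls back to the generic /usr/sbin label and loses the fsadm domain transition the patch was giving it, which is a silent policy regression rather than a refresh. Please confirm against upstream fstools.fc at 20231002+git and, if the entry was intentionally dropped, say so in the commit message ("Refresh patches" does not cover it). The same question applies to the deleted 0011-fc-udev patch (`/usr/libexec/udevadm`), which is presumably dropped because upstream now labels it, but that is inferred, not shown here.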
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch index 5e9c197..746a8be 100644 --- a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6d2a96abd1e292d0c34ff77501e618cfc193655f Mon Sep 17 00:00:00 2001 | 1 | From 4c6db6e9d637c6ecde7d104ae3544d18004d2a2c Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] fc/init: fix update-alternatives for sysvinit | 4 | Subject: [PATCH] fc/init: fix update-alternatives for sysvinit |
@@ -15,21 +15,21 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 3 files changed, 4 insertions(+) | 15 | 3 files changed, 4 insertions(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc | 17 | diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc |
18 | index bf51c103f..91ed72be0 100644 | 18 | index 89d682d36..354f4d1d9 100644 |
19 | --- a/policy/modules/admin/shutdown.fc | 19 | --- a/policy/modules/admin/shutdown.fc |
20 | +++ b/policy/modules/admin/shutdown.fc | 20 | +++ b/policy/modules/admin/shutdown.fc |
21 | @@ -5,5 +5,6 @@ | 21 | @@ -7,5 +7,6 @@ |
22 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
23 | 22 | ||
23 | /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
24 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 24 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
25 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | 25 | +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) |
26 | 26 | ||
27 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) | 27 | /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) |
28 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | 28 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
29 | index b70940928..e6077fd5b 100644 | 29 | index 30ac066e4..1edc035f3 100644 |
30 | --- a/policy/modules/kernel/corecommands.fc | 30 | --- a/policy/modules/kernel/corecommands.fc |
31 | +++ b/policy/modules/kernel/corecommands.fc | 31 | +++ b/policy/modules/kernel/corecommands.fc |
32 | @@ -151,6 +151,8 @@ ifdef(`distro_gentoo',` | 32 | @@ -153,6 +153,8 @@ ifdef(`distro_gentoo',` |
33 | /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) | 33 | /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) |
34 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) | 34 | /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) |
35 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) | 35 | /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) |
@@ -39,10 +39,10 @@ index b70940928..e6077fd5b 100644 | |||
39 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) | 39 | /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) |
40 | /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) | 40 | /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) |
41 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc | 41 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc |
42 | index 1a99e5824..7f0b7c699 100644 | 42 | index 9ebd6094c..e9e9eae85 100644 |
43 | --- a/policy/modules/system/init.fc | 43 | --- a/policy/modules/system/init.fc |
44 | +++ b/policy/modules/system/init.fc | 44 | +++ b/policy/modules/system/init.fc |
45 | @@ -41,6 +41,7 @@ ifdef(`distro_gentoo',` | 45 | @@ -48,6 +48,7 @@ ifdef(`distro_gentoo',` |
46 | /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | 46 | /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) |
47 | 47 | ||
48 | /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | 48 | /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch index b0ba609..c592e8e 100644 --- a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2e9c22ee83b7d4fea7b177ca8111c06e69338db9 Mon Sep 17 00:00:00 2001 | 1 | From e95592bb4138b7bbf3e7725144ac2cbe9cecc4cd Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:19:54 +0800 | 3 | Date: Fri, 15 Nov 2019 10:19:54 +0800 |
4 | Subject: [PATCH] fc/brctl: apply policy to brctl alternatives | 4 | Subject: [PATCH] fc/brctl: apply policy to brctl alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch index 58ac463..8047863 100644 --- a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c43f2d7ddf1d0c2185796e0297dd9f85b9663aaf Mon Sep 17 00:00:00 2001 | 1 | From 788d2c125f18dce9e0871fb260b4a0c394b9db53 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:21:51 +0800 | 3 | Date: Fri, 15 Nov 2019 10:21:51 +0800 |
4 | Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives | 4 | Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives |
@@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
11 | 1 file changed, 2 insertions(+) | 11 | 1 file changed, 2 insertions(+) |
12 | 12 | ||
13 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc | 13 | diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc |
14 | index e6077fd5b..0df59e837 100644 | 14 | index 1edc035f3..258d97c3c 100644 |
15 | --- a/policy/modules/kernel/corecommands.fc | 15 | --- a/policy/modules/kernel/corecommands.fc |
16 | +++ b/policy/modules/kernel/corecommands.fc | 16 | +++ b/policy/modules/kernel/corecommands.fc |
17 | @@ -306,6 +306,8 @@ ifdef(`distro_debian',` | 17 | @@ -308,6 +308,8 @@ ifdef(`distro_debian',` |
18 | /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) | 18 | /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) |
19 | /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) | 19 | /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) |
20 | /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) | 20 | /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) |
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch index 3c43254..3dd959c 100644 --- a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 11c95928e325aea7e4c41a9cdf969f9bdd306611 Mon Sep 17 00:00:00 2001 | 1 | From 03199ca4933ef2760c0e575a76e90521117ea4c3 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:43:28 +0800 | 3 | Date: Fri, 15 Nov 2019 10:43:28 +0800 |
4 | Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives | 4 | Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch index cbae4c5..1d902f2 100644 --- a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5841a5bd25e6017b6ccff4f56628ad6e950eadad Mon Sep 17 00:00:00 2001 | 1 | From ee9c65a2d3db145309bd2898223f8229915c304c Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:45:23 +0800 | 3 | Date: Fri, 15 Nov 2019 10:45:23 +0800 |
4 | Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives | 4 | Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives |
@@ -11,7 +11,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
11 | 1 file changed, 1 insertion(+) | 11 | 1 file changed, 1 insertion(+) |
12 | 12 | ||
13 | diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc | 13 | diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc |
14 | index cd69ea5d5..49ffe6f68 100644 | 14 | index 9243f3304..e13cf6a9b 100644 |
15 | --- a/policy/modules/services/ntp.fc | 15 | --- a/policy/modules/services/ntp.fc |
16 | +++ b/policy/modules/services/ntp.fc | 16 | +++ b/policy/modules/services/ntp.fc |
17 | @@ -25,6 +25,7 @@ | 17 | @@ -25,6 +25,7 @@ |
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch index 76e7fe9..778ed43 100644 --- a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8126ec521e5a0f72da098f5d90b5b5b392006b7c Mon Sep 17 00:00:00 2001 | 1 | From 435ae64d593cc09b1109d0457f7ba084259090e8 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:55:05 +0800 | 3 | Date: Fri, 15 Nov 2019 10:55:05 +0800 |
4 | Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives | 4 | Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch index a46c9c9..baad70c 100644 --- a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c71ea08245069001b56aadd7bb0af28e019f45e4 Mon Sep 17 00:00:00 2001 | 1 | From a1c0776ac6405d1b6aeadf07cc222f5cc9daa424 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:06:13 +0800 | 3 | Date: Fri, 15 Nov 2019 11:06:13 +0800 |
4 | Subject: [PATCH] fc/ldap: apply policy to ldap alternatives | 4 | Subject: [PATCH] fc/ldap: apply policy to ldap alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch index 0a0464f..8bce781 100644 --- a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 72726c1bc51628e6eb56e758f1e334f9b9a0f17e Mon Sep 17 00:00:00 2001 | 1 | From dd6dc74388daffba5c336059fbc046e632bee0f6 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:13:16 +0800 | 3 | Date: Fri, 15 Nov 2019 11:13:16 +0800 |
4 | Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives | 4 | Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch index e95cb3c..7fba90e 100644 --- a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 003a22f73563ef7b8b4ab6a6a0cb4a920a43570f Mon Sep 17 00:00:00 2001 | 1 | From 7d78632d5553fcddf12dd57de56ff15b057625ab Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:15:33 +0800 | 3 | Date: Fri, 15 Nov 2019 11:15:33 +0800 |
4 | Subject: [PATCH] fc/screen: apply policy to screen alternatives | 4 | Subject: [PATCH] fc/screen: apply policy to screen alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch index a92b809..b65e3b0 100644 --- a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From fdf7c2d27b6ecf08c88bb98e52a7d8284ac828af Mon Sep 17 00:00:00 2001 | 1 | From 074eff7d27765a1f489f3a787d7f6f64a890f07e Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:25:34 +0800 | 3 | Date: Fri, 15 Nov 2019 11:25:34 +0800 |
4 | Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives | 4 | Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch index f6fa8a0..b1a85b4 100644 --- a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch +++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 863ece4fd9815997486c04ce89180707435669e4 Mon Sep 17 00:00:00 2001 | 1 | From dca38e304bb64a5c3a18d02521f56ffe461ec126 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 16:07:30 +0800 | 3 | Date: Fri, 15 Nov 2019 16:07:30 +0800 |
4 | Subject: [PATCH] fc/getty: add file context to start_getty | 4 | Subject: [PATCH] fc/getty: add file context to start_getty |
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch index 7f63b14..de97331 100644 --- a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5bb33b7d9d7915399cca7d8c6fbdd9c0e27c1cd8 Mon Sep 17 00:00:00 2001 | 1 | From ae142b7d993a7f03b6ff1cf4f7a49c3aec77fe1c Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Wed, 18 Dec 2019 15:04:41 +0800 | 3 | Date: Wed, 18 Dec 2019 15:04:41 +0800 |
4 | Subject: [PATCH] fc/vlock: apply policy to vlock alternatives | 4 | Subject: [PATCH] fc/vlock: apply policy to vlock alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch index cfb2fd5..c47984d 100644 --- a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch +++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 574df1810c8f32bbf24b223f72f6622b0df7e82c Mon Sep 17 00:00:00 2001 | 1 | From 1096b2eb1172506006691e90769e51a086b8374f Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Tue, 30 Jun 2020 10:45:57 +0800 | 3 | Date: Tue, 30 Jun 2020 10:45:57 +0800 |
4 | Subject: [PATCH] fc: add fcontext for init scripts and systemd service files | 4 | Subject: [PATCH] fc: add fcontext for init scripts and systemd service files |
@@ -48,7 +48,7 @@ index 75c2f0617..fa881ba2e 100644 | |||
48 | 48 | ||
49 | /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) | 49 | /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) |
50 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | 50 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
51 | index 5681acb51..4ff5f990a 100644 | 51 | index 3b0dea51b..0ce2bec4b 100644 |
52 | --- a/policy/modules/system/logging.fc | 52 | --- a/policy/modules/system/logging.fc |
53 | +++ b/policy/modules/system/logging.fc | 53 | +++ b/policy/modules/system/logging.fc |
54 | @@ -24,6 +24,7 @@ | 54 | @@ -24,6 +24,7 @@ |
diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch index 82b4708..a527d94 100644 --- a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch +++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 01f57c996e09fb68daf3d97805c46c27a6d34304 Mon Sep 17 00:00:00 2001 | 1 | From 153bdbda047a3e769983000b4c8263eb4bfd2031 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Sun, 5 Apr 2020 22:03:45 +0800 | 3 | Date: Sun, 5 Apr 2020 22:03:45 +0800 |
4 | Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory | 4 | Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory |
diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch index 06b792a..5c4e023 100644 --- a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch +++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2e9b42143ccb92f04d8d57430b3ae1e9f55eb00e Mon Sep 17 00:00:00 2001 | 1 | From f08f3c554d70c9cd11f0297678bb4a29b8ab034b Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of | 4 | Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of |
@@ -14,11 +14,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
15 | --- | 15 | --- |
16 | policy/modules/system/logging.fc | 1 + | 16 | policy/modules/system/logging.fc | 1 + |
17 | policy/modules/system/logging.if | 9 +++++++++ | 17 | policy/modules/system/logging.if | 7 +++++++ |
18 | 2 files changed, 10 insertions(+) | 18 | 2 files changed, 8 insertions(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | 20 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
21 | index 4ff5f990a..dee26a9f4 100644 | 21 | index 0ce2bec4b..8957366b0 100644 |
22 | --- a/policy/modules/system/logging.fc | 22 | --- a/policy/modules/system/logging.fc |
23 | +++ b/policy/modules/system/logging.fc | 23 | +++ b/policy/modules/system/logging.fc |
24 | @@ -53,6 +53,7 @@ ifdef(`distro_suse', ` | 24 | @@ -53,6 +53,7 @@ ifdef(`distro_suse', ` |
@@ -30,10 +30,10 @@ index 4ff5f990a..dee26a9f4 100644 | |||
30 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) | 30 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) |
31 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) | 31 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) |
32 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | 32 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if |
33 | index cf7ef1721..b627cacb8 100644 | 33 | index 49028a0cb..4381d2e83 100644 |
34 | --- a/policy/modules/system/logging.if | 34 | --- a/policy/modules/system/logging.if |
35 | +++ b/policy/modules/system/logging.if | 35 | +++ b/policy/modules/system/logging.if |
36 | @@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',` | 36 | @@ -1091,10 +1091,12 @@ interface(`logging_append_all_inherited_logs',` |
37 | interface(`logging_read_all_logs',` | 37 | interface(`logging_read_all_logs',` |
38 | gen_require(` | 38 | gen_require(` |
39 | attribute logfile; | 39 | attribute logfile; |
@@ -46,20 +46,7 @@ index cf7ef1721..b627cacb8 100644 | |||
46 | read_files_pattern($1, logfile, logfile) | 46 | read_files_pattern($1, logfile, logfile) |
47 | ') | 47 | ') |
48 | 48 | ||
49 | @@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',` | 49 | @@ -1175,6 +1177,7 @@ interface(`logging_manage_generic_log_dirs',` |
50 | interface(`logging_exec_all_logs',` | ||
51 | gen_require(` | ||
52 | attribute logfile; | ||
53 | + type var_log_t; | ||
54 | ') | ||
55 | |||
56 | files_search_var($1) | ||
57 | allow $1 logfile:dir list_dir_perms; | ||
58 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
59 | can_exec($1, logfile) | ||
60 | ') | ||
61 | |||
62 | @@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',` | ||
63 | 50 | ||
64 | files_search_var($1) | 51 | files_search_var($1) |
65 | allow $1 var_log_t:dir manage_dir_perms; | 52 | allow $1 var_log_t:dir manage_dir_perms; |
@@ -67,7 +54,7 @@ index cf7ef1721..b627cacb8 100644 | |||
67 | ') | 54 | ') |
68 | 55 | ||
69 | ######################################## | 56 | ######################################## |
70 | @@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',` | 57 | @@ -1195,6 +1198,7 @@ interface(`logging_relabel_generic_log_dirs',` |
71 | 58 | ||
72 | files_search_var($1) | 59 | files_search_var($1) |
73 | allow $1 var_log_t:dir relabel_dir_perms; | 60 | allow $1 var_log_t:dir relabel_dir_perms; |
@@ -75,7 +62,7 @@ index cf7ef1721..b627cacb8 100644 | |||
75 | ') | 62 | ') |
76 | 63 | ||
77 | ######################################## | 64 | ######################################## |
78 | @@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',` | 65 | @@ -1215,6 +1219,7 @@ interface(`logging_read_generic_logs',` |
79 | 66 | ||
80 | files_search_var($1) | 67 | files_search_var($1) |
81 | allow $1 var_log_t:dir list_dir_perms; | 68 | allow $1 var_log_t:dir list_dir_perms; |
@@ -83,7 +70,7 @@ index cf7ef1721..b627cacb8 100644 | |||
83 | read_files_pattern($1, var_log_t, var_log_t) | 70 | read_files_pattern($1, var_log_t, var_log_t) |
84 | ') | 71 | ') |
85 | 72 | ||
86 | @@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',` | 73 | @@ -1316,6 +1321,7 @@ interface(`logging_manage_generic_logs',` |
87 | 74 | ||
88 | files_search_var($1) | 75 | files_search_var($1) |
89 | manage_files_pattern($1, var_log_t, var_log_t) | 76 | manage_files_pattern($1, var_log_t, var_log_t) |
@@ -91,7 +78,7 @@ index cf7ef1721..b627cacb8 100644 | |||
91 | ') | 78 | ') |
92 | 79 | ||
93 | ######################################## | 80 | ######################################## |
94 | @@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',` | 81 | @@ -1334,6 +1340,7 @@ interface(`logging_watch_generic_logs_dir',` |
95 | ') | 82 | ') |
96 | 83 | ||
97 | allow $1 var_log_t:dir watch; | 84 | allow $1 var_log_t:dir watch; |
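Review bot: The refreshed 0028 patch silently drops its `logging_exec_all_logs` hunk (the old-side lines `+ type var_log_t;` and `+ allow $1 var_log_t:lnk_file read_lnk_file_perms;` near the `@@ -1127,10 +1129,12 @@` header), which is why the diffstat for logging.if goes from 9 to 7 insertions, yet neither the commit message ("Refresh patches") nor the patch description explains the removal. If the 20231002 refpolicy still defines `logging_exec_all_logs`, domains that use it lose the symlink-read rule this patch exists to add and will hit an AVC denial on `/var/log` when it is a symlink; if upstream removed the interface, that should be stated so the next refresh does not try to re-add the hunk. A one-line note in the patch body, e.g. `The logging_exec_all_logs hunk was dropped because that interface is no longer present upstream (verify against the 20231002 logging.if)`, would make the intent auditable; the rest of the patch's hunks are offset-only refreshes.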
diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch index ecfc018..2889ee8 100644 --- a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch +++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 26dc5529db7664ae248eba4dbc5d17915c371137 Mon Sep 17 00:00:00 2001 | 1 | From a40442cbc570b9b028ebc1da0115bc368e165c29 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 10:33:18 -0400 | 3 | Date: Fri, 29 Mar 2019 10:33:18 -0400 |
4 | Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink | 4 | Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink |
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
21 | index abd61e6bd..90d8ccd31 100644 | 21 | index 9d9a01fcc..45584dba6 100644 |
22 | --- a/policy/modules/system/logging.te | 22 | --- a/policy/modules/system/logging.te |
23 | +++ b/policy/modules/system/logging.te | 23 | +++ b/policy/modules/system/logging.te |
24 | @@ -420,6 +420,7 @@ files_search_spool(syslogd_t) | 24 | @@ -425,6 +425,7 @@ files_search_spool(syslogd_t) |
25 | 25 | ||
26 | # Allow access for syslog-ng | 26 | # Allow access for syslog-ng |
27 | allow syslogd_t var_log_t:dir { create setattr }; | 27 | allow syslogd_t var_log_t:dir { create setattr }; |
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch index 48e8acf..ee329b1 100644 --- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch +++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9052089dfc4f7466fcf304ab282c2e32933a5881 Mon Sep 17 00:00:00 2001 | 1 | From b4110d4f30f6dc82c810ceaf24911b1fadb0e7c4 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of | 4 | Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of |
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
18 | 2 files changed, 9 insertions(+) | 18 | 2 files changed, 9 insertions(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc | 20 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc |
21 | index f6ff6b079..279df3d3c 100644 | 21 | index 9a6f9d2d4..0f511c830 100644 |
22 | --- a/policy/modules/kernel/files.fc | 22 | --- a/policy/modules/kernel/files.fc |
23 | +++ b/policy/modules/kernel/files.fc | 23 | +++ b/policy/modules/kernel/files.fc |
24 | @@ -170,6 +170,7 @@ HOME_ROOT/lost\+found/.* <<none>> | 24 | @@ -171,6 +171,7 @@ HOME_ROOT/lost\+found/.* <<none>> |
25 | # /tmp | 25 | # /tmp |
26 | # | 26 | # |
27 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | 27 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) |
@@ -30,10 +30,10 @@ index f6ff6b079..279df3d3c 100644 | |||
30 | /tmp/\.journal <<none>> | 30 | /tmp/\.journal <<none>> |
31 | 31 | ||
32 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | 32 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
33 | index f7217b226..451f302af 100644 | 33 | index 9e4344d24..14b34a467 100644 |
34 | --- a/policy/modules/kernel/files.if | 34 | --- a/policy/modules/kernel/files.if |
35 | +++ b/policy/modules/kernel/files.if | 35 | +++ b/policy/modules/kernel/files.if |
36 | @@ -4750,6 +4750,7 @@ interface(`files_search_tmp',` | 36 | @@ -4780,6 +4780,7 @@ interface(`files_search_tmp',` |
37 | ') | 37 | ') |
38 | 38 | ||
39 | allow $1 tmp_t:dir search_dir_perms; | 39 | allow $1 tmp_t:dir search_dir_perms; |
@@ -41,7 +41,7 @@ index f7217b226..451f302af 100644 | |||
41 | ') | 41 | ') |
42 | 42 | ||
43 | ######################################## | 43 | ######################################## |
44 | @@ -4786,6 +4787,7 @@ interface(`files_list_tmp',` | 44 | @@ -4816,6 +4817,7 @@ interface(`files_list_tmp',` |
45 | ') | 45 | ') |
46 | 46 | ||
47 | allow $1 tmp_t:dir list_dir_perms; | 47 | allow $1 tmp_t:dir list_dir_perms; |
@@ -49,7 +49,7 @@ index f7217b226..451f302af 100644 | |||
49 | ') | 49 | ') |
50 | 50 | ||
51 | ######################################## | 51 | ######################################## |
52 | @@ -4822,6 +4824,7 @@ interface(`files_delete_tmp_dir_entry',` | 52 | @@ -4852,6 +4854,7 @@ interface(`files_delete_tmp_dir_entry',` |
53 | ') | 53 | ') |
54 | 54 | ||
55 | allow $1 tmp_t:dir del_entry_dir_perms; | 55 | allow $1 tmp_t:dir del_entry_dir_perms; |
@@ -57,7 +57,7 @@ index f7217b226..451f302af 100644 | |||
57 | ') | 57 | ') |
58 | 58 | ||
59 | ######################################## | 59 | ######################################## |
60 | @@ -4840,6 +4843,7 @@ interface(`files_read_generic_tmp_files',` | 60 | @@ -4870,6 +4873,7 @@ interface(`files_read_generic_tmp_files',` |
61 | ') | 61 | ') |
62 | 62 | ||
63 | read_files_pattern($1, tmp_t, tmp_t) | 63 | read_files_pattern($1, tmp_t, tmp_t) |
@@ -65,7 +65,7 @@ index f7217b226..451f302af 100644 | |||
65 | ') | 65 | ') |
66 | 66 | ||
67 | ######################################## | 67 | ######################################## |
68 | @@ -4858,6 +4862,7 @@ interface(`files_manage_generic_tmp_dirs',` | 68 | @@ -4888,6 +4892,7 @@ interface(`files_manage_generic_tmp_dirs',` |
69 | ') | 69 | ') |
70 | 70 | ||
71 | manage_dirs_pattern($1, tmp_t, tmp_t) | 71 | manage_dirs_pattern($1, tmp_t, tmp_t) |
@@ -73,7 +73,7 @@ index f7217b226..451f302af 100644 | |||
73 | ') | 73 | ') |
74 | 74 | ||
75 | ######################################## | 75 | ######################################## |
76 | @@ -4894,6 +4899,7 @@ interface(`files_manage_generic_tmp_files',` | 76 | @@ -4924,6 +4929,7 @@ interface(`files_manage_generic_tmp_files',` |
77 | ') | 77 | ') |
78 | 78 | ||
79 | manage_files_pattern($1, tmp_t, tmp_t) | 79 | manage_files_pattern($1, tmp_t, tmp_t) |
@@ -81,7 +81,7 @@ index f7217b226..451f302af 100644 | |||
81 | ') | 81 | ') |
82 | 82 | ||
83 | ######################################## | 83 | ######################################## |
84 | @@ -4930,6 +4936,7 @@ interface(`files_rw_generic_tmp_sockets',` | 84 | @@ -4960,6 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',` |
85 | ') | 85 | ') |
86 | 86 | ||
87 | rw_sock_files_pattern($1, tmp_t, tmp_t) | 87 | rw_sock_files_pattern($1, tmp_t, tmp_t) |
@@ -89,7 +89,7 @@ index f7217b226..451f302af 100644 | |||
89 | ') | 89 | ') |
90 | 90 | ||
91 | ######################################## | 91 | ######################################## |
92 | @@ -5137,6 +5144,7 @@ interface(`files_tmp_filetrans',` | 92 | @@ -5167,6 +5174,7 @@ interface(`files_tmp_filetrans',` |
93 | ') | 93 | ') |
94 | 94 | ||
95 | filetrans_pattern($1, tmp_t, $2, $3, $4) | 95 | filetrans_pattern($1, tmp_t, $2, $3, $4) |
diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch index 22ce8f2..ae6e5cf 100644 --- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From eed095029b270bbc49dc67d6b7b6b2fe9c3bca07 Mon Sep 17 00:00:00 2001 | 1 | From bd4f7608f50da4a829d9042311163922776146ca Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures | 4 | Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures |
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
17 | 1 file changed, 2 insertions(+) | 17 | 1 file changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 19 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
20 | index 90d8ccd31..d3b06db7d 100644 | 20 | index 45584dba6..8bc70b81d 100644 |
21 | --- a/policy/modules/system/logging.te | 21 | --- a/policy/modules/system/logging.te |
22 | +++ b/policy/modules/system/logging.te | 22 | +++ b/policy/modules/system/logging.te |
23 | @@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map; | 23 | @@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map; |
24 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 24 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
25 | allow auditd_t auditd_log_t:dir setattr; | 25 | allow auditd_t auditd_log_t:dir setattr; |
26 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 26 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
@@ -28,7 +28,7 @@ index 90d8ccd31..d3b06db7d 100644 | |||
28 | allow auditd_t var_log_t:dir search_dir_perms; | 28 | allow auditd_t var_log_t:dir search_dir_perms; |
29 | 29 | ||
30 | manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) | 30 | manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) |
31 | @@ -298,6 +299,7 @@ optional_policy(` | 31 | @@ -306,6 +307,7 @@ optional_policy(` |
32 | allow audisp_remote_t self:capability { setpcap setuid }; | 32 | allow audisp_remote_t self:capability { setpcap setuid }; |
33 | allow audisp_remote_t self:process { getcap setcap }; | 33 | allow audisp_remote_t self:process { getcap setcap }; |
34 | allow audisp_remote_t self:tcp_socket create_socket_perms; | 34 | allow audisp_remote_t self:tcp_socket create_socket_perms; |
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch index f62db74..9648dfd 100644 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3f24b88886fcd1a17248d8d674a02d01061d937a Mon Sep 17 00:00:00 2001 | 1 | From a23028f17d5e56e20ed3930b3075ba2d1c211b16 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in | 4 | Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in |
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch index 0b00f5a..e7b993e 100644 --- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9c84425bbcaef5913fb6e309b8811639134714ed Mon Sep 17 00:00:00 2001 | 1 | From 288c0c4b20a80846691d113a1759325b214d64f9 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Wed, 1 Jul 2020 08:44:07 +0800 | 3 | Date: Wed, 1 Jul 2020 08:44:07 +0800 |
4 | Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create | 4 | Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create |
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch new file mode 100644 index 0000000..e54d69e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 48da8a2589b1d5bce2609fd307ca009605d801c3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: enable support for | ||
5 | systemd-tmpfiles to manage all non-security files | ||
6 | |||
7 | Fixes: | ||
8 | systemd-tmpfiles[226]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission denied | ||
9 | systemd-tmpfiles[226]: Failed to create directory or subvolume "/var/lib/systemd/ephemeral-trees": Permission denied | ||
10 | |||
11 | AVC avc: denied { relabelfrom } for pid=226 comm="systemd-tmpfile" | ||
12 | name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t | ||
13 | tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0 | ||
14 | |||
15 | AVC avc: denied { write } for pid=226 comm="systemd-tmpfile" | ||
16 | name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t | ||
17 | tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0 | ||
18 | |||
19 | AVC avc: denied { create } for pid=226 comm="systemd-tmpfile" | ||
20 | name="ephemeral-trees" scontext=system_u:system_r:systemd_tmpfiles_t | ||
21 | tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0 | ||
22 | |||
23 | Upstream-Status: Inappropriate [embedded specific] | ||
24 | |||
25 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
26 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
27 | --- | ||
28 | policy/modules/system/systemd.te | 2 +- | ||
29 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
32 | index b6d575f87..70a45ac58 100644 | ||
33 | --- a/policy/modules/system/systemd.te | ||
34 | +++ b/policy/modules/system/systemd.te | ||
35 | @@ -10,7 +10,7 @@ policy_module(systemd) | ||
36 | ## Enable support for systemd-tmpfiles to manage all non-security files. | ||
37 | ## </p> | ||
38 | ## </desc> | ||
39 | -gen_tunable(systemd_tmpfiles_manage_all, false) | ||
40 | +gen_tunable(systemd_tmpfiles_manage_all, true) | ||
41 | |||
42 | ## <desc> | ||
43 | ## <p> | ||
44 | -- | ||
45 | 2.25.1 | ||
46 | |||
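Review bot: Flipping the source default of `gen_tunable(systemd_tmpfiles_manage_all, true)` switches on, for every image built from this layer, the full manage/relabel grant over all non-security files that the `<desc>` block above it describes, which is much broader than the two denials the description records (`/root/.ssh` under user_home_dir_t and `/var/lib/systemd/ephemeral-trees` under init_var_lib_t). This same commit already uses the narrower pattern in its 0035 patch (`systemd_tmpfilesd_managed(auditd_log_t)`), and the init_var_lib_t case could be covered the same way, e.g. `systemd_tmpfilesd_managed(init_var_lib_t)` in init.te; whether that interface also covers the `relabelfrom` on user_home_dir_t I cannot confirm from here, so the home-dir case may need its own rule. If the global default must stay on, setting the boolean from the image configuration would keep the policy source default at false and make the choice visible, and at minimum the flipped line deserves a why-comment such as `# OE: on by default - systemd-tmpfiles creates /root/.ssh and /var/lib/systemd/ephemeral-trees at boot`.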
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch new file mode 100644 index 0000000..05a0887 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From 1f7fb5de202cb30c45b4051b0bce6e9b1aa53ea8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Sat, 30 Sep 2023 17:20:29 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to | ||
5 | create /var/log/audit | ||
6 | |||
7 | Fixes: | ||
8 | systemd[1]: Starting Security Auditing Service... | ||
9 | auditd[246]: Could not open dir /var/log/audit (No such file or directory) | ||
10 | auditd[246]: The audit daemon is exiting. | ||
11 | systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED | ||
12 | systemd[1]: auditd.service: Failed with result 'exit-code'. | ||
13 | systemd[1]: Failed to start Security Auditing Service. | ||
14 | |||
15 | AVC avc: denied { create } for pid=224 comm="systemd-tmpfile" | ||
16 | name="audit" scontext=system_u:system_r:systemd_tmpfiles_t | ||
17 | tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 | ||
18 | |||
19 | Upstream-Status: Inappropriate [embedded specific] | ||
20 | |||
21 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
22 | --- | ||
23 | policy/modules/system/logging.te | 4 ++++ | ||
24 | 1 file changed, 4 insertions(+) | ||
25 | |||
26 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
27 | index 8bc70b81d..3cab14381 100644 | ||
28 | --- a/policy/modules/system/logging.te | ||
29 | +++ b/policy/modules/system/logging.te | ||
30 | @@ -27,6 +27,10 @@ type auditd_log_t; | ||
31 | files_security_file(auditd_log_t) | ||
32 | files_security_mountpoint(auditd_log_t) | ||
33 | |||
34 | +optional_policy(` | ||
35 | + systemd_tmpfilesd_managed(auditd_log_t) | ||
36 | +') | ||
37 | + | ||
38 | type audit_spool_t; | ||
39 | files_security_file(audit_spool_t) | ||
40 | files_security_mountpoint(audit_spool_t) | ||
41 | -- | ||
42 | 2.25.1 | ||
43 | |||
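Review bot: `auditd_log_t` is declared with `files_security_file(auditd_log_t)` two lines above the insertion, i.e. it is a security file type that the `systemd_tmpfiles_manage_all` grant deliberately excludes, and `systemd_tmpfilesd_managed(auditd_log_t)` now hands the tmpfiles domain rights over the audit log directory when the recorded denial is only `create` on one dir. If the interface grants the usual manage/relabel set (I cannot see its body here), the safer fix is to have `/var/log/audit` exist without tmpfiles involvement, e.g. packaged in the rootfs or created through the audit unit, since `/var/log` appears to be volatile on these images. If the rule stays, it should be documented as a deliberate exception, e.g. `# OE: /var/log is volatile; let systemd-tmpfiles create /var/log/audit for auditd (grants a non-security domain rights over a security file type)`, and a `tunable_policy` guard would let images that ship the directory opt out.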
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch deleted file mode 100644 index 43b2f4d..0000000 --- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch +++ /dev/null | |||
@@ -1,64 +0,0 @@ | |||
1 | From 6465e39b6dfe8daa88cab321e3cf44ccc9f1441d Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: enable support for | ||
5 | systemd-tmpfiles to manage all non-security files | ||
6 | |||
7 | Fixes: | ||
8 | systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied | ||
9 | systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied | ||
10 | systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied | ||
11 | |||
12 | avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/" | ||
13 | dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t | ||
14 | tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 | ||
15 | |||
16 | avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus" | ||
17 | dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t | ||
18 | tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir | ||
19 | permissive=0 | ||
20 | |||
21 | avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile" | ||
22 | name="log" dev="vda" ino=14129 | ||
23 | scontext=system_u:system_r:systemd_tmpfiles_t | ||
24 | tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 | ||
25 | |||
26 | avc: denied { create } for pid=137 comm="systemd-tmpfile" | ||
27 | name="audit" scontext=system_u:system_r:systemd_tmpfiles_t | ||
28 | tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 | ||
29 | |||
30 | Upstream-Status: Inappropriate [embedded specific] | ||
31 | |||
32 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
33 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
34 | --- | ||
35 | policy/modules/system/systemd.te | 6 +++++- | ||
36 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
37 | |||
38 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
39 | index ef25974ac..362248d17 100644 | ||
40 | --- a/policy/modules/system/systemd.te | ||
41 | +++ b/policy/modules/system/systemd.te | ||
42 | @@ -10,7 +10,7 @@ policy_module(systemd) | ||
43 | ## Enable support for systemd-tmpfiles to manage all non-security files. | ||
44 | ## </p> | ||
45 | ## </desc> | ||
46 | -gen_tunable(systemd_tmpfiles_manage_all, false) | ||
47 | +gen_tunable(systemd_tmpfiles_manage_all, true) | ||
48 | |||
49 | ## <desc> | ||
50 | ## <p> | ||
51 | @@ -1640,6 +1640,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) | ||
52 | files_relabelto_home(systemd_tmpfiles_t) | ||
53 | files_relabelto_etc_dirs(systemd_tmpfiles_t) | ||
54 | files_setattr_lock_dirs(systemd_tmpfiles_t) | ||
55 | + | ||
56 | +files_manage_non_auth_files(systemd_tmpfiles_t) | ||
57 | +files_relabel_non_auth_files(systemd_tmpfiles_t) | ||
58 | + | ||
59 | # for /etc/mtab | ||
60 | files_manage_etc_symlinks(systemd_tmpfiles_t) | ||
61 | |||
62 | -- | ||
63 | 2.25.1 | ||
64 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch index 56b6119..8f218ca 100644 --- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch +++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2acb5ddbd04c578a420418e3bcb572bbd2dfbae6 Mon Sep 17 00:00:00 2001 | 1 | From 5d53b5ab28038eb7e326ab577e0b5e0799c9500b Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Sat, 18 Dec 2021 09:26:43 +0800 | 3 | Date: Sat, 18 Dec 2021 09:26:43 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read | 4 | Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read |
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
27 | 1 file changed, 1 insertion(+) | 27 | 1 file changed, 1 insertion(+) |
28 | 28 | ||
29 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 29 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
30 | index 362248d17..4a1e06640 100644 | 30 | index 70a45ac58..42520f9f8 100644 |
31 | --- a/policy/modules/system/systemd.te | 31 | --- a/policy/modules/system/systemd.te |
32 | +++ b/policy/modules/system/systemd.te | 32 | +++ b/policy/modules/system/systemd.te |
33 | @@ -920,6 +920,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) | 33 | @@ -980,6 +980,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) |
34 | userdom_relabelto_user_runtime_dirs(systemd_logind_t) | 34 | userdom_relabelto_user_runtime_dirs(systemd_logind_t) |
35 | userdom_setattr_user_ttys(systemd_logind_t) | 35 | userdom_setattr_user_ttys(systemd_logind_t) |
36 | userdom_use_user_ttys(systemd_logind_t) | 36 | userdom_use_user_ttys(systemd_logind_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch index 78c4dc8..e7406e5 100644 --- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch +++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 51a7f8058fee569322c1a0597fccd36c318ad943 Mon Sep 17 00:00:00 2001 | 1 | From 11c172fe44a22341b686dc537fde4991b7a49ed5 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 28 Oct 2022 11:56:09 +0800 | 3 | Date: Fri, 28 Oct 2022 11:56:09 +0800 |
4 | Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file | 4 | Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file |
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
19 | 1 file changed, 2 insertions(+) | 19 | 1 file changed, 2 insertions(+) |
20 | 20 | ||
21 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 21 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
22 | index bb715a847..088c954f5 100644 | 22 | index 936381f25..a6b0c35f3 100644 |
23 | --- a/policy/modules/roles/sysadm.te | 23 | --- a/policy/modules/roles/sysadm.te |
24 | +++ b/policy/modules/roles/sysadm.te | 24 | +++ b/policy/modules/roles/sysadm.te |
25 | @@ -86,6 +86,8 @@ ifdef(`init_systemd',` | 25 | @@ -92,6 +92,8 @@ ifdef(`init_systemd',` |
26 | # LookupDynamicUserByUID on org.freedesktop.systemd1. | 26 | # LookupDynamicUserByUID on org.freedesktop.systemd1. |
27 | init_dbus_chat(sysadm_t) | 27 | init_dbus_chat(sysadm_t) |
28 | 28 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch index 85bb82b..6a48b3d 100644 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001 | 1 | From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Thu, 4 Feb 2021 10:48:54 +0800 | 3 | Date: Thu, 4 Feb 2021 10:48:54 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes | 4 | Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes |
@@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific] | |||
26 | 26 | ||
27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
28 | --- | 28 | --- |
29 | policy/modules/roles/sysadm.te | 2 ++ | 29 | policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++ |
30 | policy/modules/system/systemd.if | 21 ++++++++++++++++++++- | 30 | policy/modules/system/userdomain.if | 4 ++++ |
31 | 2 files changed, 22 insertions(+), 1 deletion(-) | 31 | 2 files changed, 34 insertions(+) |
32 | 32 | ||
33 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
34 | index 088c954f5..92f50fd5a 100644 | ||
35 | --- a/policy/modules/roles/sysadm.te | ||
36 | +++ b/policy/modules/roles/sysadm.te | ||
37 | @@ -98,6 +98,8 @@ ifdef(`init_systemd',` | ||
38 | |||
39 | # Allow sysadm to follow logs in the journal, i.e. with podman logs -f | ||
40 | systemd_watch_journal_dirs(sysadm_t) | ||
41 | + | ||
42 | + systemd_sysadm_user(sysadm_t) | ||
43 | ') | ||
44 | |||
45 | tunable_policy(`allow_ptrace',` | ||
46 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | 33 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
47 | index 9dc91fbb7..325ca548b 100644 | 34 | index 6054b5038..d89ad35b1 100644 |
48 | --- a/policy/modules/system/systemd.if | 35 | --- a/policy/modules/system/systemd.if |
49 | +++ b/policy/modules/system/systemd.if | 36 | +++ b/policy/modules/system/systemd.if |
50 | @@ -58,7 +58,7 @@ template(`systemd_role_template',` | 37 | @@ -199,6 +199,36 @@ template(`systemd_role_template',` |
51 | allow $1_systemd_t self:process { getsched signal }; | 38 | ') |
52 | allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms; | ||
53 | allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms; | ||
54 | - allow $1_systemd_t $3:process { setsched rlimitinh signal_perms }; | ||
55 | + allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure }; | ||
56 | corecmd_shell_domtrans($1_systemd_t, $3) | ||
57 | corecmd_bin_domtrans($1_systemd_t, $3) | ||
58 | |||
59 | @@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', ` | ||
60 | allow $1 systemd_machined_t:fd use; | ||
61 | allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; | ||
62 | ') | 39 | ') |
63 | + | 40 | |
64 | +######################################### | 41 | +###################################### |
65 | +## <summary> | 42 | +## <summary> |
66 | +## sysadm user for systemd --user | 43 | +## Admin role for systemd --user |
67 | +## </summary> | 44 | +## </summary> |
45 | +## <param name="prefix"> | ||
46 | +## <summary> | ||
47 | +## Prefix for generated types | ||
48 | +## </summary> | ||
49 | +## </param> | ||
68 | +## <param name="role"> | 50 | +## <param name="role"> |
69 | +## <summary> | 51 | +## <summary> |
70 | +## Role allowed access. | 52 | +## The admin role. |
53 | +## </summary> | ||
54 | +## </param> | ||
55 | +## <param name="userdomain"> | ||
56 | +## <summary> | ||
57 | +## The amdin domain for the role. | ||
71 | +## </summary> | 58 | +## </summary> |
72 | +## </param> | 59 | +## </param> |
73 | +# | 60 | +# |
74 | +interface(`systemd_sysadm_user',` | 61 | +template(`systemd_admin_role_extra',` |
75 | + gen_require(` | 62 | + gen_require(` |
76 | + type sysadm_systemd_t; | 63 | + type $1_systemd_t; |
77 | + ') | 64 | + ') |
78 | + | 65 | + |
79 | + allow sysadm_systemd_t self:capability { mknod sys_admin }; | 66 | + allow $1_systemd_t $3:process noatsecure; |
80 | + allow sysadm_systemd_t self:capability2 { bpf perfmon }; | 67 | + allow $1_systemd_t self:capability { mknod sys_admin }; |
68 | + allow $1_systemd_t self:capability2 { bpf perfmon }; | ||
81 | +') | 69 | +') |
70 | + | ||
71 | ###################################### | ||
72 | ## <summary> | ||
73 | ## Allow the specified domain to be started as a daemon by the | ||
74 | diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if | ||
75 | index 24c3cb012..80072c03e 100644 | ||
76 | --- a/policy/modules/system/userdomain.if | ||
77 | +++ b/policy/modules/system/userdomain.if | ||
78 | @@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',` | ||
79 | optional_policy(` | ||
80 | userhelper_exec($1_t) | ||
81 | ') | ||
82 | + | ||
83 | + optional_policy(` | ||
84 | + systemd_admin_role_extra($1, $1_r, $1_t) | ||
85 | + ') | ||
86 | ') | ||
87 | |||
88 | ######################################## | ||
82 | -- | 89 | -- |
83 | 2.25.1 | 90 | 2.25.1 |
84 | 91 | ||
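Review bot: The new `systemd_admin_role_extra` template grants `self:capability { mknod sys_admin }` and `capability2 { bpf perfmon }` to the `systemd --user` instance of every domain built through `userdom_admin_user_template`, whereas the removed side applied this only to `sysadm_systemd_t`; `sys_admin` is close to unconfined within the domain, so the denials that justify it (in the patch description above this hunk, outside my view) should be recorded next to the rules, e.g. `# admin systemd --user instances need sys_admin/bpf/perfmon (see patch description); review before adding further admin roles`. The `role` parameter `$2` is documented but never used in the template body, and the new doc line `## The amdin domain for the role.` should read `## The admin domain for the role.`. The `$3:process noatsecure` grant lets the admin shell inherit an unsanitised environment from the user's own systemd instance, which is probably acceptable for a same-user transition but deserves its own one-line comment.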
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch index c3b4b55..d3f035e 100644 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ccdd22cc2776b695f96faffc88699aa2b182e085 Mon Sep 17 00:00:00 2001 | 1 | From 15e29022299d44fbb172560b448c531b9714616b Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Sat, 15 Feb 2014 04:22:47 -0500 | 3 | Date: Sat, 15 Feb 2014 04:22:47 -0500 |
4 | Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted | 4 | Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted |
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
19 | 1 file changed, 1 insertion(+) | 19 | 1 file changed, 1 insertion(+) |
20 | 20 | ||
21 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | 21 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
22 | index d028723ce..97f49e58e 100644 | 22 | index e08df77a5..30b26841f 100644 |
23 | --- a/policy/modules/system/mount.te | 23 | --- a/policy/modules/system/mount.te |
24 | +++ b/policy/modules/system/mount.te | 24 | +++ b/policy/modules/system/mount.te |
25 | @@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t) | 25 | @@ -113,6 +113,7 @@ fs_dontaudit_write_all_image_files(mount_t) |
26 | 26 | ||
27 | mls_file_read_all_levels(mount_t) | 27 | mls_file_read_all_levels(mount_t) |
28 | mls_file_write_all_levels(mount_t) | 28 | mls_file_write_all_levels(mount_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch index d711612..46d4851 100644 --- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch +++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 64498d6cd30a0a65a24e3e7ab22cca5921c2db89 Mon Sep 17 00:00:00 2001 | 1 | From 183070b02b5ca9aeb8fd58c8c737b5f9589e9a12 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Mon, 28 Jan 2019 14:05:18 +0800 | 3 | Date: Mon, 28 Jan 2019 14:05:18 +0800 |
4 | Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance | 4 | Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance |
@@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
23 | 1 file changed, 2 insertions(+) | 23 | 1 file changed, 2 insertions(+) |
24 | 24 | ||
25 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 25 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
26 | index 92f50fd5a..8c154d474 100644 | 26 | index a6b0c35f3..68f7ab381 100644 |
27 | --- a/policy/modules/roles/sysadm.te | 27 | --- a/policy/modules/roles/sysadm.te |
28 | +++ b/policy/modules/roles/sysadm.te | 28 | +++ b/policy/modules/roles/sysadm.te |
29 | @@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t) | 29 | @@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch index d22dacf..9c602fe 100644 --- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e82c43e60ef52ba00e8f2af5b46b2a6d49331209 Mon Sep 17 00:00:00 2001 | 1 | From 3b93adc08461ebea92d018bf7704386426f129d3 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 | 3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 |
4 | Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted | 4 | Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 2 files changed, 7 insertions(+) | 15 | 2 files changed, 7 insertions(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | 17 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
18 | index 5124ae016..a40db8507 100644 | 18 | index e449160d8..9ef5e0b6f 100644 |
19 | --- a/policy/modules/kernel/kernel.te | 19 | --- a/policy/modules/kernel/kernel.te |
20 | +++ b/policy/modules/kernel/kernel.te | 20 | +++ b/policy/modules/kernel/kernel.te |
21 | @@ -368,6 +368,8 @@ mls_process_read_all_levels(kernel_t) | 21 | @@ -373,6 +373,8 @@ mls_process_read_all_levels(kernel_t) |
22 | mls_process_write_all_levels(kernel_t) | 22 | mls_process_write_all_levels(kernel_t) |
23 | mls_file_write_all_levels(kernel_t) | 23 | mls_file_write_all_levels(kernel_t) |
24 | mls_file_read_all_levels(kernel_t) | 24 | mls_file_read_all_levels(kernel_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch index 30c84f6..9598a41 100644 --- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9343914c0486b5aa6ff7cceeb8f6c399115e5fb3 Mon Sep 17 00:00:00 2001 | 1 | From 7b5cac323ea0638fcd5d35658f49c644f32d3442 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Tue, 30 Jun 2020 10:18:20 +0800 | 3 | Date: Tue, 30 Jun 2020 10:18:20 +0800 |
4 | Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading | 4 | Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading |
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index 932047a..fec9532 100644 --- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 057e4e6a6e2e87edcd6a93dd533620700b00b1c2 Mon Sep 17 00:00:00 2001 | 1 | From fd0d3887275237c1f1968d20972b535b9fdc9954 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Fri, 13 Oct 2017 07:20:40 +0000 | 3 | Date: Fri, 13 Oct 2017 07:20:40 +0000 |
4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for |
@@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
59 | 1 file changed, 2 insertions(+) | 59 | 1 file changed, 2 insertions(+) |
60 | 60 | ||
61 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | 61 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
62 | index a40db8507..40cd52825 100644 | 62 | index 9ef5e0b6f..8082cf6b7 100644 |
63 | --- a/policy/modules/kernel/kernel.te | 63 | --- a/policy/modules/kernel/kernel.te |
64 | +++ b/policy/modules/kernel/kernel.te | 64 | +++ b/policy/modules/kernel/kernel.te |
65 | @@ -370,6 +370,8 @@ mls_file_write_all_levels(kernel_t) | 65 | @@ -375,6 +375,8 @@ mls_file_write_all_levels(kernel_t) |
66 | mls_file_read_all_levels(kernel_t) | 66 | mls_file_read_all_levels(kernel_t) |
67 | mls_socket_write_all_levels(kernel_t) | 67 | mls_socket_write_all_levels(kernel_t) |
68 | mls_fd_use_all_levels(kernel_t) | 68 | mls_fd_use_all_levels(kernel_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 9e52b7f..5457079 100644 --- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c47e288e8950e7e92e3c90972ca7ef8ef9fc6a7f Mon Sep 17 00:00:00 2001 | 1 | From f2fcbcde9dc16985f1ffa43329fb47d36d132bd3 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Fri, 15 Jan 2016 03:47:05 -0500 | 3 | Date: Fri, 15 Jan 2016 03:47:05 -0500 |
4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for |
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
27 | 1 file changed, 4 insertions(+) | 27 | 1 file changed, 4 insertions(+) |
28 | 28 | ||
29 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 29 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
30 | index 97a75cf86..fee846cb5 100644 | 30 | index d19734d6f..8b9b8aa9a 100644 |
31 | --- a/policy/modules/system/init.te | 31 | --- a/policy/modules/system/init.te |
32 | +++ b/policy/modules/system/init.te | 32 | +++ b/policy/modules/system/init.te |
33 | @@ -229,6 +229,10 @@ mls_process_write_all_levels(init_t) | 33 | @@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t) |
34 | mls_fd_use_all_levels(init_t) | 34 | mls_fd_use_all_levels(init_t) |
35 | mls_process_set_level(init_t) | 35 | mls_process_set_level(init_t) |
36 | 36 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch index 1bfbb16..c61b403 100644 --- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch +++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From afd35f6c73551c674e5bfe7cc1832b6a0ea717a6 Mon Sep 17 00:00:00 2001 | 1 | From ff749bb5ba3786283c348bb2db160794ba74e20c Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 | 3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 |
4 | Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain | 4 | Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain |
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
43 | 1 file changed, 5 insertions(+) | 43 | 1 file changed, 5 insertions(+) |
44 | 44 | ||
45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
46 | index 4a1e06640..b44b9b2d7 100644 | 46 | index 42520f9f8..7a2041956 100644 |
47 | --- a/policy/modules/system/systemd.te | 47 | --- a/policy/modules/system/systemd.te |
48 | +++ b/policy/modules/system/systemd.te | 48 | +++ b/policy/modules/system/systemd.te |
49 | @@ -1694,6 +1694,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) | 49 | @@ -1813,6 +1813,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) |
50 | 50 | ||
51 | systemd_log_parse_environment(systemd_tmpfiles_t) | 51 | systemd_log_parse_environment(systemd_tmpfiles_t) |
52 | 52 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch index 800439c..da588ed 100644 --- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8aa70c13d63e093bff87ea938d35dcc76e5bdd56 Mon Sep 17 00:00:00 2001 | 1 | From a1d15d213fee3e40129968dbd9928d5012d541f7 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Thu, 18 Jun 2020 09:59:58 +0800 | 3 | Date: Thu, 18 Jun 2020 09:59:58 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t | 4 | Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t |
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
43 | 1 file changed, 12 insertions(+) | 43 | 1 file changed, 12 insertions(+) |
44 | 44 | ||
45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
46 | index b44b9b2d7..7b717d3ba 100644 | 46 | index 7a2041956..52c7b5346 100644 |
47 | --- a/policy/modules/system/systemd.te | 47 | --- a/policy/modules/system/systemd.te |
48 | +++ b/policy/modules/system/systemd.te | 48 | +++ b/policy/modules/system/systemd.te |
49 | @@ -373,6 +373,9 @@ files_search_var_lib(systemd_backlight_t) | 49 | @@ -383,6 +383,9 @@ files_search_var_lib(systemd_backlight_t) |
50 | fs_getattr_all_fs(systemd_backlight_t) | 50 | fs_getattr_all_fs(systemd_backlight_t) |
51 | fs_search_cgroup_dirs(systemd_backlight_t) | 51 | fs_search_cgroup_dirs(systemd_backlight_t) |
52 | 52 | ||
@@ -56,7 +56,7 @@ index b44b9b2d7..7b717d3ba 100644 | |||
56 | ####################################### | 56 | ####################################### |
57 | # | 57 | # |
58 | # Binfmt local policy | 58 | # Binfmt local policy |
59 | @@ -528,6 +531,9 @@ term_use_unallocated_ttys(systemd_generator_t) | 59 | @@ -545,6 +548,9 @@ term_use_unallocated_ttys(systemd_generator_t) |
60 | 60 | ||
61 | udev_read_runtime_files(systemd_generator_t) | 61 | udev_read_runtime_files(systemd_generator_t) |
62 | 62 | ||
@@ -66,7 +66,7 @@ index b44b9b2d7..7b717d3ba 100644 | |||
66 | ifdef(`distro_gentoo',` | 66 | ifdef(`distro_gentoo',` |
67 | corecmd_shell_entry_type(systemd_generator_t) | 67 | corecmd_shell_entry_type(systemd_generator_t) |
68 | ') | 68 | ') |
69 | @@ -922,6 +928,9 @@ userdom_setattr_user_ttys(systemd_logind_t) | 69 | @@ -982,6 +988,9 @@ userdom_setattr_user_ttys(systemd_logind_t) |
70 | userdom_use_user_ttys(systemd_logind_t) | 70 | userdom_use_user_ttys(systemd_logind_t) |
71 | domain_read_all_domains_state(systemd_logind_t) | 71 | domain_read_all_domains_state(systemd_logind_t) |
72 | 72 | ||
@@ -76,7 +76,7 @@ index b44b9b2d7..7b717d3ba 100644 | |||
76 | # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x | 76 | # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x |
77 | # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 | 77 | # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 |
78 | # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context | 78 | # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context |
79 | @@ -1412,6 +1421,9 @@ udev_read_runtime_files(systemd_rfkill_t) | 79 | @@ -1527,6 +1536,9 @@ udev_read_runtime_files(systemd_rfkill_t) |
80 | 80 | ||
81 | systemd_log_parse_environment(systemd_rfkill_t) | 81 | systemd_log_parse_environment(systemd_rfkill_t) |
82 | 82 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch index cb3894c..451e6bc 100644 --- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2afa5753f2ef8c7cee5ad0511c521d252bedf3e5 Mon Sep 17 00:00:00 2001 | 1 | From 8c45c5d48f7125ce47252c6ea36ed771c9baaf4d Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted | 4 | Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted |
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
18 | 1 file changed, 3 insertions(+) | 18 | 1 file changed, 3 insertions(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
21 | index d3b06db7d..f63965d4d 100644 | 21 | index 3cab14381..caf319f04 100644 |
22 | --- a/policy/modules/system/logging.te | 22 | --- a/policy/modules/system/logging.te |
23 | +++ b/policy/modules/system/logging.te | 23 | +++ b/policy/modules/system/logging.te |
24 | @@ -505,6 +505,9 @@ fs_getattr_all_fs(syslogd_t) | 24 | @@ -491,6 +491,9 @@ fs_getattr_all_fs(syslogd_t) |
25 | fs_search_auto_mountpoints(syslogd_t) | 25 | fs_search_auto_mountpoints(syslogd_t) |
26 | 26 | ||
27 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories | 27 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories |
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 16f0e4e..ebeee4f 100644 --- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f87bb3cb0843af69f9aecaef0a4052e04b15a630 Mon Sep 17 00:00:00 2001 | 1 | From 6867f764b99e48cfa6557e664c9ee8ae8947eb08 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Tue, 28 May 2019 16:41:37 +0800 | 3 | Date: Tue, 28 May 2019 16:41:37 +0800 |
4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for |
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
17 | 1 file changed, 1 insertion(+) | 17 | 1 file changed, 1 insertion(+) |
18 | 18 | ||
19 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 19 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
20 | index fee846cb5..df7f87f17 100644 | 20 | index 8b9b8aa9a..bd2ca0802 100644 |
21 | --- a/policy/modules/system/init.te | 21 | --- a/policy/modules/system/init.te |
22 | +++ b/policy/modules/system/init.te | 22 | +++ b/policy/modules/system/init.te |
23 | @@ -228,6 +228,7 @@ mls_file_write_all_levels(init_t) | 23 | @@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t) |
24 | mls_process_write_all_levels(init_t) | 24 | mls_process_write_all_levels(init_t) |
25 | mls_fd_use_all_levels(init_t) | 25 | mls_fd_use_all_levels(init_t) |
26 | mls_process_set_level(init_t) | 26 | mls_process_set_level(init_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch index fb56eca..3c418dd 100644 --- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch +++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f3c0f18b647631fd2ffc1e86c9e3f51cbf74d60f Mon Sep 17 00:00:00 2001 | 1 | From ad9b0e1542804060ac3cea69129c224074da6766 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Wed, 3 Feb 2016 04:16:06 -0500 | 3 | Date: Wed, 3 Feb 2016 04:16:06 -0500 |
4 | Subject: [PATCH] policy/modules/system/init: all init_t to read any level | 4 | Subject: [PATCH] policy/modules/system/init: all init_t to read any level |
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
22 | 1 file changed, 3 insertions(+) | 22 | 1 file changed, 3 insertions(+) |
23 | 23 | ||
24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
25 | index df7f87f17..671b5aef3 100644 | 25 | index bd2ca0802..e94a29a73 100644 |
26 | --- a/policy/modules/system/init.te | 26 | --- a/policy/modules/system/init.te |
27 | +++ b/policy/modules/system/init.te | 27 | +++ b/policy/modules/system/init.te |
28 | @@ -234,6 +234,9 @@ mls_key_write_all_levels(init_t) | 28 | @@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t) |
29 | mls_file_downgrade(init_t) | 29 | mls_file_downgrade(init_t) |
30 | mls_file_upgrade(init_t) | 30 | mls_file_upgrade(init_t) |
31 | 31 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch index aa02eb1..3931641 100644 --- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cb7a4ff6081f19d05b109512275ec9a537f2f6d2 Mon Sep 17 00:00:00 2001 | 1 | From 315a53e50dd8957787e3a71c57ffc8ac46d0c474 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 25 Feb 2016 04:25:08 -0500 | 3 | Date: Thu, 25 Feb 2016 04:25:08 -0500 |
4 | Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket | 4 | Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket |
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
22 | 1 file changed, 2 insertions(+) | 22 | 1 file changed, 2 insertions(+) |
23 | 23 | ||
24 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 24 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
25 | index f63965d4d..7e41596f4 100644 | 25 | index caf319f04..25e1d1397 100644 |
26 | --- a/policy/modules/system/logging.te | 26 | --- a/policy/modules/system/logging.te |
27 | +++ b/policy/modules/system/logging.te | 27 | +++ b/policy/modules/system/logging.te |
28 | @@ -223,6 +223,8 @@ miscfiles_read_localization(auditd_t) | 28 | @@ -235,6 +235,8 @@ miscfiles_read_localization(auditd_t) |
29 | 29 | ||
30 | mls_file_read_all_levels(auditd_t) | 30 | mls_file_read_all_levels(auditd_t) |
31 | mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory | 31 | mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory |
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index 16bdf84..9c38e7d 100644 --- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 023e7b92a805103c54aec06bbd9465e4fbf7a6f2 Mon Sep 17 00:00:00 2001 | 1 | From 1c275b335fd047c678b449bf90a75a7ac48c2b38 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Thu, 31 Oct 2019 17:35:59 +0800 | 3 | Date: Thu, 31 Oct 2019 17:35:59 +0800 |
4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 1 file changed, 1 insertion(+) | 15 | 1 file changed, 1 insertion(+) |
16 | 16 | ||
17 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | 17 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
18 | index 40cd52825..d08610543 100644 | 18 | index 8082cf6b7..63c2087f7 100644 |
19 | --- a/policy/modules/kernel/kernel.te | 19 | --- a/policy/modules/kernel/kernel.te |
20 | +++ b/policy/modules/kernel/kernel.te | 20 | +++ b/policy/modules/kernel/kernel.te |
21 | @@ -372,6 +372,7 @@ mls_socket_write_all_levels(kernel_t) | 21 | @@ -377,6 +377,7 @@ mls_socket_write_all_levels(kernel_t) |
22 | mls_fd_use_all_levels(kernel_t) | 22 | mls_fd_use_all_levels(kernel_t) |
23 | # https://bugzilla.redhat.com/show_bug.cgi?id=667370 | 23 | # https://bugzilla.redhat.com/show_bug.cgi?id=667370 |
24 | mls_file_downgrade(kernel_t) | 24 | mls_file_downgrade(kernel_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch index b916084..a0a726d 100644 --- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch +++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 55fe90eba640e6d52bb269176f45a3a5e2c3ed80 Mon Sep 17 00:00:00 2001 | 1 | From 95f5c28ce9ed0a6d955afa758988ef8542644a64 Mon Sep 17 00:00:00 2001 |
2 | From: Roy Li <rongqing.li@windriver.com> | 2 | From: Roy Li <rongqing.li@windriver.com> |
3 | Date: Sat, 22 Feb 2014 13:35:38 +0800 | 3 | Date: Sat, 22 Feb 2014 13:35:38 +0800 |
4 | Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any | 4 | Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any |
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch index c4dc87b..d1c0775 100644 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c9afe0dc30f51f7ad7b93b8878c88df1146272a0 Mon Sep 17 00:00:00 2001 | 1 | From 7af0a6b367cb21943d111c9f6386e40efdc02907 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Mon, 22 Feb 2021 11:28:12 +0800 | 3 | Date: Mon, 22 Feb 2021 11:28:12 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted | 4 | Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted |
@@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
24 | 1 file changed, 3 insertions(+) | 24 | 1 file changed, 3 insertions(+) |
25 | 25 | ||
26 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | 26 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
27 | index 325ca548b..b23b9bb0a 100644 | 27 | index d89ad35b1..00ac2f27e 100644 |
28 | --- a/policy/modules/system/systemd.if | 28 | --- a/policy/modules/system/systemd.if |
29 | +++ b/policy/modules/system/systemd.if | 29 | +++ b/policy/modules/system/systemd.if |
30 | @@ -196,6 +196,9 @@ template(`systemd_role_template',` | 30 | @@ -197,6 +197,9 @@ template(`systemd_role_template',` |
31 | xdg_read_config_files($1_systemd_t) | 31 | xdg_read_config_files($1_systemd_t) |
32 | xdg_read_data_files($1_systemd_t) | 32 | xdg_read_data_files($1_systemd_t) |
33 | ') | 33 | ') |
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch index ab87039..3be7027 100644 --- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch +++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7a65c9f3636b43f3a29349ea1c045d5281efa5aa Mon Sep 17 00:00:00 2001 | 1 | From 1536eaea2cc68074f55ca50eff2d129b7e1894d8 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Sat, 18 Dec 2021 17:31:45 +0800 | 3 | Date: Sat, 18 Dec 2021 17:31:45 +0800 |
4 | Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS | 4 | Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS |
@@ -31,10 +31,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
31 | 1 file changed, 2 insertions(+) | 31 | 1 file changed, 2 insertions(+) |
32 | 32 | ||
33 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 33 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
34 | index 7e41596f4..0c25457d6 100644 | 34 | index 25e1d1397..ba0fd10e0 100644 |
35 | --- a/policy/modules/system/logging.te | 35 | --- a/policy/modules/system/logging.te |
36 | +++ b/policy/modules/system/logging.te | 36 | +++ b/policy/modules/system/logging.te |
37 | @@ -447,6 +447,8 @@ allow syslogd_t syslogd_runtime_t:file map; | 37 | @@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map; |
38 | manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) | 38 | manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) |
39 | files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) | 39 | files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) |
40 | 40 | ||
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index a51312f..e9b0b1a 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc | |||
@@ -26,31 +26,31 @@ SRC_URI += " \ | |||
26 | file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ | 26 | file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ |
27 | file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \ | 27 | file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \ |
28 | file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \ | 28 | file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \ |
29 | file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ | 29 | file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ |
30 | file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ | 30 | file://0012-fc-su-apply-policy-to-su-alternatives.patch \ |
31 | file://0013-fc-su-apply-policy-to-su-alternatives.patch \ | 31 | file://0013-fc-fstools-fix-real-path-for-fstools.patch \ |
32 | file://0014-fc-fstools-fix-real-path-for-fstools.patch \ | 32 | file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \ |
33 | file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \ | 33 | file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \ |
34 | file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \ | 34 | file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ |
35 | file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ | 35 | file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ |
36 | file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ | 36 | file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ |
37 | file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ | 37 | file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ |
38 | file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ | 38 | file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \ |
39 | file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \ | 39 | file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ |
40 | file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ | 40 | file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \ |
41 | file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \ | 41 | file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ |
42 | file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ | 42 | file://0024-fc-getty-add-file-context-to-start_getty.patch \ |
43 | file://0025-fc-getty-add-file-context-to-start_getty.patch \ | 43 | file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \ |
44 | file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \ | 44 | file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \ |
45 | file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \ | 45 | file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \ |
46 | file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \ | 46 | file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \ |
47 | file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \ | 47 | file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \ |
48 | file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \ | 48 | file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ |
49 | file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ | 49 | file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \ |
50 | file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \ | 50 | file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ |
51 | file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ | 51 | file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ |
52 | file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ | 52 | file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \ |
53 | file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \ | 53 | file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \ |
54 | file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \ | 54 | file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \ |
55 | file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ | 55 | file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ |
56 | file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \ | 56 | file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \ |
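Review bot: The entry `file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch` is removed from SRC_URI at old line 29 and nothing in the hunk takes its place; the remaining lines only renumber the surviving patches and slot in `file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch`. The commit message says obsolete patches were dropped, but the hunk does not show what makes the udevadm-in-libexec file context unnecessary, so the removal cannot be verified from this diff alone. If the new refpolicy revision labels udevadm under the libexec path itself, a one-line remark above the list such as `# 0011 (udevadm in libexec) dropped: labelled by upstream fc since 20231002` would make that reviewable; if it does not, the binary would presumably keep a generic label and lose its udev file context on images where udevadm lives under /usr/lib/udev. Checking the installed path with `matchpathcon` on a built image would confirm either way.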
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index af3413b..1913ec8 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc | |||
@@ -1,8 +1,8 @@ | |||
1 | PV = "2.20221101+git${SRCPV}" | 1 | PV = "2.20231002+git${SRCPV}" |
2 | 2 | ||
3 | SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy" | 3 | SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" |
4 | 4 | ||
5 | SRCREV_refpolicy ?= "8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac" | 5 | SRCREV_refpolicy ?= "f3865abfc25a395c877a27074bd03c5fc22992dd" |
6 | 6 | ||
7 | UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)" | 7 | UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)" |
8 | 8 | ||