author | Yi Zhao <yi.zhao@windriver.com> | 2022-01-05 16:52:02 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2022-01-18 16:49:58 -0500 |
commit | d3902c823895ed3f7fe3f79a455f0e8e4d04c431 (patch) | |
tree | 220a6bb649d91fa0cd7fb9567646f7e802a8fcca | |
parent | eb5b607d396b185aecf7c6732acc9816853a71a6 (diff) | |
refpolicy: upgrade 20210203+git -> 20210908+git
* Update to latest git rev.
* Drop obsolete and useless patches.
* Rebase patches.
* Set POLICY_DISTRO from redhat to debian, which reduces the number of
local patches that have to be carried.
* Set max kernel policy version from 31 to 33.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
108 files changed, 1086 insertions, 2294 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb index c4c9031..2e95b9f 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_git.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb | |||
@@ -13,7 +13,8 @@ domains are unconfined. \ | |||
13 | 13 | ||
14 | SRC_URI += " \ | 14 | SRC_URI += " \ |
15 | file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \ | 15 | file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \ |
16 | file://0002-refpolicy-minimum-enable-nscd_use_shm.patch \ | 16 | file://0002-refpolicy-minimum-make-xdg-module-optional.patch \ |
17 | file://0003-refpolicy-minimum-enable-nscd_use_shm.patch \ | ||
17 | " | 18 | " |
18 | 19 | ||
19 | POLICY_NAME = "minimum" | 20 | POLICY_NAME = "minimum" |
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index de81d46..15226db 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb | |||
@@ -14,4 +14,5 @@ include refpolicy_${PV}.inc | |||
14 | 14 | ||
15 | SRC_URI += " \ | 15 | SRC_URI += " \ |
16 | file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ | 16 | file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ |
17 | file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch \ | ||
17 | " | 18 | " |
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch index 9f85980..c3a03f3 100644 --- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch +++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8a6052604e4f39ef9cbab62372006bc6f736dbed Mon Sep 17 00:00:00 2001 | 1 | From d39f2ddbfcfd6e224a50bf327a7bd0031d74d0c6 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 16:14:09 -0400 | 3 | Date: Thu, 28 Mar 2019 16:14:09 -0400 |
4 | Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths | 4 | Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 1 file changed, 6 insertions(+) | 15 | 1 file changed, 6 insertions(+) |
16 | 16 | ||
17 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | 17 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist |
18 | index 653d25d93..652e1dd35 100644 | 18 | index ba22ce7e7..23d4328f7 100644 |
19 | --- a/config/file_contexts.subs_dist | 19 | --- a/config/file_contexts.subs_dist |
20 | +++ b/config/file_contexts.subs_dist | 20 | +++ b/config/file_contexts.subs_dist |
21 | @@ -32,3 +32,9 @@ | 21 | @@ -33,3 +33,9 @@ |
22 | # not for refpolicy intern, but for /var/run using applications, | 22 | # not for refpolicy intern, but for /var/run using applications, |
23 | # like systemd tmpfiles or systemd socket configurations | 23 | # like systemd tmpfiles or systemd socket configurations |
24 | /var/run /run | 24 | /var/run /run |
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch index d300edd..f607cbb 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From dc757d6df2314d82029b23b409df8de22a4df45e Mon Sep 17 00:00:00 2001 | 1 | From 669293ddf351f231b34979a7d708601ccbd11930 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 | 3 | Date: Fri, 5 Apr 2019 11:53:28 -0400 |
4 | Subject: [PATCH] refpolicy-minimum: make sysadmin module optional | 4 | Subject: [PATCH] refpolicy-minimum: make sysadmin module optional |
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
22 | 2 files changed, 11 insertions(+), 7 deletions(-) | 22 | 2 files changed, 11 insertions(+), 7 deletions(-) |
23 | 23 | ||
24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
25 | index aa57a5661..9b03d3767 100644 | 25 | index 5a19f0e43..1f4a671dc 100644 |
26 | --- a/policy/modules/system/init.te | 26 | --- a/policy/modules/system/init.te |
27 | +++ b/policy/modules/system/init.te | 27 | +++ b/policy/modules/system/init.te |
28 | @@ -527,13 +527,15 @@ ifdef(`init_systemd',` | 28 | @@ -556,13 +556,15 @@ ifdef(`init_systemd',` |
29 | unconfined_write_keys(init_t) | 29 | unconfined_write_keys(init_t) |
30 | ') | 30 | ') |
31 | ',` | 31 | ',` |
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 89bc68e..9939b59 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001 | 1 | From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 | 3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 |
4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux | 4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux |
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux | |||
8 | user for root and normal users, so users could login in and run most | 8 | user for root and normal users, so users could login in and run most |
9 | commands and services on unconfined domains. | 9 | commands and services on unconfined domains. |
10 | 10 | ||
11 | Also add rules for users to run init scripts directly, instead of via | ||
12 | run_init. | ||
13 | |||
14 | Upstream-Status: Inappropriate [configuration] | 11 | Upstream-Status: Inappropriate [configuration] |
15 | 12 | ||
16 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
@@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
18 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 15 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
19 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
20 | --- | 17 | --- |
21 | config/appconfig-mcs/failsafe_context | 2 +- | 18 | config/appconfig-mcs/failsafe_context | 2 +- |
22 | config/appconfig-mcs/seusers | 4 +-- | 19 | config/appconfig-mcs/seusers | 4 ++-- |
23 | policy/modules/roles/sysadm.te | 1 + | 20 | policy/modules/system/unconfined.te | 5 +++++ |
24 | policy/modules/system/init.if | 42 +++++++++++++++++++++++---- | 21 | policy/users | 6 +++--- |
25 | policy/modules/system/unconfined.te | 7 +++++ | 22 | 4 files changed, 11 insertions(+), 6 deletions(-) |
26 | policy/users | 6 ++-- | ||
27 | 6 files changed, 50 insertions(+), 12 deletions(-) | ||
28 | 23 | ||
29 | diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context | 24 | diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context |
30 | index 999abd9a3..a50bde775 100644 | 25 | index 999abd9a3..a50bde775 100644 |
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644 | |||
42 | -__default__:user_u:s0 | 37 | -__default__:user_u:s0 |
43 | +root:unconfined_u:s0-mcs_systemhigh | 38 | +root:unconfined_u:s0-mcs_systemhigh |
44 | +__default__:unconfined_u:s0 | 39 | +__default__:unconfined_u:s0 |
45 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
46 | index ce7d77d31..1aff2c31a 100644 | ||
47 | --- a/policy/modules/roles/sysadm.te | ||
48 | +++ b/policy/modules/roles/sysadm.te | ||
49 | @@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t) | ||
50 | |||
51 | init_exec(sysadm_t) | ||
52 | init_admin(sysadm_t) | ||
53 | +init_script_role_transition(sysadm_r) | ||
54 | |||
55 | # Add/remove user home directories | ||
56 | userdom_manage_user_home_dirs(sysadm_t) | ||
57 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | ||
58 | index 98e94283f..eb6d5b32d 100644 | ||
59 | --- a/policy/modules/system/init.if | ||
60 | +++ b/policy/modules/system/init.if | ||
61 | @@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',` | ||
62 | # | ||
63 | interface(`init_spec_domtrans_script',` | ||
64 | gen_require(` | ||
65 | - type initrc_t, initrc_exec_t; | ||
66 | + type initrc_t; | ||
67 | + attribute init_script_file_type; | ||
68 | ') | ||
69 | |||
70 | files_list_etc($1) | ||
71 | - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
72 | + spec_domtrans_pattern($1, init_script_file_type, initrc_t) | ||
73 | |||
74 | ifdef(`distro_gentoo',` | ||
75 | gen_require(` | ||
76 | @@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',` | ||
77 | ') | ||
78 | |||
79 | ifdef(`enable_mcs',` | ||
80 | - range_transition $1 initrc_exec_t:process s0; | ||
81 | + range_transition $1 init_script_file_type:process s0; | ||
82 | ') | ||
83 | |||
84 | ifdef(`enable_mls',` | ||
85 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
86 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
87 | ') | ||
88 | ') | ||
89 | |||
90 | @@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',` | ||
91 | interface(`init_domtrans_script',` | ||
92 | gen_require(` | ||
93 | type initrc_t, initrc_exec_t; | ||
94 | + attribute init_script_file_type; | ||
95 | ') | ||
96 | |||
97 | files_list_etc($1) | ||
98 | domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
99 | |||
100 | ifdef(`enable_mcs',` | ||
101 | - range_transition $1 initrc_exec_t:process s0; | ||
102 | + range_transition $1 init_script_file_type:process s0; | ||
103 | ') | ||
104 | |||
105 | ifdef(`enable_mls',` | ||
106 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
107 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
108 | ') | ||
109 | ') | ||
110 | |||
111 | @@ -3532,3 +3534,31 @@ interface(`init_getrlimit',` | ||
112 | |||
113 | allow $1 init_t:process getrlimit; | ||
114 | ') | ||
115 | + | ||
116 | +######################################## | ||
117 | +## <summary> | ||
118 | +## Transition to system_r when execute an init script | ||
119 | +## </summary> | ||
120 | +## <desc> | ||
121 | +## <p> | ||
122 | +## Execute a init script in a specified role | ||
123 | +## </p> | ||
124 | +## <p> | ||
125 | +## No interprocess communication (signals, pipes, | ||
126 | +## etc.) is provided by this interface since | ||
127 | +## the domains are not owned by this module. | ||
128 | +## </p> | ||
129 | +## </desc> | ||
130 | +## <param name="source_role"> | ||
131 | +## <summary> | ||
132 | +## Role to transition from. | ||
133 | +## </summary> | ||
134 | +## </param> | ||
135 | +# | ||
136 | +interface(`init_script_role_transition',` | ||
137 | + gen_require(` | ||
138 | + attribute init_script_file_type; | ||
139 | + ') | ||
140 | + | ||
141 | + role_transition $1 init_script_file_type system_r; | ||
142 | +') | ||
143 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | 40 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
144 | index 385c88695..87adb7e9d 100644 | 41 | index 4972094cb..b6d769412 100644 |
145 | --- a/policy/modules/system/unconfined.te | 42 | --- a/policy/modules/system/unconfined.te |
146 | +++ b/policy/modules/system/unconfined.te | 43 | +++ b/policy/modules/system/unconfined.te |
147 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; | 44 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; |
@@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644 | |||
156 | 53 | ||
157 | ######################################## | 54 | ######################################## |
158 | # | 55 | # |
159 | @@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f | ||
160 | ifdef(`direct_sysadm_daemon',` | ||
161 | optional_policy(` | ||
162 | init_run_daemon(unconfined_t, unconfined_r) | ||
163 | + init_domtrans_script(unconfined_t) | ||
164 | + init_script_role_transition(unconfined_r) | ||
165 | ') | ||
166 | ',` | ||
167 | ifdef(`distro_gentoo',` | ||
168 | diff --git a/policy/users b/policy/users | 56 | diff --git a/policy/users b/policy/users |
169 | index ca203758c..e737cd9cc 100644 | 57 | index ca203758c..e737cd9cc 100644 |
170 | --- a/policy/users | 58 | --- a/policy/users |
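Review bot: The rebased patch still maps `__default__:unconfined_u:s0` in seusers (new side, lines 37-39), which gives unconfined_t to every Linux account that has no explicit seusers entry — service and system accounts included, not only "root and normal users" as the patch description says; one sentence in the description stating that, and that confining any account on a targeted image means adding it to seusers explicitly, would save the next reader a surprise. The description and diffstat were correctly trimmed to match the dropped init.if and sysadm.te hunks. I cannot see the body of the unconfined.te hunk at `@@ -20,6 +20,11 @@`, so I am not commenting on what its five added lines grant.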
diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch index 5907c4d..d2b8139 100644 --- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0ee7bc5f28ffae30b1a1f40edd96cfed993db667 Mon Sep 17 00:00:00 2001 | 1 | From 974befcafcee1377e122f19a4182f74eea757158 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 20:48:10 -0400 | 3 | Date: Thu, 28 Mar 2019 20:48:10 -0400 |
4 | Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr | 4 | Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr |
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
15 | 1 file changed, 6 insertions(+) | 15 | 1 file changed, 6 insertions(+) |
16 | 16 | ||
17 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | 17 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist |
18 | index 652e1dd35..a38d58e16 100644 | 18 | index 23d4328f7..690007f22 100644 |
19 | --- a/config/file_contexts.subs_dist | 19 | --- a/config/file_contexts.subs_dist |
20 | +++ b/config/file_contexts.subs_dist | 20 | +++ b/config/file_contexts.subs_dist |
21 | @@ -38,3 +38,9 @@ | 21 | @@ -39,3 +39,9 @@ |
22 | # volatile hierarchy. | 22 | # volatile hierarchy. |
23 | /var/volatile/log /var/log | 23 | /var/volatile/log /var/log |
24 | /var/volatile/tmp /var/tmp | 24 | /var/volatile/tmp /var/tmp |
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch new file mode 100644 index 0000000..84764e5 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 1ff0e212ce737bba59d90977a58a15250bc84ea9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 29 Sep 2021 11:08:49 +0800 | ||
4 | Subject: [PATCH] refpolicy-minimum: make xdg module optional | ||
5 | |||
6 | The systemd module invokes xdg_config_content and xdg_data_content | ||
7 | interfaces which are from xdg module. Since xdg is not a core module, we | ||
8 | could make it optional in minimum policy. | ||
9 | |||
10 | Upstream-Status: Inappropriate [embedded specific] | ||
11 | |||
12 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
13 | --- | ||
14 | policy/modules/system/systemd.te | 8 ++++++-- | ||
15 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
16 | |||
17 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
18 | index 8cea6baa1..218834495 100644 | ||
19 | --- a/policy/modules/system/systemd.te | ||
20 | +++ b/policy/modules/system/systemd.te | ||
21 | @@ -276,10 +276,14 @@ files_type(systemd_update_run_t) | ||
22 | |||
23 | type systemd_conf_home_t; | ||
24 | init_unit_file(systemd_conf_home_t) | ||
25 | -xdg_config_content(systemd_conf_home_t) | ||
26 | +optional_policy(` | ||
27 | + xdg_config_content(systemd_conf_home_t) | ||
28 | +') | ||
29 | |||
30 | type systemd_data_home_t; | ||
31 | -xdg_data_content(systemd_data_home_t) | ||
32 | +optional_policy(` | ||
33 | + xdg_data_content(systemd_data_home_t) | ||
34 | +') | ||
35 | |||
36 | type systemd_user_runtime_notify_t; | ||
37 | userdom_user_runtime_content(systemd_user_runtime_notify_t) | ||
38 | -- | ||
39 | 2.17.1 | ||
40 | |||
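Review bot: With `xdg_data_content(systemd_data_home_t)` now inside `optional_policy`, a minimum build without the xdg module leaves `systemd_data_home_t` declared with no other attribute-assigning call in this hunk, whereas `systemd_conf_home_t` still gets `init_unit_file`, so the two types are no longer treated alike when xdg is absent. If the type is also referenced from systemd.fc, files labeled with it would then fall outside the generic file-type rules; adding `files_type(systemd_data_home_t)` outside the optional block, or stating in the patch description that the type is intentionally inert without xdg, would make the intent explicit. I cannot see systemd.fc or the xdg interfaces here, so confirm what `xdg_data_content` would otherwise have supplied. The `Upstream-Status: Inappropriate [embedded specific]` tag also looks debatable, since the description argues xdg is not a core module, which is a general refpolicy modularity point rather than an embedded one.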
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch new file mode 100644 index 0000000..e4c081d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 29 Sep 2021 16:43:54 +0800 | ||
4 | Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for | ||
5 | unconfined_t | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { bpf } for pid=433 comm="systemd" capability=39 | ||
9 | scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
10 | tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
11 | tclass=capability2 permissive=0 | ||
12 | |||
13 | avc: denied { perfmon } for pid=433 comm="systemd" capability=38 | ||
14 | scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
15 | tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
16 | tclass=capability2 permissive=0 | ||
17 | |||
18 | type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3 | ||
19 | subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc: | ||
20 | denied { reload } for auid=n/a uid=0 gid=0 cmdline="" | ||
21 | scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
22 | tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
23 | tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0 | ||
24 | hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root" | ||
25 | UID="root" GID="root" SAUID="root" | ||
26 | |||
27 | Upstream-Status: Inappropriate [embedded specific] | ||
28 | |||
29 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
30 | --- | ||
31 | policy/modules/system/unconfined.if | 5 +++++ | ||
32 | 1 file changed, 5 insertions(+) | ||
33 | |||
34 | diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if | ||
35 | index a139cfe78..807e959c3 100644 | ||
36 | --- a/policy/modules/system/unconfined.if | ||
37 | +++ b/policy/modules/system/unconfined.if | ||
38 | @@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',` | ||
39 | files_start_etc_service($1) | ||
40 | files_stop_etc_service($1) | ||
41 | |||
42 | + ifdef(`init_systemd',` | ||
43 | + allow $1 self:capability2 { bpf perfmon }; | ||
44 | + allow $1 self:system reload; | ||
45 | + ') | ||
46 | + | ||
47 | tunable_policy(`allow_execheap',` | ||
48 | # Allow making the stack executable via mprotect. | ||
49 | allow $1 self:process execheap; | ||
50 | -- | ||
51 | 2.17.1 | ||
52 | |||
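Review bot: The new rules are added inside `unconfined_domain_noaudit`, so they apply to every domain that calls that interface, not only to `unconfined_t` as the patch title states; the interface's callers are not visible here, so confirm how many domains receive CAP_BPF and CAP_PERFMON before accepting a grant that wide. `allow $1 self:system reload;` is also absent from the title, although the USER_AVC in the description shows it is needed (it appears to be systemd checking a manager reload request); the title should say so, e.g. `refpolicy-targeted: allow unconfined domains capability2 bpf/perfmon and system reload`. A narrower alternative that matches the current title is placing these rules on `unconfined_t` in unconfined.te under the same `ifdef(init_systemd)`, or at least a comment above the block explaining why the grant belongs to all unconfined domains. Both denials come from pid 433 `comm="systemd"` running as unconfined_t, which is consistent with the targeted policy's default user mapping, so the fix itself looks right — only its scope is broader than documented.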
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch index db3f9c3..6596e76 100644 --- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e0c34d0feb5305b1397f252d698501b641277517 Mon Sep 17 00:00:00 2001 | 1 | From 9c6f3c5acc01607a67277f69faa67e34dc98232b Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] fc/hostname: apply policy to common yocto hostname | 4 | Subject: [PATCH] fc/hostname: apply policy to common yocto hostname |
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch index 5598c70..edf9caa 100644 --- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch +++ b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From d71b79cc9b174181934d588f64baa5637c8e85d1 Mon Sep 17 00:00:00 2001 | 1 | From 5f992b59a74cc6cde8fd20162a11065dc30fd7ab Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 26 Feb 2021 09:13:23 +0800 | 3 | Date: Fri, 26 Feb 2021 09:13:23 +0800 |
4 | Subject: [PATCH] policy/modules/services/nscd: enable nscd_use_shm | 4 | Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm |
5 | 5 | ||
6 | Fixes: | 6 | Fixes: |
7 | avc: denied { listen } for pid=199 comm="systemd-resolve" | 7 | avc: denied { listen } for pid=199 comm="systemd-resolve" |
diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index 4a6d5eb..cf333f1 100644 --- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8d2c24bc1e2ef8ddf3cf7a08297cfab8a8a92b0d Mon Sep 17 00:00:00 2001 | 1 | From bbc8b58fe5fe709dfadbffc86e17ebd2d76a257c Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:37:32 -0400 | 3 | Date: Thu, 28 Mar 2019 21:37:32 -0400 |
4 | Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash | 4 | Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash |
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index cb36ac4..078c246 100644 --- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 85a77289d193bb3335c78f6d51b4ae2b81249952 Mon Sep 17 00:00:00 2001 | 1 | From 3cccdec2aaa273ca09100ca957f4968a25f4f3a3 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 4 Apr 2019 10:45:03 -0400 | 3 | Date: Thu, 4 Apr 2019 10:45:03 -0400 |
4 | Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly | 4 | Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly |
diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch index 30bbe07..b4747f7 100644 --- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch +++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 253ab75676232be5522fc628b0819d0c48a08c03 Mon Sep 17 00:00:00 2001 | 1 | From 9a1e1c7b65cb3f5ab97ce05463ca02a3eaa57d86 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:43:53 -0400 | 3 | Date: Thu, 28 Mar 2019 21:43:53 -0400 |
4 | Subject: [PATCH] fc/login: apply login context to login.shadow | 4 | Subject: [PATCH] fc/login: apply login context to login.shadow |
@@ -12,17 +12,17 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
12 | 1 file changed, 1 insertion(+) | 12 | 1 file changed, 1 insertion(+) |
13 | 13 | ||
14 | diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc | 14 | diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc |
15 | index 7fd315706..fa86d6f92 100644 | 15 | index 50efcff7b..5cb48882c 100644 |
16 | --- a/policy/modules/system/authlogin.fc | 16 | --- a/policy/modules/system/authlogin.fc |
17 | +++ b/policy/modules/system/authlogin.fc | 17 | +++ b/policy/modules/system/authlogin.fc |
18 | @@ -5,6 +5,7 @@ | 18 | @@ -6,6 +6,7 @@ |
19 | /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) | 19 | /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) |
20 | 20 | ||
21 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) | 21 | /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) |
22 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) | 22 | +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) |
23 | /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) | 23 | /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) |
24 | /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) | 24 | /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) |
25 | /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) | 25 | /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0) |
26 | -- | 26 | -- |
27 | 2.17.1 | 27 | 2.17.1 |
28 | 28 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch deleted file mode 100644 index 351b30e..0000000 --- a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch +++ /dev/null | |||
@@ -1,32 +0,0 @@ | |||
1 | From 7e61e5d715451bafd785ec7db01e24e726e31c35 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Thu, 28 Mar 2019 21:58:53 -0400 | ||
4 | Subject: [PATCH] fc/bind: fix real path for bind | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
11 | --- | ||
12 | policy/modules/services/bind.fc | 2 ++ | ||
13 | 1 file changed, 2 insertions(+) | ||
14 | |||
15 | diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc | ||
16 | index ce68a0af9..585103eb9 100644 | ||
17 | --- a/policy/modules/services/bind.fc | ||
18 | +++ b/policy/modules/services/bind.fc | ||
19 | @@ -1,8 +1,10 @@ | ||
20 | /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | ||
21 | +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | ||
22 | /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) | ||
23 | |||
24 | /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) | ||
25 | /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) | ||
26 | +/etc/bind/rndc\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) | ||
27 | /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) | ||
28 | /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) | ||
29 | /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) | ||
30 | -- | ||
31 | 2.17.1 | ||
32 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch index 75c8e7f..33f6a10 100644 --- a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c7e69aa036d16a57709684fd2f72959f9a4ac251 Mon Sep 17 00:00:00 2001 | 1 | From 73716015ab28a9474912902e9467f2d2a864ecd0 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Thu, 28 Mar 2019 21:59:18 -0400 | 3 | Date: Thu, 28 Mar 2019 21:59:18 -0400 |
4 | Subject: [PATCH] fc/hwclock: add hwclock alternatives | 4 | Subject: [PATCH] fc/hwclock: add hwclock alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch index 3c939de..5f2ffdf 100644 --- a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0fe5ae0d1b5f4268b04ba6c6134324385bb630a2 Mon Sep 17 00:00:00 2001 | 1 | From 504e8429500ab0984adfd52bb09a3e993b87f2f1 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 08:26:55 -0400 | 3 | Date: Fri, 29 Mar 2019 08:26:55 -0400 |
4 | Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives | 4 | Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch index 2a89acc..585850b 100644 --- a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e2d9462c5f26dc02f7d547548d8a94bfd79ea88f Mon Sep 17 00:00:00 2001 | 1 | From 8ad451ceff2ba4ea26290a7ba9918406a90bb10f Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 | 3 | Date: Fri, 29 Mar 2019 09:20:58 -0400 |
4 | Subject: [PATCH] fc/ssh: apply policy to ssh alternatives | 4 | Subject: [PATCH] fc/ssh: apply policy to ssh alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch index 9d7d71c..0621923 100644 --- a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From dc3edc3b65dccf57d4cb22eb220498c2a5d9685f Mon Sep 17 00:00:00 2001 | 1 | From c85fd7d9c45770b31de44bb35521e2251882df10 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 | 3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 |
4 | Subject: [PATCH] fc/sysnetwork: apply policy to ip alternatives | 4 | Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [embedded specific] | 6 | Upstream-Status: Inappropriate [embedded specific] |
7 | 7 | ||
@@ -10,14 +10,22 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | |||
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
12 | --- | 12 | --- |
13 | policy/modules/system/sysnetwork.fc | 3 +++ | 13 | policy/modules/system/sysnetwork.fc | 4 ++++ |
14 | 1 file changed, 3 insertions(+) | 14 | 1 file changed, 4 insertions(+) |
15 | 15 | ||
16 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc | 16 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
17 | index c9ec4e5ab..c3291962d 100644 | 17 | index c9ec4e5ab..4ca151524 100644 |
18 | --- a/policy/modules/system/sysnetwork.fc | 18 | --- a/policy/modules/system/sysnetwork.fc |
19 | +++ b/policy/modules/system/sysnetwork.fc | 19 | +++ b/policy/modules/system/sysnetwork.fc |
20 | @@ -60,13 +60,16 @@ ifdef(`distro_redhat',` | 20 | @@ -44,6 +44,7 @@ ifdef(`distro_redhat',` |
21 | /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | ||
22 | /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
23 | /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
24 | +/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
25 | /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
26 | /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
27 | /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
28 | @@ -60,13 +61,16 @@ ifdef(`distro_redhat',` | ||
21 | /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 29 | /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
22 | /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 30 | /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
23 | /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 31 | /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
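Review bot: The new `/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)` entry (new-side line 24) lands in a hunk whose header names `ifdef(`distro_redhat',`` as the nearest enclosing context; if that `/usr/bin` block is still inside the distro_redhat conditional, the entry is inert now that this series builds with POLICY_DISTRO set to debian, so it is worth confirming against the rebased sysnetwork.fc that the line sits in an unconditional (or distro_debian) section. Git's hunk-header function name is only the closest preceding alphabetic line, not proof of nesting, so this may well be a false alarm. The subject was also widened to "network commands alternatives" while the visible hunk adds only the ifconfig alternate; the /usr/sbin additions are outside the visible hunk, so a one-line note in the patch description naming which alternatives are covered would make the rename self-explanatory.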
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch index 0bb05e3..cc3e529 100644 --- a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch +++ b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9afd44d1300bc858c1569344fc1271e0468edad9 Mon Sep 17 00:00:00 2001 | 1 | From aa2635a54f9c36205ebc469f799a56ece01ac610 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 09:36:08 -0400 | 3 | Date: Fri, 29 Mar 2019 09:36:08 -0400 |
4 | Subject: [PATCH] fc/udev: apply policy to udevadm in libexec | 4 | Subject: [PATCH] fc/udev: apply policy to udevadm in libexec |
@@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
12 | 1 file changed, 2 insertions(+) | 12 | 1 file changed, 2 insertions(+) |
13 | 13 | ||
14 | diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc | 14 | diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc |
15 | index c88189fb7..ad4c0bba2 100644 | 15 | index 7898ff01c..bc717e60c 100644 |
16 | --- a/policy/modules/system/udev.fc | 16 | --- a/policy/modules/system/udev.fc |
17 | +++ b/policy/modules/system/udev.fc | 17 | +++ b/policy/modules/system/udev.fc |
18 | @@ -24,6 +24,8 @@ ifdef(`distro_debian',` | 18 | @@ -24,6 +24,8 @@ ifdef(`distro_debian',` |
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch index 55f0444..b039f53 100644 --- a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch +++ b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 79e58207060c25d5f2484ed164ab74413d00792a Mon Sep 17 00:00:00 2001 | 1 | From faf757c732c9a022499b584cea64ce1fcc78e118 Mon Sep 17 00:00:00 2001 |
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | 2 | From: Joe MacDonald <joe_macdonald@mentor.com> |
3 | Date: Fri, 29 Mar 2019 09:54:07 -0400 | 3 | Date: Fri, 29 Mar 2019 09:54:07 -0400 |
4 | Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries | 4 | Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries |
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch index 8d1c9aa..14c7d5b 100644 --- a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a1281be5b894c0c6dc3471a1e6b6c910bab7aa46 Mon Sep 17 00:00:00 2001 | 1 | From 52853ae9ee13038c5ffae8616858c442d412a2b8 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 | 3 | Date: Thu, 13 Feb 2014 00:33:07 -0500 |
4 | Subject: [PATCH] fc/su: apply policy to su alternatives | 4 | Subject: [PATCH] fc/su: apply policy to su alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch index a9fbe33..c2e0ca8 100644 --- a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch +++ b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 02f6557320c60d895397650a59c39708c8e63d27 Mon Sep 17 00:00:00 2001 | 1 | From 4f3a637c0385204c0b87806d158e106fb9f88972 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 | 3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 |
4 | Subject: [PATCH] fc/fstools: fix real path for fstools | 4 | Subject: [PATCH] fc/fstools: fix real path for fstools |
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch index a2e5762..b3ab0cc 100644 --- a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f7860456e3867e6d9c24a7e07bc9e518f65ec478 Mon Sep 17 00:00:00 2001 | 1 | From e1439aa43af6ef15b35eac3cdbf0cea561768362 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] fc/init: fix update-alternatives for sysvinit | 4 | Subject: [PATCH] fc/init: fix update-alternatives for sysvinit |
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch index 9da5acc..b9812b7 100644 --- a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 3a83de3883d0e287c0b6647e87a93d2cdc48aa10 Mon Sep 17 00:00:00 2001 | 1 | From 274066b3397b53d63134aee94a0148d9c7d1886d Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:19:54 +0800 | 3 | Date: Fri, 15 Nov 2019 10:19:54 +0800 |
4 | Subject: [PATCH] fc/brctl: apply policy to brctl alternatives | 4 | Subject: [PATCH] fc/brctl: apply policy to brctl alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch index 4c1ac26..e0ddc5e 100644 --- a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5219bc4e0b3147455fecb1485e8387573207070c Mon Sep 17 00:00:00 2001 | 1 | From ab0267f77e38bcda797cfe00ba6fa49ba89e334a Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:21:51 +0800 | 3 | Date: Fri, 15 Nov 2019 10:21:51 +0800 |
4 | Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives | 4 | Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch index acd2663..2fe3740 100644 --- a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2b3b5d43040e939e836ea5c9803f0b27641e50a4 Mon Sep 17 00:00:00 2001 | 1 | From cfb86acce9fe9da9b88c853c0b22d48d99602fbb Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:43:28 +0800 | 3 | Date: Fri, 15 Nov 2019 10:43:28 +0800 |
4 | Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives | 4 | Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch index c40413a..4b046ce 100644 --- a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5308969204d535391cb766ba5aa4b5479f64248c Mon Sep 17 00:00:00 2001 | 1 | From e159e70b533b500390337ec666d678c7424afb90 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:45:23 +0800 | 3 | Date: Fri, 15 Nov 2019 10:45:23 +0800 |
4 | Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives | 4 | Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch index 8d9ccd8..9d2e6fa 100644 --- a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 89a54472ea0195ec19c291374e88e55b40107ff8 Mon Sep 17 00:00:00 2001 | 1 | From 95797c20fb68558b9f37ded3f1cc9a4ef09717f9 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 10:55:05 +0800 | 3 | Date: Fri, 15 Nov 2019 10:55:05 +0800 |
4 | Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives | 4 | Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch index c88dcd9..e0b7b9e 100644 --- a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1130a43390bf41adb7747d0cc62c85c4320806cb Mon Sep 17 00:00:00 2001 | 1 | From 6b43af067ec45bce1b7059fc549e246f53311d3a Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:06:13 +0800 | 3 | Date: Fri, 15 Nov 2019 11:06:13 +0800 |
4 | Subject: [PATCH] fc/ldap: apply policy to ldap alternatives | 4 | Subject: [PATCH] fc/ldap: apply policy to ldap alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch index ddd78b0..4a1a2dc 100644 --- a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 184f1dfe4cbff9c5ff2cbe865d4e7427f100ff59 Mon Sep 17 00:00:00 2001 | 1 | From 5f664c3a38853129fa1703032822c203dbeaf0a6 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:13:16 +0800 | 3 | Date: Fri, 15 Nov 2019 11:13:16 +0800 |
4 | Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives | 4 | Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch index 7ae54d9..9ae9435 100644 --- a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e114e09928232dd9eed568a4717dca2094f6e4ad Mon Sep 17 00:00:00 2001 | 1 | From 2d1634127f8f5c9ec98f866711b8d15b7df815d1 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:15:33 +0800 | 3 | Date: Fri, 15 Nov 2019 11:15:33 +0800 |
4 | Subject: [PATCH] fc/screen: apply policy to screen alternatives | 4 | Subject: [PATCH] fc/screen: apply policy to screen alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch index e6fbba0..2dbdcf4 100644 --- a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 62a5f9dee28411f1d88a2101e507c15780467b2f Mon Sep 17 00:00:00 2001 | 1 | From 2323a6ab69c4a74ab127c16e38f14616a289b3d1 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 11:25:34 +0800 | 3 | Date: Fri, 15 Nov 2019 11:25:34 +0800 |
4 | Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives | 4 | Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives |
@@ -7,24 +7,26 @@ Upstream-Status: Inappropriate [embedded specific] | |||
7 | 7 | ||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
9 | --- | 9 | --- |
10 | policy/modules/admin/usermanage.fc | 4 ++++ | 10 | policy/modules/admin/usermanage.fc | 6 ++++++ |
11 | 1 file changed, 4 insertions(+) | 11 | 1 file changed, 6 insertions(+) |
12 | 12 | ||
13 | diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc | 13 | diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc |
14 | index 620eefc6f..6a051f8a5 100644 | 14 | index 620eefc6f..bf1ff09ab 100644 |
15 | --- a/policy/modules/admin/usermanage.fc | 15 | --- a/policy/modules/admin/usermanage.fc |
16 | +++ b/policy/modules/admin/usermanage.fc | 16 | +++ b/policy/modules/admin/usermanage.fc |
17 | @@ -4,7 +4,9 @@ ifdef(`distro_debian',` | 17 | @@ -4,7 +4,11 @@ ifdef(`distro_debian',` |
18 | 18 | ||
19 | /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) | 19 | /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) |
20 | /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) | 20 | /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) |
21 | +/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) | 21 | +/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) |
22 | +/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
22 | /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) | 23 | /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) |
23 | +/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) | 24 | +/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) |
25 | +/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) | ||
24 | /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) | 26 | /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) |
25 | /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) | 27 | /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) |
26 | /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) | 28 | /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) |
27 | @@ -14,6 +16,7 @@ ifdef(`distro_debian',` | 29 | @@ -14,6 +18,7 @@ ifdef(`distro_debian',` |
28 | /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 30 | /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
29 | /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 31 | /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
30 | /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) | 32 | /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) |
@@ -32,7 +34,7 @@ index 620eefc6f..6a051f8a5 100644 | |||
32 | /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 34 | /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
33 | /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 35 | /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
34 | /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) | 36 | /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) |
35 | @@ -39,6 +42,7 @@ ifdef(`distro_debian',` | 37 | @@ -39,6 +44,7 @@ ifdef(`distro_debian',` |
36 | /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) | 38 | /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) |
37 | /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 39 | /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
38 | /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) | 40 | /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) |
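Review bot: The two new entries `/usr/bin/chfn\.util-linux` and `/usr/bin/chsh\.util-linux` (new-side lines 22 and 25) give the util-linux alternates the same chfn_exec_t label as the shadow ones, which is what the update-alternatives symlink target needs for the domain transition to apply regardless of which provider is selected, but the patch description above says nothing about why two suffixes exist; a sentence such as `Both shadow and util-linux provide chfn/chsh via update-alternatives; label every alternative target so the transition does not depend on which one is selected.` belongs there. Because chfn/chsh are setuid binaries, an unlabeled alternate would execute without the transition and stay in the caller's domain, so it is worth a check that no other alternative-providing recipe installs a `chfn.<pkg>`/`chsh.<pkg>` that this list misses. The hunk's enclosing `ifdef(`distro_debian',`` block starts before the visible lines.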
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch index d51faa5..c0d9cf4 100644 --- a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch +++ b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7be59b4d42165f7e12ccb8b2409304a2640eb898 Mon Sep 17 00:00:00 2001 | 1 | From dbd399143d6fbda828cfc9f2546bc730e0da584c Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Fri, 15 Nov 2019 16:07:30 +0800 | 3 | Date: Fri, 15 Nov 2019 16:07:30 +0800 |
4 | Subject: [PATCH] fc/getty: add file context to start_getty | 4 | Subject: [PATCH] fc/getty: add file context to start_getty |
diff --git a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch index d0bd7b4..71521e8 100644 --- a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1ee2b12fa1585bf765370e3e787081fe01ad990f Mon Sep 17 00:00:00 2001 | 1 | From 0280f05e2c9665f094d7098cd03e11d75908bcdb Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Wed, 18 Dec 2019 15:04:41 +0800 | 3 | Date: Wed, 18 Dec 2019 15:04:41 +0800 |
4 | Subject: [PATCH] fc/vlock: apply policy to vlock alternatives | 4 | Subject: [PATCH] fc/vlock: apply policy to vlock alternatives |
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch new file mode 100644 index 0000000..ca9b644 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 7f8b07b7af0c3cd8bbec49082b42011ac433df45 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 30 Jun 2020 10:45:57 +0800 | ||
4 | Subject: [PATCH] fc: add fcontext for init scripts and systemd service files | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/services/cron.fc | 1 + | ||
11 | policy/modules/services/rngd.fc | 1 + | ||
12 | policy/modules/services/rpc.fc | 2 ++ | ||
13 | policy/modules/system/logging.fc | 1 + | ||
14 | 4 files changed, 5 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc | ||
17 | index 827363d88..e8412396d 100644 | ||
18 | --- a/policy/modules/services/cron.fc | ||
19 | +++ b/policy/modules/services/cron.fc | ||
20 | @@ -1,4 +1,5 @@ | ||
21 | /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) | ||
22 | +/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) | ||
23 | |||
24 | /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) | ||
25 | /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) | ||
26 | diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc | ||
27 | index 382c067f9..0ecc5acc4 100644 | ||
28 | --- a/policy/modules/services/rngd.fc | ||
29 | +++ b/policy/modules/services/rngd.fc | ||
30 | @@ -1,4 +1,5 @@ | ||
31 | /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) | ||
32 | +/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) | ||
33 | |||
34 | /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) | ||
35 | |||
36 | diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc | ||
37 | index 88d2acaf0..d9c0a4aa7 100644 | ||
38 | --- a/policy/modules/services/rpc.fc | ||
39 | +++ b/policy/modules/services/rpc.fc | ||
40 | @@ -1,7 +1,9 @@ | ||
41 | /etc/exports -- gen_context(system_u:object_r:exports_t,s0) | ||
42 | |||
43 | /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) | ||
44 | +/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) | ||
45 | /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) | ||
46 | +/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) | ||
47 | /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) | ||
48 | |||
49 | /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) | ||
50 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
51 | index 5681acb51..4ff5f990a 100644 | ||
52 | --- a/policy/modules/system/logging.fc | ||
53 | +++ b/policy/modules/system/logging.fc | ||
54 | @@ -24,6 +24,7 @@ | ||
55 | /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) | ||
56 | /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
57 | /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
58 | +/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
59 | /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
60 | /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
61 | |||
62 | -- | ||
63 | 2.17.1 | ||
64 | |||
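Review bot: The description of this new patch (lines 4-8) gives no rationale for the individual entries, which matters because it folds the deleted 0029-fc-cron patch (same cron.fc hunk, same index line) into a five-line multi-module change; a short list in the body such as `crond, rng-tools, nfsserver/nfscommon and syslog.service are the init-script and unit names shipped by the OE recipes rather than the refpolicy defaults` would let the next rebase tell which lines are still needed. The `/etc/rc\.d/init\.d/...` spellings presumably rely on refpolicy's subs_dist mapping of `/etc/init.d` onto `/etc/rc.d/init.d` — worth stating, since the OE images ship the scripts under `/etc/init.d`. `syslog.*\.service` (new-side line 58) also matches any unit whose name merely starts with "syslog", which mirrors the existing `rsyslog.*\.service` pattern and is probably intended, but the description should say which syslog provider it targets.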
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch b/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch deleted file mode 100644 index e34abe6..0000000 --- a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | From ac335f80d09f9ce4756f2e58944a975a12441fa7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 19 Nov 2019 14:33:28 +0800 | ||
4 | Subject: [PATCH] fc/init: add file context to /etc/network/if-* files | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/system/init.fc | 3 ++- | ||
11 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc | ||
14 | index 5268bddb2..a6762bd00 100644 | ||
15 | --- a/policy/modules/system/init.fc | ||
16 | +++ b/policy/modules/system/init.fc | ||
17 | @@ -75,11 +75,12 @@ ifdef(`distro_redhat',` | ||
18 | ifdef(`distro_debian',` | ||
19 | /run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0) | ||
20 | /run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0) | ||
21 | +') | ||
22 | + | ||
23 | /etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
24 | /etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
25 | /etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
26 | /etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
27 | -') | ||
28 | |||
29 | ifdef(`distro_gentoo', ` | ||
30 | /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) | ||
31 | -- | ||
32 | 2.17.1 | ||
33 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch index f65d1be..dc10350 100644 --- a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch +++ b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8c733eff8089c24fe6885977d2bdcdfb0c453726 Mon Sep 17 00:00:00 2001 | 1 | From 0bb081084a2d12f9041bfae195481d898b5a0ba1 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Sun, 5 Apr 2020 22:03:45 +0800 | 3 | Date: Sun, 5 Apr 2020 22:03:45 +0800 |
4 | Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory | 4 | Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory |
@@ -14,10 +14,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
14 | 1 file changed, 4 insertions(+) | 14 | 1 file changed, 4 insertions(+) |
15 | 15 | ||
16 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | 16 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist |
17 | index a38d58e16..3e4c5720f 100644 | 17 | index 690007f22..f80499ebf 100644 |
18 | --- a/config/file_contexts.subs_dist | 18 | --- a/config/file_contexts.subs_dist |
19 | +++ b/config/file_contexts.subs_dist | 19 | +++ b/config/file_contexts.subs_dist |
20 | @@ -44,3 +44,7 @@ | 20 | @@ -45,3 +45,7 @@ |
21 | /usr/lib/busybox/bin /usr/bin | 21 | /usr/lib/busybox/bin /usr/bin |
22 | /usr/lib/busybox/sbin /usr/sbin | 22 | /usr/lib/busybox/sbin /usr/sbin |
23 | /usr/lib/busybox/usr /usr | 23 | /usr/lib/busybox/usr /usr |
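--- a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a14d7d6fc54e7cf82d977c4b5c2df961c5eb1fe0 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 30 Jun 2020 10:45:57 +0800
-Subject: [PATCH] fc/cron: apply policy to /etc/init.d/crond
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/cron.fc | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 827363d88..e8412396d 100644
---- a/policy/modules/services/cron.fc
-+++ b/policy/modules/services/cron.fc
-@@ -1,4 +1,5 @@
-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
---
-2.17.1
-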
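--- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch
+++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -1,4 +1,4 @@
-From 456bb92237aa637f506fcc56b190eb534d745e41 Mon Sep 17 00:00:00 2001
+From 9c676fe5ff2a14206f25bf8ed932c305f13dcfdc Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2 files changed, 10 insertions(+)
 
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 5681acb51..a4ecd570a 100644
+index 4ff5f990a..dee26a9f4 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -52,6 +52,7 @@ ifdef(`distro_suse', `
+@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
 
 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -30,10 +30,10 @@ index 5681acb51..a4ecd570a 100644
 /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
 /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 10dee6563..9bb3afdb2 100644
+index 341763730..30d402c75 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -1065,10 +1065,12 @@ interface(`logging_append_all_inherited_logs',`
+@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',`
 interface(`logging_read_all_logs',`
 gen_require(`
 attribute logfile;
@@ -46,7 +46,7 @@ index 10dee6563..9bb3afdb2 100644
 read_files_pattern($1, logfile, logfile)
 ')
 
-@@ -1087,10 +1089,12 @@ interface(`logging_read_all_logs',`
+@@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',`
 interface(`logging_exec_all_logs',`
 gen_require(`
 attribute logfile;
@@ -59,7 +59,7 @@ index 10dee6563..9bb3afdb2 100644
 can_exec($1, logfile)
 ')
 
-@@ -1152,6 +1156,7 @@ interface(`logging_manage_generic_log_dirs',`
+@@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',`
 
 files_search_var($1)
 allow $1 var_log_t:dir manage_dir_perms;
@@ -67,7 +67,7 @@ index 10dee6563..9bb3afdb2 100644
 ')
 
 ########################################
-@@ -1172,6 +1177,7 @@ interface(`logging_relabel_generic_log_dirs',`
+@@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',`
 
 files_search_var($1)
 allow $1 var_log_t:dir relabel_dir_perms;
@@ -75,7 +75,7 @@ index 10dee6563..9bb3afdb2 100644
 ')
 
 ########################################
-@@ -1192,6 +1198,7 @@ interface(`logging_read_generic_logs',`
+@@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',`
 
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
@@ -83,7 +83,7 @@ index 10dee6563..9bb3afdb2 100644
 read_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -1293,6 +1300,7 @@ interface(`logging_manage_generic_logs',`
+@@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',`
 
 files_search_var($1)
 manage_files_pattern($1, var_log_t, var_log_t)
@@ -91,7 +91,7 @@ index 10dee6563..9bb3afdb2 100644
 ')
 
 ########################################
-@@ -1311,6 +1319,7 @@ interface(`logging_watch_generic_logs_dir',`
+@@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',`
 ')
 
 allow $1 var_log_t:dir watch;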
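--- a/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b3d2611360ddf21a3f8729766a1e4b64117ea710 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 4 Aug 2020 16:48:12 +0800
-Subject: [PATCH] fc/sysnetwork: update file context for ifconfig
-
-The ifconfig was moved from sbin to bin with oe-core commit:
-c9caff40ff61c08e24a84922f8d7c8e9cdf8883e. Update the file context for
-it.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/sysnetwork.fc | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index c3291962d..4ca151524 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
-/usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
---
-2.17.1
-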
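--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch
+++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch
@@ -1,4 +1,4 @@
-From 275597cbb54eb8007c07fc06c3d9bd3d3090f7f2 Mon Sep 17 00:00:00 2001
+From c9759b1024873819cf594fe7ac3bf06bcf0d959d Mon Sep 17 00:00:00 2001
 From: Joe MacDonald <joe_macdonald@mentor.com>
 Date: Fri, 29 Mar 2019 10:33:18 -0400
 Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
@@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 1 insertion(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 031e2f40f..673046781 100644
+index 21e3285a9..abee7df9c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -404,6 +404,7 @@ files_search_spool(syslogd_t)
+@@ -411,6 +411,7 @@ files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };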
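--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -1,4 +1,4 @@
-From 491783f2ae026ac969c9f6ef6eea1bd75ac7e2a5 Mon Sep 17 00:00:00 2001
+From fd55f9f292617c7475c62c07ed6c478b4bd9eda5 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
@@ -30,10 +30,10 @@ index 826722f4e..677ae96c3 100644
 /tmp/\.journal <<none>>
 
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 34a9cd66d..7fc7e922f 100644
+index 495cbe2f4..b308eefd9 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -4533,6 +4533,7 @@ interface(`files_search_tmp',`
+@@ -4555,6 +4555,7 @@ interface(`files_search_tmp',`
 ')
 
 allow $1 tmp_t:dir search_dir_perms;
@@ -41,7 +41,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4569,6 +4570,7 @@ interface(`files_list_tmp',`
+@@ -4591,6 +4592,7 @@ interface(`files_list_tmp',`
 ')
 
 allow $1 tmp_t:dir list_dir_perms;
@@ -49,7 +49,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4605,6 +4607,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4627,6 +4629,7 @@ interface(`files_delete_tmp_dir_entry',`
 ')
 
 allow $1 tmp_t:dir del_entry_dir_perms;
@@ -57,7 +57,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4623,6 +4626,7 @@ interface(`files_read_generic_tmp_files',`
+@@ -4645,6 +4648,7 @@ interface(`files_read_generic_tmp_files',`
 ')
 
 read_files_pattern($1, tmp_t, tmp_t)
@@ -65,7 +65,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4641,6 +4645,7 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4663,6 +4667,7 @@ interface(`files_manage_generic_tmp_dirs',`
 ')
 
 manage_dirs_pattern($1, tmp_t, tmp_t)
@@ -73,7 +73,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4659,6 +4664,7 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4699,6 +4704,7 @@ interface(`files_manage_generic_tmp_files',`
 ')
 
 manage_files_pattern($1, tmp_t, tmp_t)
@@ -81,7 +81,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4695,6 +4701,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4735,6 +4741,7 @@ interface(`files_rw_generic_tmp_sockets',`
 ')
 
 rw_sock_files_pattern($1, tmp_t, tmp_t)
@@ -89,7 +89,7 @@ index 34a9cd66d..7fc7e922f 100644
 ')
 
 ########################################
-@@ -4902,6 +4909,7 @@ interface(`files_tmp_filetrans',`
+@@ -4942,6 +4949,7 @@ interface(`files_tmp_filetrans',`
 ')
 
 filetrans_pattern($1, tmp_t, $2, $3, $4)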
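--- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,64 +1,41 @@
-From 25036d5f5c41e4215d071d9c1eb77760a0eca87c Mon Sep 17 00:00:00 2001
+From a196ae5e13b3f8e0d2e7ff27c8d481c9376b18e9 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
 
 Fixes:
-avc: denied { getattr } for pid=322 comm="auditd"
-path="/sbin/audisp-remote" dev="vda" ino=1115
-scontext=system_u:system_r:auditd_t
-tcontext=system_u:object_r:audisp_remote_exec_t tclass=file permissive=0
-
 avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
 ino=12552 scontext=system_u:system_r:auditd_t
 tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
 
-avc: denied { getattr } for pid=183 comm="auditctl" name="/"
-dev="proc" ino=1 scontext=system_u:system_r:auditctl_t
-tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
-
 Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
-policy/modules/system/logging.te | 5 +++++
-1 file changed, 5 insertions(+)
+policy/modules/system/logging.te | 2 ++
+1 file changed, 2 insertions(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 673046781..9b3254f63 100644
+index abee7df9c..cc530a2be 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -117,6 +117,7 @@ files_read_etc_files(auditctl_t)
-kernel_read_kernel_sysctls(auditctl_t)
-kernel_read_proc_symlinks(auditctl_t)
-kernel_setsched(auditctl_t)
-+kernel_getattr_proc(auditctl_t)
-
-domain_read_all_domains_state(auditctl_t)
-domain_use_interactive_fds(auditctl_t)
-@@ -157,10 +158,13 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file read_file_perms;
-dontaudit auditd_t auditd_etc_t:file map;
-
-+allow auditd_t audisp_remote_exec_t:file getattr;
-+
+@@ -161,6 +161,7 @@ dontaudit auditd_t auditd_etc_t:file map;
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+allow auditd_t var_log_t:dir search_dir_perms;
 
 manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -284,6 +288,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+@@ -290,6 +291,7 @@ optional_policy(`
+allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
-allow audisp_remote_t var_log_t:dir search_dir_perms;
 +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+allow audisp_remote_t var_log_t:dir search_dir_perms;
 
 manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
-manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
 --
 2.17.1
 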
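Review bot: The rebased patch silently drops two of the three rules it used to carry, `kernel_getattr_proc(auditctl_t)` and `allow auditd_t audisp_remote_exec_t:file getattr;`, together with the two AVC records in the "Fixes:" text that motivated them, but neither the trimmed patch description nor the commit message records why. If the upstream 20210908 policy now grants those permissions the drop is correct; if the denials merely stopped being observed on the test image, auditctl and auditd will fail again in enforcing mode the next time they hit those paths, so an enforcing-mode boot with auditd and audisp-remote enabled is the check worth recording. Moving `+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;` above the `dir search_dir_perms` line is harmless, since the order of allow rules in a .te file does not change the compiled policy. A sentence in the patch description along the lines of `The auditctl_t proc getattr and audisp_remote_exec_t getattr rules were dropped: <reason, e.g. now granted upstream>` would make the rebase self-explaining.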
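--- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
@@ -1,4 +1,4 @@
-From 15773d54215587284f937b9a37b08c682949e7ab Mon Sep 17 00:00:00 2001
+From bfcb86c9c9ad6a9f10a8556320443d8c96adedc9 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in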
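--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
@@ -1,4 +1,4 @@
-From 1126ee6883d7e107b103a18d255416d542ca50f2 Mon Sep 17 00:00:00 2001
+From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Mon, 24 Aug 2020 11:29:09 +0800
 Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
@@ -37,7 +37,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2 files changed, 4 insertions(+)
 
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index ef5de835e..ee249ae04 100644
+index b0a419dc1..5b4f0aca1 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
@@ -50,10 +50,10 @@ index ef5de835e..ee249ae04 100644
 list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 4a2283b6c..daf64482f 100644
+index c50ff68c1..4c5a690fb 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -61,6 +61,8 @@ allow udev_t self:rawip_socket create_socket_perms;
+@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
 # for systemd-udevd to rename interfaces
 allow udev_t self:netlink_route_socket nlmsg_write;
 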
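--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
@@ -1,4 +1,4 @@
-From f23178d9d89bf39895f75867c29bda4dfb27e786 Mon Sep 17 00:00:00 2001
+From 175b493e7fe69de274388a7f251e74ec9cd56c41 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Tue, 23 Jun 2020 08:39:44 +0800
 Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
@@ -16,13 +16,13 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 1 insertion(+)
 
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 95b1ec632..0415e1ee7 100644
+index e6e76a93b..c704ddb82 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
-@@ -66,6 +66,7 @@ dev_read_sysfs(getty_t)
-files_read_etc_runtime_files(getty_t)
+@@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t)
 files_read_etc_files(getty_t)
 files_search_spool(getty_t)
+files_dontaudit_search_var_lib(getty_t)
 +fs_search_tmpfs(getty_t)
 
 fs_search_auto_mountpoints(getty_t)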
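--- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -1,12 +1,9 @@
-From 40101e4da939fcea2eebe3e4800d0de4e551ca26 Mon Sep 17 00:00:00 2001
+From d1352b688603b16eb6da7a30198d8b7abfc55d1e Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Wed, 1 Jul 2020 08:44:07 +0800
 Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
 directory with label rpcbind_runtime_t
 
-* Allow rpcbind_t to create directory with label rpcbind_runtime_t
-* Set context for nfsserver and nfscommon
-
 Fixes:
 avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
@@ -16,26 +13,11 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
-policy/modules/services/rpc.fc | 2 ++
 policy/modules/services/rpcbind.te | 5 +++--
-2 files changed, 5 insertions(+), 2 deletions(-)
+1 file changed, 3 insertions(+), 2 deletions(-)
 
-diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 88d2acaf0..d9c0a4aa7 100644
---- a/policy/modules/services/rpc.fc
-+++ b/policy/modules/services/rpc.fc
-@@ -1,7 +1,9 @@
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
-
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
-
-/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
 diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 370c9bce6..8972980fa 100644
+index 168c28ca3..e1eb7d5fc 100644
 --- a/policy/modules/services/rpcbind.te
 +++ b/policy/modules/services/rpcbind.te
 @@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)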
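Review bot: The rebased patch drops the whole rpc.fc hunk that labelled `/etc/rc\.d/init\.d/nfsserver` as nfsd_initrc_exec_t and `/etc/rc\.d/init\.d/nfscommon` as rpcd_initrc_exec_t, and the description bullet and diffstat were trimmed to match, but nothing in the commit message says where those two file contexts went. Unless another patch in the series or the upstream 20210908 policy now carries them, those init scripts presumably lose the dedicated initrc_exec label that the refpolicy init-script interfaces key on, and will be labelled like any other file under /etc/rc.d/init.d. Since the commit message groups every removal under "drop obsolete and useless patches", a one-line note such as `rpc.fc contexts for nfsserver/nfscommon: <dropped because ..., or moved to ...>` in either the patch description or the commit message would let a later reader confirm the labels are still applied on the image.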
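--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
@@ -0,0 +1,71 @@
+From 07866ad826b299194c1bfd7978e5077dde72a68e Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 11 Oct 2021 10:10:10 +0800
+Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel
+user home files
+
+Fixes:
+avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc"
+dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t
+tcontext=user_u:object_r:user_home_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/usermanage.te | 2 ++
+policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 98646b4b4..50c479498 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t)
+
+fs_search_auto_mountpoints(useradd_t)
+fs_getattr_xattr_fs(useradd_t)
++fs_search_tmpfs(useradd_t)
+
+mls_file_upgrade(useradd_t)
+
+@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
++userdom_relabel_user_home_content_files(useradd_t)
+
+optional_policy(`
+mta_manage_spool(useradd_t)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 22b3c1bf7..ec625170d 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+dontaudit $1 user_home_t:file relabel_file_perms;
+')
+
++########################################
++## <summary>
++## Relabel user home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_content_files',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:file relabel_file_perms;
++')
++
+########################################
+## <summary>
+## Read user home subdirectory symbolic links.
+--
+2.17.1
+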
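Review bot: The new interface grants `relabel_file_perms` on user_home_t files, which covers both relabelfrom and relabelto, while the only denial cited in the Fixes block is `relabelfrom`; if useradd only needs to move the label off user_home_t, `allow $1 user_home_t:file relabelfrom;` follows the evidence more closely, and if relabelto is genuinely needed the description should say so, since relabelto is the direction that lets a domain assign user_home_t to arbitrary content. The first hunk also adds `fs_search_tmpfs(useradd_t)` with no corresponding AVC in the Fixes block; add the denial or a one-line reason (e.g. `# skel files or home dirs may live on tmpfs in this image`) so the rule can be re-evaluated on the next rebase. The interface summary `Relabel user home files.` would read better as `Relabel user home content files.` to match the interface name and its dontaudit sibling.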
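--- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 92571e7c066b3d91634a4c1f55542cb528f5bac4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 23 Jun 2020 08:19:16 +0800
-Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch
-/etc/avahi directory
-
-Fixes:
-type=AVC msg=audit(1592813140.176:24): avc: denied { watch } for
-pid=360 comm="avahi-daemon" path="/services" dev="vda" ino=173
-scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:etc_t
-tclass=dir permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/avahi.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index af838d8b0..674cdcb81 100644
---- a/policy/modules/services/avahi.te
-+++ b/policy/modules/services/avahi.te
-@@ -76,6 +76,7 @@ domain_use_interactive_fds(avahi_t)
-
-files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
-+files_watch_etc_dirs(avahi_t)
-
-auth_use_nsswitch(avahi_t)
-
---
-2.17.1
-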
diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch index ae1d71a..cc29c7b 100644 --- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From c2a6ad9b4eee990b79175ec1866cfe20b7c61ef3 Mon Sep 17 00:00:00 2001 | 1 | From 93d4f198bd469a8728f5ce0cc51ff18f8a58b23b Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 | 3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 |
4 | Subject: [PATCH] policy/modules/system/systemd: enable support for | 4 | Subject: [PATCH] policy/modules/system/systemd: enable support for |
@@ -36,10 +36,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
36 | 1 file changed, 5 insertions(+), 1 deletion(-) | 36 | 1 file changed, 5 insertions(+), 1 deletion(-) |
37 | 37 | ||
38 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 38 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
39 | index 2e08efd19..7da836136 100644 | 39 | index 3d9198342..31d28a0e3 100644 |
40 | --- a/policy/modules/system/systemd.te | 40 | --- a/policy/modules/system/systemd.te |
41 | +++ b/policy/modules/system/systemd.te | 41 | +++ b/policy/modules/system/systemd.te |
42 | @@ -10,7 +10,7 @@ policy_module(systemd, 1.11.1) | 42 | @@ -10,7 +10,7 @@ policy_module(systemd, 1.12.6) |
43 | ## Enable support for systemd-tmpfiles to manage all non-security files. | 43 | ## Enable support for systemd-tmpfiles to manage all non-security files. |
44 | ## </p> | 44 | ## </p> |
45 | ## </desc> | 45 | ## </desc> |
@@ -48,7 +48,7 @@ index 2e08efd19..7da836136 100644 | |||
48 | 48 | ||
49 | ## <desc> | 49 | ## <desc> |
50 | ## <p> | 50 | ## <p> |
51 | @@ -1332,6 +1332,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) | 51 | @@ -1396,6 +1396,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) |
52 | files_relabelto_home(systemd_tmpfiles_t) | 52 | files_relabelto_home(systemd_tmpfiles_t) |
53 | files_relabelto_etc_dirs(systemd_tmpfiles_t) | 53 | files_relabelto_etc_dirs(systemd_tmpfiles_t) |
54 | files_setattr_lock_dirs(systemd_tmpfiles_t) | 54 | files_setattr_lock_dirs(systemd_tmpfiles_t) |
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch index a0dc9f2..ea8af31 100644 --- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch | |||
@@ -1,22 +1,15 @@ | |||
1 | From 8e762e1070e98a4235a70536ee6ca81725858a4b Mon Sep 17 00:00:00 2001 | 1 | From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Mon, 25 Jan 2021 14:14:59 +0800 | 3 | Date: Mon, 25 Jan 2021 14:14:59 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup | 4 | Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup |
5 | failures | 5 | failures |
6 | 6 | ||
7 | * Allow systemd_resolved_t to create socket file | ||
8 | * Allow systemd_resolved_t to manage systemd_resolved_runtime_t link | 7 | * Allow systemd_resolved_t to manage systemd_resolved_runtime_t link |
9 | files | 8 | files |
10 | * Allow systemd_resolved_t to send and recevie messages from dhcpc over | 9 | * Allow systemd_resolved_t to send and recevie messages from dhcpc over |
11 | dbus | 10 | dbus |
12 | 11 | ||
13 | Fixes: | 12 | Fixes: |
14 | avc: denied { create } for pid=258 comm="systemd-resolve" | ||
15 | name="io.systemd.Resolve" | ||
16 | scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 | ||
17 | tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 | ||
18 | tclass=sock_file permissive=0 | ||
19 | |||
20 | avc: denied { create } for pid=329 comm="systemd-resolve" | 13 | avc: denied { create } for pid=329 comm="systemd-resolve" |
21 | name=".#stub-resolv.conf53cb7f9d1e3aa72b" | 14 | name=".#stub-resolv.conf53cb7f9d1e3aa72b" |
22 | scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 | 15 | scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 |
@@ -39,31 +32,29 @@ Upstream-Status: Inappropriate [embedded specific] | |||
39 | 32 | ||
40 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 33 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
41 | --- | 34 | --- |
42 | policy/modules/system/systemd.te | 4 ++++ | 35 | policy/modules/system/systemd.te | 2 ++ |
43 | 1 file changed, 4 insertions(+) | 36 | 1 file changed, 2 insertions(+) |
44 | 37 | ||
45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 38 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
46 | index 7da836136..0411729ea 100644 | 39 | index 31d28a0e3..448905ff7 100644 |
47 | --- a/policy/modules/system/systemd.te | 40 | --- a/policy/modules/system/systemd.te |
48 | +++ b/policy/modules/system/systemd.te | 41 | +++ b/policy/modules/system/systemd.te |
49 | @@ -1164,6 +1164,8 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; | 42 | @@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; |
50 | 43 | ||
51 | manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | 44 | manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) |
52 | manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | 45 | manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) |
53 | +manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | ||
54 | +manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | 46 | +manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) |
47 | manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | ||
55 | init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) | 48 | init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) |
56 | 49 | ||
57 | dev_read_sysfs(systemd_resolved_t) | 50 | @@ -1236,6 +1237,7 @@ optional_policy(` |
58 | @@ -1194,6 +1196,8 @@ seutil_read_file_contexts(systemd_resolved_t) | ||
59 | systemd_log_parse_environment(systemd_resolved_t) | ||
60 | systemd_read_networkd_runtime(systemd_resolved_t) | ||
61 | |||
62 | +sysnet_dbus_chat_dhcpc(systemd_resolved_t) | ||
63 | + | ||
64 | optional_policy(` | ||
65 | dbus_connect_system_bus(systemd_resolved_t) | ||
66 | dbus_system_bus_client(systemd_resolved_t) | 51 | dbus_system_bus_client(systemd_resolved_t) |
52 | dbus_watch_system_bus_runtime_dirs(systemd_resolved_t) | ||
53 | dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t) | ||
54 | + sysnet_dbus_chat_dhcpc(systemd_resolved_t) | ||
55 | ') | ||
56 | |||
57 | ######################################### | ||
67 | -- | 58 | -- |
68 | 2.17.1 | 59 | 2.17.1 |
69 | 60 | ||
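Review bot: The rebased description still carries the typo `recevie` in `* Allow systemd_resolved_t to send and recevie messages from dhcpc over`; since the patch header is being rewritten anyway, change it to `receive`. Relocating `sysnet_dbus_chat_dhcpc(systemd_resolved_t)` from an unconditional rule into the dbus `optional_policy(` block is the right shape (the interface presumably depends on dbus being built), but the bullet list does not mention the move, so a later rebase has no record of why it sits where it does; one line such as `* Move the dhcpc dbus rule under the dbus optional_policy block` would cover it.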
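--- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 21c60a1ed37aef0427dbd49f602896b09b875bca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 23 Jun 2020 08:54:20 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: fix bluetoothd startup
-failures
-
-* Allow bluetooth_t to create and use bluetooth_socket
-* Allow bluetooth_t to create alg_socket
-* Allow bluetooth_t to send and receive messages from systemd hostnamed
-over dbus
-
-Fixes:
-avc: denied { create } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { bind } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { write } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { getattr } for pid=324 comm="bluetoothd"
-path="socket:[11771]" dev="sockfs" ino=11771
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { listen } for pid=324 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { read } for pid=324 comm="bluetoothd" path="socket:[11771]"
-dev="sockfs" ino=11771 scontext=system_u:system_r:bluetooth_t
-tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
-permissive=0
-
-avc: denied { create } for pid=268 comm="bluetoothd"
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
-permissive=0
-
-avc: denied { send_msg } for msgtype=method_call
-interface=org.freedesktop.DBus.Properties member=GetAll
-dest=org.freedesktop.hostname1 spid=266 tpid=312
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tclass=dbus permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/bluetooth.te | 5 +++++
-1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 69a38543e..b3df695db 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms;
-allow bluetooth_t self:unix_stream_socket { accept connectto listen };
-allow bluetooth_t self:tcp_socket { accept listen };
-allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
-+allow bluetooth_t self:alg_socket create;
-
-read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
-
-@@ -127,6 +129,9 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-userdom_dontaudit_use_user_terminals(bluetooth_t)
-userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-
-+init_dbus_send_script(bluetooth_t)
-+systemd_dbus_chat_hostnamed(bluetooth_t)
-+
-optional_policy(`
-dbus_system_bus_client(bluetooth_t)
-dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-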
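--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
+From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 Sep 2021 10:03:04 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
+attributes of tmpfs and cgroups
+
+Fixes:
+avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
+tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
+1 file changed, 35 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 448905ff7..847895e63 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
+
+files_search_var_lib(systemd_backlight_t)
+
++fs_getattr_tmpfs(systemd_backlight_t)
++fs_search_cgroup_dirs(systemd_backlight_t)
++fs_getattr_cgroup(systemd_backlight_t)
++
+#######################################
+#
+# Binfmt local policy
+@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
+fs_list_efivars(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_xattr_fs(systemd_generator_t)
++fs_getattr_tmpfs(systemd_generator_t)
+
+init_create_runtime_files(systemd_generator_t)
+init_manage_runtime_dirs(systemd_generator_t)
+@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
+# Allow reading /run/udev/data/+dmi:id
+udev_read_runtime_files(systemd_hostnamed_t)
+
++fs_getattr_tmpfs(systemd_hostnamed_t)
++fs_search_cgroup_dirs(systemd_hostnamed_t)
++fs_getattr_cgroup(systemd_hostnamed_t)
++
+optional_policy(`
+dbus_connect_system_bus(systemd_hostnamed_t)
+dbus_system_bus_client(systemd_hostnamed_t)
+@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
+files_mmap_read_kernel_modules(systemd_modules_load_t)
+files_read_etc_files(systemd_modules_load_t)
+
++fs_getattr_tmpfs(systemd_modules_load_t)
++fs_search_cgroup_dirs(systemd_modules_load_t)
++fs_getattr_cgroup(systemd_modules_load_t)
++
+modutils_read_module_config(systemd_modules_load_t)
+modutils_read_module_deps(systemd_modules_load_t)
+
+@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
+files_watch_root_dirs(systemd_networkd_t)
+files_list_runtime(systemd_networkd_t)
+fs_getattr_xattr_fs(systemd_networkd_t)
++fs_getattr_tmpfs(systemd_networkd_t)
+fs_getattr_cgroup(systemd_networkd_t)
+fs_search_cgroup_dirs(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
+@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+systemd_log_parse_environment(systemd_rfkill_t)
+
++fs_getattr_tmpfs(systemd_rfkill_t)
++fs_search_cgroup_dirs(systemd_rfkill_t)
++fs_getattr_cgroup(systemd_rfkill_t)
++
+#########################################
+#
+# Resolved local policy
+@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
+files_watch_root_dirs(systemd_resolved_t)
+files_watch_runtime_dirs(systemd_resolved_t)
+files_list_runtime(systemd_resolved_t)
++fs_getattr_tmpfs(systemd_resolved_t)
++fs_search_cgroup_dirs(systemd_resolved_t)
++fs_getattr_cgroup(systemd_resolved_t)
+
+init_dgram_send(systemd_resolved_t)
+
+@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
+
+systemd_log_parse_environment(systemd_sessions_t)
+
++fs_getattr_tmpfs(systemd_sessions_t)
++fs_search_cgroup_dirs(systemd_sessions_t)
++fs_getattr_cgroup(systemd_sessions_t)
++
+########################################
+#
+# sysctl local policy
+@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
++fs_getattr_tmpfs(systemd_sysctl_t)
++fs_search_cgroup_dirs(systemd_sysctl_t)
++fs_getattr_cgroup(systemd_sysctl_t)
+
+systemd_log_parse_environment(systemd_sysctl_t)
+
+@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
+fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
++fs_search_cgroup_dirs(systemd_tmpfiles_t)
++fs_getattr_cgroup(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_tmpfiles_t)
+@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+
++fs_getattr_tmpfs(systemd_update_done_t)
++fs_search_cgroup_dirs(systemd_update_done_t)
++fs_getattr_cgroup(systemd_update_done_t)
++
+kernel_read_kernel_sysctls(systemd_update_done_t)
+
+selinux_use_status_page(systemd_update_done_t)
+@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
+fs_read_cgroup_files(systemd_user_runtime_dir_t)
+fs_getattr_cgroup(systemd_user_runtime_dir_t)
++fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
+
+kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+--
+2.17.1
+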
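Review bot: The Fixes block records denials for only four domains (systemd_networkd_t, systemd_resolved_t, systemd_sessions_t and systemd_user_runtime_dir_t), yet the hunks add fs_getattr_tmpfs, fs_search_cgroup_dirs and fs_getattr_cgroup to ten systemd_*_t domains, including backlight, generator, hostnamed, modules_load, rfkill, sysctl, tmpfiles and update_done, for which no AVC is shown. Each unrecorded grant is a small widening that cannot be re-verified on the next rebase; either append the denials that motivated them or say in the description that the three rules were applied uniformly to every systemd helper domain by analogy, so a future maintainer knows which lines are evidence-backed. The systemd_user_runtime_dir_t denial is a `search` on cgroup_t:dir, which matches the single `fs_search_cgroup_dirs` line in the last hunk, but the getattr rules added for it elsewhere in the patch (none, as far as the hunks show) should be checked against that list for consistency.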
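--- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e67fe4fa79d59be7bcefd256c1966ea8c034a3d9 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo
-
-Fixes:
-$ rpcinfo
-rpcinfo: can't contact rpcbind: RPC: Remote system error - Permission denied
-
-avc: denied { connectto } for pid=406 comm="rpcinfo"
-path="/run/rpcbind.sock" scontext=root:sysadm_r:sysadm_t
-tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index ddf973693..1642f3b93 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -947,6 +947,7 @@ optional_policy(`
-')
-
-optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
-rpcbind_admin(sysadm_t, sysadm_r)
-')
-
---
-2.17.1
-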
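--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch
@@ -0,0 +1,55 @@
+From dc2c9c91219311f6c4d985169dff6c5931a465d7 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for
+systemd
+
+Fixes:
+syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/syslog: Permission denied
+syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied
+syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied
+syslogd[243]: Error opening log file: /var/log/messages: Permission denied
+
+avc: denied { search } for pid=243 comm="syslogd" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { write } for pid=162 comm="systemd-journal"
+name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.te | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index cc530a2be..5b4b5ec5d 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t)
+
+# manage runtime files
+allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
+-allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
++allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write };
+allow syslogd_t syslogd_runtime_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+@@ -495,6 +495,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+
+fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
++fs_search_tmpfs(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+--
+2.17.1
+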
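Review bot: The six `Error opening log file: /var/log/...: Permission denied` lines in the Fixes block are not tied to either hunk; the only related denial shown is the `search` on the tmpfs root for syslogd_t, so presumably /var/log is on a volatile tmpfs in this image and `fs_search_tmpfs(syslogd_t)` is what resolves them, but the description should state that link so the rule can be re-evaluated when the image layout changes. The `write` added to the sock_file rule is justified by the second AVC, where `comm="systemd-journal"` is running in syslogd_t; a short comment next to the rule such as `# journald (runs as syslogd_t) writes to the syslog forwarding socket` would make clear that this rule covers journald and not only the syslog daemon, since the domain name does not suggest it.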
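--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 14 May 2019 15:22:08 +0800
-Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
-for rpcd_t
-
-Fixes:
-type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search }
-for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
-tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/rpc.te | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index c3e37177b..87b6b4561 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -232,7 +232,7 @@ optional_policy(`
-# Local policy
-#
-
--allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
-+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
-allow rpcd_t self:capability2 block_suspend;
-allow rpcd_t self:process { getcap setcap };
-allow rpcd_t self:fifo_file rw_fifo_file_perms;
---
-2.17.1
-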
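--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,172 @@
+From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
+$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
+--user to connect to bus of other user)
+
+avc: denied { connectto } for pid=293 comm="login"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
+dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=293 comm="login"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:local_login_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { connectto } for pid=244 comm="systemd-logind"
+path="/run/systemd/userdb/io.systemd.Multiplexer"
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.DropIn" dev="tmpfs" ino=44
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { read } for pid=244 comm="systemd-logind"
+name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
+scontext=system_u:system_r:systemd_logind_t
+tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
+permissive=0
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { setrlimit } for pid=297 comm="systemd"
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
+ino=173 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:etc_t tclass=dir permissive=0
+
+avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
+ino=2 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
+
+avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
+ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 2 ++
+policy/modules/system/init.if | 1 +
+policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
+3 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 46d3e2f0b..e1933a5bd 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
+# Allow sysadm to query and set networking settings on the system.
+systemd_dbus_chat_networkd(sysadm_t)
+fs_read_nsfs_files(sysadm_t)
++
++ systemd_sysadm_user(sysadm_t)
+')
+
+tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 0171ee299..8ca29f654 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
+')
+
+allow $1 init_t:unix_stream_socket connectto;
++ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 38adf050c..5c44d8d8a 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -57,7 +57,7 @@ template(`systemd_role_template',`
+allow $1_systemd_t self:process { getsched signal };
+allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+corecmd_shell_domtrans($1_systemd_t, $3)
+corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -88,8 +88,11 @@ template(`systemd_role_template',`
+
+fs_manage_cgroup_files($1_systemd_t)
+fs_watch_cgroup_files($1_systemd_t)
++ files_watch_etc_dirs($1_systemd_t)
++ fs_getattr_xattr_fs($1_systemd_t)
+
+kernel_dontaudit_getattr_proc($1_systemd_t)
++ kernel_read_network_state($1_systemd_t)
+
+selinux_use_status_page($1_systemd_t)
+
+@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
+init_search_runtime($1)
+allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
++ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
+init_unix_stream_socket_connectto($1)
+')
+
+@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
+allow $1 systemd_machined_t:fd use;
+allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+')
++
++#########################################
++## <summary>
++## sysadm user for systemd --user
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_sysadm_user',`
++ gen_require(`
++ type sysadm_systemd_t;
++ ')
++
++ allow sysadm_systemd_t self:capability { mknod sys_admin };
++ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++ allow sysadm_systemd_t self:process setrlimit;
++ allow $1 sysadm_systemd_t:system reload;
++')
+--
+2.17.1
+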
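Review bot: The added `allow $1 initrc_t:unix_stream_socket connectto;` inside `init_unix_stream_socket_connectto` (nested init.if hunk, patch line 108) widens every existing caller of that interface across the policy, not only the local_login_t and systemd_logind_t domains in the denials, to connect to any initrc_t stream socket. Since all of the connectto denials are against `/run/systemd/userdb/io.systemd.Multiplexer`, the narrower fix is to put that rule in `systemd_stream_connect_userdb` next to the new lnk_file rule (adding `type initrc_t;` to its gen_require, which is outside the hunk) and leave init.if alone; the description should also say why the multiplexer socket is labelled initrc_t here, which looks like a missing domain for the userdb service rather than a policy gap. In the new `systemd_sysadm_user` interface, `sys_admin` on sysadm_systemd_t is close to root-equivalent for that domain, so the systemd --user operation behind that AVC should be named so a reviewer can judge whether a narrower permission would do. The `<param name="role">` description does not match how $1 is used (it is the domain granted `system reload`); change it to `<param name="domain">` with the summary `Domain allowed to reload the sysadm systemd --user instance.`.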
diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch index 64cc90e..504e028 100644 --- a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ab462f0022c35fde984dbe792ce386f5d507aeeb Mon Sep 17 00:00:00 2001 | 1 | From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Thu, 24 Sep 2020 14:05:52 +0800 | 3 | Date: Thu, 24 Sep 2020 14:05:52 +0800 |
4 | Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge | 4 | Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge |
@@ -80,26 +80,38 @@ Upstream-Status: Inappropriate [embedded specific] | |||
80 | 80 | ||
81 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 81 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
82 | --- | 82 | --- |
83 | policy/modules/system/sysnetwork.te | 7 +++++++ | 83 | policy/modules/system/sysnetwork.te | 7 ++++++- |
84 | 1 file changed, 7 insertions(+) | 84 | 1 file changed, 6 insertions(+), 1 deletion(-) |
85 | 85 | ||
86 | diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te | 86 | diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
87 | index cb1434180..a9297f976 100644 | 87 | index 4c317cc4c..05a9a52b8 100644 |
88 | --- a/policy/modules/system/sysnetwork.te | 88 | --- a/policy/modules/system/sysnetwork.te |
89 | +++ b/policy/modules/system/sysnetwork.te | 89 | +++ b/policy/modules/system/sysnetwork.te |
90 | @@ -72,6 +72,11 @@ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; | 90 | @@ -58,10 +58,11 @@ ifdef(`distro_debian',` |
91 | allow dhcpc_t self:rawip_socket create_socket_perms; | 91 | # DHCP client local policy |
92 | allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto }; | 92 | # |
93 | 93 | allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config }; | |
94 | +allow dhcpc_t self:capability { setgid setuid sys_chroot kill }; | 94 | +allow dhcpc_t self:capability { setgid setuid sys_chroot kill }; |
95 | dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config }; | ||
96 | # for access("/etc/bashrc", X_OK) on Red Hat | ||
97 | dontaudit dhcpc_t self:capability { dac_read_search sys_module }; | ||
98 | -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; | ||
99 | +allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit }; | ||
100 | |||
101 | allow dhcpc_t self:fifo_file rw_fifo_file_perms; | ||
102 | allow dhcpc_t self:tcp_socket create_stream_socket_perms; | ||
103 | @@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms; | ||
104 | allow dhcpc_t self:packet_socket create_socket_perms; | ||
105 | allow dhcpc_t self:netlink_generic_socket create_socket_perms; | ||
106 | allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; | ||
95 | +allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; | 107 | +allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; |
96 | +allow dhcpc_t self:process setrlimit; | 108 | allow dhcpc_t self:rawip_socket create_socket_perms; |
109 | allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto }; | ||
97 | +allow dhcpc_t self:unix_stream_socket connectto; | 110 | +allow dhcpc_t self:unix_stream_socket connectto; |
98 | + | 111 | |
99 | allow dhcpc_t dhcp_etc_t:dir list_dir_perms; | 112 | allow dhcpc_t dhcp_etc_t:dir list_dir_perms; |
100 | read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) | 113 | read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) |
101 | exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) | 114 | @@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t) |
102 | @@ -145,6 +150,7 @@ files_manage_var_files(dhcpc_t) | ||
103 | fs_getattr_all_fs(dhcpc_t) | 115 | fs_getattr_all_fs(dhcpc_t) |
104 | fs_search_auto_mountpoints(dhcpc_t) | 116 | fs_search_auto_mountpoints(dhcpc_t) |
105 | fs_search_cgroup_dirs(dhcpc_t) | 117 | fs_search_cgroup_dirs(dhcpc_t) |
@@ -107,7 +119,7 @@ index cb1434180..a9297f976 100644 | |||
107 | 119 | ||
108 | term_dontaudit_use_all_ttys(dhcpc_t) | 120 | term_dontaudit_use_all_ttys(dhcpc_t) |
109 | term_dontaudit_use_all_ptys(dhcpc_t) | 121 | term_dontaudit_use_all_ptys(dhcpc_t) |
110 | @@ -180,6 +186,7 @@ ifdef(`init_systemd',` | 122 | @@ -181,6 +185,7 @@ ifdef(`init_systemd',` |
111 | init_stream_connect(dhcpc_t) | 123 | init_stream_connect(dhcpc_t) |
112 | init_get_all_units_status(dhcpc_t) | 124 | init_get_all_units_status(dhcpc_t) |
113 | init_search_units(dhcpc_t) | 125 | init_search_units(dhcpc_t) |
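Review bot: The rebased `allow dhcpc_t self:capability { setgid setuid sys_chroot kill };` now sits directly under the existing self:capability rule in the second hunk, leaving two allow statements for the same source and class where refpolicy keeps one sorted set; fold it in as `allow dhcpc_t self:capability { dac_override fsetid kill net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };`, which also makes it visible that sys_tty_config is both allowed there and dontaudited on the next line (pre-existing, but worth dropping from the dontaudit while touching it). `kill` lets the client signal processes of any uid, so the patch description should tie it, `setrlimit` and the self `connectto` to the specific privilege-separation step that needs each of them; the 'Fixes:' block is above this hunk and out of view, so if it already lists those AVCs this is covered.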
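--- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 5dbfff582a9c7745f8517adefb27c5f90653f8fa Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Wed, 25 May 2016 03:16:24 -0400
-Subject: [PATCH] policy/modules/services/rngd: fix security context for
-rng-tools
-
-* Fix security context for /etc/init.d/rng-tools
-* Allow rngd_t to read sysfs
-
-Fixes:
-avc: denied { read } for pid=355 comm="rngd" name="cpu" dev="sysfs"
-ino=36 scontext=system_u:system_r:rngd_t
-tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1
-
-avc: denied { getsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-avc: denied { setsched } for pid=355 comm="rngd"
-scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
-tclass=process permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/rngd.fc | 1 +
-policy/modules/services/rngd.te | 3 ++-
-2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
-index 382c067f9..0ecc5acc4 100644
---- a/policy/modules/services/rngd.fc
-+++ b/policy/modules/services/rngd.fc
-@@ -1,4 +1,5 @@
-/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
-
-/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
-
-diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
-index 4540e4ec7..48f08fb48 100644
---- a/policy/modules/services/rngd.te
-+++ b/policy/modules/services/rngd.te
-@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
-#
-
-allow rngd_t self:capability { ipc_lock sys_admin };
--allow rngd_t self:process signal;
-+allow rngd_t self:process { signal getsched setsched };
-allow rngd_t self:fifo_file rw_fifo_file_perms;
-allow rngd_t self:unix_stream_socket { accept listen };
-
-@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
-dev_read_urand(rngd_t)
-dev_rw_tpm(rngd_t)
-dev_write_rand(rngd_t)
-+dev_read_sysfs(rngd_t)
-
-files_read_etc_files(rngd_t)
-
---
-2.17.1
-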
diff --git a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch index b644571..2f94974 100644 --- a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7002b4e33b949b474a0ce0b78a7f2e180dbbc9bb Mon Sep 17 00:00:00 2001 | 1 | From 8343ff97a265836ba1e1e2f4159f888c21e5cabe Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Tue, 9 Feb 2021 17:31:55 +0800 | 3 | Date: Tue, 9 Feb 2021 17:31:55 +0800 |
4 | Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys | 4 | Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys |
@@ -14,22 +14,21 @@ Upstream-Status: Inappropriate [embedded specific] | |||
14 | 14 | ||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
16 | --- | 16 | --- |
17 | policy/modules/system/modutils.te | 2 ++ | 17 | policy/modules/system/modutils.te | 1 + |
18 | 1 file changed, 2 insertions(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te | 20 | diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te |
21 | index ee249ae04..b8769bc02 100644 | 21 | index 5b4f0aca1..008f286a8 100644 |
22 | --- a/policy/modules/system/modutils.te | 22 | --- a/policy/modules/system/modutils.te |
23 | +++ b/policy/modules/system/modutils.te | 23 | +++ b/policy/modules/system/modutils.te |
24 | @@ -43,6 +43,8 @@ allow kmod_t self:rawip_socket create_socket_perms; | 24 | @@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms; |
25 | allow kmod_t self:rawip_socket create_socket_perms; | ||
25 | 26 | ||
26 | allow kmod_t self:lockdown confidentiality; | 27 | allow kmod_t self:lockdown confidentiality; |
27 | |||
28 | +allow kmod_t self:key write; | 28 | +allow kmod_t self:key write; |
29 | + | 29 | |
30 | # Read module config and dependency information | 30 | # Read module config and dependency information |
31 | list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) | 31 | list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) |
32 | read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) | ||
33 | -- | 32 | -- |
34 | 2.17.1 | 33 | 2.17.1 |
35 | 34 | ||
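--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From be61411d6d7d3bb2c700ec24f42661ce9c728df4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 29 Jan 2021 10:32:00 +0800
-Subject: [PATCH] policy/modules/services/ssh: allow ssh_keygen_t to read
-proc_t
-
-Fixes:
-avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
-dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
-tcontext=system_u:object_r:proc_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/ssh.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 238c45ed8..2bbf50e84 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -330,6 +330,8 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-+allow ssh_keygen_t proc_t:file read_file_perms;
-+
-allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-
---
-2.17.1
-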
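--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -0,0 +1,43 @@
+From 4e2df7ca542b6c94e74345daaecb33efc82d749a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 09:26:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
+the process state of all domains
+
+We encountered the following su runtime error:
+$ useradd user1
+$ passwd user1
+New password:
+Retype new password:
+passwd: password updated successfully
+$ su - user1
+Session terminated, terminating shell...Hangup
+
+Fixes:
+avc: denied { use } for pid=344 comm="su"
+path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661
+scontext=root:sysadm_r:sysadm_su_t
+tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 847895e63..1a83148c1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
++domain_read_all_domains_state(systemd_logind_t)
+
+# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+--
+2.17.1
+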
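Review bot: `domain_read_all_domains_state(systemd_logind_t)` does not match the denial quoted in the same patch: that AVC has `scontext=root:sysadm_r:sysadm_su_t`, `tclass=fd` and permission `use`, i.e. su using a file descriptor that logind created (from the path, apparently the session ref under /run/systemd/sessions), so the rule that answers it is on the su side, `allow sysadm_su_t systemd_logind_t:fd use;` (or the refpolicy interface that wraps that rule, if one exists for the module this lands in). Giving logind read access to the /proc state of every domain on the system is a much broader grant, and if it makes the symptom disappear it is because of a second denial that the description does not record; please add that AVC to the 'Fixes:' block so the rule can be checked against it. As the patch is marked Upstream-Status: Pending, upstream review will raise the same question.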
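--- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 20e6395a7e8bce552fb0190dbc57d836d763fc18 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Sun, 28 Jun 2020 16:14:45 +0800
-Subject: [PATCH] policy/modules/services/ssh: make respective init scripts
-create pid dirs with proper contexts
-
-Fix sshd starup failure.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/ssh.te | 4 +---
-1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2bbf50e84..ad0a1b7ad 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t)
-type sshd_keytab_t;
-files_type(sshd_keytab_t)
-
--ifdef(`distro_debian',`
-- init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
--')
-+init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
-
-##############################
-#
---
-2.17.1
-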
diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch index 1d6a3c4..4cae8c6 100644 --- a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0d69354886e0b635dd069876b9d53890a5a9cab1 Mon Sep 17 00:00:00 2001 | 1 | From 705008ba8ef960cf2e4813b4b8c5a87b919d545f Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Sat, 15 Feb 2014 04:22:47 -0500 | 3 | Date: Sat, 15 Feb 2014 04:22:47 -0500 |
4 | Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted | 4 | Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted |
@@ -15,22 +15,21 @@ Upstream-Status: Inappropriate [embedded specific] | |||
15 | Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 15 | Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
17 | --- | 17 | --- |
18 | policy/modules/system/mount.te | 2 ++ | 18 | policy/modules/system/mount.te | 1 + |
19 | 1 file changed, 2 insertions(+) | 19 | 1 file changed, 1 insertion(+) |
20 | 20 | ||
21 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | 21 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te |
22 | index b628c3b2f..f55457bb0 100644 | 22 | index e39ab41a8..3481f9294 100644 |
23 | --- a/policy/modules/system/mount.te | 23 | --- a/policy/modules/system/mount.te |
24 | +++ b/policy/modules/system/mount.te | 24 | +++ b/policy/modules/system/mount.te |
25 | @@ -116,6 +116,8 @@ fs_dontaudit_write_all_image_files(mount_t) | 25 | @@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t) |
26 | |||
26 | mls_file_read_all_levels(mount_t) | 27 | mls_file_read_all_levels(mount_t) |
27 | mls_file_write_all_levels(mount_t) | 28 | mls_file_write_all_levels(mount_t) |
28 | |||
29 | +mls_process_write_to_clearance(mount_t) | 29 | +mls_process_write_to_clearance(mount_t) |
30 | + | 30 | |
31 | selinux_get_enforce_mode(mount_t) | 31 | selinux_get_enforce_mode(mount_t) |
32 | 32 | ||
33 | storage_raw_read_fixed_disk(mount_t) | ||
34 | -- | 33 | -- |
35 | 2.17.1 | 34 | 2.17.1 |
36 | 35 | ||
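--- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f0249cb5802af7f9113786940d0c49e786f774ae Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 29 Jun 2020 14:27:02 +0800
-Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty
-perms
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/kernel/terminal.if | 4 +---
-1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index e8c0735eb..9ccecfa0d 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -119,9 +119,7 @@ interface(`term_user_tty',`
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-- ifdef(`distro_debian',`
-- type_change $1 ttynode:chr_file $2;
-- ')
-+ type_change $1 ttynode:chr_file $2;
-
-tunable_policy(`console_login',`
-# When user logs in from /dev/console, relabel it
---
-2.17.1
-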
diff --git a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch index f441742..86317b3 100644 --- a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b83147aa97fe6f51c997256539dff827e3a44edc Mon Sep 17 00:00:00 2001 | 1 | From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Mon, 28 Jan 2019 14:05:18 +0800 | 3 | Date: Mon, 28 Jan 2019 14:05:18 +0800 |
4 | Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance | 4 | Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance |
@@ -19,23 +19,22 @@ Upstream-Status: Inappropriate [embedded specific] | |||
19 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 19 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
20 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 20 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
21 | --- | 21 | --- |
22 | policy/modules/roles/sysadm.te | 3 +++ | 22 | policy/modules/roles/sysadm.te | 2 ++ |
23 | 1 file changed, 3 insertions(+) | 23 | 1 file changed, 2 insertions(+) |
24 | 24 | ||
25 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 25 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te |
26 | index a4abaefe4..aaae73fc3 100644 | 26 | index e1933a5bd..0682ed31a 100644 |
27 | --- a/policy/modules/roles/sysadm.te | 27 | --- a/policy/modules/roles/sysadm.te |
28 | +++ b/policy/modules/roles/sysadm.te | 28 | +++ b/policy/modules/roles/sysadm.te |
29 | @@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t) | 29 | @@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t) |
30 | logging_watch_audit_log(sysadm_t) | ||
30 | 31 | ||
31 | mls_process_read_all_levels(sysadm_t) | 32 | mls_process_read_all_levels(sysadm_t) |
32 | |||
33 | +mls_file_read_all_levels(sysadm_t) | 33 | +mls_file_read_all_levels(sysadm_t) |
34 | +mls_process_write_to_clearance(sysadm_t) | 34 | +mls_process_write_to_clearance(sysadm_t) |
35 | + | 35 | |
36 | selinux_read_policy(sysadm_t) | 36 | selinux_read_policy(sysadm_t) |
37 | 37 | ||
38 | ubac_process_exempt(sysadm_t) | ||
39 | -- | 38 | -- |
40 | 2.17.1 | 39 | 2.17.1 |
41 | 40 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch index 4403997..f659e7e 100644 --- a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7b8290ba52052f90b6221c1b3ccb8f7536f4c41e Mon Sep 17 00:00:00 2001 | 1 | From 18ad027229a06fdcb833482dff0c2ae637d08e78 Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 | 3 | Date: Fri, 23 Aug 2013 12:01:53 +0800 |
4 | Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted | 4 | Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted |
@@ -11,12 +11,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
12 | --- | 12 | --- |
13 | policy/modules/kernel/kernel.te | 2 ++ | 13 | policy/modules/kernel/kernel.te | 2 ++ |
14 | policy/modules/services/rpc.te | 2 ++ | 14 | policy/modules/services/rpcbind.te | 5 +++++ |
15 | policy/modules/services/rpcbind.te | 6 ++++++ | 15 | 2 files changed, 7 insertions(+) |
16 | 3 files changed, 10 insertions(+) | ||
17 | 16 | ||
18 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | 17 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
19 | index 5ce6e041b..c1557ddb2 100644 | 18 | index ca951cb44..a32c59eb1 100644 |
20 | --- a/policy/modules/kernel/kernel.te | 19 | --- a/policy/modules/kernel/kernel.te |
21 | +++ b/policy/modules/kernel/kernel.te | 20 | +++ b/policy/modules/kernel/kernel.te |
22 | @@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t) | 21 | @@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t) |
@@ -28,24 +27,11 @@ index 5ce6e041b..c1557ddb2 100644 | |||
28 | 27 | ||
29 | ifdef(`distro_redhat',` | 28 | ifdef(`distro_redhat',` |
30 | # Bugzilla 222337 | 29 | # Bugzilla 222337 |
31 | diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te | ||
32 | index 87b6b4561..9618df04e 100644 | ||
33 | --- a/policy/modules/services/rpc.te | ||
34 | +++ b/policy/modules/services/rpc.te | ||
35 | @@ -341,6 +341,8 @@ storage_raw_read_removable_device(nfsd_t) | ||
36 | |||
37 | miscfiles_read_public_files(nfsd_t) | ||
38 | |||
39 | +mls_file_read_to_clearance(nfsd_t) | ||
40 | + | ||
41 | tunable_policy(`allow_nfsd_anon_write',` | ||
42 | miscfiles_manage_public_files(nfsd_t) | ||
43 | ') | ||
44 | diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te | 30 | diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te |
45 | index 8972980fa..5c89a1343 100644 | 31 | index e1eb7d5fc..da0994749 100644 |
46 | --- a/policy/modules/services/rpcbind.te | 32 | --- a/policy/modules/services/rpcbind.te |
47 | +++ b/policy/modules/services/rpcbind.te | 33 | +++ b/policy/modules/services/rpcbind.te |
48 | @@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t) | 34 | @@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t) |
49 | 35 | ||
50 | miscfiles_read_localization(rpcbind_t) | 36 | miscfiles_read_localization(rpcbind_t) |
51 | 37 | ||
@@ -53,7 +39,6 @@ index 8972980fa..5c89a1343 100644 | |||
53 | +# because the are running in different level. So add rules to allow this. | 39 | +# because the are running in different level. So add rules to allow this. |
54 | +mls_socket_read_all_levels(rpcbind_t) | 40 | +mls_socket_read_all_levels(rpcbind_t) |
55 | +mls_socket_write_all_levels(rpcbind_t) | 41 | +mls_socket_write_all_levels(rpcbind_t) |
56 | +mls_file_read_to_clearance(rpcbind_t) | ||
57 | + | 42 | + |
58 | ifdef(`distro_debian',` | 43 | ifdef(`distro_debian',` |
59 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | 44 | term_dontaudit_use_unallocated_ttys(rpcbind_t) |
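Review bot: After this rebase the patch no longer carries any nfsd_t rule — the rpc.te hunk with `mls_file_read_to_clearance(nfsd_t)` is gone and the new diffstat lists only kernel.te and rpcbind.te — yet the unchanged Subject still reads `policy/modules/services/rpc: make nfsd_t domain MLS trusted`. If the nfsd_t grant is now present upstream (presumably why the hunk was dropped), the Subject and body should be reworded to what the patch still does, e.g. `Subject: [PATCH] policy/modules/kernel,services: make kernel_t and rpcbind_t MLS trusted for NFS`; if it is not, the rpc.te hunk needs to come back. The rebase also silently drops `mls_file_read_to_clearance(rpcbind_t)` while keeping the socket read/write grants, which is a narrowing worth one sentence in the patch description so a later rebase does not re-add it unreviewed. The context comment `# because the are running in different level.` could be fixed in passing to `# because they are running at different levels.`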
diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch deleted file mode 100644 index 54dd451..0000000 --- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | From 74f611538d63cdf4157e6b5f4b982cafe0378b9a Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Mon, 29 Jun 2020 14:30:58 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read | ||
5 | /var/lib | ||
6 | |||
7 | Upstream-Status: Inappropriate [embedded specific] | ||
8 | |||
9 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
10 | --- | ||
11 | policy/modules/system/selinuxutil.te | 6 ++---- | ||
12 | 1 file changed, 2 insertions(+), 4 deletions(-) | ||
13 | |||
14 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te | ||
15 | index 8f8f42ec7..a505b3987 100644 | ||
16 | --- a/policy/modules/system/selinuxutil.te | ||
17 | +++ b/policy/modules/system/selinuxutil.te | ||
18 | @@ -549,10 +549,8 @@ userdom_map_user_home_content_files(semanage_t) | ||
19 | userdom_read_user_tmp_files(semanage_t) | ||
20 | userdom_map_user_tmp_files(semanage_t) | ||
21 | |||
22 | -ifdef(`distro_debian',` | ||
23 | - files_read_var_lib_files(semanage_t) | ||
24 | - files_read_var_lib_symlinks(semanage_t) | ||
25 | -') | ||
26 | +files_read_var_lib_files(semanage_t) | ||
27 | +files_read_var_lib_symlinks(semanage_t) | ||
28 | |||
29 | ifdef(`distro_ubuntu',` | ||
30 | optional_policy(` | ||
31 | -- | ||
32 | 2.17.1 | ||
33 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch index 02aa5e3..ace056a 100644 --- a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch +++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From bc6872d164d09355ee82dc97c4e3d99a6b6669b3 Mon Sep 17 00:00:00 2001 | 1 | From b41a910654f5c5fe198b1695df18b6f6a1af7904 Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Tue, 30 Jun 2020 10:18:20 +0800 | 3 | Date: Tue, 30 Jun 2020 10:18:20 +0800 |
4 | Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading | 4 | Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading |
@@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
19 | 1 file changed, 2 insertions(+) | 19 | 1 file changed, 2 insertions(+) |
20 | 20 | ||
21 | diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te | 21 | diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te |
22 | index 0f2835575..9f4f11397 100644 | 22 | index f3421fdbb..d87ee5583 100644 |
23 | --- a/policy/modules/admin/dmesg.te | 23 | --- a/policy/modules/admin/dmesg.te |
24 | +++ b/policy/modules/admin/dmesg.te | 24 | +++ b/policy/modules/admin/dmesg.te |
25 | @@ -51,6 +51,8 @@ miscfiles_read_localization(dmesg_t) | 25 | @@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t) |
26 | userdom_dontaudit_use_unpriv_user_fds(dmesg_t) | 26 | userdom_dontaudit_use_unpriv_user_fds(dmesg_t) |
27 | userdom_use_user_terminals(dmesg_t) | 27 | userdom_use_user_terminals(dmesg_t) |
28 | 28 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index 733fbad..8b9f98c 100644 --- a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e7b9af24946f5f76e8e6831bfeb444c0153298be Mon Sep 17 00:00:00 2001 | 1 | From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Fri, 13 Oct 2017 07:20:40 +0000 | 3 | Date: Fri, 13 Oct 2017 07:20:40 +0000 |
4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for |
@@ -55,23 +55,22 @@ Upstream-Status: Inappropriate [embedded specific] | |||
55 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 55 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
56 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 56 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
57 | --- | 57 | --- |
58 | policy/modules/kernel/kernel.te | 3 +++ | 58 | policy/modules/kernel/kernel.te | 2 ++ |
59 | 1 file changed, 3 insertions(+) | 59 | 1 file changed, 2 insertions(+) |
60 | 60 | ||
61 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te | 61 | diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
62 | index c1557ddb2..8f67c6ec9 100644 | 62 | index a32c59eb1..1c53754ee 100644 |
63 | --- a/policy/modules/kernel/kernel.te | 63 | --- a/policy/modules/kernel/kernel.te |
64 | +++ b/policy/modules/kernel/kernel.te | 64 | +++ b/policy/modules/kernel/kernel.te |
65 | @@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t) | 65 | @@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t) |
66 | mls_file_read_all_levels(kernel_t) | ||
66 | mls_socket_write_all_levels(kernel_t) | 67 | mls_socket_write_all_levels(kernel_t) |
67 | mls_fd_use_all_levels(kernel_t) | 68 | mls_fd_use_all_levels(kernel_t) |
68 | |||
69 | +# https://bugzilla.redhat.com/show_bug.cgi?id=667370 | 69 | +# https://bugzilla.redhat.com/show_bug.cgi?id=667370 |
70 | +mls_file_downgrade(kernel_t) | 70 | +mls_file_downgrade(kernel_t) |
71 | + | 71 | |
72 | ifdef(`distro_redhat',` | 72 | ifdef(`distro_redhat',` |
73 | # Bugzilla 222337 | 73 | # Bugzilla 222337 |
74 | fs_rw_tmpfs_chr_files(kernel_t) | ||
75 | -- | 74 | -- |
76 | 2.17.1 | 75 | 2.17.1 |
77 | 76 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch deleted file mode 100644 index f7758c5..0000000 --- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 3 Feb 2021 09:47:59 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon | ||
5 | for init_t | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { bpf } for pid=1 comm="systemd" capability=39 | ||
9 | scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t | ||
10 | tclass=capability2 permissive=0 | ||
11 | avc: denied { perfmon } for pid=1 comm="systemd" capability=38 | ||
12 | scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t | ||
13 | tclass=capability2 permissive=0 | ||
14 | |||
15 | Upstream-Status: Inappropriate [embedded specific] | ||
16 | |||
17 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
18 | --- | ||
19 | policy/modules/system/init.te | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
23 | index e82177938..b7d494398 100644 | ||
24 | --- a/policy/modules/system/init.te | ||
25 | +++ b/policy/modules/system/init.te | ||
26 | @@ -134,7 +134,7 @@ ifdef(`enable_mls',` | ||
27 | |||
28 | # Use capabilities. old rule: | ||
29 | allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; | ||
30 | -allow init_t self:capability2 { wake_alarm block_suspend }; | ||
31 | +allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon }; | ||
32 | # is ~sys_module really needed? observed: | ||
33 | # sys_boot | ||
34 | # sys_tty_config | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 74d7428..b4da47d 100644 --- a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ee3e2bbaf3b94902aadebbb085c7e86b8d074e98 Mon Sep 17 00:00:00 2001 | 1 | From 7bcc117ea39532427df297299c10ca1d2948a70c Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Fri, 15 Jan 2016 03:47:05 -0500 | 3 | Date: Fri, 15 Jan 2016 03:47:05 -0500 |
4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for | 4 | Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for |
@@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
27 | 1 file changed, 4 insertions(+) | 27 | 1 file changed, 4 insertions(+) |
28 | 28 | ||
29 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | 29 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
30 | index b7d494398..b6750015e 100644 | 30 | index 932d1f7b3..36becaa6e 100644 |
31 | --- a/policy/modules/system/init.te | 31 | --- a/policy/modules/system/init.te |
32 | +++ b/policy/modules/system/init.te | 32 | +++ b/policy/modules/system/init.te |
33 | @@ -210,6 +210,10 @@ mls_process_write_all_levels(init_t) | 33 | @@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t) |
34 | mls_fd_use_all_levels(init_t) | 34 | mls_fd_use_all_levels(init_t) |
35 | mls_process_set_level(init_t) | 35 | mls_process_set_level(init_t) |
36 | 36 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch deleted file mode 100644 index aa49ac7..0000000 --- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 5db5b20728dff6c5e75dc07ea4feb6c507661b62 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 8 Jul 2020 13:53:28 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to | ||
5 | watch initrc_runtime_t | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { watch } for pid=200 comm="systemd-logind" | ||
9 | path="/run/utmp" dev="tmpfs" ino=12766 | ||
10 | scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 | ||
11 | tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0 | ||
12 | |||
13 | systemd-logind[200]: Failed to create inotify watch on /var/run/utmp, ignoring: Permission denied | ||
14 | |||
15 | Upstream-Status: Inappropriate [embedded specific] | ||
16 | |||
17 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
18 | --- | ||
19 | policy/modules/system/systemd.te | 2 ++ | ||
20 | 1 file changed, 2 insertions(+) | ||
21 | |||
22 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
23 | index 0411729ea..2d9d7d331 100644 | ||
24 | --- a/policy/modules/system/systemd.te | ||
25 | +++ b/policy/modules/system/systemd.te | ||
26 | @@ -651,6 +651,8 @@ init_stop_all_units(systemd_logind_t) | ||
27 | init_start_system(systemd_logind_t) | ||
28 | init_stop_system(systemd_logind_t) | ||
29 | |||
30 | +allow systemd_logind_t initrc_runtime_t:file watch; | ||
31 | + | ||
32 | locallogin_read_state(systemd_logind_t) | ||
33 | |||
34 | seutil_libselinux_linked(systemd_logind_t) | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch index 2832681..4b768e0 100644 --- a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch +++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8cdcca3702d69ed5f3aa9ce9d769ad483f977094 Mon Sep 17 00:00:00 2001 | 1 | From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001 |
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 | 3 | Date: Thu, 4 Feb 2016 06:03:19 -0500 |
4 | Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain | 4 | Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain |
@@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
43 | 1 file changed, 5 insertions(+) | 43 | 1 file changed, 5 insertions(+) |
44 | 44 | ||
45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | 45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
46 | index 7d2ba2796..c50a2ba64 100644 | 46 | index 1a83148c1..736107fad 100644 |
47 | --- a/policy/modules/system/systemd.te | 47 | --- a/policy/modules/system/systemd.te |
48 | +++ b/policy/modules/system/systemd.te | 48 | +++ b/policy/modules/system/systemd.te |
49 | @@ -1396,6 +1396,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) | 49 | @@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) |
50 | 50 | ||
51 | systemd_log_parse_environment(systemd_tmpfiles_t) | 51 | systemd_log_parse_environment(systemd_tmpfiles_t) |
52 | 52 | ||
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch deleted file mode 100644 index a4b387a..0000000 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch +++ /dev/null | |||
@@ -1,86 +0,0 @@ | |||
1 | From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 14 May 2019 16:02:19 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink | ||
5 | /dev/log | ||
6 | |||
7 | * Set labe devlog_t to symlink /dev/log | ||
8 | * Allow syslogd_t to manage devlog_t link file | ||
9 | |||
10 | Fixes: | ||
11 | avc: denied { unlink } for pid=250 comm="rsyslogd" name="log" | ||
12 | dev="devtmpfs" ino=10997 | ||
13 | scontext=system_u:system_r:syslogd_t:s15:c0.c1023 | ||
14 | tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0 | ||
15 | |||
16 | Upstream-Status: Inappropriate [embedded specific] | ||
17 | |||
18 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
19 | --- | ||
20 | policy/modules/system/logging.fc | 2 ++ | ||
21 | policy/modules/system/logging.if | 4 ++++ | ||
22 | policy/modules/system/logging.te | 1 + | ||
23 | 3 files changed, 7 insertions(+) | ||
24 | |||
25 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
26 | index a4ecd570a..02f0b6270 100644 | ||
27 | --- a/policy/modules/system/logging.fc | ||
28 | +++ b/policy/modules/system/logging.fc | ||
29 | @@ -1,4 +1,5 @@ | ||
30 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) | ||
31 | +/dev/log -l gen_context(system_u:object_r:devlog_t,s0) | ||
32 | |||
33 | /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) | ||
34 | /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) | ||
35 | @@ -24,6 +25,7 @@ | ||
36 | /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) | ||
37 | /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
38 | /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
39 | +/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) | ||
40 | /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
41 | /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | ||
42 | |||
43 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
44 | index 9bb3afdb2..7233a108c 100644 | ||
45 | --- a/policy/modules/system/logging.if | ||
46 | +++ b/policy/modules/system/logging.if | ||
47 | @@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',` | ||
48 | ') | ||
49 | |||
50 | allow $1 devlog_t:sock_file write_sock_file_perms; | ||
51 | + allow $1 devlog_t:lnk_file read_lnk_file_perms; | ||
52 | |||
53 | # systemd journal socket is in /run/systemd/journal/dev-log | ||
54 | init_search_run($1) | ||
55 | @@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',` | ||
56 | ') | ||
57 | |||
58 | allow $1 devlog_t:sock_file relabelto_sock_file_perms; | ||
59 | + allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; | ||
60 | ') | ||
61 | |||
62 | ######################################## | ||
63 | @@ -741,6 +743,8 @@ interface(`logging_create_devlog',` | ||
64 | |||
65 | allow $1 devlog_t:sock_file manage_sock_file_perms; | ||
66 | dev_filetrans($1, devlog_t, sock_file) | ||
67 | + allow $1 devlog_t:lnk_file manage_lnk_file_perms; | ||
68 | + dev_filetrans($1, devlog_t, lnk_file) | ||
69 | init_runtime_filetrans($1, devlog_t, sock_file, "syslog") | ||
70 | ') | ||
71 | |||
72 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
73 | index 9b3254f63..d864cfd3d 100644 | ||
74 | --- a/policy/modules/system/logging.te | ||
75 | +++ b/policy/modules/system/logging.te | ||
76 | @@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms; | ||
77 | |||
78 | # Create and bind to /dev/log or /var/run/log. | ||
79 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | ||
80 | +allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms; | ||
81 | files_runtime_filetrans(syslogd_t, devlog_t, sock_file) | ||
82 | init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") | ||
83 | |||
84 | -- | ||
85 | 2.17.1 | ||
86 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch new file mode 100644 index 0000000..60f7dae --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 71986d0c6775408a1c89415dd5d4e7ea03302248 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Thu, 18 Jun 2020 09:59:58 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t | ||
5 | MLS trusted for writing/reading from files up to its clearance | ||
6 | |||
7 | Fixes: | ||
8 | audit: type=1400 audit(1592892455.376:3): avc: denied { write } for | ||
9 | pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032 | ||
10 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
11 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
12 | permissive=0 | ||
13 | |||
14 | audit: type=1400 audit(1592892455.381:4): avc: denied { write } for | ||
15 | pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032 | ||
16 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
17 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
18 | permissive=0 | ||
19 | |||
20 | avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb" | ||
21 | dev="devtmpfs" ino=42 | ||
22 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
23 | tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 | ||
24 | tclass=blk_file permissive=0 | ||
25 | |||
26 | avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg" | ||
27 | dev="devtmpfs" ino=2060 | ||
28 | scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023 | ||
29 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
30 | permissive=0 | ||
31 | |||
32 | avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg" | ||
33 | dev="devtmpfs" ino=3081 | ||
34 | scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 | ||
35 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
36 | permissive=0 | ||
37 | |||
38 | Upstream-Status: Inappropriate [embedded specific] | ||
39 | |||
40 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
41 | --- | ||
42 | policy/modules/system/systemd.te | 12 ++++++++++++ | ||
43 | 1 file changed, 12 insertions(+) | ||
44 | |||
45 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
46 | index 736107fad..8cea6baa1 100644 | ||
47 | --- a/policy/modules/system/systemd.te | ||
48 | +++ b/policy/modules/system/systemd.te | ||
49 | @@ -341,6 +341,9 @@ fs_getattr_tmpfs(systemd_backlight_t) | ||
50 | fs_search_cgroup_dirs(systemd_backlight_t) | ||
51 | fs_getattr_cgroup(systemd_backlight_t) | ||
52 | |||
53 | +mls_file_read_to_clearance(systemd_backlight_t) | ||
54 | +mls_file_write_to_clearance(systemd_backlight_t) | ||
55 | + | ||
56 | ####################################### | ||
57 | # | ||
58 | # Binfmt local policy | ||
59 | @@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t) | ||
60 | |||
61 | udev_search_runtime(systemd_generator_t) | ||
62 | |||
63 | +mls_file_read_to_clearance(systemd_generator_t) | ||
64 | +mls_file_write_to_clearance(systemd_generator_t) | ||
65 | + | ||
66 | ifdef(`distro_gentoo',` | ||
67 | corecmd_shell_entry_type(systemd_generator_t) | ||
68 | ') | ||
69 | @@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t) | ||
70 | userdom_use_user_ttys(systemd_logind_t) | ||
71 | domain_read_all_domains_state(systemd_logind_t) | ||
72 | |||
73 | +mls_file_read_to_clearance(systemd_logind_t) | ||
74 | +mls_file_write_to_clearance(systemd_logind_t) | ||
75 | + | ||
76 | # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x | ||
77 | # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 | ||
78 | # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context | ||
79 | @@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t) | ||
80 | fs_search_cgroup_dirs(systemd_rfkill_t) | ||
81 | fs_getattr_cgroup(systemd_rfkill_t) | ||
82 | |||
83 | +mls_file_read_to_clearance(systemd_rfkill_t) | ||
84 | +mls_file_write_to_clearance(systemd_rfkill_t) | ||
85 | + | ||
86 | ######################################### | ||
87 | # | ||
88 | # Resolved local policy | ||
89 | -- | ||
90 | 2.17.1 | ||
91 | |||
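Review bot: The pair `mls_file_read_to_clearance(systemd_logind_t)` / `mls_file_write_to_clearance(systemd_logind_t)` at lines 73–74 of the new patch is not backed by any of the AVC denials quoted in the description, and the backlight and rfkill denials show only `write` on kmsg_device_t while both domains also receive the read interface. As the interface names indicate, each pair widens what that domain may read and write up to its MLS clearance, so the description should cite the denial that motivated each grant, or the grants should be trimmed to what was actually observed. A one-line comment above each pair would keep the intent reviewable on the next rebase, e.g. `# systemd-generator writes /dev/kmsg and reads fixed-disk devices labelled above s0` for the systemd_generator_t block. The `systemd-*` wording in the Subject leaves the scope open-ended; naming the four domains in the body would make later additions show up as deliberate changes.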
diff --git a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch index d208752..75be11d 100644 --- a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch +++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4e7b0040ff558f2d69c8b9a30e73223acb20f35f Mon Sep 17 00:00:00 2001 | 1 | From 511f7fdad45a150f7ea3666eb51463573eabab0a Mon Sep 17 00:00:00 2001 |
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
4 | Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted | 4 | Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted |
@@ -18,15 +18,15 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | |||
18 | 1 file changed, 4 insertions(+) | 18 | 1 file changed, 4 insertions(+) |
19 | 19 | ||
20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | 20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
21 | index 62caa7a56..e608327fe 100644 | 21 | index 5b4b5ec5d..e67c25a9e 100644 |
22 | --- a/policy/modules/system/logging.te | 22 | --- a/policy/modules/system/logging.te |
23 | +++ b/policy/modules/system/logging.te | 23 | +++ b/policy/modules/system/logging.te |
24 | @@ -495,6 +495,10 @@ fs_search_auto_mountpoints(syslogd_t) | 24 | @@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t) |
25 | fs_search_tmpfs(syslogd_t) | 25 | fs_search_tmpfs(syslogd_t) |
26 | 26 | ||
27 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories | 27 | mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories |
28 | +mls_file_read_all_levels(syslogd_t) | 28 | +mls_file_read_all_levels(syslogd_t) |
29 | +mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram | 29 | +mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram |
30 | +mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log | 30 | +mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log |
31 | +mls_fd_use_all_levels(syslogd_t) | 31 | +mls_fd_use_all_levels(syslogd_t) |
32 | 32 | ||
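--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: support systemd --user
-
-Fixes:
-$ systemctl status user@0.service
-* user@0.service - User Manager for UID 0
-Loaded: loaded (/lib/systemd/system/user@.service; static)
-Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
-Docs: man:user@.service(5)
-Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
-Main PID: 1502 (code=exited, status=1/FAILURE)
-
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 2 +
-policy/modules/system/init.if | 1 +
-policy/modules/system/logging.te | 5 ++-
-policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
-4 files changed, 81 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1642f3b93..1de7e441d 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
-# Allow sysadm to resolve the username of dynamic users by calling
-# LookupDynamicUserByUID on org.freedesktop.systemd1.
-init_dbus_chat(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
-')
-
-tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ba533ba1a..98e94283f 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
-')
-
-allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d864cfd3d..bdd97631c 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
-# for systemd-journal
-allow syslogd_t self:netlink_audit_socket connected_socket_perms;
-allow syslogd_t self:capability2 audit_read;
-- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
-allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-
-# remove /run/log/journal when switching to permanent storage
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
-systemd_manage_journal_files(syslogd_t)
-
-udev_read_runtime_files(syslogd_t)
-+
-+ userdom_search_user_runtime(syslogd_t)
-+ systemd_search_user_runtime(syslogd_t)
-')
-
-ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6a66a2d79..152139261 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -30,6 +30,7 @@ template(`systemd_role_template',`
-attribute systemd_user_session_type, systemd_log_parse_env_type;
-type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-type systemd_run_exec_t, systemd_analyze_exec_t;
-+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
-')
-
-#################################
-@@ -55,10 +56,42 @@ template(`systemd_role_template',`
-
-allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
-+ allow $1_systemd_t self:process setrlimit;
-+
-+ kernel_getattr_proc($1_systemd_t)
-+ fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+
-+ userdom_search_user_home_dirs($1_systemd_t)
-+ allow $1_systemd_t $3:dir search_dir_perms;
-+ allow $1_systemd_t $3:file read_file_perms;
-+
-+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
-+
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+
-# This domain is per-role because of the below transitions.
-# See the systemd --user section of systemd.te for the
-# remainder of the rules.
-- allow $1_systemd_t $3:process { setsched rlimitinh };
-+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
-corecmd_shell_domtrans($1_systemd_t, $3)
-corecmd_bin_domtrans($1_systemd_t, $3)
-allow $1_systemd_t self:process signal;
-@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
-init_search_runtime($1)
-allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-init_unix_stream_socket_connectto($1)
-')
-
-@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
-allow $1 systemd_machined_t:fd use;
-allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
-')
-+
-+#########################################
-+## <summary>
-+## sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow $1 sysadm_systemd_t:system reload;
-+')
-+
-+#######################################
-+## <summary>
-+## Search systemd users runtime directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_search_user_runtime',`
-+ gen_require(`
-+ type systemd_user_runtime_t;
-+ ')
-+
-+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
-+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
-+')
---
-2.17.1
-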
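--- a/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -1,4 +1,4 @@
-From bbb405ac6270ef945db21cfddda63d283ee5d8af Mon Sep 17 00:00:00 2001
+From 3f875fae6d9a4538b3e7d33f30dd2a98fc9ea2bd Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Tue, 28 May 2019 16:41:37 +0800
 Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
@@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 1 insertion(+)
 
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index b6750015e..962c675b0 100644
+index 36becaa6e..9c0a98eb7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -209,6 +209,7 @@ mls_file_write_all_levels(init_t)
+@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 mls_process_set_level(init_t)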
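--- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 954a49ec0a4dc64fd9e513abe7a737d956b337ca Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 9 Feb 2021 17:50:24 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd-generators to
-get the attributes of tmpfs and cgroup
-
-* Allow systemd-generators to get the attributes of a tmpfs
-* Allow systemd-generators to get the attributes of cgroup filesystems
-
-Fixes:
-systemd[95]: /lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=98 comm="systemd-getty-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=104 comm="systemd-sysv-ge" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g" name="/"
-dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=100 comm="systemd-hiberna" name="/"
-dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=99 comm="systemd-gpt-aut" name="/"
-dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
-
-avc: denied { getattr } for pid=97 comm="systemd-fstab-g"
-path="/var/volatile" dev="vda" ino=37131
-scontext=system_u:system_r:systemd_generator_t
-tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2d9d7d331..c1111198d 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -431,6 +431,9 @@ files_list_usr(systemd_generator_t)
-
-fs_list_efivars(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
-+fs_getattr_tmpfs(systemd_generator_t)
-+fs_getattr_cgroup(systemd_generator_t)
-+kernel_getattr_unlabeled_dirs(systemd_generator_t)
-
-init_create_runtime_files(systemd_generator_t)
-init_manage_runtime_dirs(systemd_generator_t)
---
-2.17.1
-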
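--- a/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -1,4 +1,4 @@
-From 2780811e48663df0265676749a4041c077ae6a89 Mon Sep 17 00:00:00 2001
+From a59dae035b7d5063e0f25c4cf40b5b180ad69022 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan <wenzong.fan@windriver.com>
 Date: Wed, 3 Feb 2016 04:16:06 -0500
 Subject: [PATCH] policy/modules/system/init: all init_t to read any level
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 962c675b0..aa57a5661 100644
+index 9c0a98eb7..5a19f0e43 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -215,6 +215,9 @@ mls_key_write_all_levels(init_t)
+@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t)
 mls_file_downgrade(init_t)
 mls_file_upgrade(init_t)
 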
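--- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8b0bb1e349e2ea021acec1639be0802ac4d7d0c2 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 15:13:50 +0800
-Subject: [PATCH] policy/modules/system/systemd: allow systemd_backlight_t to
-read kernel sysctl
-
-Fixes:
-avc: denied { search } for pid=354 comm="systemd-backlig" name="sys"
-dev="proc" ino=4026531854
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c1111198d..7d2ba2796 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -324,6 +324,8 @@ udev_read_runtime_files(systemd_backlight_t)
-
-files_search_var_lib(systemd_backlight_t)
-
-+kernel_read_kernel_sysctls(systemd_backlight_t)
-+
-#######################################
-#
-# Binfmt local policy
---
-2.17.1
-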
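--- a/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -1,4 +1,4 @@
-From a74584ba424cd5e392db2a64b4ec66ebb307eb4c Mon Sep 17 00:00:00 2001
+From 96437ba860d352304246fbe3381030da0665f239 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan <wenzong.fan@windriver.com>
 Date: Thu, 25 Feb 2016 04:25:08 -0500
 Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
@@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 2 insertions(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e608327fe..bdd5c9dff 100644
+index e67c25a9e..f8d8b73f0 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -211,6 +211,8 @@ miscfiles_read_localization(auditd_t)
+@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t)
 
 mls_file_read_all_levels(auditd_t)
 mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory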
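--- a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5973dc3824b395ce9f6620e3ae432664cc357b66 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 4 Feb 2016 02:10:15 -0500
-Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
-failures
-
-Fixes:
-avc: denied { audit_control } for pid=109 comm="systemd-journal"
-capability=30 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-journal" name="/"
-dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
-tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/logging.te | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index bdd97631c..62caa7a56 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -492,6 +492,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
-
-fs_getattr_all_fs(syslogd_t)
-fs_search_auto_mountpoints(syslogd_t)
-+fs_search_tmpfs(syslogd_t)
-
-mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-
-@@ -552,6 +553,8 @@ ifdef(`init_systemd',`
-# needed for systemd-initrd case when syslog socket is unlabelled
-logging_send_syslog_msg(syslogd_t)
-
-+ logging_set_loginuid(syslogd_t)
-+
-systemd_manage_journal_files(syslogd_t)
-
-udev_read_runtime_files(syslogd_t)
---
-2.17.1
-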
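--- a/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
+++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -1,4 +1,4 @@
-From 1bcb41c20d666761bb407bf34c9e3391e16449a7 Mon Sep 17 00:00:00 2001
+From 102255e89863c5a31d0d6c8df67b258d819b9a68 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Thu, 31 Oct 2019 17:35:59 +0800
 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
@@ -11,22 +11,21 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
-policy/modules/kernel/kernel.te | 2 ++
-1 file changed, 2 insertions(+)
+policy/modules/kernel/kernel.te | 1 +
+1 file changed, 1 insertion(+)
 
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8f67c6ec9..fbcf1413f 100644
+index 1c53754ee..2031576e0 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -362,6 +362,8 @@ mls_fd_use_all_levels(kernel_t)
+@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
 # https://bugzilla.redhat.com/show_bug.cgi?id=667370
 mls_file_downgrade(kernel_t)
-
 +mls_key_write_all_levels(kernel_t)
-+
+
 ifdef(`distro_redhat',`
 # Bugzilla 222337
-fs_rw_tmpfs_chr_files(kernel_t)
 --
 2.17.1
 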
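Review bot: In the rebased hunk the added `mls_key_write_all_levels(kernel_t)` now sits directly under `mls_file_downgrade(kernel_t)` with no separating blank line, so the `# https://bugzilla.redhat.com/show_bug.cgi?id=667370` comment above reads as if it justified the new rule too; the previous version of the patch kept a blank line between them. Since the rule grants kernel_t a write path across all MLS levels, its rationale is worth stating in the policy source rather than only in the patch header, e.g. add `+# let kernel_t write keys at all MLS levels (see this patch's description)` immediately above the new line. The diffstat lines were updated to match the single insertion, which is consistent.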
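--- a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e8ff96c9bb98305d1b50fccce67025df3ebbf184 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 23 May 2019 15:52:17 +0800
-Subject: [PATCH] policy/modules/services/cron: allow crond_t to search
-logwatch_cache_t
-
-Fixes:
-avc: denied { search } for pid=234 comm="crond" name="logcheck"
-dev="vda" ino=29080 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/cron.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index 2902820b0..36eb33060 100644
---- a/policy/modules/services/cron.te
-+++ b/policy/modules/services/cron.te
-@@ -318,6 +318,8 @@ miscfiles_read_localization(crond_t)
-
-userdom_list_user_home_dirs(crond_t)
-
-+logwatch_search_cache_dir(crond_t)
-+
-tunable_policy(`cron_userdomain_transition',`
-dontaudit crond_t cronjob_t:process transition;
-dontaudit crond_t cronjob_t:fd use;
---
-2.17.1
-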
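--- a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1571e6da8a90bb325a94330dcd130d56bae30b37 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Thu, 20 Feb 2014 17:07:05 +0800
-Subject: [PATCH] policy/modules/services/crontab: allow sysadm_r to run
-crontab
-
-This permission has been given if release is not redhat; but we want it
-even we define distro_redhat
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 8 ++++----
-1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1de7e441d..129e94229 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -1277,6 +1277,10 @@ optional_policy(`
-zebra_admin(sysadm_t, sysadm_r)
-')
-
-+optional_policy(`
-+ cron_admin_role(sysadm_r, sysadm_t)
-+')
-+
-ifndef(`distro_redhat',`
-optional_policy(`
-auth_role(sysadm_r, sysadm_t)
-@@ -1295,10 +1299,6 @@ ifndef(`distro_redhat',`
-chromium_role(sysadm_r, sysadm_t)
-')
-
-- optional_policy(`
-- cron_admin_role(sysadm_r, sysadm_t)
-- ')
--
-optional_policy(`
-cryfs_role(sysadm_r, sysadm_t)
-')
---
-2.17.1
-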
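--- a/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
@@ -1,4 +1,4 @@
-From e6a08769138d68582c72fe28ed7dd51c118654a5 Mon Sep 17 00:00:00 2001
+From 5fa9e03a3b90f97e573a7724cd9d49b53730d083 Mon Sep 17 00:00:00 2001
 From: Roy Li <rongqing.li@windriver.com>
 Date: Sat, 22 Feb 2014 13:35:38 +0800
 Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
@@ -13,10 +13,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 2 insertions(+)
 
 diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 78bd6e2eb..0dd3a63cd 100644
+index 25aadfc5f..564e2d4d1 100644
 --- a/policy/modules/system/setrans.te
 +++ b/policy/modules/system/setrans.te
-@@ -71,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
+@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t)
 mls_socket_write_all_levels(setrans_t)
 mls_process_read_all_levels(setrans_t)
 mls_socket_read_all_levels(setrans_t)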
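--- a/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -1,4 +1,4 @@
-From abb0ef8967130c6a31b45d6dfb0970cf8415fec6 Mon Sep 17 00:00:00 2001
+From fe70aaf9a104b4b0c3439d2767eccb0136951f08 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Mon, 22 Feb 2021 11:28:12 +0800
 Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
@@ -24,13 +24,13 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 152139261..320619289 100644
+index 5c44d8d8a..5f2038f22 100644
 --- a/policy/modules/system/systemd.if
 +++ b/policy/modules/system/systemd.if
-@@ -113,6 +113,9 @@ template(`systemd_role_template',`
-
-seutil_read_file_contexts($1_systemd_t)
-seutil_search_default_contexts($1_systemd_t)
+@@ -171,6 +171,9 @@ template(`systemd_role_template',`
+xdg_read_config_files($1_systemd_t)
+xdg_read_data_files($1_systemd_t)
+')
 +
 + mls_file_read_all_levels($1_systemd_t)
 + mls_file_write_all_levels($1_systemd_t)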
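--- a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7418cd97f2c92579bd4d18cbd9063f811ff9a81e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 9 Feb 2021 16:42:36 +0800
-Subject: [PATCH] policy/modules/services/acpi: allow acpid to watch the
-directories in /dev
-
-Fixes:
-acpid: inotify_add_watch() failed: Permission denied (13)
-
-avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
-dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/acpi.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
-index 69f1dab4a..5c22adecd 100644
---- a/policy/modules/services/acpi.te
-+++ b/policy/modules/services/acpi.te
-@@ -105,6 +105,7 @@ dev_rw_acpi_bios(acpid_t)
-dev_rw_sysfs(acpid_t)
-dev_dontaudit_getattr_all_chr_files(acpid_t)
-dev_dontaudit_getattr_all_blk_files(acpid_t)
-+dev_watch_dev_dirs(acpid_t)
-
-files_exec_etc_files(acpid_t)
-files_read_etc_runtime_files(acpid_t)
---
-2.17.1
-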
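--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -0,0 +1,48 @@
+From f8a12b28b70689ab520e7ae94d306afe9dcbb556 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 17:31:45 +0800
+Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
+trusted.
+
+Make syslogd_runtime_t MLS trusted to allow all levels to read and write
+the object.
+
+Fixes:
+avc: denied { search } for pid=314 comm="useradd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=319 comm="passwd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=374 comm="rpc.statd" name="journal"
+dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index f8d8b73f0..badf56f16 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -438,6 +438,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+
++mls_trusted_object(syslogd_runtime_t)
++
+kernel_read_crypto_sysctls(syslogd_t)
+kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
+--
+2.17.1
+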
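Review bot: `mls_trusted_object(syslogd_runtime_t)` at line 41 of the new patch grants far more than the denials it cites justify: all three avc records are `{ search }` on the journal directory, but adding the type to the trusted-object attribute exempts every syslogd_runtime_t object from the MLS read and write constraints for every subject, so separation of s15 journal runtime content from lower-level domains now rests on TE rules alone. The per-domain patches this commit deletes (0078, 0079, 0080, 0083 through 0087) solved the same denials on the subject side with `mls_file_read_to_clearance(<domain>)`, which keeps the dominance check, and the description should say why the object-side exemption was preferred, for example `Replace the per-domain mls_file_read_to_clearance patches with one object-side exemption; journal runtime data on this distro is not level-separated.` The patch is marked `Upstream-Status: Pending`, so that rationale will be asked for upstream as well. The third record names `syslogd_var_run_t` while the rule targets `syslogd_runtime_t`; if the former is an alias of the latter in this policy version this is harmless, otherwise the record comes from a different build and should be re-captured.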
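--- a/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 84c69d220ffdd039b88a34f9afc127274a985541 Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 22 Feb 2014 13:35:38 +0800
-Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
-/sys/fs/selinux
-
-1. mcstransd failed to boot-up since the below permission is denied
-statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
-
-2. other programs can not connect to /run/setrans/.setrans-unix
-avc: denied { connectto } for pid=2055 comm="ls"
-path="/run/setrans/.setrans-unix"
-scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:setrans_t:s15:c0.c1023
-tclass=unix_stream_socket
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/setrans.te | 4 +---
-1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 25aadfc5f..78bd6e2eb 100644
---- a/policy/modules/system/setrans.te
-+++ b/policy/modules/system/setrans.te
-@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
-type setrans_unit_t;
-init_unit_file(setrans_unit_t)
-
--ifdef(`distro_debian',`
-- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
--')
-+init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
-
-ifdef(`enable_mcs',`
-init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
---
-2.17.1
-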
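--- a/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 291d3329c280b6b8b70fcc3092ac4d3399936825 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 29 Jun 2020 10:32:25 +0800
-Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
-dirs
-
-Fixes:
-Failed to add a watch for /run/systemd/ask-password: Permission denied
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 129e94229..a4abaefe4 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -83,6 +83,9 @@ ifdef(`init_systemd',`
-init_dbus_chat(sysadm_t)
-
-systemd_sysadm_user(sysadm_t)
-+
-+ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
-+ allow sysadm_t systemd_passwd_runtime_t:dir watch;
-')
-
-tunable_policy(`allow_ptrace',`
---
-2.17.1
-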
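--- a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From bc821718f7e9575a67c4667decad937cbe5f8514 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 2 Mar 2021 14:25:03 +0800
-Subject: [PATCH] policy/modules/system/selinux: allow setfiles_t to read
-kernel sysctl
-
-Fixes:
-avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
-dev="proc" ino=1241
-scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
-
-avc: denied { open } for pid=171 comm="restorecon"
-path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
-scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
-
-avc: denied { getattr } for pid=171 comm="restorecon" name="/"
-dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/selinuxutil.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index a505b3987..a26f8db03 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -597,6 +597,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-kernel_getattr_debugfs(setfiles_t)
-+kernel_read_kernel_sysctls(setfiles_t)
-+kernel_getattr_proc(setfiles_t)
-
-dev_read_urand(setfiles_t)
-dev_relabel_all_dev_nodes(setfiles_t)
---
-2.17.1
-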
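--- a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7021844f20c5d5c885edf87abf8ce3329bcc5836 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 23 Jan 2017 08:42:44 +0000
-Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
-trusted for reading from files up to its clearance.
-
-Fixes:
-avc: denied { search } for pid=184 comm="systemd-logind"
-name="journal" dev="tmpfs" ino=10949
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=1
-
-avc: denied { watch } for pid=184 comm="systemd-logind"
-path="/run/utmp" dev="tmpfs" ino=12725
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c50a2ba64..a7390b1cd 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -693,6 +693,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
-userdom_setattr_user_ttys(systemd_logind_t)
-userdom_use_user_ttys(systemd_logind_t)
-
-+mls_file_read_to_clearance(systemd_logind_t)
-+
-# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
-# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
-# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
---
-2.17.1
-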
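--- a/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 6e3e1a5f79d6deab2966fc74c64720e90d248f3d Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 18 Jun 2020 09:39:23 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-user-sessions: make
-systemd_sessions_t MLS trusted for reading/writing from files at all levels
-
-Fixes:
-avc: denied { search } for pid=229 comm="systemd-user-se"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { write } for pid=229 comm="systemd-user-se" name="kmsg"
-dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a7390b1cd..f0b0e8b92 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1261,6 +1261,8 @@ seutil_read_file_contexts(systemd_sessions_t)
-
-systemd_log_parse_environment(systemd_sessions_t)
-
-+mls_file_read_to_clearance(systemd_sessions_t)
-+mls_file_write_all_levels(systemd_sessions_t)
-
-#########################################
-#
---
-2.17.1
-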
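--- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 18 Jun 2020 09:59:58 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
-MLS trusted for writing/reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=219 comm="systemd-network"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=220 comm="systemd-resolve"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=15102
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=142 comm="systemd-modules"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
-pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
-pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
-dev="devtmpfs" ino=42
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
-tclass=blk_file permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam" name="/"
-dev="tmpfs" ino=17310
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-rfkill"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
-dev="devtmpfs" ino=2060
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { search } for pid=354 comm="systemd-backlig"
-name="journal" dev="tmpfs" ino=1183
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 17 +++++++++++++++++
-1 file changed, 17 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f0b0e8b92..7b2d359b7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
-
-kernel_read_kernel_sysctls(systemd_backlight_t)
-
-+mls_file_write_to_clearance(systemd_backlight_t)
-+mls_file_read_to_clearance(systemd_backlight_t)
-+
-#######################################
-#
-# Binfmt local policy
-@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
-
-term_use_unallocated_ttys(systemd_generator_t)
-
-+mls_file_write_to_clearance(systemd_generator_t)
-+mls_file_read_to_clearance(systemd_generator_t)
-+
-ifdef(`distro_gentoo',`
-corecmd_shell_entry_type(systemd_generator_t)
-')
-@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
-
-systemd_log_parse_environment(systemd_hostnamed_t)
-
-+mls_file_read_to_clearance(systemd_hostnamed_t)
-+
-optional_policy(`
-dbus_connect_system_bus(systemd_hostnamed_t)
-dbus_system_bus_client(systemd_hostnamed_t)
-@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
-
-systemd_log_parse_environment(systemd_modules_load_t)
-
-+mls_file_read_to_clearance(systemd_modules_load_t)
-+
-########################################
-#
-# networkd local policy
-@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
-
-systemd_log_parse_environment(systemd_networkd_t)
-
-+mls_file_read_to_clearance(systemd_networkd_t)
-+
-optional_policy(`
-dbus_system_bus_client(systemd_networkd_t)
-dbus_connect_system_bus(systemd_networkd_t)
-@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
-
-systemd_log_parse_environment(systemd_rfkill_t)
-
-+mls_file_write_to_clearance(systemd_rfkill_t)
-+mls_file_read_to_clearance(systemd_rfkill_t)
-+
-#########################################
-#
-# Resolved local policy
-@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
-
-seutil_read_file_contexts(systemd_resolved_t)
-
-+mls_file_read_to_clearance(systemd_resolved_t)
-+
-systemd_log_parse_environment(systemd_resolved_t)
-systemd_read_networkd_runtime(systemd_resolved_t)
-
---
-2.17.1
-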
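--- a/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a105ea8b48c5e9ada567c7f6347f3875df7098a0 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 18 Jun 2020 10:21:04 +0800
-Subject: [PATCH] policy/modules/services/ntp: make nptd_t MLS trusted for
-reading from files at all levels
-
-Fixes:
-avc: denied { search } for pid=193 comm="systemd-timesyn"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { read } for pid=193 comm="systemd-timesyn" name="dbus"
-dev="tmpfs" ino=13971 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/ntp.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index 1626ae87a..c8a1f041b 100644
---- a/policy/modules/services/ntp.te
-+++ b/policy/modules/services/ntp.te
-@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
-userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_user_home_dirs(ntpd_t)
-
-+mls_file_read_all_levels(ntpd_t)
-+
-ifdef(`init_systemd',`
-allow ntpd_t self:process setfscreate;
-
---
-2.17.1
-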
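--- a/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 15c99854aa21564a6eb1121f58f55a9626ba6297 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 10 Jul 2020 09:07:00 +0800
-Subject: [PATCH] policy/modules/services/acpi: make acpid_t domain MLS trusted
-for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=265 comm="acpid" name="journal"
-dev="tmpfs" ino=14165 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/acpi.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
-index 5c22adecd..bd442ff8a 100644
---- a/policy/modules/services/acpi.te
-+++ b/policy/modules/services/acpi.te
-@@ -157,6 +157,8 @@ userdom_dontaudit_use_unpriv_user_fds(acpid_t)
-userdom_dontaudit_search_user_home_dirs(acpid_t)
-userdom_dontaudit_search_user_home_content(acpid_t)
-
-+mls_file_read_to_clearance(acpid_t)
-+
-optional_policy(`
-automount_domtrans(acpid_t)
-')
---
-2.17.1
-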
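--- a/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5cd8a1121685c269238c89ea22743441541cf108 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 23 Jun 2020 08:19:16 +0800
-Subject: [PATCH] policy/modules/services/avahi: make avahi_t MLS trusted for
-reading from files up to its clearance
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/avahi.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index 674cdcb81..8ddd922e5 100644
---- a/policy/modules/services/avahi.te
-+++ b/policy/modules/services/avahi.te
-@@ -95,6 +95,8 @@ sysnet_etc_filetrans_config(avahi_t)
-userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-userdom_dontaudit_search_user_home_dirs(avahi_t)
-
-+mls_file_read_to_clearance(avahi_t)
-+
-optional_policy(`
-dbus_system_domain(avahi_t, avahi_exec_t)
-
---
-2.17.1
-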
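--- a/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3c74f403cb38410ea7e1de0e61dafa80a60c5ba5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 10 Jul 2020 09:18:12 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: make bluetooth_t domain
-MLS trusted for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=268 comm="bluetoothd" name="journal"
-dev="tmpfs" ino=14165
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/bluetooth.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index b3df695db..931021346 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -132,6 +132,8 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
-init_dbus_send_script(bluetooth_t)
-systemd_dbus_chat_hostnamed(bluetooth_t)
-
-+mls_file_read_to_clearance(bluetooth_t)
-+
-optional_policy(`
-dbus_system_bus_client(bluetooth_t)
-dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-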
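--- a/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 1ab2ca67db9205f484ebce022be9c9a42bacc802 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 23 Feb 2017 08:18:36 +0000
-Subject: [PATCH] policy/modules/system/sysnetwork: make dhcpc_t domain MLS
-trusted for reading from files up to its clearance
-
-Allow dhcpc_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=218 comm="dhclient" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/sysnetwork.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a9297f976..b6fd3f907 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -170,6 +170,8 @@ sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-userdom_use_user_terminals(dhcpc_t)
-userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-
-+mls_file_read_to_clearance(dhcpc_t)
-+
-ifdef(`distro_redhat', `
-files_exec_etc_files(dhcpc_t)
-')
---
-2.17.1
-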
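--- a/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2a54a7cab41aaddc113ed71d68f82e37661c3487 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 3 Jul 2020 08:57:51 +0800
-Subject: [PATCH] policy/modules/services/inetd: make inetd_t domain MLS
-trusted for reading from files up to its clearance
-
-Allow inetd_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=286 comm="xinetd" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/inetd.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index 1a6ad6e1a..8d1fc0241 100644
---- a/policy/modules/services/inetd.te
-+++ b/policy/modules/services/inetd.te
-@@ -161,6 +161,7 @@ mls_socket_read_to_clearance(inetd_t)
-mls_socket_write_to_clearance(inetd_t)
-mls_net_outbound_all_levels(inetd_t)
-mls_process_set_level(inetd_t)
-+mls_file_read_to_clearance(inetd_t)
-
-userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_user_home_dirs(inetd_t)
---
-2.17.1
-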
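--- a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 3 Jul 2020 09:42:21 +0800
-Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted
-for reading from files up to its clearance
-
-Allow named_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=295 comm="isc-worker0000"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:named_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/bind.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index bf50763bd..be1813cb9 100644
---- a/policy/modules/services/bind.te
-+++ b/policy/modules/services/bind.te
-@@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t)
-userdom_dontaudit_use_unpriv_user_fds(named_t)
-userdom_dontaudit_search_user_home_dirs(named_t)
-
-+mls_file_read_to_clearance(named_t)
-+
-tunable_policy(`named_tcp_bind_http_port',`
-corenet_sendrecv_http_server_packets(named_t)
-corenet_tcp_bind_http_port(named_t)
---
-2.17.1
-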
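--- a/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58cdf21546b973b458a26ea4b3a523275a80aca5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 30 May 2019 08:30:06 +0800
-Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
-reading from files up to its clearance
-
-Fixes:
-type=AVC msg=audit(1559176077.169:242): avc: denied { search } for
-pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
-scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/services/rpc.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 9618df04e..84caefbbb 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -275,6 +275,8 @@ seutil_dontaudit_search_config(rpcd_t)
-
-userdom_signal_all_users(rpcd_t)
-
-+mls_file_read_to_clearance(rpcd_t)
-+
-ifdef(`distro_debian',`
-term_dontaudit_use_unallocated_ttys(rpcd_t)
-')
---
-2.17.1
-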
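--- a/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 311d4759340f2af1e1e157d571802e4367e0a46b Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 2 Aug 2021 09:38:39 +0800
-Subject: [PATCH] fc/usermanage: update file context for chfn/chsh
-
-The util-linux has provided chfn and chsh since oe-core commit
-804c6b5bd3d398d5ea2a45d6bcc23c76e328ea3f. Update the file context for
-them.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/admin/usermanage.fc | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 6a051f8a5..bf1ff09ab 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -5,8 +5,10 @@ ifdef(`distro_debian',`
-/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
-/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
-/usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
-/usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
-/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
---
-2.17.1
-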
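--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,5 +1,3 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
 SECTION = "admin"
 LICENSE = "GPLv2"
 
@@ -24,91 +22,61 @@ SRC_URI += " \
 file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
 file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
 file://0006-fc-login-apply-login-context-to-login.shadow.patch \
-file://0007-fc-bind-fix-real-path-for-bind.patch \
-file://0008-fc-hwclock-add-hwclock-alternatives.patch \
-file://0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
-file://0010-fc-ssh-apply-policy-to-ssh-alternatives.patch \
-file://0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
-file://0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
-file://0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
-file://0014-fc-su-apply-policy-to-su-alternatives.patch \
-file://0015-fc-fstools-fix-real-path-for-fstools.patch \
-file://0016-fc-init-fix-update-alternatives-for-sysvinit.patch \
-file://0017-fc-brctl-apply-policy-to-brctl-alternatives.patch \
-file://0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
-file://0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
-file://0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
-file://0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
-file://0022-fc-ldap-apply-policy-to-ldap-alternatives.patch \
-file://0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
-file://0024-fc-screen-apply-policy-to-screen-alternatives.patch \
-file://0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
-file://0026-fc-getty-add-file-context-to-start_getty.patch \
-file://0027-fc-init-add-file-context-to-etc-network-if-files.patch \
-file://0028-fc-vlock-apply-policy-to-vlock-alternatives.patch \
-file://0029-fc-cron-apply-policy-to-etc-init.d-crond.patch \
-file://0030-fc-sysnetwork-update-file-context-for-ifconfig.patch \
-file://0031-file_contexts.subs_dist-set-aliase-for-root-director.patch \
-file://0032-policy-modules-system-logging-add-rules-for-the-syml.patch \
-file://0033-policy-modules-system-logging-add-rules-for-syslogd-.patch \
-file://0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
-file://0035-policy-modules-system-logging-fix-auditd-startup-fai.patch \
-file://0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
-file://0037-policy-modules-system-modutils-allow-mod_t-to-access.patch \
-file://0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch \
-file://0039-policy-modules-system-getty-allow-getty_t-to-search-.patch \
-file://0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch \
-file://0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch \
-file://0042-policy-modules-services-rpc-add-capability-dac_read_.patch \
-file://0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
-file://0044-policy-modules-services-rngd-fix-security-context-fo.patch \
-file://0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch \
-file://0046-policy-modules-services-ssh-make-respective-init-scr.patch \
-file://0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch \
-file://0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch \
-file://0049-policy-modules-system-systemd-enable-support-for-sys.patch \
-file://0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
-file://0051-policy-modules-system-init-add-capability2-bpf-and-p.patch \
-file://0052-policy-modules-system-systemd-allow-systemd_logind_t.patch \
-file://0053-policy-modules-system-logging-set-label-devlog_t-to-.patch \
-file://0054-policy-modules-system-systemd-support-systemd-user.patch \
-file://0055-policy-modules-system-systemd-allow-systemd-generato.patch \
-file://0056-policy-modules-system-systemd-allow-systemd_backligh.patch \
-file://0057-policy-modules-system-logging-fix-systemd-journald-s.patch \
-file://0058-policy-modules-services-cron-allow-crond_t-to-search.patch \
-file://0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch \
-file://0060-policy-modules-system-sysnetwork-support-priviledge-.patch \
-file://0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch \
-file://0062-policy-modules-system-setrans-allow-setrans-to-acces.patch \
-file://0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
-file://0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch \
-file://0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch \
-file://0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
-file://0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
-file://0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
-file://0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
-file://0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
-file://0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
-file://0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
-file://0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
-file://0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
-file://0075-policy-modules-system-init-all-init_t-to-read-any-le.patch \
-file://0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
-file://0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
-file://0078-policy-modules-system-systemd-make-systemd-logind-do.patch \
-file://0079-policy-modules-system-systemd-systemd-user-sessions-.patch \
-file://0080-policy-modules-system-systemd-systemd-make-systemd_-.patch \
-file://0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch \
-file://0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
-file://0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch \
-file://0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch \
-file://0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch \
-file://0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch \
-file://0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch \
-file://0088-policy-modules-services-bind-make-named_t-domain-MLS.patch \
-file://0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch \
-file://0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
-file://0091-fc-usermanage-update-file-context-for-chfn-chsh.patch \
+file://0007-fc-hwclock-add-hwclock-alternatives.patch \
+file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
+file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+file://0013-fc-su-apply-policy-to-su-alternatives.patch \
+file://0014-fc-fstools-fix-real-path-for-fstools.patch \
+file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \
+file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \
+file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+file://0025-fc-getty-add-file-context-to-start_getty.patch \
+file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \
+file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
+file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
+file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
+file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \
+file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
+file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
+file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \
+file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \
+file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \
+file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
+file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
 "
 
 S = "${WORKDIR}/refpolicy"
@@ -138,8 +106,10 @@ inherit python3native
 
 PARALLEL_MAKE = ""
 
+DEFAULT_ENFORCING ??= "enforcing"
+
 POLICY_NAME ?= "${POLICY_TYPE}"
-POLICY_DISTRO ?= "redhat"
+POLICY_DISTRO ?= "debian"
 POLICY_UBAC ?= "n"
 POLICY_UNK_PERMS ?= "allow"
 POLICY_DIRECT_INITRC ?= "y"
@@ -238,7 +208,7 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
 args = \$@
 [end]
 
-policy-version = 31
+policy-version = 33
 EOF
 
 # Create policy store and build the policy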
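Review bot: `policy-version = 33` in the last hunk hard-codes the maximum kernel policy version as a bare literal inside the semanage.conf heredoc, with nothing in the recipe tying it to the kernel actually built for the target; a kernel whose POLICYDB_VERSION_MAX is below 33 will refuse to load the resulting policy, and the commit message only records that the number went from 31 to 33. Add a comment above the line naming the constraint, e.g. `# Max policy version the target kernel must accept (kernel POLICYDB_VERSION_MAX); bump only together with the kernel`, or derive the value from a variable the kernel layer owns so the two cannot drift. The heredoc that writes semanage.conf begins outside the hunk. The relocation of `DEFAULT_ENFORCING ??= "enforcing"` next to the `POLICY_*` defaults changes position only, not the weak-default semantics, and needs no follow-up.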
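--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20210203+git${SRCPV}"
+PV = "2.20210908+git${SRCPV}"
 
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"
 
-SRCREV_refpolicy ?= "1167739da1882f9c89281095d2595da5ea2d9d6b"
+SRCREV_refpolicy ?= "23a8d103f379361cfe63a9ee064564624e108196"
 
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
 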