author | Yi Zhao <yi.zhao@windriver.com> | 2023-07-27 14:07:48 -0400 |
committer | Joe MacDonald <joe@deserted.net> | 2023-07-31 15:05:30 -0400 |
commit | 1924d975283210f0c36bc3c0e8ce516ccc06961f (patch) | |
tree | 494be7575b6219b816613ddefb6072973d8e78d4 /recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch | |
parent | 4f3ec6e10f13aaf19fbca9a18547f9e72ba1ec0a (diff) | |
refpolicy: update to 20200229+gitdunfell
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches so that systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch | 92 |
1 files changed, 0 insertions, 92 deletions
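--- a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 3 Apr 2019 14:51:29 -0400
-Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
-refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
-ls /var/log
-/var/log -> volatile/log
-:~#
-
-The old refpolicy included a pre-generated booleans.conf that could be
-patched. That's no longer the case so we're left with a few options,
-tweak the default directly or create a template booleans.conf file which
-will be updated during build time. Since this is intended to be applied
-only for specific configuraitons it seems like the same either way and
-this avoids us playing games to work around .gitignore.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/booleans.conf | 9 +++++++++
-policy/modules/system/mount.te | 2 +-
-policy/modules/system/systemd.te | 2 +-
-3 files changed, 11 insertions(+), 2 deletions(-)
-create mode 100644 policy/booleans.conf
-
-diff --git a/policy/booleans.conf b/policy/booleans.conf
-new file mode 100644
-index 00000000..850f56ed
---- /dev/null
-+++ b/policy/booleans.conf
-@@ -0,0 +1,9 @@
-+#
-+# Allow the mount command to mount any directory or file.
-+#
-+allow_mount_anyfile = true
-+
-+#
-+# Enable support for systemd-tmpfiles to manage all non-security files.
-+#
-+systemd_tmpfiles_manage_all = true
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index a87d0e82..868052b7 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
-## Allow the mount command to mount any directory or file.
-## </p>
-## </desc>
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(allow_mount_anyfile, true)
-
-attribute_role mount_roles;
-roleattribute system_r mount_roles;
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index b13337b9..74f9c1cb 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
-## Enable support for systemd-tmpfiles to manage all non-security files.
-## </p>
-## </desc>
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
-## <desc>
-## <p>
---
-2.19.1
-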