diff options
| author | Yi Zhao <yi.zhao@windriver.com> | 2023-07-27 14:07:48 -0400 |
|---|---|---|
| committer | Joe MacDonald <joe@deserted.net> | 2023-07-31 15:05:30 -0400 |
| commit | 1924d975283210f0c36bc3c0e8ce516ccc06961f (patch) | |
| tree | 494be7575b6219b816613ddefb6072973d8e78d4 /recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch | |
| parent | 4f3ec6e10f13aaf19fbca9a18547f9e72ba1ec0a (diff) | |
| download | meta-selinux-dunfell.tar.gz | |
refpolicy: update to 20200229+gitdunfell
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches to make systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch | 92 |
1 files changed, 0 insertions, 92 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch deleted file mode 100644 index bf770d9..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch +++ /dev/null | |||
| @@ -1,92 +0,0 @@ | |||
| 1 | From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
| 3 | Date: Wed, 3 Apr 2019 14:51:29 -0400 | ||
| 4 | Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required | ||
| 5 | refpolicy booleans | ||
| 6 | |||
| 7 | enable required refpolicy booleans for these modules | ||
| 8 | |||
| 9 | i. mount: allow_mount_anyfile | ||
| 10 | without enabling this boolean we are getting below avc denial | ||
| 11 | |||
| 12 | audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media | ||
| 13 | /mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 | ||
| 14 | tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 | ||
| 15 | |||
| 16 | This avc can be allowed using the boolean 'allow_mount_anyfile' | ||
| 17 | allow mount_t initrc_var_run_t:dir mounton; | ||
| 18 | |||
| 19 | ii. systemd : systemd_tmpfiles_manage_all | ||
| 20 | without enabling this boolean we are not getting access to mount systemd | ||
| 21 | essential tmpfs during bootup, also not getting access to create audit.log | ||
| 22 | |||
| 23 | audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= | ||
| 24 | "sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles | ||
| 25 | _t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 | ||
| 26 | |||
| 27 | ls /var/log | ||
| 28 | /var/log -> volatile/log | ||
| 29 | :~# | ||
| 30 | |||
| 31 | The old refpolicy included a pre-generated booleans.conf that could be | ||
| 32 | patched. That's no longer the case so we're left with a few options, | ||
| 33 | tweak the default directly or create a template booleans.conf file which | ||
| 34 | will be updated during build time. Since this is intended to be applied | ||
| 35 | only for specific configuraitons it seems like the same either way and | ||
| 36 | this avoids us playing games to work around .gitignore. | ||
| 37 | |||
| 38 | Upstream-Status: Pending | ||
| 39 | |||
| 40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 41 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
| 42 | --- | ||
| 43 | policy/booleans.conf | 9 +++++++++ | ||
| 44 | policy/modules/system/mount.te | 2 +- | ||
| 45 | policy/modules/system/systemd.te | 2 +- | ||
| 46 | 3 files changed, 11 insertions(+), 2 deletions(-) | ||
| 47 | create mode 100644 policy/booleans.conf | ||
| 48 | |||
| 49 | diff --git a/policy/booleans.conf b/policy/booleans.conf | ||
| 50 | new file mode 100644 | ||
| 51 | index 00000000..850f56ed | ||
| 52 | --- /dev/null | ||
| 53 | +++ b/policy/booleans.conf | ||
| 54 | @@ -0,0 +1,9 @@ | ||
| 55 | +# | ||
| 56 | +# Allow the mount command to mount any directory or file. | ||
| 57 | +# | ||
| 58 | +allow_mount_anyfile = true | ||
| 59 | + | ||
| 60 | +# | ||
| 61 | +# Enable support for systemd-tmpfiles to manage all non-security files. | ||
| 62 | +# | ||
| 63 | +systemd_tmpfiles_manage_all = true | ||
| 64 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | ||
| 65 | index a87d0e82..868052b7 100644 | ||
| 66 | --- a/policy/modules/system/mount.te | ||
| 67 | +++ b/policy/modules/system/mount.te | ||
| 68 | @@ -10,7 +10,7 @@ policy_module(mount, 1.20.0) | ||
| 69 | ## Allow the mount command to mount any directory or file. | ||
| 70 | ## </p> | ||
| 71 | ## </desc> | ||
| 72 | -gen_tunable(allow_mount_anyfile, false) | ||
| 73 | +gen_tunable(allow_mount_anyfile, true) | ||
| 74 | |||
| 75 | attribute_role mount_roles; | ||
| 76 | roleattribute system_r mount_roles; | ||
| 77 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 78 | index b13337b9..74f9c1cb 100644 | ||
| 79 | --- a/policy/modules/system/systemd.te | ||
| 80 | +++ b/policy/modules/system/systemd.te | ||
| 81 | @@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5) | ||
| 82 | ## Enable support for systemd-tmpfiles to manage all non-security files. | ||
| 83 | ## </p> | ||
| 84 | ## </desc> | ||
| 85 | -gen_tunable(systemd_tmpfiles_manage_all, false) | ||
| 86 | +gen_tunable(systemd_tmpfiles_manage_all, true) | ||
| 87 | |||
| 88 | ## <desc> | ||
| 89 | ## <p> | ||
| 90 | -- | ||
| 91 | 2.19.1 | ||
| 92 | |||