refpolicy: update git recipes

The targeted, mls and minimum recipes had fallen far behind the upstream refpolicy repository. Refresh all patches and discard ones that are obviously no longer needed. This should not have any functional change on the policies. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Joe MacDonald <joe_macdonald@mentor.com> 2017-05-03 21:05:44 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2017-05-03 21:05:44 -0400
commit: 0cfdbb47aafef9e9af562c9dffebd0aefefe5457 (patch)
tree: 3ab165035cc90e193aeb0de686fb3a80fa4d9285 /recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
parent: 849cd74b5ff3c915356ae7411746194728594212 (diff)
download: meta-selinux-0cfdbb47aafef9e9af562c9dffebd0aefefe5457.tar.gz
1 files changed, 40 insertions, 18 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index 189dc6e..a9a0a55 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpc.te   |    2 +-
 policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
        allow $1 proc_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
+-##     Get the attributes of the proc filesystem.
 +##     Mounton a proc filesystem.
-+## </summary>
+ ## </summary>
-+## <param name="domain">
+ ## <param name="domain">
-+##     <summary>
+ ##     <summary>
-+##     Domain allowed access.
+ ##     Domain allowed access.
-+##     </summary>
+ ##     </summary>
-+## </param>
+ ## </param>
-+#
+ #
+-interface(`kernel_getattr_proc',`
 +interface(`kernel_mounton_proc',`
-+       gen_require(`
+        gen_require(`
-+               type proc_t;
+                type proc_t;
-+       ')
+        ')
-+
+ 
+-       allow $1 proc_t:filesystem getattr;
 +       allow $1 proc_t:dir mounton;
-+')
+ ')
-+
+ 
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
- ##     Get the attributes of the proc filesystem.
+-##     Mount on proc directories.
+##     Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
+ ##     </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kernel_mounton_proc',`
+interface(`kernel_getattr_proc',`
+        gen_require(`
+                type proc_t;
+        ')
+ 
+-       allow $1 proc_t:dir mounton;
+       allow $1 proc_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+ ##     Do not audit attempts to set the
author	Joe MacDonald <joe_macdonald@mentor.com>	2017-05-03 21:05:44 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2017-05-03 21:05:44 -0400
commit	0cfdbb47aafef9e9af562c9dffebd0aefefe5457 (patch)
tree	3ab165035cc90e193aeb0de686fb3a80fa4d9285 /recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
parent	849cd74b5ff3c915356ae7411746194728594212 (diff)
download	meta-selinux-0cfdbb47aafef9e9af562c9dffebd0aefefe5457.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch index 189dc6e..a9a0a55 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
6	Upstream-Status: Inappropriate [only for Poky]	6	Upstream-Status: Inappropriate [only for Poky]
7		7
8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		9	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9	---	10	---
10	policy/modules/contrib/rpc.te \| 2 +-	11	policy/modules/contrib/rpc.te \| 2 +-
11	policy/modules/kernel/kernel.if \| 18 ++++++++++++++++++	12	policy/modules/kernel/kernel.if \| 18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13		14
14	--- a/policy/modules/contrib/rpc.te	15	--- a/policy/modules/contrib/rpc.te
15	+++ b/policy/modules/contrib/rpc.te	16	+++ b/policy/modules/contrib/rpc.te
16	@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir	17	@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
17		18
18	kernel_read_network_state(nfsd_t)	19	kernel_read_network_state(nfsd_t)
19	kernel_dontaudit_getattr_core_if(nfsd_t)	20	kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
28		29
29	--- a/policy/modules/kernel/kernel.if	30	--- a/policy/modules/kernel/kernel.if
30	+++ b/policy/modules/kernel/kernel.if	31	+++ b/policy/modules/kernel/kernel.if
31	@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`	32	@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
32	allow $1 proc_t:filesystem unmount;	33	allow $1 proc_t:filesystem unmount;
33	')	34	')
34		35
35	########################################	36	########################################
36	## <summary>	37	## <summary>
		38	-## Get the attributes of the proc filesystem.
37	+## Mounton a proc filesystem.	39	+## Mounton a proc filesystem.
38	+## </summary>	40	## </summary>
39	+## <param name="domain">	41	## <param name="domain">
40	+## <summary>	42	## <summary>
41	+## Domain allowed access.	43	## Domain allowed access.
42	+## </summary>	44	## </summary>
43	+## </param>	45	## </param>
44	+#	46	#
		47	-interface(`kernel_getattr_proc',`
45	+interface(`kernel_mounton_proc',`	48	+interface(`kernel_mounton_proc',`
46	+ gen_require(`	49	gen_require(`
47	+ type proc_t;	50	type proc_t;
48	+ ')	51	')
49	+	52
		53	- allow $1 proc_t:filesystem getattr;
50	+ allow $1 proc_t:dir mounton;	54	+ allow $1 proc_t:dir mounton;
51	+')	55	')
52	+	56
53	+########################################	57	########################################
54	+## <summary>	58	## <summary>
55	## Get the attributes of the proc filesystem.	59	-## Mount on proc directories.
		60	+## Get the attributes of the proc filesystem.
56	## </summary>	61	## </summary>
57	## <param name="domain">	62	## <param name="domain">
58	## <summary>	63	## <summary>
59	## Domain allowed access.	64	## Domain allowed access.
		65	## </summary>
		66	## </param>
		67	-## <rolecap/>
		68	#
		69	-interface(`kernel_mounton_proc',`
		70	+interface(`kernel_getattr_proc',`
		71	gen_require(`
		72	type proc_t;
		73	')
		74
		75	- allow $1 proc_t:dir mounton;
		76	+ allow $1 proc_t:filesystem getattr;
		77	')
		78
		79	########################################
		80	## <summary>
		81	## Do not audit attempts to set the