| author | Shrikant Bobade <shrikant_bobade@mentor.com> | 2015-08-03 19:04:37 +0530 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-08-07 17:33:21 -0400 |
| commit | 6a775bb8ed866fac87f2a9b11a8ff11988a40ac6 (patch) | |
| tree | 4373dff0fef6f2ef4b7b8c8a7289d10bfc11d2cf /recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch | |
| parent | e59f3b7d04bea0a8897a6458f5f5427a364d3388 (diff) | |
| download | meta-selinux-6a775bb8ed866fac87f2a9b11a8ff11988a40ac6.tar.gz | |
refpolicy git: update refpolicy to git repository
A straight update from refpolicy 2.20140311 to refpolicy git
repository for the core policy variants and forward-porting
of policy patches as appropriate.
This approach is useful for building refpolicy & refpolicy-contrib
directly from the git repos, rather than release tarballs.
It helps to check the refpolicy based on source commits by just
updating the git repo rev. as appropriate in refpolicy_git.inc
ref: https://github.com/TresysTechnology/refpolicy/wiki
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch | 46 |
1 files changed, 46 insertions, 0 deletions
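--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+
+It provides the systemd support for refpolicy
+and related allow rules.
+The restorecon provides systemd init labeled
+as init_exec_t.
+
+Upstream-Status: Pending
+
+
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
++# systemd support
++/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+#
+/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+optional_policy(`
+zebra_read_config(initrc_t)
+')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;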
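Review bot: The three rules appended to init.te (lines 43-46 of the added patch) are unconditional raw `allow` statements, so sysvinit and upstart images built from this policy also receive the `kernel_t` to `init_t` dyntransition, which widens what a process still running as `kernel_t` may become. Each rule should state its reason, for example `# systemd switches from kernel_t to init_t itself after loading policy (confirm against the AVC denial)`, and the block should sit inside whatever build-time conditional the recipe uses for systemd images rather than at top level. Two of the rules have `kernel_t` and `devpts_t` as their source, types that init.te does not appear to own, so they would normally be granted through interfaces of the owning modules; that is inferred from refpolicy convention, not from lines visible here. Separately, shutdown.fc labels `/bin/systemctl` as `shutdown_exec_t`, so every systemctl call from a domain with a transition on that type would run in the shutdown domain, not only power-off requests; a dedicated type would keep the two apart.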
