diff options
| author | Yi Zhao <yi.zhao@windriver.com> | 2024-03-04 15:18:22 +0800 |
|---|---|---|
| committer | Joe MacDonald <joe@deserted.net> | 2024-03-12 08:34:35 -0400 |
| commit | 7fc76cf77b007a3f79b7369ce578d11270aef9c2 (patch) | |
| tree | 4d9052fd0bb94d6e777b806d7cc3a0a7083f05be /recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch | |
| parent | 4544e817a1b549976749b0b9e355834cc54d6ea0 (diff) | |
| download | meta-selinux-7fc76cf77b007a3f79b7369ce578d11270aef9c2.tar.gz | |
refpolicy: upgrade 20231002+git -> 20240226+git
ChangeLog:
https://github.com/SELinuxProject/refpolicy/blob/main/Changelog
Notable Changes:
Many systemd updates up to v255
RPM and dnf fixes
Tighten private key handling for Apache
Many container and kubernetes improvements
Add support for Cilium
Update object class definitions up to io_uring:cmd
Add additional rules to cloud-init based on sysadm_t
* Update to latest git rev.
* Refresh patches.
* Add a patch to fix reboot timeout error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch new file mode 100644 index 0000000..687e1c9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 980d9d3f3c3e1e3517971715c351ec7b747105d0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
| 3 | Date: Wed, 3 Feb 2016 04:16:06 -0500 | ||
| 4 | Subject: [PATCH] policy/modules/system/init: all init_t to read any level | ||
| 5 | sockets | ||
| 6 | |||
| 7 | Fixes: | ||
| 8 | avc: denied { listen } for pid=1 comm="systemd" \ | ||
| 9 | path="/run/systemd/journal/stdout" \ | ||
| 10 | scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ | ||
| 11 | tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \ | ||
| 12 | tclass=unix_stream_socket permissive=1 | ||
| 13 | |||
| 14 | systemd[1]: Failded to listen on Journal Socket | ||
| 15 | |||
| 16 | Upstream-Status: Inappropriate [embedded specific] | ||
| 17 | |||
| 18 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
| 19 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 20 | --- | ||
| 21 | policy/modules/system/init.te | 3 +++ | ||
| 22 | 1 file changed, 3 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| 25 | index 458906ac5..c2380d8b4 100644 | ||
| 26 | --- a/policy/modules/system/init.te | ||
| 27 | +++ b/policy/modules/system/init.te | ||
| 28 | @@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t) | ||
| 29 | mls_file_downgrade(init_t) | ||
| 30 | mls_file_upgrade(init_t) | ||
| 31 | |||
| 32 | +# MLS trusted for reading from sockets at any level | ||
| 33 | +mls_socket_read_all_levels(init_t) | ||
| 34 | + | ||
| 35 | # the following one is needed for libselinux:is_selinux_enabled() | ||
| 36 | # otherwise the call fails and sysvinit tries to load the policy | ||
| 37 | # again when using the initramfs | ||
| 38 | -- | ||
| 39 | 2.25.1 | ||
| 40 | |||