-rw-r--r-- | recipes-security/selinux/policycoreutils.inc | 11 | ||||
-rw-r--r-- | recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch | 70 | ||||
-rw-r--r-- | recipes-security/selinux/policycoreutils_2.4.bb (renamed from recipes-security/selinux/policycoreutils_2.3.bb) | 7 |
3 files changed, 83 insertions, 5 deletions
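--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -126,6 +126,7 @@ PACKAGES =+ "\
 ${PN}-chcat \
 ${PN}-fixfiles \
 ${PN}-genhomedircon \
+${PN}-hll \
 ${PN}-loadpolicy \
 ${PN}-newrole \
 ${PN}-python \
@@ -195,7 +196,7 @@ FILES_${PN}-runinit += "\
 ${sbindir}/open_init_pty \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
 "
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug"
 FILES_${PN}-sandbox += "\
 ${datadir}/sandbox/* \
 ${bindir}/sandbox \
@@ -215,6 +216,8 @@ FILES_${PN}-semodule-package += "\
 ${bindir}/semodule_package \
 ${bindir}/semodule_unpackage \
 "
+FILES_${PN}-hll += "${prefix}/libexec/selinux/hll/*"
+
 FILES_${PN}-sepolicy += "\
 ${bindir}/sepolicy \
 ${datadir}/bash-completion/completions/sepolicy \
@@ -274,7 +277,7 @@ EXTRA_OEMAKE += "INITDIR=${D}/etc/init.d"
 
 BBCLASSEXTEND = "native"
 
-PCU_NATIVE_CMDS = "setfiles semodule_package semodule semodule_link semodule_expand semodule_deps"
+PCU_NATIVE_CMDS = "setfiles semodule_package semodule semodule_link semodule_expand semodule_deps hll"
 
 do_compile_virtclass-native() {
 for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
@@ -284,6 +287,10 @@ do_compile_virtclass-native() {
 done
 }
 
+sysroot_stage_dirs_append_virtclass-native() {
+cp -R $from/${prefix}/libexec $to/${prefix}/libexec
+}
+
 do_compile_prepend() {
 export PYTHON=python
 export PYLIBVER='python${PYTHON_BASEVERSION}'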
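Review bot: `cp -R $from/${prefix}/libexec $to/${prefix}/libexec` in the new sysroot_stage_dirs_append_virtclass-native copies the whole libexec tree rather than only the selinux/hll directory this commit adds, and because `cp -R` nests the source directory when the destination already exists, it would produce `libexec/libexec/...` if anything has already created `$to/${prefix}/libexec` in the staging sysroot. Both paths are also unquoted, so a build directory containing whitespace would break the copy. A narrower, repeatable form is `mkdir -p "$to/${prefix}/libexec/selinux"` followed by `cp -fpPR "$from/${prefix}/libexec/selinux/." "$to/${prefix}/libexec/selinux"`; if the OE-core in use provides the staging.bbclass helper `sysroot_stage_dir`, that helper already does the mkdir-then-copy-contents dance and would be the idiomatic choice. The `hll` entry added to PCU_NATIVE_CMDS is consumed by do_compile_virtclass-native, whose loop body lies outside this hunk.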
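--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
@@ -0,0 +1,70 @@
+libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
+
+In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
+either the base module or a non-base module, or they could be in both.
+This means that it is possible for duplicate role declarations to exist.
+CIL does not allow duplicate declarations of anything, but there is no
+way for the pp compiler to know if the roles are declared in which
+module, or if they are in both when compiling a single module. This
+means we cannot use the same hack that we use for user_r, staff_r, etc.,
+to generate CIL role declarations (i.e. only create role declarations
+for these when defined in base).
+
+So only for these two roles, always declare them as part of base,
+regardless of where or if they are defined. This means that turning off
+the auditadm module will never remove the auditamd_r role (likewise for
+secadm), whereas right now, in some cases it would. This also means that
+role allow rules will still exist for these roles even with the modules
+removed. However, this is okay because the roles would not have any
+types associated with them so no access would be allowed.
+
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Reported-by: Miroslav Grepl <mgrepl@redhat.com>
+
+Index: policycoreutils-2.4/hll/pp/pp.c
+===================================================================
+--- policycoreutils-2.4.orig/hll/pp/pp.c
++++ policycoreutils-2.4/hll/pp/pp.c
+@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
+!strcmp(key, "sysadm_r") ||
+!strcmp(key, "system_r") ||
+!strcmp(key, "unconfined_r"));
+- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
++ int is_builtin_role = (!strcmp(key, "auditadm_r") ||
++ !strcmp(key, "secadm_r"));
++ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
++ (!is_base_role && !is_builtin_role)) {
+cil_println(indent, "(role %s)", key);
+}
+}
+@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
+return 0;
+}
+
++static int generate_builtin_roles(void)
++{
++ // due to inconsistentencies between policies and CIL not allowing
++ // duplicate roles, some roles are always created, regardless of if they
++ // are declared in modules or not
++ cil_println(0, "(role auditadm_r)");
++ cil_println(0, "(role secadm_r)");
++
++ return 0;
++}
++
+static int generate_gen_require_attribute(void)
+{
+cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
+@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
+if (rc != 0) {
+goto exit;
+}
++
++ // roles that can exist in base, non-base module or both
++ rc = generate_builtin_roles();
++ if (rc != 0) {
++ goto exit;
++ }
+
+// default attribute to be used to mimic gen_require in CIL
+rc = generate_gen_require_attribute();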
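Review bot: The two role names are now hard-coded in two unrelated places — the `is_builtin_role` test in role_to_cil and the two `cil_println` calls in generate_builtin_roles — so a future addition to one list silently diverges from the other, leaving a role either declared twice (rejected by CIL) or not at all; a single `static const char *const builtin_roles[]` table that both sites iterate keeps them in step. The call to generate_builtin_roles() is inserted into module_package_to_cil without a visible `pdb->policy_type == SEPOL_POLICY_BASE` guard; if the surrounding code outside the hunk does not already restrict this path to the base module, every non-base module would also emit the declarations and the duplicates the commit message sets out to avoid would reappear, so that is worth confirming against the full function. The comment in generate_builtin_roles also carries a typo, `inconsistentencies`, which should read `inconsistencies`. The bodies of role_to_cil and module_package_to_cil both start and end outside this hunk.
```c
static const char *const builtin_roles[] = { "auditadm_r", "secadm_r" };

/* … unchanged: role_to_cil up to and including the is_base_role test … */
	int is_builtin_role = 0;
	for (size_t i = 0; i < sizeof builtin_roles / sizeof builtin_roles[0]; i++) {
		if (!strcmp(key, builtin_roles[i])) {
			is_builtin_role = 1;
		}
	}
/* … unchanged: the if / cil_println that follows … */

static int generate_builtin_roles(void)
{
	// these roles may be declared in base, in a non-base module, or in both;
	// CIL rejects duplicate declarations, so they are emitted once here
	for (size_t i = 0; i < sizeof builtin_roles / sizeof builtin_roles[0]; i++) {
		cil_println(0, "(role %s)", builtin_roles[i]);
	}

	return 0;
}
```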
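--- a/recipes-security/selinux/policycoreutils_2.3.bb
+++ b/recipes-security/selinux/policycoreutils_2.4.bb
@@ -1,10 +1,10 @@
-include selinux_20140506.inc
+include selinux_20150202.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-SRC_URI[md5sum] = "9a5db20adfe2250f53833b277ac796ae"
-SRC_URI[sha256sum] = "864cfaee58b5d2f15b140c354e59666e57143293c89f2b2e85bc0d0e4beefcd2"
+SRC_URI[md5sum] = "795b05c3ad58253cba61249ec65b28ef"
+SRC_URI[sha256sum] = "b819f876f12473783ccce9f63b9a79cd77177477cd6d46818441f808cc4c3479"
 
 SRC_URI += "\
 file://policycoreutils-fix-sepolicy-install-path.patch \
@@ -16,4 +16,5 @@ SRC_URI += "\
 file://0001-mcstrans-fix-the-init-script.patch \
 file://enable-mcstrans.patch \
 file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \
+file://policycoreutils-pp-builtin-roles.patch \
 "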