43 files changed, 391 insertions, 446 deletions
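--- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
 root@localhost:~#
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.te | 2 ++
 1 file changed, 2 insertions(+)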
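--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/clock.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/clock.fc
 +++ b/policy/modules/system/clock.fc
-@@ -1,6 +1,7 @@
-
+@@ -1,3 +1,4 @@
 /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
 
-/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
 /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)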
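--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch
@@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/dmesg.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/admin/dmesg.fc
 +++ b/policy/modules/admin/dmesg.fc
-@@ -1,4 +1,5 @@
-
-/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-
+@@ -1 +1,2 @@
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
 /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)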
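--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind.
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/bind.fc | 2 ++
 1 file changed, 2 insertions(+)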
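--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch
@@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/authlogin.fc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -1,19 +1,18 @@
-
-/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
-
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -3,20 +3,19 @@
 /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 
-/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
+
+/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+
+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+-/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
-/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
-
-/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)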
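Review bot: The rewritten inner hunk still deletes the `/usr/sbin/unix_chkpwd`, `/usr/sbin/unix_update` and `/usr/sbin/unix_verify` entries (the three nested `-` lines in the new hunk body), which strips the `chkpwd_exec_t`/`updpwd_exec_t` labels from those PAM helpers, yet the patch subject and diffstat only speak of fixing the real path of the login commands. If dropping those entries is intentional for Poky, the description above this hunk (outside it) should say why, so the next person relabelling the image does not restore them by accident; if it is not, the three nested `-` lines should be removed so the helpers keep their entrypoint labels. Without an entrypoint label the transition into the password-checking domain presumably does not occur, which is worth confirming on a built image.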
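--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
+@@ -17,10 +17,11 @@ ifdef(`distro_debian',`
 /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)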
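--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch
@@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/usermanage.fc | 6 ++++++
 1 file changed, 6 insertions(+)
 
 --- a/policy/modules/admin/usermanage.fc
 +++ b/policy/modules/admin/usermanage.fc
-@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
+@@ -2,15 +2,21 @@ ifdef(`distro_debian',`
 /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
 ')
 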
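--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch
@@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/admin/su.fc | 2 ++
 1 file changed, 2 insertions(+)
 
 --- a/policy/modules/admin/su.fc
 +++ b/policy/modules/admin/su.fc
-@@ -3,5 +3,7 @@
-/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
+@@ -1,3 +1,4 @@
 /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+
-+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)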
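Review bot: The new nested entry `/usr/bin/su.shadow` leaves the dot unescaped, while the other alternatives-style entries in this series (`login\.shadow`, `login\.tinylogin`, `hwclock\.util-linux`, `dmesg\.util-linux`) escape it; a file_contexts path is a regex, so the bare `.` also matches any other single character in that position and hands `su_exec_t` to it. Escape it for consistency and precision: `+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)`. The diffstat line `su.fc | 2 ++` above also still counts two insertions while the rewritten hunk now adds one line, so the inner diffstat looks stale.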
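--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch
@@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
 
 --- a/policy/modules/system/fstools.fc
 +++ b/policy/modules/system/fstools.fc
-@@ -1,19 +1,23 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -22,20 +26,22 @@
-/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -43,10 +49,11 @@
-/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -4,10 +4,11 @@
 /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -17,14 +18,16 @@
+/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -33,21 +36,24 @@
+/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)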
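Review bot: The five new nested entries for the util-linux alternatives (`/usr/sbin/blkid/.util-linux`, `/usr/sbin/fdisk/.util-linux`, `/usr/sbin/hdparm/.util-linux`, `/usr/sbin/mkswap/.util-linux`, `/usr/sbin/swapoff/.util-linux`) write `/.` where the clock and dmesg patches in this same commit write `\.`; in a file_contexts regex `/usr/sbin/blkid/.util-linux` matches a file one directory below `blkid/`, not `/usr/sbin/blkid.util-linux`, so these binaries presumably stay at the default label instead of `fsadm_exec_t` and no transition into the fsadm domain occurs when they run. The `/.` form was already in the old hunk and the move to `/usr/sbin` carried it over unchanged. Replace `/.util-linux` with `\.util-linux` in each of the five lines, e.g. `+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)`, and re-check the rewritten diffstat at the top of this patch file, which is outside the hunk.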
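--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch
@@ -5,6 +5,7 @@ Upstream-Status: Pending
 ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/ftp.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)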
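--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/mta.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/mta.fc
 +++ b/policy/modules/contrib/mta.fc
-@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
+@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
 /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)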
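--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for netutils
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
----
-policy/modules/admin/netutils.fc | 1 +
-1 file changed, 1 insertion(+)
-
---- a/policy/modules/admin/netutils.fc
-+++ b/policy/modules/admin/netutils.fc
-@@ -1,10 +1,11 @@
-/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
-/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-
-/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-
-/usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
-/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)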
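--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/nscd.fc | 1 +
 1 file changed, 1 insertion(+)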
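--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch
@@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpm.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/rpm.fc
 +++ b/policy/modules/contrib/rpm.fc
-@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
+@@ -57,6 +57,7 @@ ifdef(`distro_redhat',`
 /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
 /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
 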
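--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch
@@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/screen.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/contrib/screen.fc
 +++ b/policy/modules/contrib/screen.fc
-@@ -1,9 +1,10 @@
-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
-HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
 
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
 
-/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)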
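--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch
@@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/services/ssh.fc | 1 +
 1 file changed, 1 insertion(+)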
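--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch
@@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -21,5 +21,16 @@
+@@ -26,5 +26,16 @@
 
 # backward compatibility
 # not for refpolicy intern, but for /var/run using applications,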
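--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch
@@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/sysnetwork.fc | 3 +++
 1 file changed, 3 insertions(+)
 
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -2,10 +2,11 @@
-#
-# /bin
-#
-/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-#
-# /dev
-#
-ifdef(`distro_debian',`
-@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
-/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+@@ -41,17 +41,20 @@ ifdef(`distro_redhat',`
+/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
-# /usr
+# /var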
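--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
 Upstream-Status: Inappropriate [configuration]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/udev.fc | 2 ++
 1 file changed, 2 insertions(+)
@@ -17,22 +18,22 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
-/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
-/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
-@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
-ifdef(`distro_redhat',`
-/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+@@ -30,10 +31,11 @@ ifdef(`distro_redhat',`
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 
-/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)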
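Review bot: The unconditional `+/usr/bin/udevadm` entry added in the first udev.fc hunk duplicates the `/usr/bin/udevadm` line that stays inside the `ifdef(`distro_debian',`` block three lines below it. With distro_debian unset, which appears to be the Poky case, the second copy never materialises, but with it set both specs reach the compiled file_contexts and the duplicate-specification check may flag them; both carry udev_exec_t, so labelling is unaffected either way. A one-line comment above the new entry, such as `# Poky installs udevadm in /usr/bin independent of distro_debian`, would record that the overlap is intentional. The opening `@@` header of this inner hunk lies above the section's visible lines.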
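--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch
@@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/hostname.fc | 1 +
 1 file changed, 1 insertion(+)
 
 --- a/policy/modules/system/hostname.fc
 +++ b/policy/modules/system/hostname.fc
-@@ -1,4 +1,5 @@
-
-/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-
+@@ -1 +1,3 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
 /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)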
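Review bot: The refreshed inner hunk `@@ -1 +1,3 @@` now inserts two lines, the `\.net-tools` entry and an added blank line, while the diffstat kept above it still reads `policy/modules/system/hostname.fc | 1 +` and `1 file changed, 1 insertion(+)`. The sibling refreshes in this commit place the alternatives entry directly after its base path (`/usr/sbin/ifconfig\.net-tools` follows `/usr/sbin/ifconfig` in the sysnetwork patch); doing the same here, with `+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)` after `/usr/bin/hostname` and no extra blank line, keeps the layout consistent and the `1 insertion(+)` diffstat accurate.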
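--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc | 4 ++++
 policy/modules/system/logging.te | 1 +
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,12 +1,14 @@
 /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -27,25 +28,30 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 
-/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
-/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
-/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
-/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+@@ -15,14 +17,16 @@
+/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
-
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")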
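--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
@@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/shutdown.fc | 1 +
 policy/modules/kernel/corecommands.fc | 1 +
 policy/modules/system/init.fc | 1 +
 3 files changed, 3 insertions(+)
 
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -1,10 +1,11 @@
-/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
-
-/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
+Index: refpolicy/policy/modules/contrib/shutdown.fc
+===================================================================
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc
++++ refpolicy/policy/modules/contrib/shutdown.fc
+@@ -3,5 +3,6 @@
 /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+Index: refpolicy/policy/modules/kernel/corecommands.fc
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/corecommands.fc
++++ refpolicy/policy/modules/kernel/corecommands.fc
+@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',`
+/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+Index: refpolicy/policy/modules/system/init.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.fc
++++ refpolicy/policy/modules/system/init.fc
+@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', `
+/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
 
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -8,10 +8,11 @@
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
-/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
-
-#
-# /sbin
-#
-/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
-# because nowadays, /sbin/init is often a symlink to /sbin/upstart
-/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
-ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)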
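Review bot: The refreshed patch switches to quilt-style `Index: refpolicy/...` and `--- refpolicy.orig/...` file headers, whereas every other patch refreshed in this commit keeps the `--- a/` / `+++ b/` form; both should still apply at the same strip level, but the mixed formats make the series harder to regenerate with a single tool. The three new entries keep the same labels as their base paths (`shutdown_exec_t`, `bin_t`, `init_exec_t`), so this is a formatting point only. Regenerating this file the way its siblings were produced would restore a uniform header style across the refreshed series.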
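--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
 Upstream-Status: Pending
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/kernel/terminal.if | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
-@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
+@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_getattr_generic_ptys',`
@@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ## <summary>
 ## ioctl of generic pty devices.
 ## </summary>
-@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
+@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi
 #
 # cjp: added for ppp
 interface(`term_ioctl_generic_ptys',`
@@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ## Allow setting the attributes of
-@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
+@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_setattr_generic_ptys',`
@@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ## Dontaudit setting the attributes of
-@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
+@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',`
 #
 # dwalsh: added for rhgb
 interface(`term_dontaudit_setattr_generic_ptys',`
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ## Read and write the generic pty
-@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
+@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi
 ## </param>
 #
 interface(`term_use_generic_ptys',`
@@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ## Dot not audit attempts to read and
-@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
+@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',`
 ## </param>
 #
 interface(`term_dontaudit_use_generic_ptys',`
@@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 #######################################
 ## <summary>
 ## Set the attributes of the tty device
-@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
+@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt
 ## </param>
 #
 interface(`term_setattr_controlling_term',`
@@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ## Read and write the controlling
-@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
+@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term
 ## </param>
 #
 interface(`term_use_controlling_term',`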
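--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -8,22 +8,22 @@ syslogd_t.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)
 
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
+@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_
+rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
-
 +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-+
-# manage temporary files
-manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
-manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
-files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
+# manage temporary files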
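Review bot: The diffstat kept at the top of the refreshed patch, `policy/modules/system/logging.te | 2 ++` and `1 file changed, 2 insertions(+)`, no longer matches its body: the rebased hunk `@@ -406,10 +406,11 @@` inserts exactly one line, the `+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` rule, because the added blank line from the old version was dropped. The diffstat is informational, but a stale one misleads anyone auditing which policy rules a Poky-only patch grants to syslogd_t. Regenerate it as `policy/modules/system/logging.te | 1 +` and `1 file changed, 1 insertion(+)`, or drop the diffstat block from these hand-maintained patches.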
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch index 7a30460..d3c1ee5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch | |||
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/kernel/files.fc | 1 + | 14 | policy/modules/kernel/files.fc | 1 + |
14 | policy/modules/kernel/files.if | 8 ++++++++ | 15 | policy/modules/kernel/files.if | 8 ++++++++ |
@@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
16 | 17 | ||
17 | --- a/policy/modules/kernel/files.fc | 18 | --- a/policy/modules/kernel/files.fc |
18 | +++ b/policy/modules/kernel/files.fc | 19 | +++ b/policy/modules/kernel/files.fc |
19 | @@ -191,10 +191,11 @@ ifdef(`distro_debian',` | 20 | @@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>> |
20 | 21 | ||
21 | # | 22 | # |
22 | # /tmp | 23 | # /tmp |
@@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
30 | /tmp/lost\+found/.* <<none>> | 31 | /tmp/lost\+found/.* <<none>> |
31 | --- a/policy/modules/kernel/files.if | 32 | --- a/policy/modules/kernel/files.if |
32 | +++ b/policy/modules/kernel/files.if | 33 | +++ b/policy/modules/kernel/files.if |
33 | @@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` | 34 | @@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` |
34 | gen_require(` | 35 | gen_require(` |
35 | type tmp_t; | 36 | type tmp_t; |
36 | ') | 37 | ') |
@@ -42,7 +43,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
42 | ######################################## | 43 | ######################################## |
43 | ## <summary> | 44 | ## <summary> |
44 | ## Do not audit attempts to search the tmp directory (/tmp). | 45 | ## Do not audit attempts to search the tmp directory (/tmp). |
45 | @@ -4507,10 +4508,11 @@ interface(`files_list_tmp',` | 46 | @@ -4615,10 +4616,11 @@ interface(`files_list_tmp',` |
46 | gen_require(` | 47 | gen_require(` |
47 | type tmp_t; | 48 | type tmp_t; |
48 | ') | 49 | ') |
@@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
54 | ######################################## | 55 | ######################################## |
55 | ## <summary> | 56 | ## <summary> |
56 | ## Do not audit listing of the tmp directory (/tmp). | 57 | ## Do not audit listing of the tmp directory (/tmp). |
57 | @@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',` | 58 | @@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',` |
58 | gen_require(` | 59 | gen_require(` |
59 | type tmp_t; | 60 | type tmp_t; |
60 | ') | 61 | ') |
@@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
66 | ######################################## | 67 | ######################################## |
67 | ## <summary> | 68 | ## <summary> |
68 | ## Read files in the tmp directory (/tmp). | 69 | ## Read files in the tmp directory (/tmp). |
69 | @@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files' | 70 | @@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files' |
70 | gen_require(` | 71 | gen_require(` |
71 | type tmp_t; | 72 | type tmp_t; |
72 | ') | 73 | ') |
@@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
78 | ######################################## | 79 | ######################################## |
79 | ## <summary> | 80 | ## <summary> |
80 | ## Manage temporary directories in /tmp. | 81 | ## Manage temporary directories in /tmp. |
81 | @@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs | 82 | @@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs |
82 | gen_require(` | 83 | gen_require(` |
83 | type tmp_t; | 84 | type tmp_t; |
84 | ') | 85 | ') |
@@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
90 | ######################################## | 91 | ######################################## |
91 | ## <summary> | 92 | ## <summary> |
92 | ## Manage temporary files and directories in /tmp. | 93 | ## Manage temporary files and directories in /tmp. |
93 | @@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file | 94 | @@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file |
94 | gen_require(` | 95 | gen_require(` |
95 | type tmp_t; | 96 | type tmp_t; |
96 | ') | 97 | ') |
@@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
102 | ######################################## | 103 | ######################################## |
103 | ## <summary> | 104 | ## <summary> |
104 | ## Read symbolic links in the tmp directory (/tmp). | 105 | ## Read symbolic links in the tmp directory (/tmp). |
105 | @@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets' | 106 | @@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets' |
106 | gen_require(` | 107 | gen_require(` |
107 | type tmp_t; | 108 | type tmp_t; |
108 | ') | 109 | ') |
@@ -114,7 +115,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
114 | ######################################## | 115 | ######################################## |
115 | ## <summary> | 116 | ## <summary> |
116 | ## Mount filesystems in the tmp directory (/tmp) | 117 | ## Mount filesystems in the tmp directory (/tmp) |
117 | @@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',` | 118 | @@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',` |
118 | gen_require(` | 119 | gen_require(` |
119 | type tmp_t; | 120 | type tmp_t; |
120 | ') | 121 | ') |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch index fc6dea0..b828b7a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch | |||
@@ -11,6 +11,7 @@ contents, so this is still a secure relax. | |||
11 | Upstream-Status: Inappropriate [only for Poky] | 11 | Upstream-Status: Inappropriate [only for Poky] |
12 | 12 | ||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | 15 | --- |
15 | policy/modules/kernel/domain.te | 3 +++ | 16 | policy/modules/kernel/domain.te | 3 +++ |
16 | 1 file changed, 3 insertions(+) | 17 | 1 file changed, 3 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch index d907095..fb912b5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch | |||
@@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te. | |||
10 | Upstream-Status: Inappropriate [only for Poky] | 10 | Upstream-Status: Inappropriate [only for Poky] |
11 | 11 | ||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/contrib/apache.te | 1 + | 15 | policy/modules/contrib/apache.te | 1 + |
15 | 1 file changed, 1 insertion(+) | 16 | 1 file changed, 1 insertion(+) |
16 | 17 | ||
17 | --- a/policy/modules/contrib/apache.te | 18 | --- a/policy/modules/contrib/apache.te |
18 | +++ b/policy/modules/contrib/apache.te | 19 | +++ b/policy/modules/contrib/apache.te |
19 | @@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di | 20 | @@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f |
20 | create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) | 21 | files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) |
21 | create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 22 | |
22 | append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 23 | manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) |
23 | read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 24 | manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
24 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) | 25 | read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) |
25 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) | 26 | +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) |
26 | logging_log_filetrans(httpd_t, httpd_log_t, file) | 27 | logging_log_filetrans(httpd_t, httpd_log_t, file) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch index 90c8f36..7c7355f 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch | |||
@@ -8,15 +8,16 @@ audisp_remote_t. | |||
8 | Upstream-Status: Inappropriate [only for Poky] | 8 | Upstream-Status: Inappropriate [only for Poky] |
9 | 9 | ||
10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 10 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 12 | --- |
12 | policy/modules/system/logging.te | 1 + | 13 | policy/modules/system/logging.te | 1 + |
13 | 1 file changed, 1 insertion(+) | 14 | 1 file changed, 1 insertion(+) |
14 | 15 | ||
15 | --- a/policy/modules/system/logging.te | 16 | --- a/policy/modules/system/logging.te |
16 | +++ b/policy/modules/system/logging.te | 17 | +++ b/policy/modules/system/logging.te |
17 | @@ -276,10 +276,11 @@ optional_policy(` | 18 | @@ -280,10 +280,11 @@ optional_policy(` |
18 | 19 | ||
19 | allow audisp_remote_t self:capability { setuid setpcap }; | 20 | allow audisp_remote_t self:capability { setpcap setuid }; |
20 | allow audisp_remote_t self:process { getcap setcap }; | 21 | allow audisp_remote_t self:process { getcap setcap }; |
21 | allow audisp_remote_t self:tcp_socket create_socket_perms; | 22 | allow audisp_remote_t self:tcp_socket create_socket_perms; |
22 | allow audisp_remote_t var_log_t:dir search_dir_perms; | 23 | allow audisp_remote_t var_log_t:dir search_dir_perms; |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index a9ae381..19342f5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | |||
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/system/logging.fc | 1 + | 14 | policy/modules/system/logging.fc | 1 + |
14 | policy/modules/system/logging.if | 14 +++++++++++++- | 15 | policy/modules/system/logging.if | 14 +++++++++++++- |
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
17 | 18 | ||
18 | --- a/policy/modules/system/logging.fc | 19 | --- a/policy/modules/system/logging.fc |
19 | +++ b/policy/modules/system/logging.fc | 20 | +++ b/policy/modules/system/logging.fc |
20 | @@ -49,10 +49,11 @@ ifdef(`distro_suse', ` | 21 | @@ -39,10 +39,11 @@ ifdef(`distro_suse', ` |
21 | 22 | ||
22 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 23 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
23 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
50 | ######################################## | 51 | ######################################## |
51 | ## <summary> | 52 | ## <summary> |
52 | ## Execute auditctl in the auditctl domain. | 53 | ## Execute auditctl in the auditctl domain. |
53 | @@ -665,10 +666,11 @@ interface(`logging_search_logs',` | 54 | @@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ |
54 | type var_log_t; | ||
55 | ') | ||
56 | |||
57 | files_search_var($1) | ||
58 | allow $1 var_log_t:dir search_dir_perms; | ||
59 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
60 | ') | ||
61 | |||
62 | ####################################### | ||
63 | ## <summary> | ||
64 | ## Do not audit attempts to search the var log directory. | ||
65 | @@ -702,10 +704,11 @@ interface(`logging_list_logs',` | ||
66 | type var_log_t; | ||
67 | ') | ||
68 | |||
69 | files_search_var($1) | ||
70 | allow $1 var_log_t:dir list_dir_perms; | ||
71 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
72 | ') | ||
73 | |||
74 | ####################################### | ||
75 | ## <summary> | ||
76 | ## Read and write the generic log directory (/var/log). | ||
77 | @@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs', | ||
78 | type var_log_t; | ||
79 | ') | ||
80 | |||
81 | files_search_var($1) | ||
82 | allow $1 var_log_t:dir rw_dir_perms; | ||
83 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
84 | ') | ||
85 | |||
86 | ####################################### | ||
87 | ## <summary> | ||
88 | ## Search through all log dirs. | ||
89 | @@ -832,14 +836,16 @@ interface(`logging_append_all_logs',` | ||
90 | ## <rolecap/> | 55 | ## <rolecap/> |
91 | # | 56 | # |
92 | interface(`logging_read_all_logs',` | 57 | interface(`logging_read_all_logs',` |
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
103 | 68 | ||
104 | ######################################## | 69 | ######################################## |
105 | ## <summary> | 70 | ## <summary> |
106 | @@ -854,14 +860,16 @@ interface(`logging_read_all_logs',` | 71 | @@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` |
107 | # cjp: not sure why this is needed. This was added | 72 | # cjp: not sure why this is needed. This was added |
108 | # because of logrotate. | 73 | # because of logrotate. |
109 | interface(`logging_exec_all_logs',` | 74 | interface(`logging_exec_all_logs',` |
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
120 | 85 | ||
121 | ######################################## | 86 | ######################################## |
122 | ## <summary> | 87 | ## <summary> |
123 | @@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',` | 88 | @@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` |
124 | type var_log_t; | 89 | type var_log_t; |
125 | ') | 90 | ') |
126 | 91 | ||
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
132 | 97 | ||
133 | ######################################## | 98 | ######################################## |
134 | ## <summary> | 99 | ## <summary> |
135 | @@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',` | 100 | @@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', |
136 | type var_log_t; | ||
137 | ') | ||
138 | |||
139 | files_search_var($1) | ||
140 | allow $1 var_log_t:dir list_dir_perms; | ||
141 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
142 | write_files_pattern($1, var_log_t, var_log_t) | ||
143 | ') | ||
144 | |||
145 | ######################################## | ||
146 | ## <summary> | ||
147 | @@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',` | ||
148 | type var_log_t; | ||
149 | ') | ||
150 | |||
151 | files_search_var($1) | ||
152 | allow $1 var_log_t:dir list_dir_perms; | ||
153 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
154 | rw_files_pattern($1, var_log_t, var_log_t) | ||
155 | ') | ||
156 | |||
157 | ######################################## | ||
158 | ## <summary> | ||
159 | @@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs', | ||
160 | type var_log_t; | 101 | type var_log_t; |
161 | ') | 102 | ') |
162 | 103 | ||
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
170 | ## All of the rules required to administrate | 111 | ## All of the rules required to administrate |
171 | --- a/policy/modules/system/logging.te | 112 | --- a/policy/modules/system/logging.te |
172 | +++ b/policy/modules/system/logging.te | 113 | +++ b/policy/modules/system/logging.te |
173 | @@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir | 114 | @@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi |
174 | allow auditd_t auditd_etc_t:file read_file_perms; | ||
175 | 115 | ||
176 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 116 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
117 | allow auditd_t auditd_log_t:dir setattr; | ||
177 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 118 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
178 | allow auditd_t var_log_t:dir search_dir_perms; | 119 | allow auditd_t var_log_t:dir search_dir_perms; |
179 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | 120 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; |
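Review bot: The rebased patch drops the `allow $1 var_log_t:lnk_file read_lnk_file_perms;` hunks for logging_search_logs, logging_list_logs, logging_rw_generic_log_dirs, logging_write_generic_logs and logging_rw_generic_logs (old patch lines 53-88 and 135-157), yet the header still justifies the change as needed for "search/list/delete/rw.. in /var/log/". If those interfaces now grant lnk_file read on var_log_t upstream, the header should say so; if they do not, every domain that only calls logging_search_logs is denied again on Poky's /var/log symlink, which is exactly the case this patch exists for. Suggest a line in the description such as `Upstream logging.if now covers search/list/rw_dirs/write/rw; only read_all, exec_all, read_generic, manage_generic and auditd still need the lnk_file rule`, and a quick `sesearch --allow -t var_log_t -c lnk_file` on the built policy to confirm before merging.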
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch index c2cba9a..b755b45 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch | |||
@@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky] | |||
10 | 10 | ||
11 | Signed-off-by: Roy.Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy.Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
15 | 1 file changed, 1 insertion(+) | 16 | 1 file changed, 1 insertion(+) |
16 | 17 | ||
17 | --- a/policy/modules/system/logging.te | 18 | --- a/policy/modules/system/logging.te |
18 | +++ b/policy/modules/system/logging.te | 19 | +++ b/policy/modules/system/logging.te |
19 | @@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo | 20 | @@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo |
20 | 21 | ||
21 | fs_getattr_all_fs(syslogd_t) | 22 | fs_getattr_all_fs(syslogd_t) |
22 | fs_search_auto_mountpoints(syslogd_t) | 23 | fs_search_auto_mountpoints(syslogd_t) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch index 189dc6e..a9a0a55 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands. | |||
6 | Upstream-Status: Inappropriate [only for Poky] | 6 | Upstream-Status: Inappropriate [only for Poky] |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/contrib/rpc.te | 2 +- | 11 | policy/modules/contrib/rpc.te | 2 +- |
11 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ | 12 | policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ |
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
13 | 14 | ||
14 | --- a/policy/modules/contrib/rpc.te | 15 | --- a/policy/modules/contrib/rpc.te |
15 | +++ b/policy/modules/contrib/rpc.te | 16 | +++ b/policy/modules/contrib/rpc.te |
16 | @@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir | 17 | @@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir |
17 | 18 | ||
18 | kernel_read_network_state(nfsd_t) | 19 | kernel_read_network_state(nfsd_t) |
19 | kernel_dontaudit_getattr_core_if(nfsd_t) | 20 | kernel_dontaudit_getattr_core_if(nfsd_t) |
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
28 | 29 | ||
29 | --- a/policy/modules/kernel/kernel.if | 30 | --- a/policy/modules/kernel/kernel.if |
30 | +++ b/policy/modules/kernel/kernel.if | 31 | +++ b/policy/modules/kernel/kernel.if |
31 | @@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',` | 32 | @@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',` |
32 | allow $1 proc_t:filesystem unmount; | 33 | allow $1 proc_t:filesystem unmount; |
33 | ') | 34 | ') |
34 | 35 | ||
35 | ######################################## | 36 | ######################################## |
36 | ## <summary> | 37 | ## <summary> |
38 | -## Get the attributes of the proc filesystem. | ||
37 | +## Mounton a proc filesystem. | 39 | +## Mounton a proc filesystem. |
38 | +## </summary> | 40 | ## </summary> |
39 | +## <param name="domain"> | 41 | ## <param name="domain"> |
40 | +## <summary> | 42 | ## <summary> |
41 | +## Domain allowed access. | 43 | ## Domain allowed access. |
42 | +## </summary> | 44 | ## </summary> |
43 | +## </param> | 45 | ## </param> |
44 | +# | 46 | # |
47 | -interface(`kernel_getattr_proc',` | ||
45 | +interface(`kernel_mounton_proc',` | 48 | +interface(`kernel_mounton_proc',` |
46 | + gen_require(` | 49 | gen_require(` |
47 | + type proc_t; | 50 | type proc_t; |
48 | + ') | 51 | ') |
49 | + | 52 | |
53 | - allow $1 proc_t:filesystem getattr; | ||
50 | + allow $1 proc_t:dir mounton; | 54 | + allow $1 proc_t:dir mounton; |
51 | +') | 55 | ') |
52 | + | 56 | |
53 | +######################################## | 57 | ######################################## |
54 | +## <summary> | 58 | ## <summary> |
55 | ## Get the attributes of the proc filesystem. | 59 | -## Mount on proc directories. |
60 | +## Get the attributes of the proc filesystem. | ||
56 | ## </summary> | 61 | ## </summary> |
57 | ## <param name="domain"> | 62 | ## <param name="domain"> |
58 | ## <summary> | 63 | ## <summary> |
59 | ## Domain allowed access. | 64 | ## Domain allowed access. |
65 | ## </summary> | ||
66 | ## </param> | ||
67 | -## <rolecap/> | ||
68 | # | ||
69 | -interface(`kernel_mounton_proc',` | ||
70 | +interface(`kernel_getattr_proc',` | ||
71 | gen_require(` | ||
72 | type proc_t; | ||
73 | ') | ||
74 | |||
75 | - allow $1 proc_t:dir mounton; | ||
76 | + allow $1 proc_t:filesystem getattr; | ||
77 | ') | ||
78 | |||
79 | ######################################## | ||
80 | ## <summary> | ||
81 | ## Do not audit attempts to set the | ||
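Review bot: The rebased kernel.if hunk no longer adds anything, because upstream already defines kernel_mounton_proc; what the hunk now does is swap the bodies of kernel_getattr_proc and kernel_mounton_proc and drop the `## <rolecap/>` tag from the mounton interface (old patch lines 65-77), which is pure churn with a small documentation regression. Drop the kernel.if hunk from the patch and keep only the rpc.te change, which is the part that actually grants nfsd_t something. The diffstat line `policy/modules/kernel/kernel.if | 18 ++++++++++++++++++` is stale either way and should be regenerated. If the reorder is intentional, the header needs to say why and `<rolecap/>` should be kept.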
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch index 766b3df..08e9398 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch | |||
@@ -7,13 +7,14 @@ Upstream-Status: Pending | |||
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
10 | --- | 11 | --- |
11 | policy/modules/system/selinuxutil.te | 3 +++ | 12 | policy/modules/system/selinuxutil.te | 3 +++ |
12 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
13 | 14 | ||
14 | --- a/policy/modules/system/selinuxutil.te | 15 | --- a/policy/modules/system/selinuxutil.te |
15 | +++ b/policy/modules/system/selinuxutil.te | 16 | +++ b/policy/modules/system/selinuxutil.te |
16 | @@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t) | 17 | @@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t) |
17 | files_list_all(setfiles_t) | 18 | files_list_all(setfiles_t) |
18 | files_relabel_all_files(setfiles_t) | 19 | files_relabel_all_files(setfiles_t) |
19 | files_read_usr_symlinks(setfiles_t) | 20 | files_read_usr_symlinks(setfiles_t) |
@@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | |||
23 | +files_read_all_symlinks(setfiles_t) | 24 | +files_read_all_symlinks(setfiles_t) |
24 | + | 25 | + |
25 | fs_getattr_all_xattr_fs(setfiles_t) | 26 | fs_getattr_all_xattr_fs(setfiles_t) |
26 | fs_list_all(setfiles_t) | 27 | fs_getattr_nfs(setfiles_t) |
27 | fs_search_auto_mountpoints(setfiles_t) | 28 | fs_getattr_pstore_dirs(setfiles_t) |
28 | fs_relabelfrom_noxattr_fs(setfiles_t) | 29 | fs_getattr_pstorefs(setfiles_t) |
29 | 30 | fs_getattr_tracefs(setfiles_t) | |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch index 8ce2f62..a1fda13 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch | |||
@@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=211 | |||
9 | type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) | 9 | type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) |
10 | 10 | ||
11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 11 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/roles/sysadm.te | 4 ++++ | 14 | policy/modules/roles/sysadm.te | 4 ++++ |
14 | 1 file changed, 4 insertions(+) | 15 | 1 file changed, 4 insertions(+) |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch index 998bfa0..e3ea75e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch | |||
@@ -9,13 +9,14 @@ term_dontaudit_use_console. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/kernel/terminal.if | 3 +++ | 14 | policy/modules/kernel/terminal.if | 3 +++ |
14 | 1 file changed, 3 insertions(+) | 15 | 1 file changed, 3 insertions(+) |
15 | 16 | ||
16 | --- a/policy/modules/kernel/terminal.if | 17 | --- a/policy/modules/kernel/terminal.if |
17 | +++ b/policy/modules/kernel/terminal.if | 18 | +++ b/policy/modules/kernel/terminal.if |
18 | @@ -297,13 +297,16 @@ interface(`term_use_console',` | 19 | @@ -315,13 +315,16 @@ interface(`term_use_console',` |
19 | ## </param> | 20 | ## </param> |
20 | # | 21 | # |
21 | interface(`term_dontaudit_use_console',` | 22 | interface(`term_dontaudit_use_console',` |
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch index 131a9bb..11a6963 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch | |||
@@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800 | |||
4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input | 4 | Subject: [PATCH] fix dmesg to use /dev/kmsg as default input |
5 | 5 | ||
6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 6 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
7 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
7 | --- | 8 | --- |
8 | policy/modules/admin/dmesg.if | 1 + | 9 | policy/modules/admin/dmesg.if | 1 + |
9 | policy/modules/admin/dmesg.te | 2 ++ | 10 | policy/modules/admin/dmesg.te | 2 ++ |
@@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
19 | can_exec($1, dmesg_exec_t) | 20 | can_exec($1, dmesg_exec_t) |
20 | + dev_read_kmsg($1) | 21 | + dev_read_kmsg($1) |
21 | ') | 22 | ') |
22 | --- a/policy/modules/admin/dmesg.te | ||
23 | +++ b/policy/modules/admin/dmesg.te | ||
24 | @@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t) | ||
25 | # for when /usr is not mounted: | ||
26 | kernel_dontaudit_search_unlabeled(dmesg_t) | ||
27 | |||
28 | dev_read_sysfs(dmesg_t) | ||
29 | |||
30 | +dev_read_kmsg(dmesg_t) | ||
31 | + | ||
32 | fs_search_auto_mountpoints(dmesg_t) | ||
33 | |||
34 | term_dontaudit_use_console(dmesg_t) | ||
35 | |||
36 | domain_use_interactive_fds(dmesg_t) | ||
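Review bot: The dmesg.te hunk that granted `dev_read_kmsg(dmesg_t)` has been dropped from the patch (old patch lines 22-36), but the diffstat still lists `policy/modules/admin/dmesg.te | 2 ++` and the subject still claims the patch fixes dmesg to use /dev/kmsg. Presumably upstream dmesg.te now carries that rule itself; the header should state that, and the diffstat should be regenerated. Note that the one remaining change, `dev_read_kmsg($1)` in the dmesg.if interface, covers callers of that interface, not the dmesg_t domain, so if upstream does not grant it the dmesg_t domain loses /dev/kmsg access with this rebase. This patch also has no `Upstream-Status:` line at all, unlike its siblings; `Upstream-Status: Inappropriate [only for Poky]` or `Pending` should be added.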
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch index 016685c..d0b0073 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | |||
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
14 | policy/modules/kernel/kernel.te | 2 ++ | 14 | policy/modules/kernel/kernel.te | 2 ++ |
15 | 4 files changed, 13 insertions(+) | 15 | 4 files changed, 13 insertions(+) |
16 | 16 | ||
17 | --- a/policy/modules/contrib/rpcbind.te | ||
18 | +++ b/policy/modules/contrib/rpcbind.te | ||
19 | @@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t) | ||
20 | |||
21 | logging_send_syslog_msg(rpcbind_t) | ||
22 | |||
23 | miscfiles_read_localization(rpcbind_t) | ||
24 | |||
25 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
26 | +# because the are running in different level. So add rules to allow this. | ||
27 | +mls_socket_read_all_levels(rpcbind_t) | ||
28 | +mls_socket_write_all_levels(rpcbind_t) | ||
29 | + | ||
30 | ifdef(`distro_debian',` | ||
31 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
32 | ') | ||
17 | --- a/policy/modules/contrib/rpc.te | 33 | --- a/policy/modules/contrib/rpc.te |
18 | +++ b/policy/modules/contrib/rpc.te | 34 | +++ b/policy/modules/contrib/rpc.te |
19 | @@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',` | 35 | @@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',` |
20 | files_read_non_auth_files(nfsd_t) | 36 | files_read_non_auth_files(nfsd_t) |
21 | ') | 37 | ') |
22 | 38 | ||
@@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
32 | ######################################## | 48 | ######################################## |
33 | # | 49 | # |
34 | # GSSD local policy | 50 | # GSSD local policy |
35 | --- a/policy/modules/contrib/rpcbind.te | ||
36 | +++ b/policy/modules/contrib/rpcbind.te | ||
37 | @@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t) | ||
38 | |||
39 | logging_send_syslog_msg(rpcbind_t) | ||
40 | |||
41 | miscfiles_read_localization(rpcbind_t) | ||
42 | |||
43 | +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, | ||
44 | +# because the are running in different level. So add rules to allow this. | ||
45 | +mls_socket_read_all_levels(rpcbind_t) | ||
46 | +mls_socket_write_all_levels(rpcbind_t) | ||
47 | + | ||
48 | ifdef(`distro_debian',` | ||
49 | term_dontaudit_use_unallocated_ttys(rpcbind_t) | ||
50 | ') | ||
51 | --- a/policy/modules/kernel/filesystem.te | 51 | --- a/policy/modules/kernel/filesystem.te |
52 | +++ b/policy/modules/kernel/filesystem.te | 52 | +++ b/policy/modules/kernel/filesystem.te |
53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) | 53 | @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) |
@@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) | 64 | genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) |
65 | --- a/policy/modules/kernel/kernel.te | 65 | --- a/policy/modules/kernel/kernel.te |
66 | +++ b/policy/modules/kernel/kernel.te | 66 | +++ b/policy/modules/kernel/kernel.te |
67 | @@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t) | 67 | @@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) |
68 | 68 | ||
69 | mls_process_read_all_levels(kernel_t) | 69 | mls_process_read_all_levels(kernel_t) |
70 | mls_process_write_all_levels(kernel_t) | 70 | mls_process_write_all_levels(kernel_t) |
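Review bot: `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)` (new patch lines 27-28) exempt rpcbind_t from MLS socket constraints in both directions at every level, which is far broader than the single nfsd_t-to-rpcbind_t unix_stream_socket case the comment describes, and it applies to rpcbind's TCP/UDP sockets as well. Consider whether the to-clearance variants, if this refpolicy revision provides them, or a ranged transition for nfsd_t would be enough, and at minimum widen the comment to say what is actually granted; the comment also has a typo, `because the are running` should read `because they are running`. The rest of this section only moves the rpcbind.te hunk ahead of the rpc.te hunk.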
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch index 950f525..0cd8bf9 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch | |||
@@ -10,22 +10,22 @@ Upstream-Status: pending | |||
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> |
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
13 | --- | 14 | --- |
14 | policy/modules/system/selinuxutil.te | 2 +- | 15 | policy/modules/system/selinuxutil.te | 2 +- |
15 | 1 file changed, 1 insertion(+), 1 deletion(-) | 16 | 1 file changed, 1 insertion(+), 1 deletion(-) |
16 | 17 | ||
17 | --- a/policy/modules/system/selinuxutil.te | 18 | --- a/policy/modules/system/selinuxutil.te |
18 | +++ b/policy/modules/system/selinuxutil.te | 19 | +++ b/policy/modules/system/selinuxutil.te |
19 | @@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t) | 20 | @@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t) |
20 | files_dontaudit_read_all_symlinks(setfiles_t) | 21 | files_dontaudit_read_all_symlinks(setfiles_t) |
21 | 22 | ||
22 | # needs to be able to read symlinks to make restorecon on symlink working | 23 | # needs to be able to read symlinks to make restorecon on symlink working |
23 | files_read_all_symlinks(setfiles_t) | 24 | files_read_all_symlinks(setfiles_t) |
24 | 25 | ||
25 | -fs_getattr_all_xattr_fs(setfiles_t) | ||
26 | +fs_getattr_all_fs(setfiles_t) | 26 | +fs_getattr_all_fs(setfiles_t) |
27 | fs_list_all(setfiles_t) | 27 | fs_getattr_all_xattr_fs(setfiles_t) |
28 | fs_search_auto_mountpoints(setfiles_t) | 28 | fs_getattr_nfs(setfiles_t) |
29 | fs_relabelfrom_noxattr_fs(setfiles_t) | 29 | fs_getattr_pstore_dirs(setfiles_t) |
30 | 30 | fs_getattr_pstorefs(setfiles_t) | |
31 | mls_file_read_all_levels(setfiles_t) | 31 | fs_getattr_tracefs(setfiles_t) |
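Review bot: The inner diffstat line `1 file changed, 1 insertion(+), 1 deletion(-)` is stale after this rebase: the new hunk `@@ -594,10 +594,11 @@` only adds `fs_getattr_all_fs(setfiles_t)` and keeps `fs_getattr_all_xattr_fs(setfiles_t)` as context, so there is no deletion any more; change it to `1 file changed, 1 insertion(+)`. Since fs_getattr_all_fs covers getattr on all filesystem_type types, the narrower fs_getattr_all_xattr_fs / fs_getattr_nfs / fs_getattr_pstorefs / fs_getattr_tracefs rules that now follow it are subsumed; keeping them is harmless, but the patch header should state why the blanket getattr is needed (presumably setfiles running statvfs over every mount to count files, per the patch name) so a later cleanup does not drop the broad rule and reintroduce the failure.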
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch index c9a877b..e0f8c1a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch | |||
@@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files | |||
6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
7 | 7 | ||
8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
9 | --- | 10 | --- |
10 | policy/modules/system/selinuxutil.if | 1 + | 11 | policy/modules/system/selinuxutil.if | 1 + |
11 | policy/modules/system/userdomain.if | 4 ++++ | 12 | policy/modules/system/userdomain.if | 4 ++++ |
@@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
27 | ####################################### | 28 | ####################################### |
28 | --- a/policy/modules/system/userdomain.if | 29 | --- a/policy/modules/system/userdomain.if |
29 | +++ b/policy/modules/system/userdomain.if | 30 | +++ b/policy/modules/system/userdomain.if |
30 | @@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat | 31 | @@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat |
31 | logging_read_audit_log($1) | 32 | logging_read_audit_log($1) |
32 | logging_read_generic_logs($1) | 33 | logging_read_generic_logs($1) |
33 | logging_read_audit_config($1) | 34 | logging_read_audit_config($1) |
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch index 86ff0d2..6eba356 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch | |||
@@ -8,21 +8,21 @@ It provide, the systemd support related allow rules | |||
8 | Upstream-Status: Pending | 8 | Upstream-Status: Pending |
9 | 9 | ||
10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | 10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
11 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | --- | 12 | --- |
12 | policy/modules/system/init.te | 5 +++++ | 13 | policy/modules/system/init.te | 5 +++++ |
13 | 1 file changed, 5 insertions(+) | 14 | 1 file changed, 5 insertions(+) |
14 | 15 | ||
15 | --- a/policy/modules/system/init.te | 16 | --- a/policy/modules/system/init.te |
16 | +++ b/policy/modules/system/init.te | 17 | +++ b/policy/modules/system/init.te |
17 | @@ -1105,5 +1105,10 @@ optional_policy(` | 18 | @@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre |
18 | ') | ||
19 | |||
20 | optional_policy(` | 19 | optional_policy(` |
21 | zebra_read_config(initrc_t) | 20 | userdom_dontaudit_search_user_home_dirs(systemprocess) |
21 | userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) | ||
22 | userdom_dontaudit_write_user_tmp_files(systemprocess) | ||
22 | ') | 23 | ') |
23 | + | 24 | + |
24 | +# systemd related allow rules | 25 | +# systemd related allow rules |
25 | +allow kernel_t init_t:process dyntransition; | 26 | +allow kernel_t init_t:process dyntransition; |
26 | +allow devpts_t device_t:filesystem associate; | 27 | +allow devpts_t device_t:filesystem associate; |
27 | +allow init_t self:capability2 block_suspend; | 28 | +allow init_t self:capability2 block_suspend; |
28 | \ No newline at end of file | ||
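Review bot: The three rules appended to init.te are raw `allow` statements that reach across modules (`kernel_t` from kernel.te, `devpts_t` and `device_t` from the terminal and devices modules) with no gen_require and no interface call, which departs from refpolicy's module-interface convention and keeps the grants out of the .if files that policy audits usually read. `allow kernel_t init_t:process dyntransition;` in particular lets the kernel domain re-label itself to init_t at runtime, a strong grant that the comment `# systemd related allow rules` does not justify; a one-line why-comment naming the systemd PID 1 setcon need would help. Prefer the existing interfaces, `kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)`, keep only the self rule `allow init_t self:capability2 block_suspend;` inline, and consider placing all three inside the `ifdef(`init_systemd'` block so a sysvinit build does not carry them.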
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index 2dd8291..b33e84b 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch | |||
@@ -11,17 +11,18 @@ Upstream-Status: pending | |||
11 | 11 | ||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 13 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | --- | 15 | --- |
15 | policy/modules/system/init.te | 14 ++++++++------ | 16 | policy/modules/system/init.te | 14 ++++++++------ |
16 | policy/modules/system/locallogin.te | 4 +++- | 17 | policy/modules/system/locallogin.te | 4 +++- |
17 | 2 files changed, 11 insertions(+), 7 deletions(-) | 18 | 2 files changed, 11 insertions(+), 7 deletions(-) |
18 | 19 | ||
19 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
20 | index c058f0c..d710fb0 100644 | ||
21 | --- a/policy/modules/system/init.te | 20 | --- a/policy/modules/system/init.te |
22 | +++ b/policy/modules/system/init.te | 21 | +++ b/policy/modules/system/init.te |
23 | @@ -292,12 +292,14 @@ ifdef(`init_systemd',` | 22 | @@ -344,17 +344,19 @@ ifdef(`init_systemd',` |
24 | modutils_domtrans_insmod(init_t) | 23 | |
24 | optional_policy(` | ||
25 | modutils_domtrans(init_t) | ||
25 | ') | 26 | ') |
26 | ',` | 27 | ',` |
27 | - tunable_policy(`init_upstart',` | 28 | - tunable_policy(`init_upstart',` |
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644 | |||
29 | - ',` | 30 | - ',` |
30 | - # Run the shell in the sysadm role for single-user mode. | 31 | - # Run the shell in the sysadm role for single-user mode. |
31 | - # causes problems with upstart | 32 | - # causes problems with upstart |
32 | - sysadm_shell_domtrans(init_t) | 33 | - ifndef(`distro_debian',` |
34 | - sysadm_shell_domtrans(init_t) | ||
33 | + optional_policy(` | 35 | + optional_policy(` |
34 | + tunable_policy(`init_upstart',` | 36 | + tunable_policy(`init_upstart',` |
35 | + corecmd_shell_domtrans(init_t, initrc_t) | 37 | + corecmd_shell_domtrans(init_t, initrc_t) |
36 | + ',` | 38 | + ',` |
37 | + # Run the shell in the sysadm role for single-user mode. | 39 | + # Run the shell in the sysadm role for single-user mode. |
38 | + # causes problems with upstart | 40 | + # causes problems with upstart |
39 | + sysadm_shell_domtrans(init_t) | 41 | + ifndef(`distro_debian',` |
40 | + ') | 42 | + sysadm_shell_domtrans(init_t) |
43 | + ') | ||
44 | ') | ||
41 | ') | 45 | ') |
42 | ') | 46 | ') |
43 | 47 | ||
44 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | 48 | ifdef(`distro_debian',` |
45 | index 0781eae..ea2493a 100644 | ||
46 | --- a/policy/modules/system/locallogin.te | 49 | --- a/policy/modules/system/locallogin.te |
47 | +++ b/policy/modules/system/locallogin.te | 50 | +++ b/policy/modules/system/locallogin.te |
48 | @@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t) | 51 | @@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) |
52 | userdom_use_unpriv_users_fds(sulogin_t) | ||
53 | |||
49 | userdom_search_user_home_dirs(sulogin_t) | 54 | userdom_search_user_home_dirs(sulogin_t) |
50 | userdom_use_user_ptys(sulogin_t) | 55 | userdom_use_user_ptys(sulogin_t) |
51 | 56 | ||
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644 | |||
54 | + sysadm_shell_domtrans(sulogin_t) | 59 | + sysadm_shell_domtrans(sulogin_t) |
55 | +') | 60 | +') |
56 | 61 | ||
57 | # suse and debian do not use pam with sulogin... | 62 | # by default, sulogin does not use pam... |
58 | ifdef(`distro_suse', `define(`sulogin_no_pam')') | 63 | # sulogin_pam might need to be defined otherwise |
59 | -- | 64 | ifdef(`sulogin_pam', ` |
60 | 1.9.1 | 65 | selinux_get_fs_mount(sulogin_t) |
61 | |||
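Review bot: In the rebased init.te hunk the new `optional_policy(` wraps the whole `tunable_policy(`init_upstart'` block, so as I read the policy-language semantics an unmet sysadm requirement disables the entire optional block, including the upstart branch `corecmd_shell_domtrans(init_t, initrc_t)`, which does not itself depend on the sysadm module. Refpolicy convention nests tunable_policy inside optional_policy rather than the reverse, so this shape may be unavoidable, but the consequence should be recorded; suggest a comment above the block such as `# optional on the sysadm module: without it neither the upstart nor the single-user shell transition is built`. The else-branch of `ifdef(`init_systemd'` that this code sits in begins outside the visible hunk lines.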
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch index b6c64c6..17a8199 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch | |||
@@ -18,15 +18,16 @@ support is enabled: | |||
18 | Upstream-Status: Inappropriate | 18 | Upstream-Status: Inappropriate |
19 | 19 | ||
20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 20 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
21 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
21 | --- | 22 | --- |
22 | policy/modules/system/init.if | 4 ++-- | 23 | policy/modules/system/init.if | 4 ++-- |
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | 24 | 1 file changed, 2 insertions(+), 2 deletions(-) |
24 | 25 | ||
25 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | ||
26 | index f50c6e1..b445886 100644 | ||
27 | --- a/policy/modules/system/init.if | 26 | --- a/policy/modules/system/init.if |
28 | +++ b/policy/modules/system/init.if | 27 | +++ b/policy/modules/system/init.if |
29 | @@ -1307,12 +1307,12 @@ interface(`init_spec_domtrans_script',` | 28 | @@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',` |
29 | ## </summary> | ||
30 | ## </param> | ||
30 | # | 31 | # |
31 | interface(`init_domtrans_script',` | 32 | interface(`init_domtrans_script',` |
32 | gen_require(` | 33 | gen_require(` |
@@ -41,6 +42,5 @@ index f50c6e1..b445886 100644 | |||
41 | 42 | ||
42 | ifdef(`enable_mcs',` | 43 | ifdef(`enable_mcs',` |
43 | range_transition $1 init_script_file_type:process s0; | 44 | range_transition $1 init_script_file_type:process s0; |
44 | -- | 45 | ') |
45 | 1.9.1 | 46 | |
46 | |||
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index ba14851..29d3e2d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch | |||
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | |||
20 | policy/users | 16 +++++-------- | 20 | policy/users | 16 +++++-------- |
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | 21 | 5 files changed, 55 insertions(+), 20 deletions(-) |
22 | 22 | ||
23 | diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers | ||
24 | index dc5f1e4..4428da8 100644 | ||
25 | --- a/config/appconfig-mcs/seusers | 23 | --- a/config/appconfig-mcs/seusers |
26 | +++ b/config/appconfig-mcs/seusers | 24 | +++ b/config/appconfig-mcs/seusers |
27 | @@ -1,3 +1,3 @@ | 25 | @@ -1,2 +1,3 @@ |
28 | system_u:system_u:s0-mcs_systemhigh | ||
29 | -root:root:s0-mcs_systemhigh | 26 | -root:root:s0-mcs_systemhigh |
30 | -__default__:user_u:s0 | 27 | -__default__:user_u:s0 |
31 | +root:unconfined_u:s0-mcs_systemhigh | 28 | +root:unconfined_u:s0-mcs_systemhigh |
32 | +__default__:unconfined_u:s0 | 29 | +__default__:unconfined_u:s0 |
33 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 30 | + |
34 | index 005afd8..4699d6a 100644 | ||
35 | --- a/policy/modules/roles/sysadm.te | 31 | --- a/policy/modules/roles/sysadm.te |
36 | +++ b/policy/modules/roles/sysadm.te | 32 | +++ b/policy/modules/roles/sysadm.te |
37 | @@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) | 33 | @@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t) |
34 | ubac_file_exempt(sysadm_t) | ||
38 | ubac_fd_exempt(sysadm_t) | 35 | ubac_fd_exempt(sysadm_t) |
39 | 36 | ||
40 | init_exec(sysadm_t) | 37 | init_exec(sysadm_t) |
38 | init_admin(sysadm_t) | ||
41 | +init_script_role_transition(sysadm_r) | 39 | +init_script_role_transition(sysadm_r) |
42 | init_get_system_status(sysadm_t) | 40 | |
43 | init_disable(sysadm_t) | 41 | selinux_read_policy(sysadm_t) |
44 | init_enable(sysadm_t) | 42 | |
45 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | 43 | # Add/remove user home directories |
46 | index b68dfc1..35b4141 100644 | 44 | userdom_manage_user_home_dirs(sysadm_t) |
47 | --- a/policy/modules/system/init.if | 45 | --- a/policy/modules/system/init.if |
48 | +++ b/policy/modules/system/init.if | 46 | +++ b/policy/modules/system/init.if |
49 | @@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',` | 47 | @@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type', |
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | 50 | # |
51 | interface(`init_spec_domtrans_script',` | 51 | interface(`init_spec_domtrans_script',` |
52 | gen_require(` | 52 | gen_require(` |
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644 | |||
61 | 61 | ||
62 | ifdef(`distro_gentoo',` | 62 | ifdef(`distro_gentoo',` |
63 | gen_require(` | 63 | gen_require(` |
64 | @@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',` | 64 | type rc_exec_t; |
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
65 | ') | 68 | ') |
66 | 69 | ||
67 | ifdef(`enable_mcs',` | 70 | ifdef(`enable_mcs',` |
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644 | |||
75 | ') | 78 | ') |
76 | ') | 79 | ') |
77 | 80 | ||
78 | @@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',` | 81 | ######################################## |
82 | ## <summary> | ||
83 | @@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
79 | # | 86 | # |
80 | interface(`init_domtrans_script',` | 87 | interface(`init_domtrans_script',` |
81 | gen_require(` | 88 | gen_require(` |
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644 | |||
99 | ') | 106 | ') |
100 | ') | 107 | ') |
101 | 108 | ||
102 | @@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',` | 109 | ######################################## |
103 | 110 | ## <summary> | |
104 | allow $1 systemdunit:service reload; | 111 | @@ -2972,5 +2974,34 @@ interface(`init_admin',` |
112 | init_stop_all_units($1) | ||
113 | init_stop_generic_units($1) | ||
114 | init_stop_system($1) | ||
115 | init_telinit($1) | ||
105 | ') | 116 | ') |
106 | + | 117 | + |
107 | +######################################## | 118 | +######################################## |
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644 | |||
132 | + role_transition $1 init_script_file_type system_r; | 143 | + role_transition $1 init_script_file_type system_r; |
133 | +') | 144 | +') |
134 | + | 145 | + |
135 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | ||
136 | index ad23fce..99cab31 100644 | ||
137 | --- a/policy/modules/system/unconfined.te | 146 | --- a/policy/modules/system/unconfined.te |
138 | +++ b/policy/modules/system/unconfined.te | 147 | +++ b/policy/modules/system/unconfined.te |
139 | @@ -20,6 +20,11 @@ type unconfined_execmem_t; | 148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi |
149 | |||
150 | type unconfined_execmem_t; | ||
140 | type unconfined_execmem_exec_t; | 151 | type unconfined_execmem_exec_t; |
141 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | 152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) |
142 | role unconfined_r types unconfined_execmem_t; | 153 | role unconfined_r types unconfined_execmem_t; |
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644 | |||
148 | 159 | ||
149 | ######################################## | 160 | ######################################## |
150 | # | 161 | # |
151 | @@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f | 162 | # Local policy |
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
152 | ifdef(`direct_sysadm_daemon',` | 167 | ifdef(`direct_sysadm_daemon',` |
153 | optional_policy(` | 168 | optional_policy(` |
154 | init_run_daemon(unconfined_t, unconfined_r) | 169 | init_run_daemon(unconfined_t, unconfined_r) |
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644 | |||
157 | ') | 172 | ') |
158 | ',` | 173 | ',` |
159 | ifdef(`distro_gentoo',` | 174 | ifdef(`distro_gentoo',` |
160 | diff --git a/policy/users b/policy/users | 175 | seutil_run_runinit(unconfined_t, unconfined_r) |
161 | index ca20375..ac1ca6c 100644 | 176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) |
162 | --- a/policy/users | 177 | --- a/policy/users |
163 | +++ b/policy/users | 178 | +++ b/policy/users |
164 | @@ -15,7 +15,7 @@ | 179 | @@ -13,37 +13,33 @@ |
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
165 | # and a user process should never be assigned the system user | 182 | # and a user process should never be assigned the system user |
166 | # identity. | 183 | # identity. |
167 | # | 184 | # |
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644 | |||
170 | 187 | ||
171 | # | 188 | # |
172 | # user_u is a generic user identity for Linux users who have no | 189 | # user_u is a generic user identity for Linux users who have no |
173 | @@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 190 | # SELinux user identity defined. The modified daemons will use |
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
174 | # permit any access to such users, then remove this entry. | 193 | # permit any access to such users, then remove this entry. |
175 | # | 194 | # |
176 | gen_user(user_u, user, user_r, s0, s0) | 195 | gen_user(user_u, user, user_r, s0, s0) |
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644 | |||
189 | ') | 208 | ') |
190 | 209 | ||
191 | # | 210 | # |
192 | @@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',` | 211 | # The following users correspond to Unix identities. |
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
193 | # role should use the staff_r role instead of the user_r role when | 214 | # role should use the staff_r role instead of the user_r role when |
194 | # not in the sysadm_r. | 215 | # not in the sysadm_r. |
195 | # | 216 | # |
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644 | |||
199 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | 220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) |
200 | -') | 221 | -') |
201 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) |
202 | -- | ||
203 | 1.9.1 | ||
204 | |||
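Review bot: The rebased seusers hunk `@@ -1,2 +1,3 @@` now adds a trailing empty line (the bare `+` at new line 30) to config/appconfig-mcs/seusers, which has nothing to do with the unconfined_u mapping; drop that line so the hunk is a pure two-line replacement with header `@@ -1,2 +1,2 @@`. The `system_u:system_u:s0-mcs_systemhigh` context line also disappeared from the hunk, so it is worth confirming the patch still applies at offset 1 against the current upstream seusers. Separately, because `__default__:unconfined_u:s0` maps every Linux user without an explicit seusers entry to unconfined_u and the root gen_user in policy/users lists `unconfined_r system_r` alongside the sysadm and staff roles, the patch description should state that both are intended targeted-policy semantics rather than rebase leftovers.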
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index e6e63c9..b320e4d 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc | |||
@@ -20,7 +20,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ | |||
20 | file://poky-fc-dmesg.patch \ | 20 | file://poky-fc-dmesg.patch \ |
21 | file://poky-fc-fstools.patch \ | 21 | file://poky-fc-fstools.patch \ |
22 | file://poky-fc-mta.patch \ | 22 | file://poky-fc-mta.patch \ |
23 | file://poky-fc-netutils.patch \ | ||
24 | file://poky-fc-nscd.patch \ | 23 | file://poky-fc-nscd.patch \ |
25 | file://poky-fc-screen.patch \ | 24 | file://poky-fc-screen.patch \ |
26 | file://poky-fc-ssh.patch \ | 25 | file://poky-fc-ssh.patch \ |