1 files changed, 0 insertions, 121 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
deleted file mode 100644
index 968a9be..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
- services allow rules
-systemd allow rules for systemd service file operations: start, stop, restart
-& allow rule for unconfined systemd service.
-without this change we are getting these errors:
-:~# systemctl status selinux-init.service
-Failed to get properties: Access denied
-:~# systemctl stop selinux-init.service
-Failed to stop selinux-init.service: Access denied
-:~# systemctl restart  selinux-init.service
-audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
-gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
-restart selinux-init.service" scontext=unconfined_u:unconfined_r:
-unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
-Upstream-Status: Pending
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te       |  4 +++
- policy/modules/system/libraries.te  |  3 +++
- policy/modules/system/systemd.if    | 39 +++++++++++++++++++++++++++++
- policy/modules/system/unconfined.te |  6 +++++
- 4 files changed, 52 insertions(+)
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d8696580..e15ec4b9 100644
--- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1425,3 +1425,7 @@ optional_policy(`
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
-+allow init_t self:capability2 audit_read;
-+
-+allow initrc_t init_t:system { start status };
-+allow initrc_t init_var_run_t:service { start status };
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 422b0ea1..80b0c9a5 100644
--- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -145,3 +145,6 @@ optional_policy(`
- optional_policy(`
-        unconfined_domain(ldconfig_t)
- ')
-+
-+# systemd: init domain to start lib domain service
-+systemd_service_lib_function(lib_t)
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6353ca69..4519a448 100644
--- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
- 
-        getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
- ')
-+
-+########################################
-+## <summary>
-+## Allow specified domain to start stop reset systemd service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_file_operations',`
-+         gen_require(`
-+               class service { start status stop };
-+         ')
-+
-+       allow $1 lib_t:service { start status stop };
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Allow init domain to start lib domain service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_lib_function',`
-+         gen_require(`
-+               class service start;
-+         ')
-+
-+       allow initrc_t $1:service start;
-+
-+')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 12cc0d7c..c09e94a5 100644
--- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
- optional_policy(`
-        unconfined_dbus_chat(unconfined_execmem_t)
- ')
-+
-+
-+# systemd: specified domain to start stop reset systemd service
-+systemd_service_file_operations(unconfined_t)
-+
-+allow unconfined_t init_t:system reload;
-- 
-2.19.1

diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch deleted file mode 100644 index 968a9be..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ /dev/null
@@ -1,121 +0,0 @@
1	From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
3	Date: Fri, 26 Aug 2016 17:51:32 +0530
4	Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
5	services allow rules
6
7	systemd allow rules for systemd service file operations: start, stop, restart
8	& allow rule for unconfined systemd service.
9
10	without this change we are getting these errors:
11	:~# systemctl status selinux-init.service
12	Failed to get properties: Access denied
13
14	:~# systemctl stop selinux-init.service
15	Failed to stop selinux-init.service: Access denied
16
17	:~# systemctl restart selinux-init.service
18	audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
19	system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
20	gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
21	restart selinux-init.service" scontext=unconfined_u:unconfined_r:
22	unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
23
24	Upstream-Status: Pending
25
26	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
27	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
28	---
29	policy/modules/system/init.te \| 4 +++
30	policy/modules/system/libraries.te \| 3 +++
31	policy/modules/system/systemd.if \| 39 +++++++++++++++++++++++++++++
32	policy/modules/system/unconfined.te \| 6 +++++
33	4 files changed, 52 insertions(+)
34
35	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
36	index d8696580..e15ec4b9 100644
37	--- a/policy/modules/system/init.te
38	+++ b/policy/modules/system/init.te
39	@@ -1425,3 +1425,7 @@ optional_policy(`
40	allow kernel_t init_t:process dyntransition;
41	allow devpts_t device_t:filesystem associate;
42	allow init_t self:capability2 block_suspend;
43	+allow init_t self:capability2 audit_read;
44	+
45	+allow initrc_t init_t:system { start status };
46	+allow initrc_t init_var_run_t:service { start status };
47	diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
48	index 422b0ea1..80b0c9a5 100644
49	--- a/policy/modules/system/libraries.te
50	+++ b/policy/modules/system/libraries.te
51	@@ -145,3 +145,6 @@ optional_policy(`
52	optional_policy(`
53	unconfined_domain(ldconfig_t)
54	')
55	+
56	+# systemd: init domain to start lib domain service
57	+systemd_service_lib_function(lib_t)
58	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
59	index 6353ca69..4519a448 100644
60	--- a/policy/modules/system/systemd.if
61	+++ b/policy/modules/system/systemd.if
62	@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
63
64	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
65	')
66	+
67	+########################################
68	+## <summary>
69	+## Allow specified domain to start stop reset systemd service
70	+## </summary>
71	+## <param name="domain">
72	+## <summary>
73	+## Domain to not audit.
74	+## </summary>
75	+## </param>
76	+#
77	+interface(`systemd_service_file_operations',`
78	+ gen_require(`
79	+ class service { start status stop };
80	+ ')
81	+
82	+ allow $1 lib_t:service { start status stop };
83	+
84	+')
85	+
86	+
87	+########################################
88	+## <summary>
89	+## Allow init domain to start lib domain service
90	+## </summary>
91	+## <param name="domain">
92	+## <summary>
93	+## Domain to not audit.
94	+## </summary>
95	+## </param>
96	+#
97	+interface(`systemd_service_lib_function',`
98	+ gen_require(`
99	+ class service start;
100	+ ')
101	+
102	+ allow initrc_t $1:service start;
103	+
104	+')
105	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
106	index 12cc0d7c..c09e94a5 100644
107	--- a/policy/modules/system/unconfined.te
108	+++ b/policy/modules/system/unconfined.te
109	@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
110	optional_policy(`
111	unconfined_dbus_chat(unconfined_execmem_t)
112	')
113	+
114	+
115	+# systemd: specified domain to start stop reset systemd service
116	+systemd_service_file_operations(unconfined_t)
117	+
118	+allow unconfined_t init_t:system reload;
119	--
120	2.19.1
121