Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch | 126 |
1 files changed, 0 insertions, 126 deletions
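--- a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:16:37 -0400
-Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
-1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6790e5d0..2c95db81 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
-allow $1 security_t:filesystem mount;
-')
-
-@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
-allow $1 security_t:filesystem remount;
-')
-
-@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
-')
-
-allow $1 security_t:filesystem unmount;
-+
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-')
-
-########################################
-@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
-')
-
-dontaudit $1 security_t:dir getattr;
-+ dev_dontaudit_getattr_sysfs($1)
-+ dev_dontaudit_search_sysfs($1)
-')
-
-########################################
-@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-')
-
-@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
-type security_t;
-')
-
-+ dev_dontaudit_getattr_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-dontaudit $1 security_t:file read_file_perms;
-')
-@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file read_file_perms;
-@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
-bool secure_mode_policyload;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir list_dir_perms;
-dontaudit $1 security_t:file rw_file_perms;
-dontaudit $1 security_t:security check_context;
-@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 self:netlink_selinux_socket create_socket_perms;
-allow $1 security_t:dir list_dir_perms;
-@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
---
-2.19.1
-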