1 files changed, 46 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..80b420c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+ 
+It provides the systemd support for refpolicy 
+and related allow rules. 
+The restorecon provides systemd init labeled 
+as init_exec_t.
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+ /sbin/shutdown --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+# systemd support
+/bin/systemctl --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /usr/lib/upstart/shutdown      --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown     --      gen_context(system_u:object_r:shutdown_exec_t,s0)
+--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit   --      gen_context(system_u:object_r:init_exec_t,s0)
+# systemd support
+/lib/systemd/systemd   --      gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
+ 
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+ optional_policy(`
+        zebra_read_config(initrc_t)
+ ')
+
+# systemd related allow rules
+allow kernel_t init_t:process dyntransition;
+allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;

diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch new file mode 100644 index 0000000..80b420c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
	1	refpolicy: update for systemd
	2
	3	It provides the systemd support for refpolicy
	4	and related allow rules.
	5	The restorecon provides systemd init labeled
	6	as init_exec_t.
	7
	8	Upstream-Status: Pending
	9
	10
	11	Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
	12
	13	--- a/policy/modules/contrib/shutdown.fc
	14	+++ b/policy/modules/contrib/shutdown.fc
	15	@@ -5,6 +5,9 @@
	16	/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
	17	/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
	18
	19	+# systemd support
	20	+/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)
	21	+
	22	/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
	23
	24	/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
	25	--- a/policy/modules/system/init.fc
	26	+++ b/policy/modules/system/init.fc
	27	@@ -31,6 +31,8 @@
	28	#
	29	/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
	30	/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
	31	+# systemd support
	32	+/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
	33	# because nowadays, /sbin/init is often a symlink to /sbin/upstart
	34	/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
	35
	36	--- a/policy/modules/system/init.te
	37	+++ b/policy/modules/system/init.te
	38	@@ -913,3 +913,8 @@
	39	optional_policy(`
	40	zebra_read_config(initrc_t)
	41	')
	42	+
	43	+# systemd related allow rules
	44	+allow kernel_t init_t:process dyntransition;
	45	+allow devpts_t device_t:filesystem associate;
	46	+allow init_t self:capability2 block_suspend;