Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git')
44 files changed, 0 insertions, 2360 deletions
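--- a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 16:14:09 -0400
-Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
-
-Ensure /var/volatile paths get the appropriate base file context.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-config/file_contexts.subs_dist | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 346d920e..be532d7f 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -31,3 +31,13 @@
-# not for refpolicy intern, but for /var/run using applications,
-# like systemd tmpfiles or systemd socket configurations
-/var/run /run
-+
-+# volatile aliases
-+# ensure the policy applied to the base filesystem objects are reflected in the
-+# volatile hierarchy.
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
---
-2.19.1
-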
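--- a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/shutdown.fc | 1 +
-policy/modules/kernel/corecommands.fc | 1 +
-policy/modules/system/init.fc | 1 +
-3 files changed, 3 insertions(+)
-
-diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index 03a2230c..2ba049ff 100644
---- a/policy/modules/admin/shutdown.fc
-+++ b/policy/modules/admin/shutdown.fc
-@@ -5,5 +5,6 @@
-/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
-/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index cf3848db..86920167 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
-/usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
-/usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 11a6ce93..93e9d2b4 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
-# /usr
-#
-/usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
-/usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
---
-2.19.1
-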
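--- a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:44 +0530
-Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
-allow rules
-
-add allow rules for audit.log file & resolve dependent avc denials.
-
-without this change we are getting audit avc denials mixed into bootlog &
-audit other avc denials.
-
-audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
-name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=sy0
-audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
-audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
-volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
-:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/getty.te | 3 +++
-policy/modules/system/logging.te | 8 ++++++++
-2 files changed, 11 insertions(+)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 6d3c4284..423db0cc 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -129,3 +129,6 @@ optional_policy(`
-optional_policy(`
-udev_read_db(getty_t)
-')
-+
-+allow getty_t tmpfs_t:dir search;
-+allow getty_t tmpfs_t:file { open write lock };
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index e6221a02..4cc73327 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
-allow audisp_t self:unix_dgram_socket create_socket_perms;
-
-allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
-+allow audisp_t initrc_t:unix_dgram_socket sendto;
-
-manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
-files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
-@@ -620,3 +621,10 @@ optional_policy(`
-# log to the xconsole
-xserver_rw_console(syslogd_t)
-')
-+
-+
-+allow auditd_t tmpfs_t:file { getattr setattr create open read append };
-+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
-+allow auditd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
---
-2.19.1
-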
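--- a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 20:48:10 -0400
-Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
-
-The objects in /usr/lib/busybox/* should have the same policy applied as
-the corresponding objects in the / hierarchy.
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-config/file_contexts.subs_dist | 7 +++++++
-1 file changed, 7 insertions(+)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index be532d7f..04fca3c3 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -41,3 +41,10 @@
-/var/volatile/tmp /var/tmp
-/var/volatile/lock /var/lock
-/var/volatile/run/lock /var/lock
-+
-+# busybox aliases
-+# quickly match up the busybox built-in tree to the base filesystem tree
-+/usr/lib/busybox/bin /bin
-+/usr/lib/busybox/sbin /sbin
-+/usr/lib/busybox/usr /usr
-+
---
-2.19.1
-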
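--- a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:46 +0530
-Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
-local_login_t
-
-add allow rules for locallogin module avc denials.
-
-without this change we are getting errors like these:
-
-type=AVC msg=audit(): avc: denied { read write open } for pid=353
-comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
-=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
-var_log_t:s0 tclass=file permissive=1
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
-path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
-tclass=unix_dgram_socket permissive=1
-
-type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
-"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
-:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
-=file permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/locallogin.te | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 4c679ff3..75750e4c 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -288,3 +288,13 @@ optional_policy(`
-optional_policy(`
-nscd_use(sulogin_t)
-')
-+
-+allow local_login_t initrc_t:fd use;
-+allow local_login_t initrc_t:unix_dgram_socket sendto;
-+allow local_login_t initrc_t:unix_stream_socket connectto;
-+allow local_login_t self:capability net_admin;
-+allow local_login_t var_log_t:file { create lock open read write };
-+allow local_login_t var_run_t:file { open read write lock};
-+allow local_login_t var_run_t:sock_file write;
-+allow local_login_t tmpfs_t:dir { add_name write search};
-+allow local_login_t tmpfs_t:file { create open read write lock };
---
-2.19.1
-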
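--- a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:39:41 +0800
-Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
-rule for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.fc | 3 +++
-policy/modules/system/logging.te | 1 +
-2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 6693d87b..0cf108e0 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,6 +2,7 @@
-
-/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
-/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -32,10 +33,12 @@
-/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
-/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
-/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0c5be1cd..38ccfe3a 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
-allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
-# Create and bind to /dev/log or /var/run/log.
---
-2.19.1
-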
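--- a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
-services allow rules
-
-systemd allow rules for systemd service file operations: start, stop, restart
-& allow rule for unconfined systemd service.
-
-without this change we are getting these errors:
-:~# systemctl status selinux-init.service
-Failed to get properties: Access denied
-
-:~# systemctl stop selinux-init.service
-Failed to stop selinux-init.service: Access denied
-
-:~# systemctl restart selinux-init.service
-audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
-gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
-restart selinux-init.service" scontext=unconfined_u:unconfined_r:
-unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/init.te | 4 +++
-policy/modules/system/libraries.te | 3 +++
-policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
-policy/modules/system/unconfined.te | 6 +++++
-4 files changed, 52 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d8696580..e15ec4b9 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1425,3 +1425,7 @@ optional_policy(`
-allow kernel_t init_t:process dyntransition;
-allow devpts_t device_t:filesystem associate;
-allow init_t self:capability2 block_suspend;
-+allow init_t self:capability2 audit_read;
-+
-+allow initrc_t init_t:system { start status };
-+allow initrc_t init_var_run_t:service { start status };
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 422b0ea1..80b0c9a5 100644
---- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -145,3 +145,6 @@ optional_policy(`
-optional_policy(`
-unconfined_domain(ldconfig_t)
-')
-+
-+# systemd: init domain to start lib domain service
-+systemd_service_lib_function(lib_t)
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6353ca69..4519a448 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
-
-getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
-')
-+
-+########################################
-+## <summary>
-+## Allow specified domain to start stop reset systemd service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_file_operations',`
-+ gen_require(`
-+ class service { start status stop };
-+ ')
-+
-+ allow $1 lib_t:service { start status stop };
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Allow init domain to start lib domain service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_lib_function',`
-+ gen_require(`
-+ class service start;
-+ ')
-+
-+ allow initrc_t $1:service start;
-+
-+')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 12cc0d7c..c09e94a5 100644
---- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
-optional_policy(`
-unconfined_dbus_chat(unconfined_execmem_t)
-')
-+
-+
-+# systemd: specified domain to start stop reset systemd service
-+systemd_service_file_operations(unconfined_t)
-+
-+allow unconfined_t init_t:system reload;
---
-2.19.1
-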
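--- a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
-alternatives
-
-Upstream-Status: Inappropriate [only for Yocto]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/hostname.fc | 4 ++++
-1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 83ddeb57..653e038d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1 +1,5 @@
-+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+
-/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
---
-2.19.1
-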
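--- a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:37 +0530
-Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
-add allow rules
-
-add allow rules for avc denails for systemd, mount, logging & authlogin
-modules.
-
-without this change we are getting avc denial like these:
-
-type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
-tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
-unix_dgram_socket permissive=0
-
-type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
-tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
-system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
-file permissive=0
-
-type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
-path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
-mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
-
-type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
-comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
-tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/authlogin.te | 2 ++
-policy/modules/system/logging.te | 7 ++++++-
-policy/modules/system/mount.te | 3 +++
-policy/modules/system/systemd.te | 5 +++++
-4 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 28f74bac..dfa46612 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -479,3 +479,5 @@ optional_policy(`
-samba_read_var_files(nsswitch_domain)
-samba_dontaudit_write_var_files(nsswitch_domain)
-')
-+
-+allow chkpwd_t proc_t:filesystem getattr;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 4cc73327..98c2bd19 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
-allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
-allow auditd_t initrc_t:unix_dgram_socket sendto;
-
--allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
-+
-+allow syslogd_t self:shm create;
-+allow syslogd_t self:sem { create read unix_write write };
-+allow syslogd_t self:shm { read unix_read unix_write write };
-+allow syslogd_t tmpfs_t:file { read write };
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 3dcb8493..a87d0e82 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -231,3 +231,6 @@ optional_policy(`
-files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-unconfined_domain(unconfined_mount_t)
-')
-+
-+allow mount_t proc_t:filesystem getattr;
-+allow mount_t initrc_t:udp_socket { read write };
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f6455f6f..b13337b9 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
-allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
-allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
-+allow systemd_tmpfiles_t init_t:dir search;
-+allow systemd_tmpfiles_t proc_t:filesystem getattr;
-+allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-+
-kernel_getattr_proc(systemd_tmpfiles_t)
-kernel_read_kernel_sysctls(systemd_tmpfiles_t)
-kernel_read_network_state(systemd_tmpfiles_t)
---
-2.19.1
-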
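--- a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:37:32 -0400
-Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
-
-We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
-the proper context to the target for our policy.
-
-Upstream-Status: Inappropriate [only for Yocto]
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/corecommands.fc | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index e7415cac..cf3848db 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
-/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
---
-2.19.1
-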
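--- a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:53:53 +0530
-Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
-manager.
-
-add allow rule to fix avc denial during system reboot.
-
-without this change we are getting:
-
-audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
-gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
-initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/init.te | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e15ec4b9..843fdcff 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
-allow init_t self:capability2 block_suspend;
-allow init_t self:capability2 audit_read;
-
--allow initrc_t init_t:system { start status };
-+allow initrc_t init_t:system { start status reboot };
-allow initrc_t init_var_run_t:service { start status };
---
-2.19.1
-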
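--- a/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 4 Apr 2019 10:45:03 -0400
-Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/sysnetwork.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 1e5432a4..ac7c2dd1 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
-/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-
-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
---
-2.19.1
-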
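--- a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 3 Apr 2019 14:51:29 -0400
-Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
- refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
-ls /var/log
-/var/log -> volatile/log
-:~#
-
-The old refpolicy included a pre-generated booleans.conf that could be
-patched. That's no longer the case so we're left with a few options,
-tweak the default directly or create a template booleans.conf file which
-will be updated during build time. Since this is intended to be applied
-only for specific configuraitons it seems like the same either way and
-this avoids us playing games to work around .gitignore.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/booleans.conf | 9 +++++++++
- policy/modules/system/mount.te | 2 +-
- policy/modules/system/systemd.te | 2 +-
- 3 files changed, 11 insertions(+), 2 deletions(-)
- create mode 100644 policy/booleans.conf
-
-diff --git a/policy/booleans.conf b/policy/booleans.conf
-new file mode 100644
-index 00000000..850f56ed
---- /dev/null
-+++ b/policy/booleans.conf
-@@ -0,0 +1,9 @@
-+#
-+# Allow the mount command to mount any directory or file.
-+#
-+allow_mount_anyfile = true
-+
-+#
-+# Enable support for systemd-tmpfiles to manage all non-security files.
-+#
-+systemd_tmpfiles_manage_all = true
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index a87d0e82..868052b7 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
-## Allow the mount command to mount any directory or file.
-## </p>
-## </desc>
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(allow_mount_anyfile, true)
-
-attribute_role mount_roles;
-roleattribute system_r mount_roles;
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index b13337b9..74f9c1cb 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
-## Enable support for systemd-tmpfiles to manage all non-security files.
-## </p>
-## </desc>
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
-## <desc>
-## <p>
---
-2.19.1
-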
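--- a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:43:53 -0400
-Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/authlogin.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index e22945cd..a42bc0da 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -5,6 +5,7 @@
-/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
-/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
-/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-/usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
---
-2.19.1
-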
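--- a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:09 +0530
-Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
- service
-
-1. fix for systemd services: login & journal wile using refpolicy-minimum and
-systemd as init manager.
-2. fix login duration after providing root password.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
-systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
-tclass=fifo_file permissive=0
-
-audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
-="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
-
-audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
-system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
-="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
-lib_t:s0 tclass=service
-
-[FAILED] Failed to start Flush Journal to Persistent Storage.
-See 'systemctl status systemd-journal-flush.service' for details.
-
-[FAILED] Failed to start Login Service.
-See 'systemctl status systemd-logind.service' for details.
-
-[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
-See 'systemctl status avahi-daemon.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/init.te | 2 ++
- policy/modules/system/locallogin.te | 3 +++
- policy/modules/system/systemd.if | 6 ++++--
- policy/modules/system/systemd.te | 2 +-
- 4 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 843fdcff..ca8678b8 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
-
-allow initrc_t init_t:system { start status reboot };
-allow initrc_t init_var_run_t:service { start status };
-+
-+allow initrc_t init_var_run_t:service stop;
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 75750e4c..2c2cfc7d 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
-allow local_login_t var_run_t:sock_file write;
-allow local_login_t tmpfs_t:dir { add_name write search};
-allow local_login_t tmpfs_t:file { create open read write lock };
-+allow local_login_t init_var_run_t:fifo_file write;
-+allow local_login_t initrc_t:dbus send_msg;
-+allow initrc_t local_login_t:dbus send_msg;
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 4519a448..79133e6f 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
-#
-interface(`systemd_service_lib_function',`
-gen_require(`
-- class service start;
-+ class service { start status stop };
-+ class file { execmod open };
-')
-
-- allow initrc_t $1:service start;
-+ allow initrc_t $1:service { start status stop };
-+ allow initrc_t $1:file execmod;
-
-')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 74f9c1cb..f1d26a44 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
-allow systemd_tmpfiles_t init_t:dir search;
-allow systemd_tmpfiles_t proc_t:filesystem getattr;
--allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t init_t:file { open getattr read };
-allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-
-kernel_getattr_proc(systemd_tmpfiles_t)
---
-2.19.1
-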
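--- a/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH 08/34] fc/bind: fix real path for bind
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index b4879dc1..59498e25 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.19.1
-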
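--- a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:17 +0530
-Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
- services
-
-fix for systemd tmp files setup service while using refpolicy-minimum and
-systemd as init manager.
-
-these allow rules require kernel domain & files access, so added interfaces
-at systemd.te to merge these allow rules.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
-path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
-_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
-
-audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
-name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
-tclass=dir permissive=0
-
-[FAILED] Failed to start Create Static Device Nodes in /dev.
-See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
-
-[FAILED] Failed to start Create Volatile Files and Directories.
-See 'systemctl status systemd-tmpfiles-setup.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/kernel/files.if | 19 +++++++++++++++++++
- policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
- policy/modules/system/systemd.te | 2 ++
- 3 files changed, 42 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index eb067ad3..ff74f55a 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
-
-typeattribute $1 files_unconfined_type;
-')
-+
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel tmp files domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
-+ gen_require(`
-+ type tmp_t;
-+ class lnk_file getattr;
-+ ')
-+
-+ allow $1 tmp_t:lnk_file getattr;
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 1ad282aa..342eb033 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
-allow $1 unlabeled_t:infiniband_endport manage_subnet;
-')
-
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel sysctl domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
-+ gen_require(`
-+ type sysctl_kernel_t;
-+ class dir search;
-+ class file { open read };
-+ ')
-+
-+ allow $1 sysctl_kernel_t:dir search;
-+ allow $1 sysctl_kernel_t:file { open read };
-+
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f1d26a44..b4c64bc1 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
-
-seutil_read_file_contexts(systemd_update_done_t)
-
-+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
-+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
-systemd_log_parse_environment(systemd_update_done_t)
---
-2.19.1
-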
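--- a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:59:18 -0400
-Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index 30196589..e0dc4b6f 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,7 @@
-
-/usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
--/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
---
-2.19.1
-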
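--- a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:29 +0530
-Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
-
-syslog & getty related allow rules required to fix the syslog mixup with
-boot log, while using systemd as init manager.
-
-without this change we are getting these avc denials:
-
-audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
-dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
-"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
-object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
-"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
-:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
-/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
-system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
-
-audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
-scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
-s0 tclass=file permissive=0
-
-audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
-dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
-volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
-syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/getty.te | 1 +
- policy/modules/system/logging.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 423db0cc..9ab03956 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -132,3 +132,4 @@ optional_policy(`
-
-allow getty_t tmpfs_t:dir search;
-allow getty_t tmpfs_t:file { open write lock };
-+allow getty_t initrc_t:unix_dgram_socket sendto;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 98c2bd19..6a94ac12 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
-allow syslogd_t self:shm create;
-allow syslogd_t self:sem { create read unix_write write };
-allow syslogd_t self:shm { read unix_read unix_write write };
--allow syslogd_t tmpfs_t:file { read write };
-+allow syslogd_t tmpfs_t:file { read write create getattr append open };
-+allow syslogd_t tmpfs_t:dir { search write add_name };
---
-2.19.1
-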
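--- a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 08:26:55 -0400
-Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index e52fdfcf..85d15127 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,3 @@
--/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-2.19.1
-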
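--- a/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:20:58 -0400
-Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 4ac3e733..1f453091 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-
-/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
---
-2.19.1
-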
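--- a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Tue, 9 Jun 2015 21:22:52 +0530
-Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/sysnetwork.fc | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index ac7c2dd1..4e441503 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
-/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
-/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
-/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
-+#
-+# /usr/lib/busybox
-+#
-+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
-#
-# /var
-#
---
-2.19.1
-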
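--- a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/udev.fc | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 606ad517..2919c0bd 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
-/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
-ifdef(`distro_redhat',`
-/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-')
---
-2.19.1
-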
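--- a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/rpm.fc | 5 ++++-
-1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 578d465c..f2b8003a 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
-/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
-ifdef(`enable_mls',`
--/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-')
-+
---
-2.19.1
-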
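--- a/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/su.fc | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c969..435a6892 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,5 @@
-/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
-/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
---
-2.19.1
-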
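--- a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/fstools.fc | 12 ++++++++++++
-1 file changed, 12 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index 8fbd5ce4..d719e22c 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -58,6 +58,7 @@
-/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -72,10 +73,12 @@
-/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -88,17 +91,20 @@
-/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -108,6 +114,12 @@
-/usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+
-/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
-
-/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
---
-2.19.1
-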
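--- a/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
-object
-
-We add the syslogd_t to trusted object, because other process need
-to have the right to connectto/sendto /dev/log.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Roy.Li <rongqing.li@windriver.com>
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 38ccfe3a..c892f547 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
-fs_search_auto_mountpoints(syslogd_t)
-
-mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
-+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
-
-term_write_console(syslogd_t)
-# Allow syslog to a terminal
---
-2.19.1
-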
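--- a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
-/var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw... in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.fc | 1 +
-policy/modules/system/logging.if | 6 ++++++
-policy/modules/system/logging.te | 2 ++
-3 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 0cf108e0..5bec7e99 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
-/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
-/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 7b7644f7..0c7268ff 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',`
-interface(`logging_read_all_logs',`
-gen_require(`
-attribute logfile;
-+ type var_log_t;
-')
-
-files_search_var($1)
-allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-read_files_pattern($1, logfile, logfile)
-')
-
-@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',`
-interface(`logging_exec_all_logs',`
-gen_require(`
-attribute logfile;
-+ type var_log_t;
-')
-
-files_search_var($1)
-allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-can_exec($1, logfile)
-')
-
-@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',`
-
-files_search_var($1)
-allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-read_files_pattern($1, var_log_t, var_log_t)
-')
-
-@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',`
-
-files_search_var($1)
-manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index c892f547..499a4552 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t auditd_log_t:dir setattr;
-manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
-allow audisp_remote_t self:process { getcap setcap };
-allow audisp_remote_t self:tcp_socket create_socket_perms;
-allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
-manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
---
-2.19.1
-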
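--- a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 10:33:18 -0400
-Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
-/var/log
-
-We have added rules for the symlink of /var/log in logging.if, while
-syslogd_t uses /var/log but does not use the interfaces in logging.if. So
-still need add a individual rule for syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/logging.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 499a4552..e6221a02 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
-
-# Allow access for syslog-ng
-allow syslogd_t var_log_t:dir { create setattr };
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-
-# for systemd but can not be conditional
-files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
---
-2.19.1
-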
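--- a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
-symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/domain.te | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 1a55e3d2..babb794f 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
-# list the root directory
-files_list_root(domain)
-
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
-ifdef(`hide_broken_symptoms',`
-# This check is in the general socket
-# listen code, before protocol-specific
---
-2.19.1
-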
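--- a/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/files.fc | 1 +
-policy/modules/kernel/files.if | 8 ++++++++
-2 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c3496c21..05b1734b 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
-# /tmp
-#
-/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-/tmp/.* <<none>>
-/tmp/\.journal <<none>>
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f1c94411..eb067ad3 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
-')
-
-allow $1 tmp_t:dir search_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
-')
-
-allow $1 tmp_t:dir list_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
-')
-
-allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
-')
-
-read_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
-')
-
-manage_dirs_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
-')
-
-manage_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
-')
-
-rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
-@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
-')
-
-filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
-')
-
-########################################
---
-2.19.1
-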
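--- a/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
-to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/terminal.if | 16 ++++++++++++++++
-1 file changed, 16 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 61308843..a84787e6 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
-interface(`term_dontaudit_getattr_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-dontaudit $1 devpts_t:chr_file getattr;
-+ dontaudit $1 bsdpty_device_t:chr_file getattr;
-')
-########################################
-## <summary>
-@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
-interface(`term_ioctl_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-dev_list_all_dev_nodes($1)
-allow $1 devpts_t:dir search;
-allow $1 devpts_t:chr_file ioctl;
-+ allow $1 bsdpty_device_t:chr_file ioctl;
-')
-
-########################################
-@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
-interface(`term_setattr_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-allow $1 devpts_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
-')
-
-########################################
-@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
-interface(`term_dontaudit_setattr_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-dontaudit $1 devpts_t:chr_file setattr;
-+ dontaudit $1 bsdpty_device_t:chr_file setattr;
-')
-
-########################################
-@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
-interface(`term_use_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-dev_list_all_dev_nodes($1)
-allow $1 devpts_t:dir list_dir_perms;
-allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
-')
-
-########################################
-@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
-interface(`term_dontaudit_use_generic_ptys',`
-gen_require(`
-type devpts_t;
-+ type bsdpty_device_t;
-')
-
-dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
-')
-
-#######################################
-@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
-interface(`term_setattr_controlling_term',`
-gen_require(`
-type devtty_t;
-+ type bsdpty_device_t;
-')
-
-dev_list_all_dev_nodes($1)
-allow $1 devtty_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
-')
-
-########################################
-@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
-interface(`term_use_controlling_term',`
-gen_require(`
-type devtty_t;
-+ type bsdpty_device_t;
-')
-
-dev_list_all_dev_nodes($1)
-allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
-')
-
-#######################################
---
-2.19.1
-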
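--- a/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
-term_dontaudit_use_console.
-
-We should also not audit terminal to rw tty_device_t and fds in
-term_dontaudit_use_console.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/terminal.if | 3 +++
-1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index a84787e6..cf66da2f 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -335,9 +335,12 @@ interface(`term_use_console',`
-interface(`term_dontaudit_use_console',`
-gen_require(`
-type console_device_t;
-+ type tty_device_t;
-')
-
-+ init_dontaudit_use_fds($1)
-dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
-')
-
-########################################
---
-2.19.1
-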
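--- a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/services/rpc.te | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 47fa2fd0..d4209231 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
-kernel_dontaudit_getattr_core_if(nfsd_t)
-kernel_setsched(nfsd_t)
-kernel_request_load_module(nfsd_t)
--# kernel_mounton_proc(nfsd_t)
-+kernel_mounton_proc(nfsd_t)
-
-corenet_sendrecv_nfs_server_packets(nfsd_t)
-corenet_tcp_bind_nfs_port(nfsd_t)
---
-2.19.1
-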
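--- a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 12:01:53 +0800
-Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
-nfsd_fs_t.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/filesystem.te | 1 +
-policy/modules/kernel/kernel.te | 2 ++
-policy/modules/services/rpc.te | 5 +++++
-policy/modules/services/rpcbind.te | 5 +++++
-4 files changed, 13 insertions(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 41037951..b341ba83 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
-
-type nfsd_fs_t;
-fs_type(nfsd_fs_t)
-+files_mountpoint(nfsd_fs_t)
-genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
-
-type nsfs_t;
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8e958074..7b81c732 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
-mls_process_write_all_levels(kernel_t)
-mls_file_write_all_levels(kernel_t)
-mls_file_read_all_levels(kernel_t)
-+mls_socket_write_all_levels(kernel_t)
-+mls_fd_use_all_levels(kernel_t)
-
-ifdef(`distro_redhat',`
-# Bugzilla 222337
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index d4209231..a2327b44 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
-
-optional_policy(`
-mount_exec(nfsd_t)
-+ # Should domtrans to mount_t while mounting nfsd_fs_t.
-+ mount_domtrans(nfsd_t)
-+ # nfsd_t need to chdir to /var/lib/nfs and read files.
-+ files_list_var(nfsd_t)
-+ rpc_read_nfs_state_data(nfsd_t)
-')
-
-########################################
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 5914af99..2055c114 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
-
-miscfiles_read_localization(rpcbind_t)
-
-+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
-+# because the are running in different level. So add rules to allow this.
-+mls_socket_read_all_levels(rpcbind_t)
-+mls_socket_write_all_levels(rpcbind_t)
-+
-ifdef(`distro_debian',`
-term_dontaudit_use_unallocated_ttys(rpcbind_t)
-')
---
-2.19.1
-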
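--- a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:16:37 -0400
-Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
-
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
-1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 6790e5d0..2c95db81 100644
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
-allow $1 security_t:filesystem mount;
-')
-
-@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-+
-allow $1 security_t:filesystem remount;
-')
-
-@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
-')
-
-allow $1 security_t:filesystem unmount;
-+
-+ dev_getattr_sysfs($1)
-+ dev_search_sysfs($1)
-')
-
-########################################
-@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
-')
-
-dontaudit $1 security_t:dir getattr;
-+ dev_dontaudit_getattr_sysfs($1)
-+ dev_dontaudit_search_sysfs($1)
-')
-
-########################################
-@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-')
-
-@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
-type security_t;
-')
-
-+ dev_dontaudit_getattr_sysfs($1)
-dontaudit $1 security_t:dir search_dir_perms;
-dontaudit $1 security_t:file read_file_perms;
-')
-@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file read_file_perms;
-@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
-bool secure_mode_policyload;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-
-allow $1 security_t:dir list_dir_perms;
-@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
-type security_t;
-')
-
-+ dev_dontaudit_search_sysfs($1)
-dontaudit $1 security_t:dir list_dir_perms;
-dontaudit $1 security_t:file rw_file_perms;
-dontaudit $1 security_t:security check_context;
-@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 self:netlink_selinux_socket create_socket_perms;
-allow $1 security_t:dir list_dir_perms;
-@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
-type security_t;
-')
-
-+ dev_getattr_sysfs($1)
-dev_search_sysfs($1)
-allow $1 security_t:dir list_dir_perms;
-allow $1 security_t:file rw_file_perms;
---
-2.19.1
-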
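--- a/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Sat, 15 Feb 2014 09:45:00 +0800
-Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
-type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/roles/sysadm.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2ae952bf..d781378f 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -945,6 +945,7 @@ optional_policy(`
-')
-
-optional_policy(`
-+ rpcbind_stream_connect(sysadm_t)
-rpcbind_admin(sysadm_t, sysadm_r)
-')
-
---
-2.19.1
-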
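--- a/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
-config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/selinuxutil.if | 1 +
-policy/modules/system/userdomain.if | 4 ++++
-2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 20024993..0fdc8c10 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
-')
-
-files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
-manage_files_pattern($1, selinux_config_t, selinux_config_t)
-read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
-')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 5221bd13..4cf987d1 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
-logging_read_audit_config($1)
-
-seutil_manage_bin_policy($1)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
-seutil_run_checkpolicy($1, $2)
-seutil_run_loadpolicy($1, $2)
-seutil_run_semanage($1, $2)
---
-2.19.1
-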
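--- a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 11:30:27 -0400
-Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
-file count
-
-New setfiles will read /proc/mounts and use statvfs in
-file_system_count() to get file count of filesystems.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/selinuxutil.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 8a1688cc..a9930e9e 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
-files_dontaudit_read_all_symlinks(setfiles_t)
-
-+fs_getattr_all_fs(setfiles_t)
-fs_getattr_all_xattr_fs(setfiles_t)
-fs_getattr_cgroup(setfiles_t)
-fs_getattr_nfs(setfiles_t)
---
-2.19.1
-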
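--- a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
-default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/admin/dmesg.if | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c78..739a4bc5 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
-
-corecmd_search_bin($1)
-can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
-')
---
-2.19.1
-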
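--- a/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001
-From: Roy Li <rongqing.li@windriver.com>
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
-mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
-allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
-root@localhost:~#
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/services/ftp.te | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 29bc077c..d582cf80 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
-type ftpdctl_tmp_t;
-files_tmp_file(ftpdctl_tmp_t)
-
-+mls_file_write_all_levels(ftpd_t)
-+
-type sftpd_t;
-domain_type(sftpd_t)
-role system_r types sftpd_t;
---
-2.19.1
-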
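--- a/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 12 Jun 2015 19:37:52 +0530
-Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
-rules
-
-It provide, the systemd support related allow rules
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/init.te | 5 +++++
-1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index f7635d6f..2e6b57a6 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1418,3 +1418,8 @@ optional_policy(`
-userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
-userdom_dontaudit_write_user_tmp_files(systemprocess)
-')
-+
-+# systemd related allow rules
-+allow kernel_t init_t:process dyntransition;
-+allow devpts_t device_t:filesystem associate;
-+allow init_t self:capability2 block_suspend;
---
-2.19.1
-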
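--- a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 5 Apr 2019 11:53:28 -0400
-Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
-
-init and locallogin modules have a depend for sysadm module because
-they have called sysadm interfaces(sysadm_shell_domtrans). Since
-sysadm is not a core module, we could make the sysadm_shell_domtrans
-calls optionally by optional_policy.
-
-So, we could make the minimum policy without sysadm module.
-
-Upstream-Status: pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/init.te | 16 +++++++++-------
-policy/modules/system/locallogin.te | 4 +++-
-2 files changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 2e6b57a6..d8696580 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -448,13 +448,15 @@ ifdef(`init_systemd',`
-modutils_domtrans(init_t)
-')
-',`
-- tunable_policy(`init_upstart',`
-- corecmd_shell_domtrans(init_t, initrc_t)
-- ',`
-- # Run the shell in the sysadm role for single-user mode.
-- # causes problems with upstart
-- ifndef(`distro_debian',`
-- sysadm_shell_domtrans(init_t)
-+ optional_policy(`
-+ tunable_policy(`init_upstart',`
-+ corecmd_shell_domtrans(init_t, initrc_t)
-+ ',`
-+ # Run the shell in the sysadm role for single-user mode.
-+ # causes problems with upstart
-+ ifndef(`distro_debian',`
-+ sysadm_shell_domtrans(init_t)
-+ ')
-')
-')
-')
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a56f3d1f..4c679ff3 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
-userdom_search_user_home_dirs(sulogin_t)
-userdom_use_user_ptys(sulogin_t)
-
--sysadm_shell_domtrans(sulogin_t)
-+optional_policy(`
-+ sysadm_shell_domtrans(sulogin_t)
-+')
-
-# by default, sulogin does not use pam...
-# sulogin_pam might need to be defined otherwise
---
-2.19.1
-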
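--- a/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 19:36:44 +0800
-Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
-/var/log - apache2
-
-We have added rules for the symlink of /var/log in logging.if,
-while apache.te uses /var/log but does not use the interfaces in
-logging.if. So still need add a individual rule for apache.te.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/services/apache.te | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 15c4ea53..596370b1 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
-+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
-logging_log_filetrans(httpd_t, httpd_log_t, file)
-
-allow httpd_t httpd_modules_t:dir list_dir_perms;
---
-2.19.1
-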