1 files changed, 19 insertions, 15 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index 2dd8291..b33e84b 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -11,17 +11,18 @@ Upstream-Status: pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/init.te       | 14 ++++++++------
 policy/modules/system/locallogin.te |  4 +++-
 2 files changed, 11 insertions(+), 7 deletions(-)
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c058f0c..d710fb0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -292,12 +292,14 @@ ifdef(`init_systemd',`
+@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
-                modutils_domtrans_insmod(init_t)
+ 
+        optional_policy(`
+                modutils_domtrans(init_t)
        ')
 ',`
 -       tunable_policy(`init_upstart',`
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
-               sysadm_shell_domtrans(init_t)
+-               ifndef(`distro_debian',`
+-                       sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       sysadm_shell_domtrans(init_t)
+                       ifndef(`distro_debian',`
-+               ')
+                               sysadm_shell_domtrans(init_t)
+                       ')
+                ')
        ')
 ')
 
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+ ifdef(`distro_debian',`
-index 0781eae..ea2493a 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
+ userdom_use_unpriv_users_fds(sulogin_t)
+ 
 userdom_search_user_home_dirs(sulogin_t)
 userdom_use_user_ptys(sulogin_t)
 
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644
 +       sysadm_shell_domtrans(sulogin_t)
 +')
 
- # suse and debian do not use pam with sulogin...
+ # by default, sulogin does not use pam...
- ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ # sulogin_pam might need to be defined otherwise
-- 
+ ifdef(`sulogin_pam', `
-1.9.1
+        selinux_get_fs_mount(sulogin_t)

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index 2dd8291..b33e84b 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -11,17 +11,18 @@ Upstream-Status: pending
11		11
12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>	13	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		14	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14	---	15	---
15	policy/modules/system/init.te \| 14 ++++++++------	16	policy/modules/system/init.te \| 14 ++++++++------
16	policy/modules/system/locallogin.te \| 4 +++-	17	policy/modules/system/locallogin.te \| 4 +++-
17	2 files changed, 11 insertions(+), 7 deletions(-)	18	2 files changed, 11 insertions(+), 7 deletions(-)
18		19
19	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
20	index c058f0c..d710fb0 100644
21	--- a/policy/modules/system/init.te	20	--- a/policy/modules/system/init.te
22	+++ b/policy/modules/system/init.te	21	+++ b/policy/modules/system/init.te
23	@@ -292,12 +292,14 @@ ifdef(`init_systemd',`	22	@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
24	modutils_domtrans_insmod(init_t)	23
		24	optional_policy(`
		25	modutils_domtrans(init_t)
25	')	26	')
26	',`	27	',`
27	- tunable_policy(`init_upstart',`	28	- tunable_policy(`init_upstart',`
@@ -29,23 +30,27 @@ index c058f0c..d710fb0 100644
29	- ',`	30	- ',`
30	- # Run the shell in the sysadm role for single-user mode.	31	- # Run the shell in the sysadm role for single-user mode.
31	- # causes problems with upstart	32	- # causes problems with upstart
32	- sysadm_shell_domtrans(init_t)	33	- ifndef(`distro_debian',`
		34	- sysadm_shell_domtrans(init_t)
33	+ optional_policy(`	35	+ optional_policy(`
34	+ tunable_policy(`init_upstart',`	36	+ tunable_policy(`init_upstart',`
35	+ corecmd_shell_domtrans(init_t, initrc_t)	37	+ corecmd_shell_domtrans(init_t, initrc_t)
36	+ ',`	38	+ ',`
37	+ # Run the shell in the sysadm role for single-user mode.	39	+ # Run the shell in the sysadm role for single-user mode.
38	+ # causes problems with upstart	40	+ # causes problems with upstart
39	+ sysadm_shell_domtrans(init_t)	41	+ ifndef(`distro_debian',`
40	+ ')	42	+ sysadm_shell_domtrans(init_t)
		43	+ ')
		44	')
41	')	45	')
42	')	46	')
43		47
44	diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te	48	ifdef(`distro_debian',`
45	index 0781eae..ea2493a 100644
46	--- a/policy/modules/system/locallogin.te	49	--- a/policy/modules/system/locallogin.te
47	+++ b/policy/modules/system/locallogin.te	50	+++ b/policy/modules/system/locallogin.te
48	@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)	51	@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
		52	userdom_use_unpriv_users_fds(sulogin_t)
		53
49	userdom_search_user_home_dirs(sulogin_t)	54	userdom_search_user_home_dirs(sulogin_t)
50	userdom_use_user_ptys(sulogin_t)	55	userdom_use_user_ptys(sulogin_t)
51		56
@@ -54,8 +59,7 @@ index 0781eae..ea2493a 100644
54	+ sysadm_shell_domtrans(sulogin_t)	59	+ sysadm_shell_domtrans(sulogin_t)
55	+')	60	+')
56		61
57	# suse and debian do not use pam with sulogin...	62	# by default, sulogin does not use pam...
58	ifdef(`distro_suse', `define(`sulogin_no_pam')')	63	# sulogin_pam might need to be defined otherwise
59	--	64	ifdef(`sulogin_pam', `
60	1.9.1	65	selinux_get_fs_mount(sulogin_t)
61