1 files changed, 20 insertions, 13 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index b33e84b..3a8a95e 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
+@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
 
        optional_policy(`
-                modutils_domtrans(init_t)
+                modutils_domtrans_insmod(init_t)
        ')
 ',`
 -       tunable_policy(`init_upstart',`
@@ -30,25 +30,32 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 -       ',`
 -               # Run the shell in the sysadm role for single-user mode.
 -               # causes problems with upstart
-               ifndef(`distro_debian',`
+-               sysadm_shell_domtrans(init_t)
-                       sysadm_shell_domtrans(init_t)
 +       optional_policy(`
 +               tunable_policy(`init_upstart',`
 +                       corecmd_shell_domtrans(init_t, initrc_t)
 +               ',`
 +                       # Run the shell in the sysadm role for single-user mode.
 +                       # causes problems with upstart
-+                       ifndef(`distro_debian',`
+                       sysadm_shell_domtrans(init_t)
-+                               sysadm_shell_domtrans(init_t)
+               ')
-+                       ')
-                ')
        ')
 ')
 
 ifdef(`distro_debian',`
+        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
+@@ -1109,6 +1111,6 @@ optional_policy(`
+ ')
+ 
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
+allow init_t self:capability2 block_suspend;
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
+@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
 userdom_use_unpriv_users_fds(sulogin_t)
 
 userdom_search_user_home_dirs(sulogin_t)
@@ -59,7 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +       sysadm_shell_domtrans(sulogin_t)
 +')
 
- # by default, sulogin does not use pam...
+ # suse and debian do not use pam with sulogin...
- # sulogin_pam might need to be defined otherwise
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
- ifdef(`sulogin_pam', `
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
-        selinux_get_fs_mount(sulogin_t)
+

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index b33e84b..3a8a95e 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
19		19
20	--- a/policy/modules/system/init.te	20	--- a/policy/modules/system/init.te
21	+++ b/policy/modules/system/init.te	21	+++ b/policy/modules/system/init.te
22	@@ -344,17 +344,19 @@ ifdef(`init_systemd',`	22	@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
23		23
24	optional_policy(`	24	optional_policy(`
25	modutils_domtrans(init_t)	25	modutils_domtrans_insmod(init_t)
26	')	26	')
27	',`	27	',`
28	- tunable_policy(`init_upstart',`	28	- tunable_policy(`init_upstart',`
@@ -30,25 +30,32 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
30	- ',`	30	- ',`
31	- # Run the shell in the sysadm role for single-user mode.	31	- # Run the shell in the sysadm role for single-user mode.
32	- # causes problems with upstart	32	- # causes problems with upstart
33	- ifndef(`distro_debian',`	33	- sysadm_shell_domtrans(init_t)
34	- sysadm_shell_domtrans(init_t)
35	+ optional_policy(`	34	+ optional_policy(`
36	+ tunable_policy(`init_upstart',`	35	+ tunable_policy(`init_upstart',`
37	+ corecmd_shell_domtrans(init_t, initrc_t)	36	+ corecmd_shell_domtrans(init_t, initrc_t)
38	+ ',`	37	+ ',`
39	+ # Run the shell in the sysadm role for single-user mode.	38	+ # Run the shell in the sysadm role for single-user mode.
40	+ # causes problems with upstart	39	+ # causes problems with upstart
41	+ ifndef(`distro_debian',`	40	+ sysadm_shell_domtrans(init_t)
42	+ sysadm_shell_domtrans(init_t)	41	+ ')
43	+ ')
44	')
45	')	42	')
46	')	43	')
47		44
48	ifdef(`distro_debian',`	45	ifdef(`distro_debian',`
		46	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
		47	@@ -1109,6 +1111,6 @@ optional_policy(`
		48	')
		49
		50	# systemd related allow rules
		51	allow kernel_t init_t:process dyntransition;
		52	allow devpts_t device_t:filesystem associate;
		53	-allow init_t self:capability2 block_suspend;
		54	\ No newline at end of file
		55	+allow init_t self:capability2 block_suspend;
49	--- a/policy/modules/system/locallogin.te	56	--- a/policy/modules/system/locallogin.te
50	+++ b/policy/modules/system/locallogin.te	57	+++ b/policy/modules/system/locallogin.te
51	@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)	58	@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
52	userdom_use_unpriv_users_fds(sulogin_t)	59	userdom_use_unpriv_users_fds(sulogin_t)
53		60
54	userdom_search_user_home_dirs(sulogin_t)	61	userdom_search_user_home_dirs(sulogin_t)
@@ -59,7 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
59	+ sysadm_shell_domtrans(sulogin_t)	66	+ sysadm_shell_domtrans(sulogin_t)
60	+')	67	+')
61		68
62	# by default, sulogin does not use pam...	69	# suse and debian do not use pam with sulogin...
63	# sulogin_pam might need to be defined otherwise	70	ifdef(`distro_suse', `define(`sulogin_no_pam')')
64	ifdef(`sulogin_pam', `	71	ifdef(`distro_debian', `define(`sulogin_no_pam')')
65	selinux_get_fs_mount(sulogin_t)	72