1 files changed, 0 insertions, 222 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
deleted file mode 100644
index 29d3e2d..0000000
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
-For targeted policy type, we define unconfined_u as the default selinux
-user for root and normal users, so users could login in and run most
-commands and services on unconfined domains.
-Also add rules for users to run init scripts directly, instead of via
-run_init.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
- config/appconfig-mcs/seusers        |  4 ++--
- policy/modules/roles/sysadm.te      |  1 +
- policy/modules/system/init.if       | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te |  7 ++++++
- policy/users                        | 16 +++++--------
- 5 files changed, 55 insertions(+), 20 deletions(-)
--- a/config/appconfig-mcs/seusers
-+++ b/config/appconfig-mcs/seusers
-@@ -1,2 +1,3 @@
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
-+root:unconfined_u:s0-mcs_systemhigh
-+__default__:unconfined_u:s0
-+
--- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
- ubac_file_exempt(sysadm_t)
- ubac_fd_exempt(sysadm_t)
- 
- init_exec(sysadm_t)
- init_admin(sysadm_t)
-+init_script_role_transition(sysadm_r)
- 
- selinux_read_policy(sysadm_t)
- 
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
--- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
- ##     </summary>
- ## </param>
- #
- interface(`init_spec_domtrans_script',`
-        gen_require(`
-               type initrc_t, initrc_exec_t;
-+               type initrc_t;
-+               attribute init_script_file_type;
-        ')
- 
-        files_list_etc($1)
-       spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+       spec_domtrans_pattern($1, init_script_file_type, initrc_t)
- 
-        ifdef(`distro_gentoo',`
-                gen_require(`
-                        type rc_exec_t;
-                ')
- 
-                domtrans_pattern($1, rc_exec_t, initrc_t)
-        ')
- 
-        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
-+               range_transition $1 init_script_file_type:process s0;
-        ')
- 
-        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-        ')
- ')
- 
- ########################################
- ## <summary>
-@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
- ##     </summary>
- ## </param>
- #
- interface(`init_domtrans_script',`
-        gen_require(`
-               type initrc_t, initrc_exec_t;
-+               type initrc_t;
-+               attribute init_script_file_type;
-        ')
- 
-        files_list_etc($1)
-       domtrans_pattern($1, initrc_exec_t, initrc_t)
-+       domtrans_pattern($1, init_script_file_type, initrc_t)
- 
-        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
-+               range_transition $1 init_script_file_type:process s0;
-        ')
- 
-        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-        ')
- ')
- 
- ########################################
- ## <summary>
-@@ -2972,5 +2974,34 @@ interface(`init_admin',`
-        init_stop_all_units($1)
-        init_stop_generic_units($1)
-        init_stop_system($1)
-        init_telinit($1)
- ')
-+
-+########################################
-+## <summary>
-+##     Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+##     <p>
-+##     Execute a init script in a specified role
-+##     </p>
-+##     <p>
-+##     No interprocess communication (signals, pipes,
-+##     etc.) is provided by this interface since
-+##     the domains are not owned by this module.
-+##     </p>
-+## </desc>
-+## <param name="source_role">
-+##     <summary>
-+##     Role to transition from.
-+##     </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+       gen_require(`
-+               attribute init_script_file_type;
-+       ')
-+
-+       role_transition $1 init_script_file_type system_r;
-+')
-+
--- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
- 
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
- role unconfined_r types unconfined_execmem_t;
-+role unconfined_r types unconfined_t;
-+role system_r types unconfined_t;
-+role_transition system_r unconfined_exec_t unconfined_r;
-+allow system_r unconfined_r;
-+allow unconfined_r system_r;
- 
- ########################################
- #
- # Local policy
- #
-@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
- userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
- 
- ifdef(`direct_sysadm_daemon',`
-         optional_policy(`
-                 init_run_daemon(unconfined_t, unconfined_r)
-+                init_domtrans_script(unconfined_t)
-+                init_script_role_transition(unconfined_r)
-         ')
- ',`
-         ifdef(`distro_gentoo',`
-                 seutil_run_runinit(unconfined_t, unconfined_r)
-                 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
--- a/policy/users
-+++ b/policy/users
-@@ -13,37 +13,33 @@
- # system_u is the user identity for system processes and objects.
- # There should be no corresponding Unix user identity for system,
- # and a user process should never be assigned the system user
- # identity.
- #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- 
- #
- # user_u is a generic user identity for Linux users who have no
- # SELinux user identity defined.  The modified daemons will use
- # this user identity in the security context if there is no matching
- # SELinux user identity for a Linux user.  If you do not want to
- # permit any access to such users, then remove this entry.
- #
- gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
- 
- # Until order dependence is fixed for users:
- ifdef(`direct_sysadm_daemon',`
-        gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+        gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
-        gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+        gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ')
- 
- #
- # The following users correspond to Unix identities.
- # These identities are typically assigned as the user attribute
- # when login starts the user shell.  Users with access to the sysadm_r
- # role should use the staff_r role instead of the user_r role when
- # not in the sysadm_r.
- #
-ifdef(`direct_sysadm_daemon',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
-+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch deleted file mode 100644 index 29d3e2d..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ /dev/null
@@ -1,222 +0,0 @@
1	Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
2
3	For targeted policy type, we define unconfined_u as the default selinux
4	user for root and normal users, so users could login in and run most
5	commands and services on unconfined domains.
6
7	Also add rules for users to run init scripts directly, instead of via
8	run_init.
9
10	Upstream-Status: Inappropriate [configuration]
11
12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
14	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
15	---
16	config/appconfig-mcs/seusers \| 4 ++--
17	policy/modules/roles/sysadm.te \| 1 +
18	policy/modules/system/init.if \| 47 ++++++++++++++++++++++++++++++-------
19	policy/modules/system/unconfined.te \| 7 ++++++
20	policy/users \| 16 +++++--------
21	5 files changed, 55 insertions(+), 20 deletions(-)
22
23	--- a/config/appconfig-mcs/seusers
24	+++ b/config/appconfig-mcs/seusers
25	@@ -1,2 +1,3 @@
26	-root:root:s0-mcs_systemhigh
27	-__default__:user_u:s0
28	+root:unconfined_u:s0-mcs_systemhigh
29	+__default__:unconfined_u:s0
30	+
31	--- a/policy/modules/roles/sysadm.te
32	+++ b/policy/modules/roles/sysadm.te
33	@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
34	ubac_file_exempt(sysadm_t)
35	ubac_fd_exempt(sysadm_t)
36
37	init_exec(sysadm_t)
38	init_admin(sysadm_t)
39	+init_script_role_transition(sysadm_r)
40
41	selinux_read_policy(sysadm_t)
42
43	# Add/remove user home directories
44	userdom_manage_user_home_dirs(sysadm_t)
45	--- a/policy/modules/system/init.if
46	+++ b/policy/modules/system/init.if
47	@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
48	## </summary>
49	## </param>
50	#
51	interface(`init_spec_domtrans_script',`
52	gen_require(`
53	- type initrc_t, initrc_exec_t;
54	+ type initrc_t;
55	+ attribute init_script_file_type;
56	')
57
58	files_list_etc($1)
59	- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
60	+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
61
62	ifdef(`distro_gentoo',`
63	gen_require(`
64	type rc_exec_t;
65	')
66
67	domtrans_pattern($1, rc_exec_t, initrc_t)
68	')
69
70	ifdef(`enable_mcs',`
71	- range_transition $1 initrc_exec_t:process s0;
72	+ range_transition $1 init_script_file_type:process s0;
73	')
74
75	ifdef(`enable_mls',`
76	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
77	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
78	')
79	')
80
81	########################################
82	## <summary>
83	@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
84	## </summary>
85	## </param>
86	#
87	interface(`init_domtrans_script',`
88	gen_require(`
89	- type initrc_t, initrc_exec_t;
90	+ type initrc_t;
91	+ attribute init_script_file_type;
92	')
93
94	files_list_etc($1)
95	- domtrans_pattern($1, initrc_exec_t, initrc_t)
96	+ domtrans_pattern($1, init_script_file_type, initrc_t)
97
98	ifdef(`enable_mcs',`
99	- range_transition $1 initrc_exec_t:process s0;
100	+ range_transition $1 init_script_file_type:process s0;
101	')
102
103	ifdef(`enable_mls',`
104	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
105	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
106	')
107	')
108
109	########################################
110	## <summary>
111	@@ -2972,5 +2974,34 @@ interface(`init_admin',`
112	init_stop_all_units($1)
113	init_stop_generic_units($1)
114	init_stop_system($1)
115	init_telinit($1)
116	')
117	+
118	+########################################
119	+## <summary>
120	+## Transition to system_r when execute an init script
121	+## </summary>
122	+## <desc>
123	+## <p>
124	+## Execute a init script in a specified role
125	+## </p>
126	+## <p>
127	+## No interprocess communication (signals, pipes,
128	+## etc.) is provided by this interface since
129	+## the domains are not owned by this module.
130	+## </p>
131	+## </desc>
132	+## <param name="source_role">
133	+## <summary>
134	+## Role to transition from.
135	+## </summary>
136	+## </param>
137	+#
138	+interface(`init_script_role_transition',`
139	+ gen_require(`
140	+ attribute init_script_file_type;
141	+ ')
142	+
143	+ role_transition $1 init_script_file_type system_r;
144	+')
145	+
146	--- a/policy/modules/system/unconfined.te
147	+++ b/policy/modules/system/unconfined.te
148	@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
149
150	type unconfined_execmem_t;
151	type unconfined_execmem_exec_t;
152	init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
153	role unconfined_r types unconfined_execmem_t;
154	+role unconfined_r types unconfined_t;
155	+role system_r types unconfined_t;
156	+role_transition system_r unconfined_exec_t unconfined_r;
157	+allow system_r unconfined_r;
158	+allow unconfined_r system_r;
159
160	########################################
161	#
162	# Local policy
163	#
164	@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
165	userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
166
167	ifdef(`direct_sysadm_daemon',`
168	optional_policy(`
169	init_run_daemon(unconfined_t, unconfined_r)
170	+ init_domtrans_script(unconfined_t)
171	+ init_script_role_transition(unconfined_r)
172	')
173	',`
174	ifdef(`distro_gentoo',`
175	seutil_run_runinit(unconfined_t, unconfined_r)
176	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
177	--- a/policy/users
178	+++ b/policy/users
179	@@ -13,37 +13,33 @@
180	# system_u is the user identity for system processes and objects.
181	# There should be no corresponding Unix user identity for system,
182	# and a user process should never be assigned the system user
183	# identity.
184	#
185	-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
186	+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
187
188	#
189	# user_u is a generic user identity for Linux users who have no
190	# SELinux user identity defined. The modified daemons will use
191	# this user identity in the security context if there is no matching
192	# SELinux user identity for a Linux user. If you do not want to
193	# permit any access to such users, then remove this entry.
194	#
195	gen_user(user_u, user, user_r, s0, s0)
196	-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
197	-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
198	+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
199	+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
200
201	# Until order dependence is fixed for users:
202	ifdef(`direct_sysadm_daemon',`
203	- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
204	+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
205	',`
206	- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
207	+ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
208	')
209
210	#
211	# The following users correspond to Unix identities.
212	# These identities are typically assigned as the user attribute
213	# when login starts the user shell. Users with access to the sysadm_r
214	# role should use the staff_r role instead of the user_r role when
215	# not in the sysadm_r.
216	#
217	-ifdef(`direct_sysadm_daemon',`
218	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
219	-',`
220	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
221	-')
222	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)