diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch | 78 |
1 files changed, 48 insertions, 30 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index ba14851..29d3e2d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch | |||
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | |||
20 | policy/users | 16 +++++-------- | 20 | policy/users | 16 +++++-------- |
21 | 5 files changed, 55 insertions(+), 20 deletions(-) | 21 | 5 files changed, 55 insertions(+), 20 deletions(-) |
22 | 22 | ||
23 | diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers | ||
24 | index dc5f1e4..4428da8 100644 | ||
25 | --- a/config/appconfig-mcs/seusers | 23 | --- a/config/appconfig-mcs/seusers |
26 | +++ b/config/appconfig-mcs/seusers | 24 | +++ b/config/appconfig-mcs/seusers |
27 | @@ -1,3 +1,3 @@ | 25 | @@ -1,2 +1,3 @@ |
28 | system_u:system_u:s0-mcs_systemhigh | ||
29 | -root:root:s0-mcs_systemhigh | 26 | -root:root:s0-mcs_systemhigh |
30 | -__default__:user_u:s0 | 27 | -__default__:user_u:s0 |
31 | +root:unconfined_u:s0-mcs_systemhigh | 28 | +root:unconfined_u:s0-mcs_systemhigh |
32 | +__default__:unconfined_u:s0 | 29 | +__default__:unconfined_u:s0 |
33 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | 30 | + |
34 | index 005afd8..4699d6a 100644 | ||
35 | --- a/policy/modules/roles/sysadm.te | 31 | --- a/policy/modules/roles/sysadm.te |
36 | +++ b/policy/modules/roles/sysadm.te | 32 | +++ b/policy/modules/roles/sysadm.te |
37 | @@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) | 33 | @@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t) |
34 | ubac_file_exempt(sysadm_t) | ||
38 | ubac_fd_exempt(sysadm_t) | 35 | ubac_fd_exempt(sysadm_t) |
39 | 36 | ||
40 | init_exec(sysadm_t) | 37 | init_exec(sysadm_t) |
38 | init_admin(sysadm_t) | ||
41 | +init_script_role_transition(sysadm_r) | 39 | +init_script_role_transition(sysadm_r) |
42 | init_get_system_status(sysadm_t) | 40 | |
43 | init_disable(sysadm_t) | 41 | selinux_read_policy(sysadm_t) |
44 | init_enable(sysadm_t) | 42 | |
45 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | 43 | # Add/remove user home directories |
46 | index b68dfc1..35b4141 100644 | 44 | userdom_manage_user_home_dirs(sysadm_t) |
47 | --- a/policy/modules/system/init.if | 45 | --- a/policy/modules/system/init.if |
48 | +++ b/policy/modules/system/init.if | 46 | +++ b/policy/modules/system/init.if |
49 | @@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',` | 47 | @@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type', |
48 | ## </summary> | ||
49 | ## </param> | ||
50 | # | 50 | # |
51 | interface(`init_spec_domtrans_script',` | 51 | interface(`init_spec_domtrans_script',` |
52 | gen_require(` | 52 | gen_require(` |
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644 | |||
61 | 61 | ||
62 | ifdef(`distro_gentoo',` | 62 | ifdef(`distro_gentoo',` |
63 | gen_require(` | 63 | gen_require(` |
64 | @@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',` | 64 | type rc_exec_t; |
65 | ') | ||
66 | |||
67 | domtrans_pattern($1, rc_exec_t, initrc_t) | ||
65 | ') | 68 | ') |
66 | 69 | ||
67 | ifdef(`enable_mcs',` | 70 | ifdef(`enable_mcs',` |
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644 | |||
75 | ') | 78 | ') |
76 | ') | 79 | ') |
77 | 80 | ||
78 | @@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',` | 81 | ######################################## |
82 | ## <summary> | ||
83 | @@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',` | ||
84 | ## </summary> | ||
85 | ## </param> | ||
79 | # | 86 | # |
80 | interface(`init_domtrans_script',` | 87 | interface(`init_domtrans_script',` |
81 | gen_require(` | 88 | gen_require(` |
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644 | |||
99 | ') | 106 | ') |
100 | ') | 107 | ') |
101 | 108 | ||
102 | @@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',` | 109 | ######################################## |
103 | 110 | ## <summary> | |
104 | allow $1 systemdunit:service reload; | 111 | @@ -2972,5 +2974,34 @@ interface(`init_admin',` |
112 | init_stop_all_units($1) | ||
113 | init_stop_generic_units($1) | ||
114 | init_stop_system($1) | ||
115 | init_telinit($1) | ||
105 | ') | 116 | ') |
106 | + | 117 | + |
107 | +######################################## | 118 | +######################################## |
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644 | |||
132 | + role_transition $1 init_script_file_type system_r; | 143 | + role_transition $1 init_script_file_type system_r; |
133 | +') | 144 | +') |
134 | + | 145 | + |
135 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | ||
136 | index ad23fce..99cab31 100644 | ||
137 | --- a/policy/modules/system/unconfined.te | 146 | --- a/policy/modules/system/unconfined.te |
138 | +++ b/policy/modules/system/unconfined.te | 147 | +++ b/policy/modules/system/unconfined.te |
139 | @@ -20,6 +20,11 @@ type unconfined_execmem_t; | 148 | @@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi |
149 | |||
150 | type unconfined_execmem_t; | ||
140 | type unconfined_execmem_exec_t; | 151 | type unconfined_execmem_exec_t; |
141 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) | 152 | init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) |
142 | role unconfined_r types unconfined_execmem_t; | 153 | role unconfined_r types unconfined_execmem_t; |
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644 | |||
148 | 159 | ||
149 | ######################################## | 160 | ######################################## |
150 | # | 161 | # |
151 | @@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f | 162 | # Local policy |
163 | # | ||
164 | @@ -48,10 +53,12 @@ unconfined_domain(unconfined_t) | ||
165 | userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) | ||
166 | |||
152 | ifdef(`direct_sysadm_daemon',` | 167 | ifdef(`direct_sysadm_daemon',` |
153 | optional_policy(` | 168 | optional_policy(` |
154 | init_run_daemon(unconfined_t, unconfined_r) | 169 | init_run_daemon(unconfined_t, unconfined_r) |
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644 | |||
157 | ') | 172 | ') |
158 | ',` | 173 | ',` |
159 | ifdef(`distro_gentoo',` | 174 | ifdef(`distro_gentoo',` |
160 | diff --git a/policy/users b/policy/users | 175 | seutil_run_runinit(unconfined_t, unconfined_r) |
161 | index ca20375..ac1ca6c 100644 | 176 | seutil_init_script_run_runinit(unconfined_t, unconfined_r) |
162 | --- a/policy/users | 177 | --- a/policy/users |
163 | +++ b/policy/users | 178 | +++ b/policy/users |
164 | @@ -15,7 +15,7 @@ | 179 | @@ -13,37 +13,33 @@ |
180 | # system_u is the user identity for system processes and objects. | ||
181 | # There should be no corresponding Unix user identity for system, | ||
165 | # and a user process should never be assigned the system user | 182 | # and a user process should never be assigned the system user |
166 | # identity. | 183 | # identity. |
167 | # | 184 | # |
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644 | |||
170 | 187 | ||
171 | # | 188 | # |
172 | # user_u is a generic user identity for Linux users who have no | 189 | # user_u is a generic user identity for Linux users who have no |
173 | @@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 190 | # SELinux user identity defined. The modified daemons will use |
191 | # this user identity in the security context if there is no matching | ||
192 | # SELinux user identity for a Linux user. If you do not want to | ||
174 | # permit any access to such users, then remove this entry. | 193 | # permit any access to such users, then remove this entry. |
175 | # | 194 | # |
176 | gen_user(user_u, user, user_r, s0, s0) | 195 | gen_user(user_u, user, user_r, s0, s0) |
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644 | |||
189 | ') | 208 | ') |
190 | 209 | ||
191 | # | 210 | # |
192 | @@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',` | 211 | # The following users correspond to Unix identities. |
212 | # These identities are typically assigned as the user attribute | ||
213 | # when login starts the user shell. Users with access to the sysadm_r | ||
193 | # role should use the staff_r role instead of the user_r role when | 214 | # role should use the staff_r role instead of the user_r role when |
194 | # not in the sysadm_r. | 215 | # not in the sysadm_r. |
195 | # | 216 | # |
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644 | |||
199 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) | 220 | - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) |
200 | -') | 221 | -') |
201 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) | 222 | +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) |
202 | -- | ||
203 | 1.9.1 | ||
204 | |||