1 files changed, 48 insertions, 30 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index ba14851..29d3e2d 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 policy/users                        | 16 +++++--------
 5 files changed, 55 insertions(+), 20 deletions(-)
-diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
-index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
-@@ -1,3 +1,3 @@
+@@ -1,2 +1,3 @@
- system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+
-index 005afd8..4699d6a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
+@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
+ init_admin(sysadm_t)
 +init_script_role_transition(sysadm_r)
- init_get_system_status(sysadm_t)
+ 
- init_disable(sysadm_t)
+ selinux_read_policy(sysadm_t)
- init_enable(sysadm_t)
+ 
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+ # Add/remove user home directories
-index b68dfc1..35b4141 100644
+ userdom_manage_user_home_dirs(sysadm_t)
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`
+@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
+ ##     </summary>
+ ## </param>
 #
 interface(`init_spec_domtrans_script',`
        gen_require(`
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644
 
        ifdef(`distro_gentoo',`
                gen_require(`
-@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`
+                        type rc_exec_t;
+                ')
+ 
+                domtrans_pattern($1, rc_exec_t, initrc_t)
        ')
 
        ifdef(`enable_mcs',`
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644
        ')
 ')
 
-@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`
+ ########################################
+ ## <summary>
+@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
+ ##     </summary>
+ ## </param>
 #
 interface(`init_domtrans_script',`
        gen_require(`
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644
        ')
 ')
 
-@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`
+ ########################################
- 
+ ## <summary>
-        allow $1 systemdunit:service reload;
+@@ -2972,5 +2974,34 @@ interface(`init_admin',`
+        init_stop_all_units($1)
+        init_stop_generic_units($1)
+        init_stop_system($1)
+        init_telinit($1)
 ')
 +
 +########################################
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644
 +       role_transition $1 init_script_file_type system_r;
 +')
 +
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index ad23fce..99cab31 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -20,6 +20,11 @@ type unconfined_execmem_t;
+@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
+ 
+ type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644
 
 ########################################
 #
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ # Local policy
+ #
+@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
+ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+ 
 ifdef(`direct_sysadm_daemon',`
         optional_policy(`
                 init_run_daemon(unconfined_t, unconfined_r)
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644
         ')
 ',`
         ifdef(`distro_gentoo',`
-diff --git a/policy/users b/policy/users
+                 seutil_run_runinit(unconfined_t, unconfined_r)
-index ca20375..ac1ca6c 100644
+                 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
 --- a/policy/users
 +++ b/policy/users
-@@ -15,7 +15,7 @@
+@@ -13,37 +13,33 @@
+ # system_u is the user identity for system processes and objects.
+ # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644
 
 #
 # user_u is a generic user identity for Linux users who have no
-@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity defined.  The modified daemons will use
+ # this user identity in the security context if there is no matching
+ # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644
 ')
 
 #
-@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`
+ # The following users correspond to Unix identities.
+ # These identities are typically assigned as the user attribute
+ # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644
 -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-- 
-1.9.1

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index ba14851..29d3e2d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -20,33 +20,33 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
20	policy/users \| 16 +++++--------	20	policy/users \| 16 +++++--------
21	5 files changed, 55 insertions(+), 20 deletions(-)	21	5 files changed, 55 insertions(+), 20 deletions(-)
22		22
23	diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
24	index dc5f1e4..4428da8 100644
25	--- a/config/appconfig-mcs/seusers	23	--- a/config/appconfig-mcs/seusers
26	+++ b/config/appconfig-mcs/seusers	24	+++ b/config/appconfig-mcs/seusers
27	@@ -1,3 +1,3 @@	25	@@ -1,2 +1,3 @@
28	system_u:system_u:s0-mcs_systemhigh
29	-root:root:s0-mcs_systemhigh	26	-root:root:s0-mcs_systemhigh
30	-__default__:user_u:s0	27	-__default__:user_u:s0
31	+root:unconfined_u:s0-mcs_systemhigh	28	+root:unconfined_u:s0-mcs_systemhigh
32	+__default__:unconfined_u:s0	29	+__default__:unconfined_u:s0
33	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te	30	+
34	index 005afd8..4699d6a 100644
35	--- a/policy/modules/roles/sysadm.te	31	--- a/policy/modules/roles/sysadm.te
36	+++ b/policy/modules/roles/sysadm.te	32	+++ b/policy/modules/roles/sysadm.te
37	@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)	33	@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
		34	ubac_file_exempt(sysadm_t)
38	ubac_fd_exempt(sysadm_t)	35	ubac_fd_exempt(sysadm_t)
39		36
40	init_exec(sysadm_t)	37	init_exec(sysadm_t)
		38	init_admin(sysadm_t)
41	+init_script_role_transition(sysadm_r)	39	+init_script_role_transition(sysadm_r)
42	init_get_system_status(sysadm_t)	40
43	init_disable(sysadm_t)	41	selinux_read_policy(sysadm_t)
44	init_enable(sysadm_t)	42
45	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if	43	# Add/remove user home directories
46	index b68dfc1..35b4141 100644	44	userdom_manage_user_home_dirs(sysadm_t)
47	--- a/policy/modules/system/init.if	45	--- a/policy/modules/system/init.if
48	+++ b/policy/modules/system/init.if	46	+++ b/policy/modules/system/init.if
49	@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`	47	@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
		48	## </summary>
		49	## </param>
50	#	50	#
51	interface(`init_spec_domtrans_script',`	51	interface(`init_spec_domtrans_script',`
52	gen_require(`	52	gen_require(`
@@ -61,7 +61,10 @@ index b68dfc1..35b4141 100644
61		61
62	ifdef(`distro_gentoo',`	62	ifdef(`distro_gentoo',`
63	gen_require(`	63	gen_require(`
64	@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`	64	type rc_exec_t;
		65	')
		66
		67	domtrans_pattern($1, rc_exec_t, initrc_t)
65	')	68	')
66		69
67	ifdef(`enable_mcs',`	70	ifdef(`enable_mcs',`
@@ -75,7 +78,11 @@ index b68dfc1..35b4141 100644
75	')	78	')
76	')	79	')
77		80
78	@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`	81	########################################
		82	## <summary>
		83	@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
		84	## </summary>
		85	## </param>
79	#	86	#
80	interface(`init_domtrans_script',`	87	interface(`init_domtrans_script',`
81	gen_require(`	88	gen_require(`
@@ -99,9 +106,13 @@ index b68dfc1..35b4141 100644
99	')	106	')
100	')	107	')
101		108
102	@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`	109	########################################
103		110	## <summary>
104	allow $1 systemdunit:service reload;	111	@@ -2972,5 +2974,34 @@ interface(`init_admin',`
		112	init_stop_all_units($1)
		113	init_stop_generic_units($1)
		114	init_stop_system($1)
		115	init_telinit($1)
105	')	116	')
106	+	117	+
107	+########################################	118	+########################################
@@ -132,11 +143,11 @@ index b68dfc1..35b4141 100644
132	+ role_transition $1 init_script_file_type system_r;	143	+ role_transition $1 init_script_file_type system_r;
133	+')	144	+')
134	+	145	+
135	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
136	index ad23fce..99cab31 100644
137	--- a/policy/modules/system/unconfined.te	146	--- a/policy/modules/system/unconfined.te
138	+++ b/policy/modules/system/unconfined.te	147	+++ b/policy/modules/system/unconfined.te
139	@@ -20,6 +20,11 @@ type unconfined_execmem_t;	148	@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
		149
		150	type unconfined_execmem_t;
140	type unconfined_execmem_exec_t;	151	type unconfined_execmem_exec_t;
141	init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)	152	init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
142	role unconfined_r types unconfined_execmem_t;	153	role unconfined_r types unconfined_execmem_t;
@@ -148,7 +159,11 @@ index ad23fce..99cab31 100644
148		159
149	########################################	160	########################################
150	#	161	#
151	@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f	162	# Local policy
		163	#
		164	@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
		165	userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
		166
152	ifdef(`direct_sysadm_daemon',`	167	ifdef(`direct_sysadm_daemon',`
153	optional_policy(`	168	optional_policy(`
154	init_run_daemon(unconfined_t, unconfined_r)	169	init_run_daemon(unconfined_t, unconfined_r)
@@ -157,11 +172,13 @@ index ad23fce..99cab31 100644
157	')	172	')
158	',`	173	',`
159	ifdef(`distro_gentoo',`	174	ifdef(`distro_gentoo',`
160	diff --git a/policy/users b/policy/users	175	seutil_run_runinit(unconfined_t, unconfined_r)
161	index ca20375..ac1ca6c 100644	176	seutil_init_script_run_runinit(unconfined_t, unconfined_r)
162	--- a/policy/users	177	--- a/policy/users
163	+++ b/policy/users	178	+++ b/policy/users
164	@@ -15,7 +15,7 @@	179	@@ -13,37 +13,33 @@
		180	# system_u is the user identity for system processes and objects.
		181	# There should be no corresponding Unix user identity for system,
165	# and a user process should never be assigned the system user	182	# and a user process should never be assigned the system user
166	# identity.	183	# identity.
167	#	184	#
@@ -170,7 +187,9 @@ index ca20375..ac1ca6c 100644
170		187
171	#	188	#
172	# user_u is a generic user identity for Linux users who have no	189	# user_u is a generic user identity for Linux users who have no
173	@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)	190	# SELinux user identity defined. The modified daemons will use
		191	# this user identity in the security context if there is no matching
		192	# SELinux user identity for a Linux user. If you do not want to
174	# permit any access to such users, then remove this entry.	193	# permit any access to such users, then remove this entry.
175	#	194	#
176	gen_user(user_u, user, user_r, s0, s0)	195	gen_user(user_u, user, user_r, s0, s0)
@@ -189,7 +208,9 @@ index ca20375..ac1ca6c 100644
189	')	208	')
190		209
191	#	210	#
192	@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',`	211	# The following users correspond to Unix identities.
		212	# These identities are typically assigned as the user attribute
		213	# when login starts the user shell. Users with access to the sysadm_r
193	# role should use the staff_r role instead of the user_r role when	214	# role should use the staff_r role instead of the user_r role when
194	# not in the sysadm_r.	215	# not in the sysadm_r.
195	#	216	#
@@ -199,6 +220,3 @@ index ca20375..ac1ca6c 100644
199	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)	220	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
200	-')	221	-')
201	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)	222	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
202	--
203	1.9.1
204