1 files changed, 193 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
new file mode 100644
index 0000000..f3244c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -0,0 +1,193 @@
+From 8613549f3aad37ce3bec8513057f0f893d4cc9bd Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 20 Apr 2020 11:50:03 +0800
+Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
+ user
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login in and run most
+commands and services on unconfined domains.
+Also add rules for users to run init scripts directly, instead of via
+run_init.
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/appconfig-mcs/failsafe_context |  2 +-
+ config/appconfig-mcs/seusers          |  4 +--
+ policy/modules/roles/sysadm.te        |  1 +
+ policy/modules/system/init.if         | 42 +++++++++++++++++++++++----
+ policy/modules/system/unconfined.te   |  7 +++++
+ policy/users                          |  6 ++--
+ 6 files changed, 50 insertions(+), 12 deletions(-)
+diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
+index 999abd9a3..a50bde775 100644
+--- a/config/appconfig-mcs/failsafe_context
+++ b/config/appconfig-mcs/failsafe_context
+@@ -1 +1 @@
+-sysadm_r:sysadm_t:s0
+unconfined_r:unconfined_t:s0
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..c0903d98b 100644
+--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index ac5239d83..310a4fad2 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
+ 
+ init_exec(sysadm_t)
+ init_admin(sysadm_t)
+init_script_role_transition(sysadm_r)
+ 
+ selinux_read_policy(sysadm_t)
+ 
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index ab24b5d9b..ed441ddef 100644
+--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
+@@ -1798,11 +1798,12 @@ interface(`init_script_file_entry_type',`
+ #
+ interface(`init_spec_domtrans_script',`
+        gen_require(`
+-               type initrc_t, initrc_exec_t;
+               type initrc_t;
+               attribute init_script_file_type;
+        ')
+ 
+        files_list_etc($1)
+-       spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+       spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+ 
+        ifdef(`distro_gentoo',`
+                gen_require(`
+@@ -1813,11 +1814,11 @@ interface(`init_spec_domtrans_script',`
+        ')
+ 
+        ifdef(`enable_mcs',`
+-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
+        ')
+ 
+        ifdef(`enable_mls',`
+-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+        ')
+ ')
+ 
+@@ -1834,17 +1835,18 @@ interface(`init_spec_domtrans_script',`
+ interface(`init_domtrans_script',`
+        gen_require(`
+                type initrc_t, initrc_exec_t;
+               attribute init_script_file_type;
+        ')
+ 
+        files_list_etc($1)
+        domtrans_pattern($1, initrc_exec_t, initrc_t)
+ 
+        ifdef(`enable_mcs',`
+-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
+        ')
+ 
+        ifdef(`enable_mls',`
+-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+        ')
+ ')
+ 
+@@ -3599,3 +3601,31 @@ interface(`init_getrlimit',`
+ 
+        allow $1 init_t:process getrlimit;
+ ')
+
+########################################
+## <summary>
+##     Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##     <p>
+##     Execute a init script in a specified role
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="source_role">
+##     <summary>
+##     Role to transition from.
+##     </summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+       gen_require(`
+               attribute init_script_file_type;
+       ')
+
+       role_transition $1 init_script_file_type system_r;
+')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 3d75855b6..5aa4c0b69 100644
+--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
+ type unconfined_execmem_exec_t alias ada_exec_t;
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
+role unconfined_r types unconfined_t;
+role system_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+ 
+ ########################################
+ #
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ ifdef(`direct_sysadm_daemon',`
+         optional_policy(`
+                 init_run_daemon(unconfined_t, unconfined_r)
+                init_domtrans_script(unconfined_t)
+                init_script_role_transition(unconfined_r)
+         ')
+ ',`
+         ifdef(`distro_gentoo',`
+diff --git a/policy/users b/policy/users
+index ca203758c..e737cd9cc 100644
+--- a/policy/users
+++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
+ # not in the sysadm_r.
+ #
+ ifdef(`direct_sysadm_daemon',`
+-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+       gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ',`
+-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+       gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ ')
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch new file mode 100644 index 0000000..f3244c6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -0,0 +1,193 @@
	1	From 8613549f3aad37ce3bec8513057f0f893d4cc9bd Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Mon, 20 Apr 2020 11:50:03 +0800
	4	Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
	5	user
	6
	7	For targeted policy type, we define unconfined_u as the default selinux
	8	user for root and normal users, so users could login in and run most
	9	commands and services on unconfined domains.
	10
	11	Also add rules for users to run init scripts directly, instead of via
	12	run_init.
	13
	14	Upstream-Status: Inappropriate [configuration]
	15
	16	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	17	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	18	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	19	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	20	---
	21	config/appconfig-mcs/failsafe_context \| 2 +-
	22	config/appconfig-mcs/seusers \| 4 +--
	23	policy/modules/roles/sysadm.te \| 1 +
	24	policy/modules/system/init.if \| 42 +++++++++++++++++++++++----
	25	policy/modules/system/unconfined.te \| 7 +++++
	26	policy/users \| 6 ++--
	27	6 files changed, 50 insertions(+), 12 deletions(-)
	28
	29	diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
	30	index 999abd9a3..a50bde775 100644
	31	--- a/config/appconfig-mcs/failsafe_context
	32	+++ b/config/appconfig-mcs/failsafe_context
	33	@@ -1 +1 @@
	34	-sysadm_r:sysadm_t:s0
	35	+unconfined_r:unconfined_t:s0
	36	diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
	37	index ce614b41b..c0903d98b 100644
	38	--- a/config/appconfig-mcs/seusers
	39	+++ b/config/appconfig-mcs/seusers
	40	@@ -1,2 +1,2 @@
	41	-root:root:s0-mcs_systemhigh
	42	-__default__:user_u:s0
	43	+root:unconfined_u:s0-mcs_systemhigh
	44	+__default__:unconfined_u:s0
	45	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
	46	index ac5239d83..310a4fad2 100644
	47	--- a/policy/modules/roles/sysadm.te
	48	+++ b/policy/modules/roles/sysadm.te
	49	@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
	50
	51	init_exec(sysadm_t)
	52	init_admin(sysadm_t)
	53	+init_script_role_transition(sysadm_r)
	54
	55	selinux_read_policy(sysadm_t)
	56
	57	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
	58	index ab24b5d9b..ed441ddef 100644
	59	--- a/policy/modules/system/init.if
	60	+++ b/policy/modules/system/init.if
	61	@@ -1798,11 +1798,12 @@ interface(`init_script_file_entry_type',`
	62	#
	63	interface(`init_spec_domtrans_script',`
	64	gen_require(`
	65	- type initrc_t, initrc_exec_t;
	66	+ type initrc_t;
	67	+ attribute init_script_file_type;
	68	')
	69
	70	files_list_etc($1)
	71	- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
	72	+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
	73
	74	ifdef(`distro_gentoo',`
	75	gen_require(`
	76	@@ -1813,11 +1814,11 @@ interface(`init_spec_domtrans_script',`
	77	')
	78
	79	ifdef(`enable_mcs',`
	80	- range_transition $1 initrc_exec_t:process s0;
	81	+ range_transition $1 init_script_file_type:process s0;
	82	')
	83
	84	ifdef(`enable_mls',`
	85	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	86	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	87	')
	88	')
	89
	90	@@ -1834,17 +1835,18 @@ interface(`init_spec_domtrans_script',`
	91	interface(`init_domtrans_script',`
	92	gen_require(`
	93	type initrc_t, initrc_exec_t;
	94	+ attribute init_script_file_type;
	95	')
	96
	97	files_list_etc($1)
	98	domtrans_pattern($1, initrc_exec_t, initrc_t)
	99
	100	ifdef(`enable_mcs',`
	101	- range_transition $1 initrc_exec_t:process s0;
	102	+ range_transition $1 init_script_file_type:process s0;
	103	')
	104
	105	ifdef(`enable_mls',`
	106	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	107	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	108	')
	109	')
	110
	111	@@ -3599,3 +3601,31 @@ interface(`init_getrlimit',`
	112
	113	allow $1 init_t:process getrlimit;
	114	')
	115	+
	116	+########################################
	117	+## <summary>
	118	+## Transition to system_r when execute an init script
	119	+## </summary>
	120	+## <desc>
	121	+## <p>
	122	+## Execute a init script in a specified role
	123	+## </p>
	124	+## <p>
	125	+## No interprocess communication (signals, pipes,
	126	+## etc.) is provided by this interface since
	127	+## the domains are not owned by this module.
	128	+## </p>
	129	+## </desc>
	130	+## <param name="source_role">
	131	+## <summary>
	132	+## Role to transition from.
	133	+## </summary>
	134	+## </param>
	135	+#
	136	+interface(`init_script_role_transition',`
	137	+ gen_require(`
	138	+ attribute init_script_file_type;
	139	+ ')
	140	+
	141	+ role_transition $1 init_script_file_type system_r;
	142	+')
	143	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
	144	index 3d75855b6..5aa4c0b69 100644
	145	--- a/policy/modules/system/unconfined.te
	146	+++ b/policy/modules/system/unconfined.te
	147	@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
	148	type unconfined_execmem_exec_t alias ada_exec_t;
	149	init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
	150	role unconfined_r types unconfined_execmem_t;
	151	+role unconfined_r types unconfined_t;
	152	+role system_r types unconfined_t;
	153	+role_transition system_r unconfined_exec_t unconfined_r;
	154	+allow system_r unconfined_r;
	155	+allow unconfined_r system_r;
	156
	157	########################################
	158	#
	159	@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
	160	ifdef(`direct_sysadm_daemon',`
	161	optional_policy(`
	162	init_run_daemon(unconfined_t, unconfined_r)
	163	+ init_domtrans_script(unconfined_t)
	164	+ init_script_role_transition(unconfined_r)
	165	')
	166	',`
	167	ifdef(`distro_gentoo',`
	168	diff --git a/policy/users b/policy/users
	169	index ca203758c..e737cd9cc 100644
	170	--- a/policy/users
	171	+++ b/policy/users
	172	@@ -15,7 +15,7 @@
	173	# and a user process should never be assigned the system user
	174	# identity.
	175	#
	176	-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	177	+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
	178
	179	#
	180	# user_u is a generic user identity for Linux users who have no
	181	@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
	182	# not in the sysadm_r.
	183	#
	184	ifdef(`direct_sysadm_daemon',`
	185	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	186	+ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	187	',`
	188	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
	189	+ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
	190	')
	191	--
	192	2.17.1
	193