Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | 193 |
1 files changed, 193 insertions, 0 deletions
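--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -0,0 +1,193 @@
+From 8613549f3aad37ce3bec8513057f0f893d4cc9bd Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 20 Apr 2020 11:50:03 +0800
+Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
+user
+
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login in and run most
+commands and services on unconfined domains.
+
+Also add rules for users to run init scripts directly, instead of via
+run_init.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+config/appconfig-mcs/failsafe_context | 2 +-
+config/appconfig-mcs/seusers | 4 +--
+policy/modules/roles/sysadm.te | 1 +
+policy/modules/system/init.if | 42 +++++++++++++++++++++++----
+policy/modules/system/unconfined.te | 7 +++++
+policy/users | 6 ++--
+6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
+index 999abd9a3..a50bde775 100644
+--- a/config/appconfig-mcs/failsafe_context
++++ b/config/appconfig-mcs/failsafe_context
+@@ -1 +1 @@
+-sysadm_r:sysadm_t:s0
++unconfined_r:unconfined_t:s0
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..c0903d98b 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++root:unconfined_u:s0-mcs_systemhigh
++__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index ac5239d83..310a4fad2 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
+
+init_exec(sysadm_t)
+init_admin(sysadm_t)
++init_script_role_transition(sysadm_r)
+
+selinux_read_policy(sysadm_t)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index ab24b5d9b..ed441ddef 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -1798,11 +1798,12 @@ interface(`init_script_file_entry_type',`
+#
+interface(`init_spec_domtrans_script',`
+gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
+')
+
+files_list_etc($1)
+- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
++ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ifdef(`distro_gentoo',`
+gen_require(`
+@@ -1813,11 +1814,11 @@ interface(`init_spec_domtrans_script',`
+')
+
+ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+')
+
+ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+')
+')
+
+@@ -1834,17 +1835,18 @@ interface(`init_spec_domtrans_script',`
+interface(`init_domtrans_script',`
+gen_require(`
+type initrc_t, initrc_exec_t;
++ attribute init_script_file_type;
+')
+
+files_list_etc($1)
+domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+')
+
+ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+')
+')
+
+@@ -3599,3 +3601,31 @@ interface(`init_getrlimit',`
+
+allow $1 init_t:process getrlimit;
+')
++
++########################################
++## <summary>
++## Transition to system_r when execute an init script
++## </summary>
++## <desc>
++## <p>
++## Execute a init script in a specified role
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## </desc>
++## <param name="source_role">
++## <summary>
++## Role to transition from.
++## </summary>
++## </param>
++#
++interface(`init_script_role_transition',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ role_transition $1 init_script_file_type system_r;
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 3d75855b6..5aa4c0b69 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
+type unconfined_execmem_exec_t alias ada_exec_t;
+init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r types unconfined_execmem_t;
++role unconfined_r types unconfined_t;
++role system_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++allow unconfined_r system_r;
+
+########################################
+#
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ifdef(`direct_sysadm_daemon',`
+optional_policy(`
+init_run_daemon(unconfined_t, unconfined_r)
++ init_domtrans_script(unconfined_t)
++ init_script_role_transition(unconfined_r)
+')
+',`
+ifdef(`distro_gentoo',`
+diff --git a/policy/users b/policy/users
+index ca203758c..e737cd9cc 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+# and a user process should never be assigned the system user
+# identity.
+#
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
+# not in the sysadm_r.
+#
+ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+')
+--
+2.17.1
+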
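Review bot: In `init_domtrans_script` (policy/modules/system/init.if) the two `range_transition` rules now key on the `init_script_file_type` attribute, but `domtrans_pattern($1, initrc_exec_t, initrc_t)` just above them stays on `initrc_exec_t`, unlike `init_spec_domtrans_script`, where both were widened. As written, the MCS/MLS range rule covers every init script file type while the domain transition granted by this interface covers only `initrc_exec_t`; if that is intended (for instance because another rule supplies the transition for the other script types), a comment should say so, otherwise `domtrans_pattern($1, init_script_file_type, initrc_t)` would make the two agree. The header of the new `init_script_role_transition` says the script runs "in a specified role", yet the target is fixed to `system_r` and `$1` is only the source role; `Transition from the specified role to system_r when executing an init script.` would describe it accurately. In unconfined.te, `allow system_r unconfined_r;` and `allow unconfined_r system_r;` appear to sit outside the `direct_sysadm_daemon` guard that wraps the matching `init_script_role_transition(unconfined_r)` call, so it is worth confirming that both role-allow directions are needed in every build.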