Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | 126 |
1 files changed, 7 insertions, 119 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 89bc68e..9939b59 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001 | 1 | From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 | 3 | Date: Mon, 20 Apr 2020 11:50:03 +0800 |
4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux | 4 | Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux |
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux | |||
8 | user for root and normal users, so users could login in and run most | 8 | user for root and normal users, so users could login in and run most |
9 | commands and services on unconfined domains. | 9 | commands and services on unconfined domains. |
10 | 10 | ||
11 | Also add rules for users to run init scripts directly, instead of via | ||
12 | run_init. | ||
13 | |||
14 | Upstream-Status: Inappropriate [configuration] | 11 | Upstream-Status: Inappropriate [configuration] |
15 | 12 | ||
16 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
@@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
18 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 15 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
19 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
20 | --- | 17 | --- |
21 | config/appconfig-mcs/failsafe_context | 2 +- | 18 | config/appconfig-mcs/failsafe_context | 2 +- |
22 | config/appconfig-mcs/seusers | 4 +-- | 19 | config/appconfig-mcs/seusers | 4 ++-- |
23 | policy/modules/roles/sysadm.te | 1 + | 20 | policy/modules/system/unconfined.te | 5 +++++ |
24 | policy/modules/system/init.if | 42 +++++++++++++++++++++++---- | 21 | policy/users | 6 +++--- |
25 | policy/modules/system/unconfined.te | 7 +++++ | 22 | 4 files changed, 11 insertions(+), 6 deletions(-) |
26 | policy/users | 6 ++-- | ||
27 | 6 files changed, 50 insertions(+), 12 deletions(-) | ||
28 | 23 | ||
29 | diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context | 24 | diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context |
30 | index 999abd9a3..a50bde775 100644 | 25 | index 999abd9a3..a50bde775 100644 |
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644 | |||
42 | -__default__:user_u:s0 | 37 | -__default__:user_u:s0 |
43 | +root:unconfined_u:s0-mcs_systemhigh | 38 | +root:unconfined_u:s0-mcs_systemhigh |
44 | +__default__:unconfined_u:s0 | 39 | +__default__:unconfined_u:s0 |
45 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
46 | index ce7d77d31..1aff2c31a 100644 | ||
47 | --- a/policy/modules/roles/sysadm.te | ||
48 | +++ b/policy/modules/roles/sysadm.te | ||
49 | @@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t) | ||
50 | |||
51 | init_exec(sysadm_t) | ||
52 | init_admin(sysadm_t) | ||
53 | +init_script_role_transition(sysadm_r) | ||
54 | |||
55 | # Add/remove user home directories | ||
56 | userdom_manage_user_home_dirs(sysadm_t) | ||
57 | diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if | ||
58 | index 98e94283f..eb6d5b32d 100644 | ||
59 | --- a/policy/modules/system/init.if | ||
60 | +++ b/policy/modules/system/init.if | ||
61 | @@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',` | ||
62 | # | ||
63 | interface(`init_spec_domtrans_script',` | ||
64 | gen_require(` | ||
65 | - type initrc_t, initrc_exec_t; | ||
66 | + type initrc_t; | ||
67 | + attribute init_script_file_type; | ||
68 | ') | ||
69 | |||
70 | files_list_etc($1) | ||
71 | - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
72 | + spec_domtrans_pattern($1, init_script_file_type, initrc_t) | ||
73 | |||
74 | ifdef(`distro_gentoo',` | ||
75 | gen_require(` | ||
76 | @@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',` | ||
77 | ') | ||
78 | |||
79 | ifdef(`enable_mcs',` | ||
80 | - range_transition $1 initrc_exec_t:process s0; | ||
81 | + range_transition $1 init_script_file_type:process s0; | ||
82 | ') | ||
83 | |||
84 | ifdef(`enable_mls',` | ||
85 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
86 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
87 | ') | ||
88 | ') | ||
89 | |||
90 | @@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',` | ||
91 | interface(`init_domtrans_script',` | ||
92 | gen_require(` | ||
93 | type initrc_t, initrc_exec_t; | ||
94 | + attribute init_script_file_type; | ||
95 | ') | ||
96 | |||
97 | files_list_etc($1) | ||
98 | domtrans_pattern($1, initrc_exec_t, initrc_t) | ||
99 | |||
100 | ifdef(`enable_mcs',` | ||
101 | - range_transition $1 initrc_exec_t:process s0; | ||
102 | + range_transition $1 init_script_file_type:process s0; | ||
103 | ') | ||
104 | |||
105 | ifdef(`enable_mls',` | ||
106 | - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; | ||
107 | + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; | ||
108 | ') | ||
109 | ') | ||
110 | |||
111 | @@ -3532,3 +3534,31 @@ interface(`init_getrlimit',` | ||
112 | |||
113 | allow $1 init_t:process getrlimit; | ||
114 | ') | ||
115 | + | ||
116 | +######################################## | ||
117 | +## <summary> | ||
118 | +## Transition to system_r when execute an init script | ||
119 | +## </summary> | ||
120 | +## <desc> | ||
121 | +## <p> | ||
122 | +## Execute a init script in a specified role | ||
123 | +## </p> | ||
124 | +## <p> | ||
125 | +## No interprocess communication (signals, pipes, | ||
126 | +## etc.) is provided by this interface since | ||
127 | +## the domains are not owned by this module. | ||
128 | +## </p> | ||
129 | +## </desc> | ||
130 | +## <param name="source_role"> | ||
131 | +## <summary> | ||
132 | +## Role to transition from. | ||
133 | +## </summary> | ||
134 | +## </param> | ||
135 | +# | ||
136 | +interface(`init_script_role_transition',` | ||
137 | + gen_require(` | ||
138 | + attribute init_script_file_type; | ||
139 | + ') | ||
140 | + | ||
141 | + role_transition $1 init_script_file_type system_r; | ||
142 | +') | ||
143 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | 40 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
144 | index 385c88695..87adb7e9d 100644 | 41 | index 4972094cb..b6d769412 100644 |
145 | --- a/policy/modules/system/unconfined.te | 42 | --- a/policy/modules/system/unconfined.te |
146 | +++ b/policy/modules/system/unconfined.te | 43 | +++ b/policy/modules/system/unconfined.te |
147 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; | 44 | @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; |
@@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644 | |||
156 | 53 | ||
157 | ######################################## | 54 | ######################################## |
158 | # | 55 | # |
159 | @@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f | ||
160 | ifdef(`direct_sysadm_daemon',` | ||
161 | optional_policy(` | ||
162 | init_run_daemon(unconfined_t, unconfined_r) | ||
163 | + init_domtrans_script(unconfined_t) | ||
164 | + init_script_role_transition(unconfined_r) | ||
165 | ') | ||
166 | ',` | ||
167 | ifdef(`distro_gentoo',` | ||
168 | diff --git a/policy/users b/policy/users | 56 | diff --git a/policy/users b/policy/users |
169 | index ca203758c..e737cd9cc 100644 | 57 | index ca203758c..e737cd9cc 100644 |
170 | --- a/policy/users | 58 | --- a/policy/users |