1 files changed, 7 insertions, 119 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
index 89bc68e..9939b59 100644
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,4 +1,4 @@
-From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001
+From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Mon, 20 Apr 2020 11:50:03 +0800
 Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux
 user for root and normal users, so users could login in and run most
 commands and services on unconfined domains.
-Also add rules for users to run init scripts directly, instead of via
-run_init.
 Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
@@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- config/appconfig-mcs/failsafe_context |  2 +-
+ config/appconfig-mcs/failsafe_context | 2 +-
- config/appconfig-mcs/seusers          |  4 +--
+ config/appconfig-mcs/seusers          | 4 ++--
- policy/modules/roles/sysadm.te        |  1 +
+ policy/modules/system/unconfined.te   | 5 +++++
- policy/modules/system/init.if         | 42 +++++++++++++++++++++++----
+ policy/users                          | 6 +++---
- policy/modules/system/unconfined.te   |  7 +++++
+ 4 files changed, 11 insertions(+), 6 deletions(-)
- policy/users                          |  6 ++--
- 6 files changed, 50 insertions(+), 12 deletions(-)
 diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
 index 999abd9a3..a50bde775 100644
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index ce7d77d31..1aff2c31a 100644
--- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
- 
- init_exec(sysadm_t)
- init_admin(sysadm_t)
-+init_script_role_transition(sysadm_r)
- 
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 98e94283f..eb6d5b32d 100644
--- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',`
- #
- interface(`init_spec_domtrans_script',`
-        gen_require(`
-               type initrc_t, initrc_exec_t;
-+               type initrc_t;
-+               attribute init_script_file_type;
-        ')
- 
-        files_list_etc($1)
-       spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
-+       spec_domtrans_pattern($1, init_script_file_type, initrc_t)
- 
-        ifdef(`distro_gentoo',`
-                gen_require(`
-@@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',`
-        ')
- 
-        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
-+               range_transition $1 init_script_file_type:process s0;
-        ')
- 
-        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-        ')
- ')
- 
-@@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',`
- interface(`init_domtrans_script',`
-        gen_require(`
-                type initrc_t, initrc_exec_t;
-+               attribute init_script_file_type;
-        ')
- 
-        files_list_etc($1)
-        domtrans_pattern($1, initrc_exec_t, initrc_t)
- 
-        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
-+               range_transition $1 init_script_file_type:process s0;
-        ')
- 
-        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
-+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-        ')
- ')
- 
-@@ -3532,3 +3534,31 @@ interface(`init_getrlimit',`
- 
-        allow $1 init_t:process getrlimit;
- ')
-+
-+########################################
-+## <summary>
-+##     Transition to system_r when execute an init script
-+## </summary>
-+## <desc>
-+##     <p>
-+##     Execute a init script in a specified role
-+##     </p>
-+##     <p>
-+##     No interprocess communication (signals, pipes,
-+##     etc.) is provided by this interface since
-+##     the domains are not owned by this module.
-+##     </p>
-+## </desc>
-+## <param name="source_role">
-+##     <summary>
-+##     Role to transition from.
-+##     </summary>
-+## </param>
-+#
-+interface(`init_script_role_transition',`
-+       gen_require(`
-+               attribute init_script_file_type;
-+       ')
-+
-+       role_transition $1 init_script_file_type system_r;
-+')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 385c88695..87adb7e9d 100644
+index 4972094cb..b6d769412 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
 @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
@@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644
 
 ########################################
 #
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
- ifdef(`direct_sysadm_daemon',`
-         optional_policy(`
-                 init_run_daemon(unconfined_t, unconfined_r)
-+                init_domtrans_script(unconfined_t)
-+                init_script_role_transition(unconfined_r)
-         ')
- ',`
-         ifdef(`distro_gentoo',`
 diff --git a/policy/users b/policy/users
 index ca203758c..e737cd9cc 100644
 --- a/policy/users

diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 89bc68e..9939b59 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -1,4 +1,4 @@
1	From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001	1	From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>	2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Mon, 20 Apr 2020 11:50:03 +0800	3	Date: Mon, 20 Apr 2020 11:50:03 +0800
4	Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux	4	Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux
8	user for root and normal users, so users could login in and run most	8	user for root and normal users, so users could login in and run most
9	commands and services on unconfined domains.	9	commands and services on unconfined domains.
10		10
11	Also add rules for users to run init scripts directly, instead of via
12	run_init.
13
14	Upstream-Status: Inappropriate [configuration]	11	Upstream-Status: Inappropriate [configuration]
15		12
16	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	13	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
@@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
18	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>	15	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
19	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
20	---	17	---
21	config/appconfig-mcs/failsafe_context \| 2 +-	18	config/appconfig-mcs/failsafe_context \| 2 +-
22	config/appconfig-mcs/seusers \| 4 +--	19	config/appconfig-mcs/seusers \| 4 ++--
23	policy/modules/roles/sysadm.te \| 1 +	20	policy/modules/system/unconfined.te \| 5 +++++
24	policy/modules/system/init.if \| 42 +++++++++++++++++++++++----	21	policy/users \| 6 +++---
25	policy/modules/system/unconfined.te \| 7 +++++	22	4 files changed, 11 insertions(+), 6 deletions(-)
26	policy/users \| 6 ++--
27	6 files changed, 50 insertions(+), 12 deletions(-)
28		23
29	diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context	24	diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
30	index 999abd9a3..a50bde775 100644	25	index 999abd9a3..a50bde775 100644
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644
42	-__default__:user_u:s0	37	-__default__:user_u:s0
43	+root:unconfined_u:s0-mcs_systemhigh	38	+root:unconfined_u:s0-mcs_systemhigh
44	+__default__:unconfined_u:s0	39	+__default__:unconfined_u:s0
45	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
46	index ce7d77d31..1aff2c31a 100644
47	--- a/policy/modules/roles/sysadm.te
48	+++ b/policy/modules/roles/sysadm.te
49	@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
50
51	init_exec(sysadm_t)
52	init_admin(sysadm_t)
53	+init_script_role_transition(sysadm_r)
54
55	# Add/remove user home directories
56	userdom_manage_user_home_dirs(sysadm_t)
57	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
58	index 98e94283f..eb6d5b32d 100644
59	--- a/policy/modules/system/init.if
60	+++ b/policy/modules/system/init.if
61	@@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',`
62	#
63	interface(`init_spec_domtrans_script',`
64	gen_require(`
65	- type initrc_t, initrc_exec_t;
66	+ type initrc_t;
67	+ attribute init_script_file_type;
68	')
69
70	files_list_etc($1)
71	- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
72	+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
73
74	ifdef(`distro_gentoo',`
75	gen_require(`
76	@@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',`
77	')
78
79	ifdef(`enable_mcs',`
80	- range_transition $1 initrc_exec_t:process s0;
81	+ range_transition $1 init_script_file_type:process s0;
82	')
83
84	ifdef(`enable_mls',`
85	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
86	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
87	')
88	')
89
90	@@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',`
91	interface(`init_domtrans_script',`
92	gen_require(`
93	type initrc_t, initrc_exec_t;
94	+ attribute init_script_file_type;
95	')
96
97	files_list_etc($1)
98	domtrans_pattern($1, initrc_exec_t, initrc_t)
99
100	ifdef(`enable_mcs',`
101	- range_transition $1 initrc_exec_t:process s0;
102	+ range_transition $1 init_script_file_type:process s0;
103	')
104
105	ifdef(`enable_mls',`
106	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
107	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
108	')
109	')
110
111	@@ -3532,3 +3534,31 @@ interface(`init_getrlimit',`
112
113	allow $1 init_t:process getrlimit;
114	')
115	+
116	+########################################
117	+## <summary>
118	+## Transition to system_r when execute an init script
119	+## </summary>
120	+## <desc>
121	+## <p>
122	+## Execute a init script in a specified role
123	+## </p>
124	+## <p>
125	+## No interprocess communication (signals, pipes,
126	+## etc.) is provided by this interface since
127	+## the domains are not owned by this module.
128	+## </p>
129	+## </desc>
130	+## <param name="source_role">
131	+## <summary>
132	+## Role to transition from.
133	+## </summary>
134	+## </param>
135	+#
136	+interface(`init_script_role_transition',`
137	+ gen_require(`
138	+ attribute init_script_file_type;
139	+ ')
140	+
141	+ role_transition $1 init_script_file_type system_r;
142	+')
143	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te	40	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
144	index 385c88695..87adb7e9d 100644	41	index 4972094cb..b6d769412 100644
145	--- a/policy/modules/system/unconfined.te	42	--- a/policy/modules/system/unconfined.te
146	+++ b/policy/modules/system/unconfined.te	43	+++ b/policy/modules/system/unconfined.te
147	@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;	44	@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
@@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644
156		53
157	########################################	54	########################################
158	#	55	#
159	@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
160	ifdef(`direct_sysadm_daemon',`
161	optional_policy(`
162	init_run_daemon(unconfined_t, unconfined_r)
163	+ init_domtrans_script(unconfined_t)
164	+ init_script_role_transition(unconfined_r)
165	')
166	',`
167	ifdef(`distro_gentoo',`
168	diff --git a/policy/users b/policy/users	56	diff --git a/policy/users b/policy/users
169	index ca203758c..e737cd9cc 100644	57	index ca203758c..e737cd9cc 100644
170	--- a/policy/users	58	--- a/policy/users