1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..c47984d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@
+From 1096b2eb1172506006691e90769e51a086b8374f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 30 Jun 2020 10:45:57 +0800
+Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/cron.fc  | 1 +
+ policy/modules/services/rngd.fc  | 1 +
+ policy/modules/services/rpc.fc   | 2 ++
+ policy/modules/system/logging.fc | 1 +
+ 4 files changed, 5 insertions(+)
+diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
+index 827363d88..e8412396d 100644
+--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/(anacron|atd)       --      gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/crond       --      gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+ 
+ /etc/cron\.d(/.*)?     gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab   --      gen_context(system_u:object_r:system_cron_spool_t,s0)
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
+++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/rngd        --      gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rng-tools   --      gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+ 
+ /usr/bin/rngd  --      gen_context(system_u:object_r:rngd_exec_t,s0)
+ 
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 75c2f0617..fa881ba2e 100644
+--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
+@@ -1,7 +1,9 @@
+ /etc/exports   --      gen_context(system_u:object_r:exports_t,s0)
+ 
+ /etc/rc\.d/init\.d/nfs --      gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfsserver   --      gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/nfslock     --      gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfscommon   --      gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd   --      gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ 
+ /usr/bin/nfsdcld       --      gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 3b0dea51b..0ce2bec4b 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/lib/systemd/systemd-kmsg-syslogd  --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch new file mode 100644 index 0000000..c47984d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@
	1	From 1096b2eb1172506006691e90769e51a086b8374f Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Tue, 30 Jun 2020 10:45:57 +0800
	4	Subject: [PATCH] fc: add fcontext for init scripts and systemd service files
	5
	6	Upstream-Status: Inappropriate [embedded specific]
	7
	8	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	9	---
	10	policy/modules/services/cron.fc \| 1 +
	11	policy/modules/services/rngd.fc \| 1 +
	12	policy/modules/services/rpc.fc \| 2 ++
	13	policy/modules/system/logging.fc \| 1 +
	14	4 files changed, 5 insertions(+)
	15
	16	diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
	17	index 827363d88..e8412396d 100644
	18	--- a/policy/modules/services/cron.fc
	19	+++ b/policy/modules/services/cron.fc
	20	@@ -1,4 +1,5 @@
	21	/etc/rc\.d/init\.d/(anacron\|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
	22	+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
	23
	24	/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
	25	/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
	26	diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
	27	index 382c067f9..0ecc5acc4 100644
	28	--- a/policy/modules/services/rngd.fc
	29	+++ b/policy/modules/services/rngd.fc
	30	@@ -1,4 +1,5 @@
	31	/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
	32	+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
	33
	34	/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
	35
	36	diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
	37	index 75c2f0617..fa881ba2e 100644
	38	--- a/policy/modules/services/rpc.fc
	39	+++ b/policy/modules/services/rpc.fc
	40	@@ -1,7 +1,9 @@
	41	/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
	42
	43	/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
	44	+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
	45	/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
	46	+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
	47	/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
	48
	49	/usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
	50	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
	51	index 3b0dea51b..0ce2bec4b 100644
	52	--- a/policy/modules/system/logging.fc
	53	+++ b/policy/modules/system/logging.fc
	54	@@ -24,6 +24,7 @@
	55	/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
	56	/usr/lib/systemd/system/[^/]systemd-journal. -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	57	/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	58	+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	59	/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
	60	/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
	61
	62	--
	63	2.25.1
	64