1 files changed, 102 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
new file mode 100644
index 0000000..33dc366
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -0,0 +1,102 @@
+From 3ff1a004b77f44857dadfef3b78a49a55d90c665 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
+ /tmp
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index a3993f5cc..f69900945 100644
+--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
+@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.*    <<none>>
+ # /tmp
+ #
+ /tmp                   -d      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp                   -l      gen_context(system_u:object_r:tmp_t,s0)
+ /tmp/.*                                <<none>>
+ /tmp/\.journal                 <<none>>
+ 
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 6a53f886b..ad19738b3 100644
+--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
+@@ -4451,6 +4451,7 @@ interface(`files_search_tmp',`
+        ')
+ 
+        allow $1 tmp_t:dir search_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4487,6 +4488,7 @@ interface(`files_list_tmp',`
+        ')
+ 
+        allow $1 tmp_t:dir list_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4523,6 +4525,7 @@ interface(`files_delete_tmp_dir_entry',`
+        ')
+ 
+        allow $1 tmp_t:dir del_entry_dir_perms;
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4541,6 +4544,7 @@ interface(`files_read_generic_tmp_files',`
+        ')
+ 
+        read_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4559,6 +4563,7 @@ interface(`files_manage_generic_tmp_dirs',`
+        ')
+ 
+        manage_dirs_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4577,6 +4582,7 @@ interface(`files_manage_generic_tmp_files',`
+        ')
+ 
+        manage_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4613,6 +4619,7 @@ interface(`files_rw_generic_tmp_sockets',`
+        ')
+ 
+        rw_sock_files_pattern($1, tmp_t, tmp_t)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -4820,6 +4827,7 @@ interface(`files_tmp_filetrans',`
+        ')
+ 
+        filetrans_pattern($1, tmp_t, $2, $3, $4)
+       allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch new file mode 100644 index 0000000..33dc366 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch
@@ -0,0 +1,102 @@
	1	From 3ff1a004b77f44857dadfef3b78a49a55d90c665 Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Thu, 22 Aug 2013 13:37:23 +0800
	4	Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
	5	/tmp
	6
	7	/tmp is a symlink in poky, so we need allow rules for files to read
	8	lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
	9
	10	Upstream-Status: Inappropriate [embedded specific]
	11
	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	13	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	policy/modules/kernel/files.fc \| 1 +
	17	policy/modules/kernel/files.if \| 8 ++++++++
	18	2 files changed, 9 insertions(+)
	19
	20	diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
	21	index a3993f5cc..f69900945 100644
	22	--- a/policy/modules/kernel/files.fc
	23	+++ b/policy/modules/kernel/files.fc
	24	@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
	25	# /tmp
	26	#
	27	/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
	28	+/tmp -l gen_context(system_u:object_r:tmp_t,s0)
	29	/tmp/.* <<none>>
	30	/tmp/\.journal <<none>>
	31
	32	diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
	33	index 6a53f886b..ad19738b3 100644
	34	--- a/policy/modules/kernel/files.if
	35	+++ b/policy/modules/kernel/files.if
	36	@@ -4451,6 +4451,7 @@ interface(`files_search_tmp',`
	37	')
	38
	39	allow $1 tmp_t:dir search_dir_perms;
	40	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	41	')
	42
	43	########################################
	44	@@ -4487,6 +4488,7 @@ interface(`files_list_tmp',`
	45	')
	46
	47	allow $1 tmp_t:dir list_dir_perms;
	48	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	49	')
	50
	51	########################################
	52	@@ -4523,6 +4525,7 @@ interface(`files_delete_tmp_dir_entry',`
	53	')
	54
	55	allow $1 tmp_t:dir del_entry_dir_perms;
	56	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	57	')
	58
	59	########################################
	60	@@ -4541,6 +4544,7 @@ interface(`files_read_generic_tmp_files',`
	61	')
	62
	63	read_files_pattern($1, tmp_t, tmp_t)
	64	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	65	')
	66
	67	########################################
	68	@@ -4559,6 +4563,7 @@ interface(`files_manage_generic_tmp_dirs',`
	69	')
	70
	71	manage_dirs_pattern($1, tmp_t, tmp_t)
	72	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	73	')
	74
	75	########################################
	76	@@ -4577,6 +4582,7 @@ interface(`files_manage_generic_tmp_files',`
	77	')
	78
	79	manage_files_pattern($1, tmp_t, tmp_t)
	80	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	81	')
	82
	83	########################################
	84	@@ -4613,6 +4619,7 @@ interface(`files_rw_generic_tmp_sockets',`
	85	')
	86
	87	rw_sock_files_pattern($1, tmp_t, tmp_t)
	88	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	89	')
	90
	91	########################################
	92	@@ -4820,6 +4827,7 @@ interface(`files_tmp_filetrans',`
	93	')
	94
	95	filetrans_pattern($1, tmp_t, $2, $3, $4)
	96	+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
	97	')
	98
	99	########################################
	100	--
	101	2.17.1
	102