1 files changed, 0 insertions, 67 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
deleted file mode 100644
index e7ce388..0000000
--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 24 Aug 2020 11:29:09 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
- confidentiality of class lockdown
-The SELinux lockdown implementation was introduced since kernel 5.6 by
-commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
-and udev_t to access confidentiality of class lockdown to mount tracefs.
-Fixes:
-kernel: Could not create tracefs 'iwlwifi_data/filter' entry
-kernel: Could not create tracefs 'enable' entry
-kernel: Could not create tracefs 'id' entry
-kernel: Could not create tracefs 'filter' entry
-kernel: Could not create tracefs 'trigger' entry
-kernel: Could not create tracefs 'format' entry
-audit[170]: AVC avc:  denied  { confidentiality } for  pid=170
-comm="modprobe" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:kmod_t:s15:c0.c1023
-tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
-permissive=0
-audit[190]: AVC avc:  denied  { confidentiality } for  pid=190
-comm="systemd-udevd" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
-permissive=0
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/modutils.te | 2 ++
- policy/modules/system/udev.te     | 2 ++
- 2 files changed, 4 insertions(+)
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b0a419dc1..5b4f0aca1 100644
--- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
- allow kmod_t self:udp_socket create_socket_perms;
- allow kmod_t self:rawip_socket create_socket_perms;
- 
-+allow kmod_t self:lockdown confidentiality;
-+
- # Read module config and dependency information
- list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
- read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index c50ff68c1..4c5a690fb 100644
--- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
- # for systemd-udevd to rename interfaces
- allow udev_t self:netlink_route_socket nlmsg_write;
- 
-+allow udev_t self:lockdown confidentiality;
-+
- can_exec(udev_t, udev_exec_t)
- 
- allow udev_t udev_helper_exec_t:dir list_dir_perms;
-- 
-2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch deleted file mode 100644 index e7ce388..0000000 --- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch +++ /dev/null
@@ -1,67 +0,0 @@
1	From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Mon, 24 Aug 2020 11:29:09 +0800
4	Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
5	confidentiality of class lockdown
6
7	The SELinux lockdown implementation was introduced since kernel 5.6 by
8	commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
9	and udev_t to access confidentiality of class lockdown to mount tracefs.
10
11	Fixes:
12	kernel: Could not create tracefs 'iwlwifi_data/filter' entry
13	kernel: Could not create tracefs 'enable' entry
14	kernel: Could not create tracefs 'id' entry
15	kernel: Could not create tracefs 'filter' entry
16	kernel: Could not create tracefs 'trigger' entry
17	kernel: Could not create tracefs 'format' entry
18
19	audit[170]: AVC avc: denied { confidentiality } for pid=170
20	comm="modprobe" lockdown_reason="use of tracefs"
21	scontext=system_u:system_r:kmod_t:s15:c0.c1023
22	tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
23	permissive=0
24
25	audit[190]: AVC avc: denied { confidentiality } for pid=190
26	comm="systemd-udevd" lockdown_reason="use of tracefs"
27	scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
28	tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
29	permissive=0
30
31	Upstream-Status: Inappropriate [embedded specific]
32
33	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
34	---
35	policy/modules/system/modutils.te \| 2 ++
36	policy/modules/system/udev.te \| 2 ++
37	2 files changed, 4 insertions(+)
38
39	diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
40	index b0a419dc1..5b4f0aca1 100644
41	--- a/policy/modules/system/modutils.te
42	+++ b/policy/modules/system/modutils.te
43	@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
44	allow kmod_t self:udp_socket create_socket_perms;
45	allow kmod_t self:rawip_socket create_socket_perms;
46
47	+allow kmod_t self:lockdown confidentiality;
48	+
49	# Read module config and dependency information
50	list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
51	read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
52	diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
53	index c50ff68c1..4c5a690fb 100644
54	--- a/policy/modules/system/udev.te
55	+++ b/policy/modules/system/udev.te
56	@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
57	# for systemd-udevd to rename interfaces
58	allow udev_t self:netlink_route_socket nlmsg_write;
59
60	+allow udev_t self:lockdown confidentiality;
61	+
62	can_exec(udev_t, udev_exec_t)
63
64	allow udev_t udev_helper_exec_t:dir list_dir_perms;
65	--
66	2.17.1
67