Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch | 46 |
1 files changed, 46 insertions, 0 deletions
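--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,46 @@
+From f2ff5081b1a98272c803ccfd24aeea91e8d5c368 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 15 Jan 2016 03:47:05 -0500
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+lowering/raising the leve of files
+
+Fix security_validate_transition issues:
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+newcontext=system_u:object_r:device_t:s0 \
+taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=dir
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:var_run_t:s0 \
+newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/init.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 809019873..be9c75155 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t)
+mls_fd_use_all_levels(init_t)
+mls_process_set_level(init_t)
+
++# MLS trusted for lowering/raising the level of files
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
++
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+--
+2.25.1
+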
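Review bot: The comment added above `mls_file_downgrade(init_t)` and `mls_file_upgrade(init_t)` in init.te only restates the interface names and does not say why init_t needs the exemption. The two denials in the commit message are both `tclass=dir` relabels (device_t from s15:c0.c1023 to s0, and var_run_t:s0 to var_log_t:s0-s15:c0.c1023), while the grant as written is not limited to those types or to directories. I would put the reason in the policy itself, for example `# init_t relabels dirs across levels (device_t s15:c0.c1023 -> s0, var_run_t -> var_log_t); see security_validate_transition denials in the commit log`. Because the first denial is a downgrade from the top level to s0, it is worth confirming on an MLS build that this is the intended behaviour and not a labelling issue that file contexts could address instead. The surrounding init.te block starts and ends outside the hunk.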