1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch
new file mode 100644
index 0000000..687e1c9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -0,0 +1,40 @@
+From 980d9d3f3c3e1e3517971715c351ec7b747105d0 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 3 Feb 2016 04:16:06 -0500
+Subject: [PATCH] policy/modules/system/init: all init_t to read any level
+ sockets
+Fixes:
+  avc: denied { listen } for pid=1 comm="systemd" \
+  path="/run/systemd/journal/stdout" \
+  scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+  tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
+  tclass=unix_stream_socket permissive=1
+  systemd[1]: Failded to listen on Journal Socket
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.te | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 458906ac5..c2380d8b4 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t)
+ mls_file_downgrade(init_t)
+ mls_file_upgrade(init_t)
+ 
+# MLS trusted for reading from sockets at any level
+mls_socket_read_all_levels(init_t)
+
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch new file mode 100644 index 0000000..687e1c9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -0,0 +1,40 @@
	1	From 980d9d3f3c3e1e3517971715c351ec7b747105d0 Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Wed, 3 Feb 2016 04:16:06 -0500
	4	Subject: [PATCH] policy/modules/system/init: all init_t to read any level
	5	sockets
	6
	7	Fixes:
	8	avc: denied { listen } for pid=1 comm="systemd" \
	9	path="/run/systemd/journal/stdout" \
	10	scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
	11	tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
	12	tclass=unix_stream_socket permissive=1
	13
	14	systemd[1]: Failded to listen on Journal Socket
	15
	16	Upstream-Status: Inappropriate [embedded specific]
	17
	18	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	19	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	20	---
	21	policy/modules/system/init.te \| 3 +++
	22	1 file changed, 3 insertions(+)
	23
	24	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
	25	index 458906ac5..c2380d8b4 100644
	26	--- a/policy/modules/system/init.te
	27	+++ b/policy/modules/system/init.te
	28	@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t)
	29	mls_file_downgrade(init_t)
	30	mls_file_upgrade(init_t)
	31
	32	+# MLS trusted for reading from sockets at any level
	33	+mls_socket_read_all_levels(init_t)
	34	+
	35	# the following one is needed for libselinux:is_selinux_enabled()
	36	# otherwise the call fails and sysvinit tries to load the policy
	37	# again when using the initramfs
	38	--
	39	2.25.1
	40