Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch')
-rw-r--r--recipes-security/refpolicy/refpolicy/0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch78
1 files changed, 78 insertions, 0 deletions
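--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch
@@ -0,0 +1,78 @@
+From fbf98576f32e33e55f3babeb9db255a459fad711 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] policy/modules/services/rpc: fix policy for nfsserver to
+ mount nfsd_fs_t
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ policy/modules/services/rpc.fc | 2 ++
+ policy/modules/services/rpc.te | 2 ++
+ policy/modules/services/rpcbind.te | 6 ++++++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index c8218bf8c..44c031a39 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 6d3c9b68b..75999a57c 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -1,7 +1,9 @@
+ /etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+ /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+ /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index c06ff803f..7c0b37ddc 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -250,6 +250,8 @@ storage_raw_read_removable_device(nfsd_t)
+
+ miscfiles_read_public_files(nfsd_t)
+
++mls_file_read_to_clearance(nfsd_t)
++
+ tunable_policy(`allow_nfsd_anon_write',`
+ miscfiles_manage_public_files(nfsd_t)
+ ')
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 4f110773a..3cc85a8d5 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t)
+
+ miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++mls_file_read_to_clearance(rpcbind_t)
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
+ ')
+--
+2.17.1
+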
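Review bot: The MLS exemptions added to kernel_t at embedded-patch lines 27–28 (`mls_socket_write_all_levels(kernel_t)`, `mls_fd_use_all_levels(kernel_t)`) and to nfsd_t in rpc.te (`mls_file_read_to_clearance(nfsd_t)`) are not covered by the subject, which only mentions letting nfsserver mount nfsd_fs_t, and the patch body gives no rationale for them. Each of these lets the domain cross MLS level boundaries, so the description should state which observed denial each rule resolves, for example a comment above each rule such as `# needed for <denial observed when starting nfsserver> (placeholder)` filled from the AVC log rather than left unexplained. The rpcbind.te comment describes only nfsd_t sending a unix_stream_socket to rpcbind_t, yet the rules grant socket read and write across all levels plus file read to clearance; if only the socket direction is needed, the narrower interface and a comment naming why each of the three is required would keep the grant proportionate. The comment wording `because the are running in different level` also reads as a typo for "they are running at different levels" and would be worth fixing in the same patch. The Upstream-Status of Inappropriate [embedded specific] looks questionable for MLS rule changes that would apply to any refpolicy MLS build, so consider marking it Pending and submitting it upstream.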