1 files changed, 53 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch
new file mode 100644
index 0000000..55d92f0
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch
@@ -0,0 +1,53 @@
+From fc77db62ce54a33ee04bfc3e4c68b9cbed7251c6 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
+ /sys/fs/selinux
+1. mcstransd failed to boot-up since the below permission is denied
+statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
+2. other programs can not connect to /run/setrans/.setrans-unix
+avc:  denied  { connectto } for  pid=2055 comm="ls"
+path="/run/setrans/.setrans-unix"
+scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:setrans_t:s15:c0.c1023
+tclass=unix_stream_socket
+3. allow setrans_t use fd at any level
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/setrans.te | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 5f020ef78..7f618f212 100644
+--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
+@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
+ type setrans_unit_t;
+ init_unit_file(setrans_unit_t)
+ 
+-ifdef(`distro_debian',`
+-       init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+-')
+init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+ 
+ ifdef(`enable_mcs',`
+        init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
+@@ -73,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
+ mls_socket_write_all_levels(setrans_t)
+ mls_process_read_all_levels(setrans_t)
+ mls_socket_read_all_levels(setrans_t)
+mls_fd_use_all_levels(setrans_t)
+mls_trusted_object(setrans_t)
+ 
+ selinux_compute_access_vector(setrans_t)
+ 
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch new file mode 100644 index 0000000..55d92f0 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch
@@ -0,0 +1,53 @@
	1	From fc77db62ce54a33ee04bfc3e4c68b9cbed7251c6 Mon Sep 17 00:00:00 2001
	2	From: Roy Li <rongqing.li@windriver.com>
	3	Date: Sat, 22 Feb 2014 13:35:38 +0800
	4	Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
	5	/sys/fs/selinux
	6
	7	1. mcstransd failed to boot-up since the below permission is denied
	8	statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
	9
	10	2. other programs can not connect to /run/setrans/.setrans-unix
	11	avc: denied { connectto } for pid=2055 comm="ls"
	12	path="/run/setrans/.setrans-unix"
	13	scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
	14	tcontext=system_u:system_r:setrans_t:s15:c0.c1023
	15	tclass=unix_stream_socket
	16
	17	3. allow setrans_t use fd at any level
	18
	19	Upstream-Status: Inappropriate [embedded specific]
	20
	21	Signed-off-by: Roy Li <rongqing.li@windriver.com>
	22	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	23	---
	24	policy/modules/system/setrans.te \| 6 +++---
	25	1 file changed, 3 insertions(+), 3 deletions(-)
	26
	27	diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
	28	index 5f020ef78..7f618f212 100644
	29	--- a/policy/modules/system/setrans.te
	30	+++ b/policy/modules/system/setrans.te
	31	@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
	32	type setrans_unit_t;
	33	init_unit_file(setrans_unit_t)
	34
	35	-ifdef(`distro_debian',`
	36	- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
	37	-')
	38	+init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
	39
	40	ifdef(`enable_mcs',`
	41	init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
	42	@@ -73,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
	43	mls_socket_write_all_levels(setrans_t)
	44	mls_process_read_all_levels(setrans_t)
	45	mls_socket_read_all_levels(setrans_t)
	46	+mls_fd_use_all_levels(setrans_t)
	47	+mls_trusted_object(setrans_t)
	48
	49	selinux_compute_access_vector(setrans_t)
	50
	51	--
	52	2.17.1
	53