Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch | 53 |
1 files changed, 53 insertions, 0 deletions
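--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch
@@ -0,0 +1,53 @@
+From fc77db62ce54a33ee04bfc3e4c68b9cbed7251c6 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
+/sys/fs/selinux
+
+1. mcstransd failed to boot-up since the below permission is denied
+statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
+
+2. other programs can not connect to /run/setrans/.setrans-unix
+avc: denied { connectto } for pid=2055 comm="ls"
+path="/run/setrans/.setrans-unix"
+scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:setrans_t:s15:c0.c1023
+tclass=unix_stream_socket
+
+3. allow setrans_t use fd at any level
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/setrans.te | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 5f020ef78..7f618f212 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
+-ifdef(`distro_debian',`
+- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+-')
++init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+
+ifdef(`enable_mcs',`
+init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
+@@ -73,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
+mls_socket_write_all_levels(setrans_t)
+mls_process_read_all_levels(setrans_t)
+mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
++mls_trusted_object(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+--
+2.17.1
+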
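Review bot: `mls_trusted_object(setrans_t)` in the second hunk of the embedded setrans.te diff exempts every object labelled setrans_t from the MLS constraints, which is considerably wider than the single `connectto` denial on `/run/setrans/.setrans-unix` quoted in the header; the header should state why a domain-wide exemption is needed rather than a socket-scoped MLS interface, or the grant should be narrowed to the socket class the denial names. The header's first item (statfs on /sys/fs/selinux returning EACCES) is not addressed by either hunk, which only change runtime-directory creation and MLS permissions, so either that denial is resolved elsewhere or the description is stale — a line in the header saying which would help the next reader. Dropping the `ifdef(`distro_debian',` guard around `init_daemon_runtime_file` makes the runtime directory unconditional for all distros, which looks reasonable but is not obviously "embedded specific" as the `Upstream-Status` line claims; consider rewording that line or splitting the hunk into its own patch.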