1 files changed, 77 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..3a2c235
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,77 @@
+From fdc58fd666915aba89cb07fe6e7eb43a7fbec2ec Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ lowering the level of files
+The boot process hangs with the error while using MLS policy:
+  [!!!!!!] Failed to mount API filesystems, freezing.
+  [    4.085349] systemd[1]: Freezing execution.
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+  op=security_validate_transition seresult=denied \
+  oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+  newcontext=system_u:object_r:device_t:s0 \
+  taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+  systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+  avc: denied { create } for pid=1 comm="systemd" name="shm" \
+  scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+  tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+  systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+  avc: denied { create } for pid=1 comm="systemd" name="pts" \
+  scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+  tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+  op=security_validate_transition seresult=denied \
+  oldcontext=system_u:object_r:unlabeled_t:s0 \
+  newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+  taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+  op=security_validate_transition seresult=denied \
+  oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+  newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+  taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+  systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+  op=security_validate_transition seresult=denied \
+  oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+  newcontext=system_u:object_r:cgroup_t:s0 \
+  taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+  systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+  avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+  scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+  tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 44c031a39..4dffaef76 100644
+--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
+@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
+ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
+ 
+# https://bugzilla.redhat.com/show_bug.cgi?id=667370
+mls_file_downgrade(kernel_t)
+
+ ifdef(`distro_redhat',`
+        # Bugzilla 222337
+        fs_rw_tmpfs_chr_files(kernel_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch new file mode 100644 index 0000000..3a2c235 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,77 @@
	1	From fdc58fd666915aba89cb07fe6e7eb43a7fbec2ec Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Fri, 13 Oct 2017 07:20:40 +0000
	4	Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
	5	lowering the level of files
	6
	7	The boot process hangs with the error while using MLS policy:
	8
	9	[!!!!!!] Failed to mount API filesystems, freezing.
	10	[ 4.085349] systemd[1]: Freezing execution.
	11
	12	Make kernel_t mls trusted for lowering the level of files to fix below
	13	avc denials and remove the hang issue.
	14
	15	op=security_validate_transition seresult=denied \
	16	oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
	17	newcontext=system_u:object_r:device_t:s0 \
	18	taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
	19	systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
	20
	21	avc: denied { create } for pid=1 comm="systemd" name="shm" \
	22	scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
	23	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
	24	systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
	25
	26	avc: denied { create } for pid=1 comm="systemd" name="pts" \
	27	scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
	28	tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
	29
	30	op=security_validate_transition seresult=denied \
	31	oldcontext=system_u:object_r:unlabeled_t:s0 \
	32	newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
	33	taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
	34
	35	op=security_validate_transition seresult=denied \
	36	oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
	37	newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
	38	taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
	39	systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
	40
	41	op=security_validate_transition seresult=denied \
	42	oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
	43	newcontext=system_u:object_r:cgroup_t:s0 \
	44	taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
	45	systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
	46
	47	avc: denied { create } for pid=1 comm="systemd" name="pstore" \
	48	scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
	49	tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
	50
	51	Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
	52
	53	Upstream-Status: Inappropriate [embedded specific]
	54
	55	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	56	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	57	---
	58	policy/modules/kernel/kernel.te \| 3 +++
	59	1 file changed, 3 insertions(+)
	60
	61	diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
	62	index 44c031a39..4dffaef76 100644
	63	--- a/policy/modules/kernel/kernel.te
	64	+++ b/policy/modules/kernel/kernel.te
	65	@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
	66	mls_socket_write_all_levels(kernel_t)
	67	mls_fd_use_all_levels(kernel_t)
	68
	69	+# https://bugzilla.redhat.com/show_bug.cgi?id=667370
	70	+mls_file_downgrade(kernel_t)
	71	+
	72	ifdef(`distro_redhat',`
	73	# Bugzilla 222337
	74	fs_rw_tmpfs_chr_files(kernel_t)
	75	--
	76	2.17.1
	77