1 files changed, 0 insertions, 162 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
deleted file mode 100644
index cb8e821..0000000
--- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 18 Jun 2020 09:59:58 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
- MLS trusted for writing/reading from files up to its clearance
-Fixes:
-avc:  denied  { search } for  pid=219 comm="systemd-network"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc:  denied  { search } for  pid=220 comm="systemd-resolve"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc:  denied  { search } for  pid=220 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=15102
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-avc:  denied  { search } for  pid=142 comm="systemd-modules"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-audit: type=1400 audit(1592892455.376:3): avc:  denied  { write } for
-pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-audit: type=1400 audit(1592892455.381:4): avc:  denied  { write } for
-pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-avc:  denied  { read } for  pid=125 comm="systemd-gpt-aut" name="sdb"
-dev="devtmpfs" ino=42
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
-tclass=blk_file permissive=0
-avc:  denied  { search } for  pid=302 comm="systemd-hostnam"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc:  denied  { search } for  pid=302 comm="systemd-hostnam" name="/"
-dev="tmpfs" ino=17310
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-avc:  denied  { search } for  pid=233 comm="systemd-rfkill"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc:  denied  { write } for  pid=233 comm="systemd-rfkill" name="kmsg"
-dev="devtmpfs" ino=2060
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-avc:  denied  { search } for  pid=354 comm="systemd-backlig"
-name="journal" dev="tmpfs" ino=1183
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc:  denied  { write } for  pid=354 comm="systemd-backlig" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/systemd.te | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f0b0e8b92..7b2d359b7 100644
--- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
- 
- kernel_read_kernel_sysctls(systemd_backlight_t)
- 
-+mls_file_write_to_clearance(systemd_backlight_t)
-+mls_file_read_to_clearance(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
-@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
- 
- term_use_unallocated_ttys(systemd_generator_t)
- 
-+mls_file_write_to_clearance(systemd_generator_t)
-+mls_file_read_to_clearance(systemd_generator_t)
-+
- ifdef(`distro_gentoo',`
-        corecmd_shell_entry_type(systemd_generator_t)
- ')
-@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
- 
- systemd_log_parse_environment(systemd_hostnamed_t)
- 
-+mls_file_read_to_clearance(systemd_hostnamed_t)
-+
- optional_policy(`
-        dbus_connect_system_bus(systemd_hostnamed_t)
-        dbus_system_bus_client(systemd_hostnamed_t)
-@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
- 
- systemd_log_parse_environment(systemd_modules_load_t)
- 
-+mls_file_read_to_clearance(systemd_modules_load_t)
-+
- ########################################
- #
- # networkd local policy
-@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
- 
- systemd_log_parse_environment(systemd_networkd_t)
- 
-+mls_file_read_to_clearance(systemd_networkd_t)
-+
- optional_policy(`
-        dbus_system_bus_client(systemd_networkd_t)
-        dbus_connect_system_bus(systemd_networkd_t)
-@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
- 
- systemd_log_parse_environment(systemd_rfkill_t)
- 
-+mls_file_write_to_clearance(systemd_rfkill_t)
-+mls_file_read_to_clearance(systemd_rfkill_t)
-+
- #########################################
- #
- # Resolved local policy
-@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
- 
- seutil_read_file_contexts(systemd_resolved_t)
- 
-+mls_file_read_to_clearance(systemd_resolved_t)
-+
- systemd_log_parse_environment(systemd_resolved_t)
- systemd_read_networkd_runtime(systemd_resolved_t)
- 
-- 
-2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch deleted file mode 100644 index cb8e821..0000000 --- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch +++ /dev/null
@@ -1,162 +0,0 @@
1	From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Thu, 18 Jun 2020 09:59:58 +0800
4	Subject: [PATCH] policy/modules/system/systemd: systemd-: make systemd__t
5	MLS trusted for writing/reading from files up to its clearance
6
7	Fixes:
8	avc: denied { search } for pid=219 comm="systemd-network"
9	name="journal" dev="tmpfs" ino=10956
10	scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
11	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
12	permissive=0
13
14	avc: denied { search } for pid=220 comm="systemd-resolve"
15	name="journal" dev="tmpfs" ino=10956
16	scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
17	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
18	permissive=0
19	avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
20	dev="tmpfs" ino=15102
21	scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
22	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
23
24	avc: denied { search } for pid=142 comm="systemd-modules"
25	name="journal" dev="tmpfs" ino=10990
26	scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
27	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
28	permissive=0
29
30	audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
31	pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
32	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
33	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
34	permissive=0
35
36	audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
37	pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
38	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
39	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
40	permissive=0
41
42	avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
43	dev="devtmpfs" ino=42
44	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
45	tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
46	tclass=blk_file permissive=0
47
48	avc: denied { search } for pid=302 comm="systemd-hostnam"
49	name="journal" dev="tmpfs" ino=14165
50	scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
51	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
52	permissive=0
53
54	avc: denied { search } for pid=302 comm="systemd-hostnam" name="/"
55	dev="tmpfs" ino=17310
56	scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
57	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
58
59	avc: denied { search } for pid=233 comm="systemd-rfkill"
60	name="journal" dev="tmpfs" ino=14165
61	scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
62	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
63	permissive=0
64
65	avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
66	dev="devtmpfs" ino=2060
67	scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
68	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
69	permissive=0
70
71	avc: denied { search } for pid=354 comm="systemd-backlig"
72	name="journal" dev="tmpfs" ino=1183
73	scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
74	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
75	permissive=0
76
77	avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
78	dev="devtmpfs" ino=3081
79	scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
80	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
81	permissive=0
82
83	Upstream-Status: Inappropriate [embedded specific]
84
85	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
86	---
87	policy/modules/system/systemd.te \| 17 +++++++++++++++++
88	1 file changed, 17 insertions(+)
89
90	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
91	index f0b0e8b92..7b2d359b7 100644
92	--- a/policy/modules/system/systemd.te
93	+++ b/policy/modules/system/systemd.te
94	@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
95
96	kernel_read_kernel_sysctls(systemd_backlight_t)
97
98	+mls_file_write_to_clearance(systemd_backlight_t)
99	+mls_file_read_to_clearance(systemd_backlight_t)
100	+
101	#######################################
102	#
103	# Binfmt local policy
104	@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
105
106	term_use_unallocated_ttys(systemd_generator_t)
107
108	+mls_file_write_to_clearance(systemd_generator_t)
109	+mls_file_read_to_clearance(systemd_generator_t)
110	+
111	ifdef(`distro_gentoo',`
112	corecmd_shell_entry_type(systemd_generator_t)
113	')
114	@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
115
116	systemd_log_parse_environment(systemd_hostnamed_t)
117
118	+mls_file_read_to_clearance(systemd_hostnamed_t)
119	+
120	optional_policy(`
121	dbus_connect_system_bus(systemd_hostnamed_t)
122	dbus_system_bus_client(systemd_hostnamed_t)
123	@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
124
125	systemd_log_parse_environment(systemd_modules_load_t)
126
127	+mls_file_read_to_clearance(systemd_modules_load_t)
128	+
129	########################################
130	#
131	# networkd local policy
132	@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
133
134	systemd_log_parse_environment(systemd_networkd_t)
135
136	+mls_file_read_to_clearance(systemd_networkd_t)
137	+
138	optional_policy(`
139	dbus_system_bus_client(systemd_networkd_t)
140	dbus_connect_system_bus(systemd_networkd_t)
141	@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
142
143	systemd_log_parse_environment(systemd_rfkill_t)
144
145	+mls_file_write_to_clearance(systemd_rfkill_t)
146	+mls_file_read_to_clearance(systemd_rfkill_t)
147	+
148	#########################################
149	#
150	# Resolved local policy
151	@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
152
153	seutil_read_file_contexts(systemd_resolved_t)
154
155	+mls_file_read_to_clearance(systemd_resolved_t)
156	+
157	systemd_log_parse_environment(systemd_resolved_t)
158	systemd_read_networkd_runtime(systemd_resolved_t)
159
160	--
161	2.17.1
162