Diffstat (limited to 'recipes-security/refpolicy/refpolicy')
82 files changed, 3627 insertions, 0 deletions
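--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,33 @@
+From 7dc492abc2918e770b36099cf079ca9be10598c8 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+config/file_contexts.subs_dist | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e3..aeb25a5bb 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,9 @@
+# not for refpolicy intern, but for /var/run using applications,
+# like systemd tmpfiles or systemd socket configurations
+/var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/tmp /var/tmp
+--
+2.17.1
+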
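--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
@@ -0,0 +1,67 @@
+From efe4d5472fde3d4f043f4e8660c6cc73c7fc1542 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 5 Apr 2019 11:53:28 -0400
+Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
+
+The init and locallogin modules have a depend for sysadm module
+because they have called sysadm interfaces(sysadm_shell_domtrans).
+Since sysadm is not a core module, we could make the
+sysadm_shell_domtrans calls optionally by optional_policy.
+
+So, we could make the minimum policy without sysadm module.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/init.te | 14 ++++++++------
+policy/modules/system/locallogin.te | 4 +++-
+2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index feed5af5f..6b6b723b8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -515,13 +515,15 @@ ifdef(`init_systemd',`
+unconfined_write_keys(init_t)
+')
+',`
+- tunable_policy(`init_upstart',`
+- corecmd_shell_domtrans(init_t, initrc_t)
++ optional_policy(`
++ tunable_policy(`init_upstart',`
++ corecmd_shell_domtrans(init_t, initrc_t)
+',`
+- # Run the shell in the sysadm role for single-user mode.
+- # causes problems with upstart
+- ifndef(`distro_debian',`
+- sysadm_shell_domtrans(init_t)
++ # Run the shell in the sysadm role for single-user mode.
++ # causes problems with upstart
++ ifndef(`distro_debian',`
++ sysadm_shell_domtrans(init_t)
++ ')
+')
+')
+')
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index f629b0040..971ca40e5 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -267,7 +267,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+userdom_search_user_home_dirs(sulogin_t)
+userdom_use_user_ptys(sulogin_t)
+
+-sysadm_shell_domtrans(sulogin_t)
++optional_policy(`
++ sysadm_shell_domtrans(sulogin_t)
++')
+
+# by default, sulogin does not use pam...
+# sulogin_pam might need to be defined otherwise
+--
+2.17.1
+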
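Review bot: The new `optional_policy(...)` block added to init.te (patch lines 34-46) also encloses the `init_upstart` branch, `corecmd_shell_domtrans(init_t, initrc_t)`, which has no sysadm dependency, so a build that lacks the sysadm module would lose the upstart shell transition together with `sysadm_shell_domtrans(init_t)`. Wrapping only the `ifndef(distro_debian)` branch, the way the locallogin.te hunk wraps the single `sysadm_shell_domtrans(sulogin_t)` call, would keep the two concerns separate. Whether `optional_policy` actually prunes the block when sysadm is absent depends on how the policy is built (modular vs. monolithic), which is not visible here. The enclosing `ifdef(init_systemd)` block starts outside the hunk.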
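--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch
@@ -0,0 +1,193 @@
+From 8613549f3aad37ce3bec8513057f0f893d4cc9bd Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 20 Apr 2020 11:50:03 +0800
+Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
+user
+
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login in and run most
+commands and services on unconfined domains.
+
+Also add rules for users to run init scripts directly, instead of via
+run_init.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+config/appconfig-mcs/failsafe_context | 2 +-
+config/appconfig-mcs/seusers | 4 +--
+policy/modules/roles/sysadm.te | 1 +
+policy/modules/system/init.if | 42 +++++++++++++++++++++++----
+policy/modules/system/unconfined.te | 7 +++++
+policy/users | 6 ++--
+6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
+index 999abd9a3..a50bde775 100644
+--- a/config/appconfig-mcs/failsafe_context
++++ b/config/appconfig-mcs/failsafe_context
+@@ -1 +1 @@
+-sysadm_r:sysadm_t:s0
++unconfined_r:unconfined_t:s0
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..c0903d98b 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++root:unconfined_u:s0-mcs_systemhigh
++__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index ac5239d83..310a4fad2 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
+
+init_exec(sysadm_t)
+init_admin(sysadm_t)
++init_script_role_transition(sysadm_r)
+
+selinux_read_policy(sysadm_t)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index ab24b5d9b..ed441ddef 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -1798,11 +1798,12 @@ interface(`init_script_file_entry_type',`
+#
+interface(`init_spec_domtrans_script',`
+gen_require(`
+- type initrc_t, initrc_exec_t;
++ type initrc_t;
++ attribute init_script_file_type;
+')
+
+files_list_etc($1)
+- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
++ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+
+ifdef(`distro_gentoo',`
+gen_require(`
+@@ -1813,11 +1814,11 @@ interface(`init_spec_domtrans_script',`
+')
+
+ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+')
+
+ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+')
+')
+
+@@ -1834,17 +1835,18 @@ interface(`init_spec_domtrans_script',`
+interface(`init_domtrans_script',`
+gen_require(`
+type initrc_t, initrc_exec_t;
++ attribute init_script_file_type;
+')
+
+files_list_etc($1)
+domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ifdef(`enable_mcs',`
+- range_transition $1 initrc_exec_t:process s0;
++ range_transition $1 init_script_file_type:process s0;
+')
+
+ifdef(`enable_mls',`
+- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+')
+')
+
+@@ -3599,3 +3601,31 @@ interface(`init_getrlimit',`
+
+allow $1 init_t:process getrlimit;
+')
++
++########################################
++## <summary>
++## Transition to system_r when execute an init script
++## </summary>
++## <desc>
++## <p>
++## Execute a init script in a specified role
++## </p>
++## <p>
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++## </p>
++## </desc>
++## <param name="source_role">
++## <summary>
++## Role to transition from.
++## </summary>
++## </param>
++#
++interface(`init_script_role_transition',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ role_transition $1 init_script_file_type system_r;
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 3d75855b6..5aa4c0b69 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
+type unconfined_execmem_exec_t alias ada_exec_t;
+init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r types unconfined_execmem_t;
++role unconfined_r types unconfined_t;
++role system_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++allow unconfined_r system_r;
+
+########################################
+#
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
+ifdef(`direct_sysadm_daemon',`
+optional_policy(`
+init_run_daemon(unconfined_t, unconfined_r)
++ init_domtrans_script(unconfined_t)
++ init_script_role_transition(unconfined_r)
+')
+',`
+ifdef(`distro_gentoo',`
+diff --git a/policy/users b/policy/users
+index ca203758c..e737cd9cc 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+# and a user process should never be assigned the system user
+# identity.
+#
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
+# not in the sysadm_r.
+#
+ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+')
+--
+2.17.1
+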
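Review bot: In `init_domtrans_script` (patch lines 91-109) both `range_transition` rules were widened from `initrc_exec_t` to the `init_script_file_type` attribute, but the `domtrans_pattern($1, initrc_exec_t, initrc_t)` call between them was not, so the new MCS/MLS range rules now cover script types for which this interface grants no matching domain transition; `init_spec_domtrans_script` directly above was widened consistently, so either widen the domtrans here as well or keep the range rules at `initrc_exec_t`. The added interface's documentation reads awkwardly; suggest `## Transition to system_r when executing an init script` for the summary and `## Execute an init script in a specified role` for the description. Note also that `__default__:unconfined_u:s0` in seusers (patch line 44) maps every Linux account without an explicit entry to the unconfined user, and `role system_r types unconfined_t` together with the mutual `allow system_r unconfined_r; allow unconfined_r system_r;` (patch lines 151-155) lets unconfined_t run in either role; that is the targeted model the commit message describes, but a one-line comment above those rules stating that they exist so unconfined_u can run daemons and init scripts directly would save the next reader from re-deriving it.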
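--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -0,0 +1,33 @@
+From 2a68b7539104bec76aaf2a18b399770f59d0cb28 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+config/file_contexts.subs_dist | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index aeb25a5bb..c249c5207 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -37,3 +37,9 @@
+# volatile hierarchy.
+/var/volatile/log /var/log
+/var/volatile/tmp /var/tmp
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
++/usr/lib/busybox/usr /usr
+--
+2.17.1
+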
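--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -0,0 +1,26 @@
+From 9f73ec53a4a5d5bb9b7fa453f3089c55f777c2ce Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
+alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/hostname.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb573..cf523bc4c 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,3 @@
+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.17.1
+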
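--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,31 @@
+From fda1e656c46b360f1023834636c460c5510acf68 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/corecommands.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index b473850d4..7e199b7b0 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -142,6 +142,7 @@ ifdef(`distro_gentoo',`
+/usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.17.1
+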
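--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
@@ -0,0 +1,29 @@
+From 90a9ef3adb997517f921a3524da99c966e3b00df Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/sysnetwork.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index fddf9f693..acf539656 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
+/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)
+/run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0)
+/run/netns/[^/]+ -- <<none>>
++/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+--
+2.17.1
+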
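Review bot: The new `/run/resolv\.conf.* --` entry (patch line 23) is restricted to regular files, so on an image where the resolver places a symlink at that path, or keeps the real file in a subdirectory of /run, nothing in this hunk labels it net_conf_t; if that layout is possible for this target, an additional `-l` entry or the daemon's actual output path would be needed. The subject says var/run/ while the entry uses /run, which relies on the /var/run to /run substitution in file_contexts.subs_dist; a sentence in the patch description naming that dependency would make the choice of path explicit.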
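--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -0,0 +1,28 @@
+From 3383027dfb8c672468a99805535eeadffbe7d332 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:43:53 -0400
+Subject: [PATCH] fc/login: apply login context to login.shadow
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/authlogin.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 7fd315706..fa86d6f92 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -5,6 +5,7 @@
+/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+/usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+--
+2.17.1
+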
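--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch
@@ -0,0 +1,32 @@
+From fcf91092015155c4a10a1d7c4dd352ead0b5698b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:58:53 -0400
+Subject: [PATCH] fc/bind: fix real path for bind
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/bind.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index 7c1df4895..9f87a21a6 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -1,8 +1,10 @@
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+--
+2.17.1
+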
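Review bot: `/etc/bind/rndc\.conf.*` (patch line 26) is labeled `named_conf_t` while the adjacent `/etc/bind/rndc\.key` keeps the more restrictive `dnssec_t`; an rndc.conf produced by rndc-confgen commonly embeds the control key secret inline rather than pulling it in from rndc.key, and if that is how this image ships the file, the secret becomes readable by every domain granted access to named_conf_t. Confirm which layout the target uses: if the key is embedded, `dnssec_t` is the safer label, otherwise the entry is consistent with the `named\.conf.*` line directly above it. The trailing `.*` also matches any suffix (rndc.conf.bak, for example), which is presumably intended since `named\.conf.*` does the same.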
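--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch
@@ -0,0 +1,25 @@
+From 2e5be9a910fc07a63efafc87a3c10bd81bd9c052 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/clock.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 301965892..139485835 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,4 @@
+/usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.17.1
+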
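--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,23 @@
+From 924ecc31c140dcd862d067849d4e11e111284165 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/dmesg.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf8..526b92ed2 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,2 @@
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.17.1
+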
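--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch
@@ -0,0 +1,28 @@
+From 261892950c5b2a40b7c3bb050ede148cbd1c7a84 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ssh.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 60060c35c..518043a9b 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+--
+2.17.1
+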
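--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
@@ -0,0 +1,39 @@
+From bb8832629e85af2a16800f5cfec97ca0bf8319e6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Tue, 9 Jun 2015 21:22:52 +0530
+Subject: [PATCH] fc/sysnetwork: apply policy to ip alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/sysnetwork.fc | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index acf539656..d8902d725 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -59,13 +59,16 @@ ifdef(`distro_redhat',`
+/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+--
+2.17.1
+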
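--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,29 @@
+From 02a3c7a06f760d3cae909d2c271d1e4fde07c09b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/udev.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 0ae7571cd..ceb5b70b3 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
+/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
++
+ifdef(`distro_redhat',`
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
+--
+2.17.1
+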
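--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,27 @@
+From 117884178c9ba63334f732da6f30e67e22aa898e Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/rpm.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index 6194a4833..ace922ac1 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
+
+ifdef(`enable_mls',`
+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+')
+--
+2.17.1
+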
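Review bot: Labeling the general-purpose `/usr/bin/cpio` (and its `\.cpio` alternative) as `rpm_exec_t` extends the package manager's entry-point type to an archive tool that domains unrelated to rpm also execute; under `enable_mls` every such caller now needs execute access on `rpm_exec_t`, and any caller that has an rpm domain transition will run cpio in rpm's domain. This mirrors the existing `/usr/sbin/cpio` entry, so it may well be intended, but the description only restates the labeling without saying why the /usr/bin copy needs it. A one-line comment above the two new entries, `# this distro installs cpio in /usr/bin; keep in sync with the /usr/sbin entry above`, would record the rationale for the next reader.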
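--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch
@@ -0,0 +1,27 @@
+From 522d08c0dac1cfe9e33f06bc1252b7b672d9ffd3 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fc/su: apply policy to su alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/su.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c9692..a9868cd58 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,3 +1,5 @@
+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+2.17.1
+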
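--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From c4b0ffd60873ecca2cf0b1aa898185f5f3928828 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH] fc/fstools: fix real path for fstools
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/fstools.fc | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index d871294e8..bef711850 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -59,7 +59,9 @@
+/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -73,10 +75,12 @@
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -84,24 +88,30 @@
+/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+--
+2.17.1
+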
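Review bot: `/usr/sbin/raw` is added as a plain new entry in the third hunk, but unlike every other added line it is not a `\.<package>` update-alternatives path, and the description ("fix real path for fstools") does not mention it. If the addition is deliberate, a short comment keeps the next reader from treating it as a stray line, e.g. `# raw(8) is not an alternatives target; labeled alongside the other block-device tools`; otherwise it belongs in a patch of its own with its own rationale.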
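--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,55 @@
+From 95a843719394827621e3b33c13f2696f7e498e5b Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/shutdown.fc | 1 +
+policy/modules/kernel/corecommands.fc | 2 ++
+policy/modules/system/init.fc | 1 +
+3 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index bf51c103f..91ed72be0 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 7e199b7b0..157eeb0d0 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
+/usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index fee6ff3b6..fe72df22a 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--
+2.17.1
+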
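--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -0,0 +1,24 @@
+From 0b05d71fea73c9fc0dc8aac6e7d096b0214db5eb Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:19:54 +0800
+Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/brctl.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
+index ed472f095..2a852b0fd 100644
+--- a/policy/modules/admin/brctl.fc
++++ b/policy/modules/admin/brctl.fc
+@@ -1,3 +1,4 @@
+/usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
+--
+2.17.1
+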
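--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -0,0 +1,28 @@
+From 5f759c3d89b52e62607266c4e684d66953803d4d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:21:51 +0800
+Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/corecommands.fc | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 157eeb0d0..515948ea9 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -303,6 +303,8 @@ ifdef(`distro_debian',`
+/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.17.1
+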
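--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -0,0 +1,25 @@
+From 84f715b8d128bcbfdc95adf18d6bc8eb225f05cd Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:43:28 +0800
+Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/locallogin.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index fc8d58507..59e6e9601 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -2,4 +2,5 @@
+/usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+
+/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+--
+2.17.1
+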
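--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -0,0 +1,27 @@
+From b30d9ad872f613d2b1c3aad45eac65593de37b9b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:45:23 +0800
+Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ntp.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index cd69ea5d5..49ffe6f68 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -25,6 +25,7 @@
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+--
+2.17.1
+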
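--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -0,0 +1,50 @@
+From 632dcd7a700049a955082bd24af742c2780dcc38 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:55:05 +0800
+Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/kerberos.fc | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
+index df21fcc78..ce0166edd 100644
+--- a/policy/modules/services/kerberos.fc
++++ b/policy/modules/services/kerberos.fc
+@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+/usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++
+/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+--
+2.17.1
+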
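Review bot: `/usr/sbin/kadmin\.local` is given `kadmind_exec_t`, the same entry-point type as the `kadmind` daemon on the line above it, yet kadmin.local is an interactive administration command rather than a service: a caller that holds the kadmind domain transition will run an interactive tool in the daemon's domain, and any other caller needs execute permission on `kadmind_exec_t` to run it at all. Whether that sharing is intended cannot be told from the hunk; if it is, say so above the entry, e.g. `# kadmin.local is not a daemon; it shares kadmind_exec_t deliberately so it can operate on the KDC database`, otherwise a dedicated type would keep the daemon and the admin tool apart. The new `/var/krb5kdc` block mirrors the existing `/var/kerberos/krb5kdc` entries, including the restrictive `krb5_keytab_t` on `kadm5\.keytab`, which is the appropriate type for that file.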
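--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch
@@ -0,0 +1,40 @@
+From a580b0154da9dd07369b172ed459046197e388c7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:06:13 +0800
+Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ldap.fc | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
+index 0a1d08d0f..65b202962 100644
+--- a/policy/modules/services/ldap.fc
++++ b/policy/modules/services/ldap.fc
+@@ -1,8 +1,10 @@
+/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
+/usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+
+@@ -25,6 +27,9 @@
+/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+
++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++
+/run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+--
+2.17.1
+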
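--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch
@@ -0,0 +1,37 @@
+From 926401518bca5a1e63b7f2c2cbae4a3bc42bf342 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:13:16 +0800
+Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/postgresql.fc | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index f31a52cf8..f9bf46870 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -27,6 +27,17 @@
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
+
++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
++
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+')
+--
+2.17.1
+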
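Review bot: All eight `/usr/bin/pg_*` utilities receive `postgresql_exec_t`, the server's entry-point type, although the upstream context lines apply it only to `postgres` and `postmaster` under `/usr/lib/postgresql`; read-only diagnostics such as `pg_controldata` and `pg_xlogdump` and one-shot tools such as `pg_archivecleanup` would then run in the server domain wherever a transition exists, or fail to execute from domains that lack it. Consider restricting the label to the binaries that actually start or operate the server and letting the rest keep the default `bin_t`, or record why the whole set is needed, e.g. `# this distro installs the server-side pg tools directly in /usr/bin; label them like the lib/postgresql copies`. The subject says "alternatives", but none of these entries are `\.<package>` update-alternatives paths, so the description should say what the hunk actually does.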
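--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -0,0 +1,25 @@
+From f3f6f0cb4857954afd8a025a1cd3f14b8a11b64d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:15:33 +0800
+Subject: [PATCH] fc/screen: apply policy to screen alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/apps/screen.fc | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
+index 7196c598e..cada9944e 100644
+--- a/policy/modules/apps/screen.fc
++++ b/policy/modules/apps/screen.fc
+@@ -6,4 +6,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+--
+2.17.1
+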
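Review bot: `/usr/bin/screen-.*` matches every regular file in /usr/bin whose name starts with `screen-`, not only the versioned `screen-<version>` binary that the alternatives link presumably points at; any helper script or wrapper installed with that prefix would also become `screen_exec_t` and gain screen's entry-point treatment. Unlike the other patches in this series, which name the exact `\.<package>` alternative, this one uses an open-ended wildcard. A tighter pattern such as `/usr/bin/screen-[0-9.]+ -- gen_context(system_u:object_r:screen_exec_t,s0)` covers the versioned binary only.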
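--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -0,0 +1,45 @@
+From 0656c4b988cb700f322fb03e6639fe0b64e08d63 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:25:34 +0800
+Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/usermanage.fc | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index 620eefc6f..6a051f8a5 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -4,7 +4,9 @@ ifdef(`distro_debian',`
+
+/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+@@ -14,6 +16,7 @@ ifdef(`distro_debian',`
+/usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+@@ -39,6 +42,7 @@ ifdef(`distro_debian',`
+/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
+
+--
+2.17.1
+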
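Review bot: The shadow alternatives added here cover `chfn`, `chsh`, `passwd` and `vipw` but not `vigr`, which the context line directly above `vipw` shows carries the same `admin_passwd_exec_t`; if the shadow package also registers `vigr` through update-alternatives, its real binary stays unlabeled and the `admin_passwd_exec_t` entry point is lost for that path while `vipw` keeps it. Verify against the shadow recipe's alternatives list and, if it is registered, add `/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)` next to the `vipw\.shadow` line so the two tools keep matching labels.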
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch new file mode 100644 index 0000000..5f45438 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | From cc8da498e20518cc9e8f59d1a4570e073f19e88b Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Fri, 15 Nov 2019 16:07:30 +0800 | ||
4 | Subject: [PATCH] fc/getty: add file context to start_getty | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/system/getty.fc | 1 + | ||
11 | 1 file changed, 1 insertion(+) | ||
12 | |||
13 | diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc | ||
14 | index 116ea6421..53ff6137b 100644 | ||
15 | --- a/policy/modules/system/getty.fc | ||
16 | +++ b/policy/modules/system/getty.fc | ||
17 | @@ -4,6 +4,7 @@ | ||
18 | /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) | ||
19 | |||
20 | /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) | ||
21 | +/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) | ||
22 | |||
23 | /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) | ||
24 | |||
25 | -- | ||
26 | 2.17.1 | ||
27 | |||
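Review bot: The new `/usr/bin/start_getty -- ... bin_t` entry silently overrides the `/usr/bin/.*getty` wildcard directly above it, which would otherwise have labelled start_getty getty_exec_t, and neither the commit message nor the file says why the wrapper should stay bin_t. With bin_t, whatever the script does before it execs the real getty runs in the caller's domain (presumably init's) rather than getty_t, and a later reader is likely to "fix" the label back. Record the rationale in place, e.g. `# start_getty is a wrapper script, not a getty binary; keep it bin_t so the getty_t transition happens when it execs the real getty`, and confirm that the caller's domain actually has an automatic transition on getty_exec_t when the wrapper execs it.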
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch b/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch new file mode 100644 index 0000000..e54777c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 1d6f9b62082188992bfb681632dff15d5ad608c9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 19 Nov 2019 14:33:28 +0800 | ||
4 | Subject: [PATCH] fc/init: add file context to /etc/network/if-* files | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/system/init.fc | 3 ++- | ||
11 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc | ||
14 | index fe72df22a..a9d8f343a 100644 | ||
15 | --- a/policy/modules/system/init.fc | ||
16 | +++ b/policy/modules/system/init.fc | ||
17 | @@ -70,11 +70,12 @@ ifdef(`distro_redhat',` | ||
18 | ifdef(`distro_debian',` | ||
19 | /run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0) | ||
20 | /run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0) | ||
21 | +') | ||
22 | + | ||
23 | /etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
24 | /etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
25 | /etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
26 | /etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) | ||
27 | -') | ||
28 | |||
29 | ifdef(`distro_gentoo', ` | ||
30 | /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) | ||
31 | -- | ||
32 | 2.17.1 | ||
33 | |||
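Review bot: Moving the `/etc/network/if-*.d` entries out of `ifdef(`distro_debian')` labels ifupdown hook scripts initrc_exec_t on every distro build, but nothing in the patch records why oe-core needs this unconditionally, and the relocated `')` now closes the Debian block right after the kdm entry, which is easy to misread in the resulting file. Any domain holding an initrc domain transition will run these hooks as initrc_t, a broadly privileged domain, so the label choice deserves one sentence of justification next to the entries. Suggested comment above the first `if-pre-up\.d` line: `# ifupdown hooks are shipped by oe-core regardless of the distro macro; they run as initrc_t like other init scripts`, adjusted to what oe-core actually installs.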
diff --git a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch new file mode 100644 index 0000000..8017392 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch | |||
@@ -0,0 +1,25 @@ | |||
1 | From 8d8858bd8569db106f0feb44a0912daa872954ec Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 18 Dec 2019 15:04:41 +0800 | ||
4 | Subject: [PATCH] fc/vlock: apply policy to vlock alternatives | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/apps/vlock.fc | 1 + | ||
11 | 1 file changed, 1 insertion(+) | ||
12 | |||
13 | diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc | ||
14 | index f668cde9c..c4bc50984 100644 | ||
15 | --- a/policy/modules/apps/vlock.fc | ||
16 | +++ b/policy/modules/apps/vlock.fc | ||
17 | @@ -1,4 +1,5 @@ | ||
18 | /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) | ||
19 | +/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0) | ||
20 | /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) | ||
21 | |||
22 | /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) | ||
23 | -- | ||
24 | 2.17.1 | ||
25 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch b/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch new file mode 100644 index 0000000..294f999 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch | |||
@@ -0,0 +1,25 @@ | |||
1 | From 25701662f7149743556bb2d5edb5c69e6de2744f Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 30 Jun 2020 10:45:57 +0800 | ||
4 | Subject: [PATCH] fc/cron: apply policy to /etc/init.d/crond | ||
5 | |||
6 | Upstream-Status: Inappropriate [embedded specific] | ||
7 | |||
8 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
9 | --- | ||
10 | policy/modules/services/cron.fc | 1 + | ||
11 | 1 file changed, 1 insertion(+) | ||
12 | |||
13 | diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc | ||
14 | index 827363d88..e8412396d 100644 | ||
15 | --- a/policy/modules/services/cron.fc | ||
16 | +++ b/policy/modules/services/cron.fc | ||
17 | @@ -1,4 +1,5 @@ | ||
18 | /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) | ||
19 | +/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) | ||
20 | |||
21 | /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) | ||
22 | /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) | ||
23 | -- | ||
24 | 2.17.1 | ||
25 | |||
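Review bot: The added pattern matches `/etc/rc\.d/init\.d/crond` while the subject names `/etc/init.d/crond`; the label reaches that path only if file_contexts.subs_dist aliases `/etc/init.d` to `/etc/rc.d/init.d`, which this patch neither shows nor mentions. Rather than a second line, fold the name into the existing alternation, `/etc/rc\.d/init\.d/(anacron|atd|crond) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)`, and state the subs dependency in the commit message so the label is not lost if that alias ever changes.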
diff --git a/recipes-security/refpolicy/refpolicy/0030-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0030-file_contexts.subs_dist-set-aliase-for-root-director.patch new file mode 100644 index 0000000..8331955 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0030-file_contexts.subs_dist-set-aliase-for-root-director.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 9260b04d257cdddf42d0267456d3ba2b38dc22d4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Sun, 5 Apr 2020 22:03:45 +0800 | ||
4 | Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory | ||
5 | |||
6 | The genhomedircon.py will expand /root directory to /home/root. | ||
7 | Add an aliase for it | ||
8 | |||
9 | Upstream-Status: Inappropriate [embedded specific] | ||
10 | |||
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
12 | --- | ||
13 | config/file_contexts.subs_dist | 4 ++++ | ||
14 | 1 file changed, 4 insertions(+) | ||
15 | |||
16 | diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist | ||
17 | index c249c5207..67f476868 100644 | ||
18 | --- a/config/file_contexts.subs_dist | ||
19 | +++ b/config/file_contexts.subs_dist | ||
20 | @@ -43,3 +43,7 @@ | ||
21 | /usr/lib/busybox/bin /usr/bin | ||
22 | /usr/lib/busybox/sbin /usr/sbin | ||
23 | /usr/lib/busybox/usr /usr | ||
24 | + | ||
25 | +# The genhomedircon.py will expand /root home directory to /home/root | ||
26 | +# Add an aliase for it | ||
27 | +/root /home/root | ||
28 | -- | ||
29 | 2.17.1 | ||
30 | |||
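Review bot: The `/root /home/root` subs entry rewrites every `/root/...` lookup to `/home/root/...` before file-context matching, so any `/root` entries in the policy's own .fc files (if present) are shadowed by the genhomedircon-expanded HOME_DIR entries, and the result is only correct when root's home really is `/home/root` in the image's /etc/passwd, which the commit asserts but the patch cannot enforce. That is fine for oe-core's default layout, but the comment should state both the assumption and the direction of the substitution; suggested wording: `# genhomedircon expands root's HOME_DIR to /home/root (oe-core default); map /root onto it so both paths receive the same home-directory labels`. "aliase" in the subject and comment should read "alias".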
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch new file mode 100644 index 0000000..b05f037 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From e4bdbb101fd2af2d4fd8b87794443097b58d20ff Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of | ||
5 | /var/log | ||
6 | |||
7 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
8 | lnk_file while doing search/list/delete/rw... in /var/log/ directory. | ||
9 | |||
10 | Upstream-Status: Inappropriate [embedded specific] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | policy/modules/system/logging.fc | 1 + | ||
17 | policy/modules/system/logging.if | 9 +++++++++ | ||
18 | policy/modules/system/logging.te | 2 ++ | ||
19 | 3 files changed, 12 insertions(+) | ||
20 | |||
21 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
22 | index 5681acb51..a4ecd570a 100644 | ||
23 | --- a/policy/modules/system/logging.fc | ||
24 | +++ b/policy/modules/system/logging.fc | ||
25 | @@ -52,6 +52,7 @@ ifdef(`distro_suse', ` | ||
26 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
27 | |||
28 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
29 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0) | ||
30 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
31 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) | ||
32 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) | ||
33 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
34 | index e5f4080ac..e3cbe4f1a 100644 | ||
35 | --- a/policy/modules/system/logging.if | ||
36 | +++ b/policy/modules/system/logging.if | ||
37 | @@ -1066,10 +1066,12 @@ interface(`logging_append_all_inherited_logs',` | ||
38 | interface(`logging_read_all_logs',` | ||
39 | gen_require(` | ||
40 | attribute logfile; | ||
41 | + type var_log_t; | ||
42 | ') | ||
43 | |||
44 | files_search_var($1) | ||
45 | allow $1 logfile:dir list_dir_perms; | ||
46 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
47 | read_files_pattern($1, logfile, logfile) | ||
48 | ') | ||
49 | |||
50 | @@ -1088,10 +1090,12 @@ interface(`logging_read_all_logs',` | ||
51 | interface(`logging_exec_all_logs',` | ||
52 | gen_require(` | ||
53 | attribute logfile; | ||
54 | + type var_log_t; | ||
55 | ') | ||
56 | |||
57 | files_search_var($1) | ||
58 | allow $1 logfile:dir list_dir_perms; | ||
59 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
60 | can_exec($1, logfile) | ||
61 | ') | ||
62 | |||
63 | @@ -1153,6 +1157,7 @@ interface(`logging_manage_generic_log_dirs',` | ||
64 | |||
65 | files_search_var($1) | ||
66 | allow $1 var_log_t:dir manage_dir_perms; | ||
67 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
68 | ') | ||
69 | |||
70 | ######################################## | ||
71 | @@ -1173,6 +1178,7 @@ interface(`logging_relabel_generic_log_dirs',` | ||
72 | |||
73 | files_search_var($1) | ||
74 | allow $1 var_log_t:dir { relabelfrom relabelto }; | ||
75 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
76 | ') | ||
77 | |||
78 | ######################################## | ||
79 | @@ -1193,6 +1199,7 @@ interface(`logging_read_generic_logs',` | ||
80 | |||
81 | files_search_var($1) | ||
82 | allow $1 var_log_t:dir list_dir_perms; | ||
83 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
84 | read_files_pattern($1, var_log_t, var_log_t) | ||
85 | ') | ||
86 | |||
87 | @@ -1294,6 +1301,7 @@ interface(`logging_manage_generic_logs',` | ||
88 | |||
89 | files_search_var($1) | ||
90 | manage_files_pattern($1, var_log_t, var_log_t) | ||
91 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
92 | ') | ||
93 | |||
94 | ######################################## | ||
95 | @@ -1312,6 +1320,7 @@ interface(`logging_watch_generic_logs_dir',` | ||
96 | ') | ||
97 | |||
98 | allow $1 var_log_t:dir watch; | ||
99 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
100 | ') | ||
101 | |||
102 | ######################################## | ||
103 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
104 | index 3702d441a..513d811ef 100644 | ||
105 | --- a/policy/modules/system/logging.te | ||
106 | +++ b/policy/modules/system/logging.te | ||
107 | @@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
108 | allow auditd_t auditd_log_t:dir setattr; | ||
109 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
110 | allow auditd_t var_log_t:dir search_dir_perms; | ||
111 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
112 | |||
113 | manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) | ||
114 | manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) | ||
115 | @@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; | ||
116 | allow audisp_remote_t self:process { getcap setcap }; | ||
117 | allow audisp_remote_t self:tcp_socket create_socket_perms; | ||
118 | allow audisp_remote_t var_log_t:dir search_dir_perms; | ||
119 | +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; | ||
120 | |||
121 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
122 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
123 | -- | ||
124 | 2.17.1 | ||
125 | |||
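Review bot: The `var_log_t:lnk_file read_lnk_file_perms` rules are added to the read/exec/manage/relabel/watch interfaces, but a domain that only traverses /var/log through `logging_search_logs` or `logging_log_filetrans` and then uses its own private log type is not touched by this hunk, and once `/var/log` itself is a var_log_t symlink (the new `-l` entry in logging.fc) such a domain is denied at the path walk unless those interfaces already grant the lnk_file read upstream — worth checking before merging. Note also that `/var/log/.*` carries no type restriction, so every symlink created inside /var/log inherits var_log_t and becomes readable to all these callers, not only the top-level link; following one is still governed by the target's label, so this relaxes link reading only. A comment beside the new fc entry should say as much, e.g. `# /var/log is a symlink into /var/volatile on oe-core; label the link itself so path walks through it succeed`.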
diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-syslogd-.patch new file mode 100644 index 0000000..c81bee7 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-syslogd-.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From aaa818cd6d0b1d7a3ad99f911c6c21d5b30b9f49 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joe MacDonald <joe_macdonald@mentor.com> | ||
3 | Date: Fri, 29 Mar 2019 10:33:18 -0400 | ||
4 | Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink | ||
5 | of /var/log | ||
6 | |||
7 | We have added rules for the symlink of /var/log in logging.if, while | ||
8 | syslogd_t uses /var/log but does not use the interfaces in logging.if. So | ||
9 | still need add a individual rule for syslogd_t. | ||
10 | |||
11 | Upstream-Status: Inappropriate [embedded specific] | ||
12 | |||
13 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
14 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
16 | --- | ||
17 | policy/modules/system/logging.te | 1 + | ||
18 | 1 file changed, 1 insertion(+) | ||
19 | |||
20 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
21 | index 513d811ef..2d9f65d2d 100644 | ||
22 | --- a/policy/modules/system/logging.te | ||
23 | +++ b/policy/modules/system/logging.te | ||
24 | @@ -414,6 +414,7 @@ files_search_spool(syslogd_t) | ||
25 | |||
26 | # Allow access for syslog-ng | ||
27 | allow syslogd_t var_log_t:dir { create setattr }; | ||
28 | +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; | ||
29 | |||
30 | # for systemd but can not be conditional | ||
31 | files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") | ||
32 | -- | ||
33 | 2.17.1 | ||
34 | |||
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch new file mode 100644 index 0000000..90995dc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 0385f2374297ab2b8799fe1ec28d12e1682ec074 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/logging: add domain rules for the | ||
5 | subdir symlinks in /var/ | ||
6 | |||
7 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in | ||
8 | /var for poky, so we need allow rules for all domains to read these | ||
9 | symlinks. Domains still need their practical allow rules to read the | ||
10 | contents, so this is still a secure relax. | ||
11 | |||
12 | Upstream-Status: Inappropriate [embedded specific] | ||
13 | |||
14 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
15 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
17 | --- | ||
18 | policy/modules/kernel/domain.te | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te | ||
22 | index 4e43a208d..7e5d2b458 100644 | ||
23 | --- a/policy/modules/kernel/domain.te | ||
24 | +++ b/policy/modules/kernel/domain.te | ||
25 | @@ -110,6 +110,9 @@ term_use_controlling_term(domain) | ||
26 | # list the root directory | ||
27 | files_list_root(domain) | ||
28 | |||
29 | +# Yocto/oe-core use some var volatile links | ||
30 | +files_read_var_symlinks(domain) | ||
31 | + | ||
32 | ifdef(`hide_broken_symptoms',` | ||
33 | # This check is in the general socket | ||
34 | # listen code, before protocol-specific | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
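Review bot: `files_read_var_symlinks(domain)` grants the read to every domain in the policy, and if the interface is the usual `read_lnk_files_pattern($1, var_t, var_t)` it also gives all domains `var_t:dir search`, which is wider than the commit message's "read these symlinks" and should be stated. Reading link text is low risk because the target's label still governs access, but the `/var/log` and `/tmp` links are labelled var_log_t and tmp_t by the neighbouring patches rather than var_t, so this rule does not cover them. Replace the one-line comment with one that records both facts, e.g. `# oe-core replaces several /var subdirectories with symlinks into /var/volatile; every domain needs to read those var_t links to path-walk through them (/var/log and /tmp carry their own types and are handled in logging.if/files.if)`.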
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch new file mode 100644 index 0000000..33dc366 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From 3ff1a004b77f44857dadfef3b78a49a55d90c665 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of | ||
5 | /tmp | ||
6 | |||
7 | /tmp is a symlink in poky, so we need allow rules for files to read | ||
8 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | ||
9 | |||
10 | Upstream-Status: Inappropriate [embedded specific] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | policy/modules/kernel/files.fc | 1 + | ||
17 | policy/modules/kernel/files.if | 8 ++++++++ | ||
18 | 2 files changed, 9 insertions(+) | ||
19 | |||
20 | diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc | ||
21 | index a3993f5cc..f69900945 100644 | ||
22 | --- a/policy/modules/kernel/files.fc | ||
23 | +++ b/policy/modules/kernel/files.fc | ||
24 | @@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> | ||
25 | # /tmp | ||
26 | # | ||
27 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | ||
28 | +/tmp -l gen_context(system_u:object_r:tmp_t,s0) | ||
29 | /tmp/.* <<none>> | ||
30 | /tmp/\.journal <<none>> | ||
31 | |||
32 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | ||
33 | index 6a53f886b..ad19738b3 100644 | ||
34 | --- a/policy/modules/kernel/files.if | ||
35 | +++ b/policy/modules/kernel/files.if | ||
36 | @@ -4451,6 +4451,7 @@ interface(`files_search_tmp',` | ||
37 | ') | ||
38 | |||
39 | allow $1 tmp_t:dir search_dir_perms; | ||
40 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
41 | ') | ||
42 | |||
43 | ######################################## | ||
44 | @@ -4487,6 +4488,7 @@ interface(`files_list_tmp',` | ||
45 | ') | ||
46 | |||
47 | allow $1 tmp_t:dir list_dir_perms; | ||
48 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
49 | ') | ||
50 | |||
51 | ######################################## | ||
52 | @@ -4523,6 +4525,7 @@ interface(`files_delete_tmp_dir_entry',` | ||
53 | ') | ||
54 | |||
55 | allow $1 tmp_t:dir del_entry_dir_perms; | ||
56 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
57 | ') | ||
58 | |||
59 | ######################################## | ||
60 | @@ -4541,6 +4544,7 @@ interface(`files_read_generic_tmp_files',` | ||
61 | ') | ||
62 | |||
63 | read_files_pattern($1, tmp_t, tmp_t) | ||
64 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
65 | ') | ||
66 | |||
67 | ######################################## | ||
68 | @@ -4559,6 +4563,7 @@ interface(`files_manage_generic_tmp_dirs',` | ||
69 | ') | ||
70 | |||
71 | manage_dirs_pattern($1, tmp_t, tmp_t) | ||
72 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
73 | ') | ||
74 | |||
75 | ######################################## | ||
76 | @@ -4577,6 +4582,7 @@ interface(`files_manage_generic_tmp_files',` | ||
77 | ') | ||
78 | |||
79 | manage_files_pattern($1, tmp_t, tmp_t) | ||
80 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
81 | ') | ||
82 | |||
83 | ######################################## | ||
84 | @@ -4613,6 +4619,7 @@ interface(`files_rw_generic_tmp_sockets',` | ||
85 | ') | ||
86 | |||
87 | rw_sock_files_pattern($1, tmp_t, tmp_t) | ||
88 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
89 | ') | ||
90 | |||
91 | ######################################## | ||
92 | @@ -4820,6 +4827,7 @@ interface(`files_tmp_filetrans',` | ||
93 | ') | ||
94 | |||
95 | filetrans_pattern($1, tmp_t, $2, $3, $4) | ||
96 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
97 | ') | ||
98 | |||
99 | ######################################## | ||
100 | -- | ||
101 | 2.17.1 | ||
102 | |||
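Review bot: The `tmp_t:lnk_file read_lnk_file_perms` rule is copied into eight separate interfaces, which invites the same omission this hunk already shows for other entry points (a domain that only calls `files_dontaudit_search_tmp`, for instance, gets nothing); a single symlink-read interface called from `files_search_tmp`, or upstream's equivalent if one exists, would keep the grant in one place. Because `/tmp/.*` is `<<none>>`, symlinks that processes create in the world-writable /tmp presumably default to tmp_t and become readable to all these callers, not only the top-level link — acceptable since target labels still apply, but the new `-l` entry should say so: `# /tmp is a symlink to /var/volatile/tmp on oe-core; label the link so path walks through it succeed`.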
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-kernel-terminal-add-rules-for-bsdpty_.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-kernel-terminal-add-rules-for-bsdpty_.patch new file mode 100644 index 0000000..c6fb34f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-kernel-terminal-add-rules-for-bsdpty_.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | From cc8505dc9613a98ee8215854ece31a4aca103e8d Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] policy/modules/kernel/terminal: add rules for bsdpty_device_t | ||
5 | to complete pty devices | ||
6 | |||
7 | Upstream-Status: Inappropriate [embedded specific] | ||
8 | |||
9 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
10 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
11 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
12 | --- | ||
13 | policy/modules/kernel/terminal.if | 16 ++++++++++++++++ | ||
14 | 1 file changed, 16 insertions(+) | ||
15 | |||
16 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
17 | index 4bd4884f8..f70e51525 100644 | ||
18 | --- a/policy/modules/kernel/terminal.if | ||
19 | +++ b/policy/modules/kernel/terminal.if | ||
20 | @@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` | ||
21 | interface(`term_dontaudit_getattr_generic_ptys',` | ||
22 | gen_require(` | ||
23 | type devpts_t; | ||
24 | + type bsdpty_device_t; | ||
25 | ') | ||
26 | |||
27 | dontaudit $1 devpts_t:chr_file getattr; | ||
28 | + dontaudit $1 bsdpty_device_t:chr_file getattr; | ||
29 | ') | ||
30 | ######################################## | ||
31 | ## <summary> | ||
32 | @@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` | ||
33 | interface(`term_ioctl_generic_ptys',` | ||
34 | gen_require(` | ||
35 | type devpts_t; | ||
36 | + type bsdpty_device_t; | ||
37 | ') | ||
38 | |||
39 | dev_list_all_dev_nodes($1) | ||
40 | allow $1 devpts_t:dir search; | ||
41 | allow $1 devpts_t:chr_file ioctl; | ||
42 | + allow $1 bsdpty_device_t:chr_file ioctl; | ||
43 | ') | ||
44 | |||
45 | ######################################## | ||
46 | @@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` | ||
47 | interface(`term_setattr_generic_ptys',` | ||
48 | gen_require(` | ||
49 | type devpts_t; | ||
50 | + type bsdpty_device_t; | ||
51 | ') | ||
52 | |||
53 | allow $1 devpts_t:chr_file setattr; | ||
54 | + allow $1 bsdpty_device_t:chr_file setattr; | ||
55 | ') | ||
56 | |||
57 | ######################################## | ||
58 | @@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` | ||
59 | interface(`term_dontaudit_setattr_generic_ptys',` | ||
60 | gen_require(` | ||
61 | type devpts_t; | ||
62 | + type bsdpty_device_t; | ||
63 | ') | ||
64 | |||
65 | dontaudit $1 devpts_t:chr_file setattr; | ||
66 | + dontaudit $1 bsdpty_device_t:chr_file setattr; | ||
67 | ') | ||
68 | |||
69 | ######################################## | ||
70 | @@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` | ||
71 | interface(`term_use_generic_ptys',` | ||
72 | gen_require(` | ||
73 | type devpts_t; | ||
74 | + type bsdpty_device_t; | ||
75 | ') | ||
76 | |||
77 | dev_list_all_dev_nodes($1) | ||
78 | allow $1 devpts_t:dir list_dir_perms; | ||
79 | allow $1 devpts_t:chr_file { rw_term_perms lock append }; | ||
80 | + allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; | ||
81 | ') | ||
82 | |||
83 | ######################################## | ||
84 | @@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` | ||
85 | interface(`term_dontaudit_use_generic_ptys',` | ||
86 | gen_require(` | ||
87 | type devpts_t; | ||
88 | + type bsdpty_device_t; | ||
89 | ') | ||
90 | |||
91 | dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; | ||
92 | + dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; | ||
93 | ') | ||
94 | |||
95 | ####################################### | ||
96 | @@ -764,10 +776,12 @@ interface(`term_create_controlling_term',` | ||
97 | interface(`term_setattr_controlling_term',` | ||
98 | gen_require(` | ||
99 | type devtty_t; | ||
100 | + type bsdpty_device_t; | ||
101 | ') | ||
102 | |||
103 | dev_list_all_dev_nodes($1) | ||
104 | allow $1 devtty_t:chr_file setattr; | ||
105 | + allow $1 bsdpty_device_t:chr_file setattr; | ||
106 | ') | ||
107 | |||
108 | ######################################## | ||
109 | @@ -784,10 +798,12 @@ interface(`term_setattr_controlling_term',` | ||
110 | interface(`term_use_controlling_term',` | ||
111 | gen_require(` | ||
112 | type devtty_t; | ||
113 | + type bsdpty_device_t; | ||
114 | ') | ||
115 | |||
116 | dev_list_all_dev_nodes($1) | ||
117 | allow $1 devtty_t:chr_file { rw_term_perms lock append }; | ||
118 | + allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; | ||
119 | ') | ||
120 | |||
121 | ####################################### | ||
122 | -- | ||
123 | 2.17.1 | ||
124 | |||
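Review bot: Adding bsdpty_device_t to `term_use_controlling_term` and `term_setattr_controlling_term` is a real weakening, because domain.te calls `term_use_controlling_term(domain)` (visible in the context of the 0033 patch), so after this change every domain in the policy may read, write and setattr every legacy BSD pty node. devtty_t is safe to hand out that broadly only because /dev/tty resolves to the caller's own controlling terminal, whereas the /dev/[pt]ty* nodes are a static shared pool under one label, so this lets any confined process read keystrokes from or inject input into another session's BSD pty. Drop the two bsdpty lines from the controlling-term interfaces and, if some component genuinely needs legacy ptys, grant them through a dedicated interface to that domain alone (or build the kernel without legacy ptys and drop the patch); the commit message should also name which oe-core component needs BSD ptys at all.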
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch new file mode 100644 index 0000000..cc018fa --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From a9aebca531f52818fe77b9b21f0cad425da78e43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in | ||
5 | term_dontaudit_use_console | ||
6 | |||
7 | We should also not audit terminal to rw tty_device_t and fds in | ||
8 | term_dontaudit_use_console. | ||
9 | |||
10 | Upstream-Status: Inappropriate [embedded specific] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | policy/modules/kernel/terminal.if | 3 +++ | ||
17 | 1 file changed, 3 insertions(+) | ||
18 | |||
19 | diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if | ||
20 | index f70e51525..8f9578dbc 100644 | ||
21 | --- a/policy/modules/kernel/terminal.if | ||
22 | +++ b/policy/modules/kernel/terminal.if | ||
23 | @@ -335,9 +335,12 @@ interface(`term_use_console',` | ||
24 | interface(`term_dontaudit_use_console',` | ||
25 | gen_require(` | ||
26 | type console_device_t; | ||
27 | + type tty_device_t; | ||
28 | ') | ||
29 | |||
30 | + init_dontaudit_use_fds($1) | ||
31 | dontaudit $1 console_device_t:chr_file rw_chr_file_perms; | ||
32 | + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; | ||
33 | ') | ||
34 | |||
35 | ######################################## | ||
36 | -- | ||
37 | 2.17.1 | ||
38 | |||
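Review bot: `init_dontaudit_use_fds($1)` inside terminal.if makes a kernel-layer interface depend on the system-layer init module, which refpolicy's layering forbids, and the call is not wrapped in `optional_policy`; callers that need it should invoke `init_dontaudit_use_fds` themselves. The added `dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;` also hides denials on login ttys, which unlike console_device_t belong to user sessions and are a useful signal when a daemon writes to the wrong terminal; either keep it out of a generic console interface or document why its callers are expected to touch tty_device_t, e.g. `# oe-core init passes a tty fd rather than the console to some daemons; silence rw on tty_device_t as well`, adjusted to whatever actually triggers the denial.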
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-services-avahi-allow-avahi_t-to-watch.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-services-avahi-allow-avahi_t-to-watch.patch new file mode 100644 index 0000000..52887e5 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-services-avahi-allow-avahi_t-to-watch.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 4316f85adb1ab6e0278fb8e8ff68b358f36a933e Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 23 Jun 2020 08:19:16 +0800 | ||
4 | Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch /etc | ||
5 | directory | ||
6 | |||
7 | Fixes: | ||
8 | type=AVC msg=audit(1592813140.176:24): avc: denied { watch } for | ||
9 | pid=360 comm="avahi-daemon" path="/services" dev="vda" ino=173 | ||
10 | scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:etc_t | ||
11 | tclass=dir permissive=1 | ||
12 | |||
13 | Upstream-Status: Inappropriate [embedded specific] | ||
14 | |||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
16 | --- | ||
17 | policy/modules/services/avahi.te | 1 + | ||
18 | 1 file changed, 1 insertion(+) | ||
19 | |||
20 | diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te | ||
21 | index f77e5546d..5643349e3 100644 | ||
22 | --- a/policy/modules/services/avahi.te | ||
23 | +++ b/policy/modules/services/avahi.te | ||
24 | @@ -76,6 +76,7 @@ domain_use_interactive_fds(avahi_t) | ||
25 | |||
26 | files_read_etc_runtime_files(avahi_t) | ||
27 | files_read_usr_files(avahi_t) | ||
28 | +files_watch_etc_dirs(avahi_t) | ||
29 | |||
30 | auth_use_nsswitch(avahi_t) | ||
31 | |||
32 | -- | ||
33 | 2.17.1 | ||
34 | |||
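Review bot: `files_watch_etc_dirs(avahi_t)` grants inotify watch on every etc_t directory, while the quoted AVC concerns only avahi's services directory, so the grant lets avahi observe modification events across all of /etc. If the policy has a dedicated type for `/etc/avahi`, label the services directory with it and grant watch on that type; otherwise keep the rule but record its scope next to it, e.g. `# avahi watches /etc/avahi/services for new .service files; it is plain etc_t here, so watch on etc_t dirs`.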
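--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-getty-allow-getty_t-watch-gett.patch
@@ -0,0 +1,42 @@
+From 383a70a87049ef5065bba4c2c4d4bc3cff914358 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 08:39:44 +0800
+Subject: [PATCH] policy/modules/system/getty: allow getty_t watch
+getty_runtime_t file
+
+Fixes:
+type=AVC msg=audit(1592813140.280:26): avc: denied { watch } for
+pid=385 comm="getty" path="/run/agetty.reload" dev="tmpfs" ino=12247
+scontext=system_u:system_r:getty_t
+tcontext=system_u:object_r:getty_runtime_t tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/getty.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index f5316c30a..39e27e5f1 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -47,6 +47,7 @@ allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_fil
+logging_log_filetrans(getty_t, getty_log_t, file)
+
+allow getty_t getty_runtime_t:dir watch;
++allow getty_t getty_runtime_t:file watch;
+manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)
+files_runtime_filetrans(getty_t, getty_runtime_t, file)
+
+@@ -65,6 +66,7 @@ dev_read_sysfs(getty_t)
+files_read_etc_runtime_files(getty_t)
+files_read_etc_files(getty_t)
+files_search_spool(getty_t)
++fs_search_tmpfs(getty_t)
+
+fs_search_auto_mountpoints(getty_t)
+# for error condition handling
+--
+2.17.1
+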
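Review bot: The second hunk's `fs_search_tmpfs(getty_t)` has no AVC in the 'Fixes:' block to justify it; the only denial quoted is the watch on /run/agetty.reload, which the first hunk's `allow getty_t getty_runtime_t:file watch;` addresses on its own. If a tmpfs search denial was observed on this target it should be quoted alongside the watch denial so the grant can be traced back to a need; if it was not, the line widens getty_t for no documented reason and should be dropped.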
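--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
@@ -0,0 +1,65 @@
+From dfc3e78dfee0709bcbfc2d1959e5b7c27922b1b7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 08:54:20 +0800
+Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
+create and use bluetooth_socket
+
+Fixes:
+type=AVC msg=audit(1592813138.485:17): avc: denied { create } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:18): avc: denied { bind } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:19): avc: denied { write } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:20): avc: denied { getattr } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:21): avc: denied { listen } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.498:22): avc: denied { read } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/bluetooth.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 025eff444..63e50aeda 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+@@ -127,6 +128,8 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
++init_dbus_send_script(bluetooth_t)
++
+optional_policy(`
+dbus_system_bus_client(bluetooth_t)
+dbus_connect_system_bus(bluetooth_t)
+--
+2.17.1
+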
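Review bot: `init_dbus_send_script(bluetooth_t)` in the second hunk is not covered by the patch description, whose six AVCs are all `bluetooth_socket` denials that the first hunk's `allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;` resolves. Letting bluetoothd send D-Bus messages to init scripts is a separate widening of the domain, so the description should quote the denial that motivates it or the line should be moved to its own patch. The subject line also only mentions the socket class, which reinforces that this grant was added without a stated reason.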
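--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch
@@ -0,0 +1,38 @@
+From 354389c93e26bb8d8e8c1c126b01d838a6a214c8 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo
+
+Fixes:
+$ rpcinfo
+rpcinfo: can't contact rpcbind: RPC: Remote system error - Permission denied
+
+avc: denied { connectto } for pid=406 comm="rpcinfo"
+path="/run/rpcbind.sock" scontext=root:sysadm_r:sysadm_t
+tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index f0370b426..fc0945fe4 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -962,6 +962,7 @@ optional_policy(`
+')
+
+optional_policy(`
++ rpcbind_stream_connect(sysadm_t)
+rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+--
+2.17.1
+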
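--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-add-capability-dac_read_.patch
@@ -0,0 +1,34 @@
+From fbc8f3140bf6b519bad568fc1d840c9043fc13db Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 14 May 2019 15:22:08 +0800
+Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
+for rpcd_t
+
+Fixes:
+type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search }
+for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t
+tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/rpc.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 020dbc4ad..c06ff803f 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -142,7 +142,7 @@ optional_policy(`
+# Local policy
+#
+
+-allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin };
++allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin };
+allow rpcd_t self:capability2 block_suspend;
+allow rpcd_t self:process { getcap setcap };
+allow rpcd_t self:fifo_file rw_fifo_file_perms;
+--
+2.17.1
+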
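Review bot: rpcd_t already holds `dac_override` in the same set, and in DAC terms that already covers everything `dac_read_search` permits, so the new grant adds no access the domain did not effectively have; whether the quoted `permissive=0` denial was actually fatal for sm-notify, or just the kernel probing dac_read_search before falling back to dac_override, is not stated and is worth confirming. If sm-notify works without it, `dontaudit rpcd_t self:capability dac_read_search;` would silence the noise without widening the policy text; if it is needed, the change as written is fine and keeps the set sorted.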
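--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
@@ -0,0 +1,45 @@
+From dfe79338ee9915527afd9e0943ed84e0347c4d66 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 1 Jul 2020 08:44:07 +0800
+Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
+directory with label rpcbind_runtime_t
+
+Fixes:
+avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
+scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/rpcbind.te | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 69ed49d8b..4f110773a 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
+# Local policy
+#
+
+-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
+# net_admin is for SO_SNDBUFFORCE
+dontaudit rpcbind_t self:capability net_admin;
+allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+allow rpcbind_t self:unix_stream_socket { accept listen };
+allow rpcbind_t self:tcp_socket { accept listen };
+
++manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
+manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
+-files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })
++files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir })
+
+manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
+--
+2.17.1
+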
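Review bot: The `chown` capability appended in the first hunk is not explained by the quoted AVC, which is a `dir create` denial against var_run_t and is fully handled by the added `manage_dirs_pattern` and the `dir` added to `files_runtime_filetrans`. The description should quote the denial that requires chown, or the capability should be left out of this patch. As a point of style, refpolicy keeps capability sets sorted, so the line should read `allow rpcbind_t self:capability { chown dac_override setgid setuid sys_tty_config };`, as 0041 does when it inserts `dac_read_search` into rpcd_t's set.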
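--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch
@@ -0,0 +1,64 @@
+From 617b8b558674a77cd2b1eff9155f276985456684 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 25 May 2016 03:16:24 -0400
+Subject: [PATCH] policy/modules/services/rngd: fix security context for
+rng-tools
+
+* fix security context for /etc/init.d/rng-tools
+* allow rngd_t to search /run/systemd/journal
+
+Fixes:
+audit: type=1400 audit(1592874699.503:11): avc: denied { read } for
+pid=355 comm="rngd" name="cpu" dev="sysfs" ino=36
+scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t
+tclass=dir permissive=1
+audit: type=1400 audit(1592874699.505:12): avc: denied { getsched }
+for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
+tcontext=system_u:system_r:rngd_t tclass=process permissive=1
+audit: type=1400 audit(1592874699.508:13): avc: denied { setsched }
+for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
+tcontext=system_u:system_r:rngd_t tclass=process permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/rngd.fc | 1 +
+policy/modules/services/rngd.te | 3 ++-
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
++++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+
+/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
+index 839813216..c4ffafb5d 100644
+--- a/policy/modules/services/rngd.te
++++ b/policy/modules/services/rngd.te
+@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
+#
+
+allow rngd_t self:capability { ipc_lock sys_admin };
+-allow rngd_t self:process signal;
++allow rngd_t self:process { signal getsched setsched };
+allow rngd_t self:fifo_file rw_fifo_file_perms;
+allow rngd_t self:unix_stream_socket { accept listen };
+
+@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
+dev_read_urand(rngd_t)
+dev_rw_tpm(rngd_t)
+dev_write_rand(rngd_t)
++dev_read_sysfs(rngd_t)
+
+files_read_etc_files(rngd_t)
+
+--
+2.17.1
+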
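Review bot: The description's second bullet, 'allow rngd_t to search /run/systemd/journal', does not match the hunks, which add `{ signal getsched setsched }` on rngd_t's own process, `dev_read_sysfs(rngd_t)` and an init-script file context; none of the three quoted AVCs mentions the journal either. The bullet looks left over from an earlier revision of the patch and should be replaced with bullets for the sysfs read and the sched permissions actually granted, so that the rationale on record matches the policy change. The `dev_read_sysfs` grant is also placed after `dev_write_rand` rather than in the alphabetical position refpolicy usually keeps for `dev_*` calls.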
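--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch
@@ -0,0 +1,34 @@
+From 0e3199f243a47853452a877ebad5360bc8c1f2f1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 21 Nov 2019 13:58:28 +0800
+Subject: [PATCH] policy/modules/system/authlogin: allow chkpwd_t to map
+shadow_t
+
+Fixes:
+avc: denied { map } for pid=244 comm="unix_chkpwd" path="/etc/shadow"
+dev="vda" ino=443 scontext=system_u:system_r:chkpwd_t
+tcontext=system_u:object_r:shadow_t tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/authlogin.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 0fc5951e9..e999fa798 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -100,7 +100,7 @@ allow chkpwd_t self:capability { dac_override setuid };
+dontaudit chkpwd_t self:capability sys_tty_config;
+allow chkpwd_t self:process { getattr signal };
+
+-allow chkpwd_t shadow_t:file read_file_perms;
++allow chkpwd_t shadow_t:file { read_file_perms map };
+files_list_etc(chkpwd_t)
+
+kernel_read_crypto_sysctls(chkpwd_t)
+--
+2.17.1
+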
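Review bot: Adding `map` on shadow_t for chkpwd_t widens access to the file holding password hashes, and the new rule carries no comment saying why unix_chkpwd needs to mmap /etc/shadow rather than read it (presumably the C library now maps the file when it parses it — to be confirmed). A one-line comment above the rule, e.g. `# unix_chkpwd mmaps /etc/shadow (see the map denial in the patch description)`, would keep the rationale next to the grant for the next person auditing shadow_t access. Since the domain already had `read_file_perms`, the practical widening is small, but it is the kind of rule that should be self-explanatory in the .te.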
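--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-udev-allow-udevadm_t-to-search.patch
@@ -0,0 +1,34 @@
+From bd03c34ab3c193d6c21a6c0b951e89dd4e24eee6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 19 Jun 2020 15:21:26 +0800
+Subject: [PATCH] policy/modules/system/udev: allow udevadm_t to search bin dir
+
+Fixes:
+audit: type=1400 audit(1592894099.930:6): avc: denied { search } for
+pid=153 comm="udevadm" name="bin" dev="vda" ino=13
+scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:bin_t
+tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/udev.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 52da11acd..3a4d7362c 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -415,6 +415,8 @@ dev_read_urand(udevadm_t)
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
++corecmd_search_bin(udevadm_t)
++
+init_list_runtime(udevadm_t)
+init_read_state(udevadm_t)
+
+--
+2.17.1
+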
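--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-udev-do-not-audit-udevadm_t-to-read-w.patch
@@ -0,0 +1,37 @@
+From 8b5eb5b2e01a7686c43ba7b53cc76f465f9e8f56 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 30 Jun 2020 09:27:45 +0800
+Subject: [PATCH] policy/modules/udev: do not audit udevadm_t to read/write
+/dev/console
+
+Fixes:
+avc: denied { read write } for pid=162 comm="udevadm"
+path="/dev/console" dev="devtmpfs" ino=10034
+scontext=system_u:system_r:udevadm_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
+permissive=0
+avc: denied { use } for pid=162 comm="udevadm" path="/dev/console"
+dev="devtmpfs" ino=10034
+scontext=system_u:system_r:udevadm_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/udev.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 3a4d7362c..e483d63d3 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -425,3 +425,5 @@ kernel_read_system_state(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
++init_dontaudit_use_fds(udevadm_t)
++term_dontaudit_use_console(udevadm_t)
+--
+2.17.1
+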
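--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-services-rdisc-allow-rdisc_t-to-searc.patch
@@ -0,0 +1,34 @@
+From 6bcf62e310931e8be943520a7e1a5686f54a8e34 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 15:44:43 +0800
+Subject: [PATCH] policy/modules/services/rdisc: allow rdisc_t to search sbin
+dir
+
+Fixes:
+avc: denied { search } for pid=225 comm="rdisc" name="sbin" dev="vda"
+ino=1478 scontext=system_u:system_r:rdisc_t
+tcontext=system_u:object_r:bin_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/rdisc.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
+index 82d54dbb7..1dd458f8e 100644
+--- a/policy/modules/services/rdisc.te
++++ b/policy/modules/services/rdisc.te
+@@ -47,6 +47,8 @@ sysnet_read_config(rdisc_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
+
++corecmd_search_bin(rdisc_t)
++
+optional_policy(`
+seutil_sigchld_newrole(rdisc_t)
+')
+--
+2.17.1
+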
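--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -0,0 +1,52 @@
+From b585008cec90386903e7613a4a22286c0a94be8c Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Tue, 24 Jan 2017 08:45:35 +0000
+Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
+
+Fixes:
+avc: denied { getcap } for pid=849 comm="auditctl" \
+scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 \
+tcontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 \
+tclass=process
+
+avc: denied { setattr } for pid=848 comm="auditd" \
+name="audit" dev="tmpfs" ino=9569 \
+scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 \
+tclass=dir
+
+avc: denied { search } for pid=731 comm="auditd" \
+name="/" dev="tmpfs" ino=9399 \
+scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+policy/modules/system/logging.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2d9f65d2d..95309f334 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -157,6 +157,7 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
+allow auditd_t auditd_etc_t:file read_file_perms;
+dontaudit auditd_t auditd_etc_t:file map;
+
++manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
+manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t auditd_log_t:dir setattr;
+manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+@@ -177,6 +178,7 @@ dev_read_sysfs(auditd_t)
+fs_getattr_all_fs(auditd_t)
+fs_search_auto_mountpoints(auditd_t)
+fs_rw_anon_inodefs_files(auditd_t)
++fs_search_tmpfs(auditd_t)
+
+selinux_search_fs(auditctl_t)
+
+--
+2.17.1
+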
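Review bot: The first AVC in the description, `getcap` for auditctl_t on its own process, has no corresponding rule in either hunk — the two insertions only cover the auditd_t `setattr` (via `manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)`) and the tmpfs `search` (via `fs_search_tmpfs(auditd_t)`), so either that denial is fixed elsewhere and should not be listed here, or the patch is incomplete. With the new `manage_dirs_pattern` in place, the retained context line `allow auditd_t auditd_log_t:dir setattr;` is redundant, since manage_dir_perms already includes setattr, and should be removed in the same change.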
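--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-services-ssh-make-respective-init-scr.patch
@@ -0,0 +1,33 @@
+From 878f3eb8e0716764ea4d42b996f58ea9072204fc Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 28 Jun 2020 16:14:45 +0800
+Subject: [PATCH] policy/modules/services/ssh: make respective init scripts
+create pid dirs with proper contexts
+
+Fix sshd starup failure.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ssh.te | 4 +---
+1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index fefca0c20..db62eaa18 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t)
+type sshd_keytab_t;
+files_type(sshd_keytab_t)
+
+-ifdef(`distro_debian',`
+- init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
+-')
++init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")
+
+##############################
+#
+--
+2.17.1
+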
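Review bot: Dropping the `ifdef(`distro_debian'` guard makes `init_daemon_runtime_file(sshd_runtime_t, dir, "sshd")` unconditional for every distro that builds this policy, and 0050 (the `type_change` in terminal.if) and 0051 (the semanage_t var_lib reads) do the same thing to other Debian-only blocks. If that is the intent for the embedded build, the description should say so instead of only 'Fix sshd starup failure', and should quote the denial that was hit; an alternative that preserves upstream's structure is to widen the guard to the distro actually in use rather than removing it. The description typo 'starup' should also be corrected to 'startup'.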
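--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-terminal-allow-loging-to-reset.patch
@@ -0,0 +1,31 @@
+From fb900b71d7e1fa5c3bd997e6deadcaae2b65b05a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 29 Jun 2020 14:27:02 +0800
+Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty
+perms
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/terminal.if | 4 +---
+1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 8f9578dbc..3821ab9b0 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -119,9 +119,7 @@ interface(`term_user_tty',`
+
+# Debian login is from shadow utils and does not allow resetting the perms.
+# have to fix this!
+- ifdef(`distro_debian',`
+- type_change $1 ttynode:chr_file $2;
+- ')
++ type_change $1 ttynode:chr_file $2;
+
+tunable_policy(`console_login',`
+# When user logs in from /dev/console, relabel it
+--
+2.17.1
+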
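Review bot: The retained comment `# Debian login is from shadow utils and does not allow resetting the perms.` / `# have to fix this!` no longer describes the code beneath it once the `type_change $1 ttynode:chr_file $2;` applies on every distro, so a reader of terminal.if will be told this is a Debian-specific workaround when it is not. The comment should be rewritten to give the actual rationale, e.g. `# login from shadow-utils cannot reset tty perms; relabel the tty for every distro`, or removed together with the guard. The subject line's 'loging' is also a typo for 'login'. The enclosing `term_user_tty` interface starts and ends outside the hunk.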
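--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-selinuxutil-allow-semanage_t-t.patch
@@ -0,0 +1,33 @@
+From 2c8464254adf0b2635e5abf4ccc4473c96fa0006 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 29 Jun 2020 14:30:58 +0800
+Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read
+/var/lib
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/selinuxutil.te | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index fad28f179..09fef149b 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -544,10 +544,8 @@ userdom_map_user_home_content_files(semanage_t)
+userdom_read_user_tmp_files(semanage_t)
+userdom_map_user_tmp_files(semanage_t)
+
+-ifdef(`distro_debian',`
+- files_read_var_lib_files(semanage_t)
+- files_read_var_lib_symlinks(semanage_t)
+-')
++files_read_var_lib_files(semanage_t)
++files_read_var_lib_symlinks(semanage_t)
+
+ifdef(`distro_ubuntu',`
+optional_policy(`
+--
+2.17.1
+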
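--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-sysnetwork-allow-ifconfig_t-to.patch
@@ -0,0 +1,35 @@
+From a3e4135c543be8d3a054e6f74629240370d111ed Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 27 May 2019 15:55:19 +0800
+Subject: [PATCH] policy/modules/system/sysnetwork: allow ifconfig_t to read
+dhcp client state files
+
+Fixes:
+type=AVC msg=audit(1558942740.789:50): avc: denied { read } for
+pid=221 comm="ip" path="/var/lib/dhcp/dhclient.leases" dev="vda"
+ino=29858 scontext=system_u:system_r:ifconfig_t
+tcontext=system_u:object_r:dhcpc_state_t tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/sysnetwork.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index bbdbcdc7e..a77738924 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -319,6 +319,8 @@ kernel_request_load_module(ifconfig_t)
+kernel_search_network_sysctl(ifconfig_t)
+kernel_rw_net_sysctls(ifconfig_t)
+
++sysnet_read_dhcpc_state(ifconfig_t)
++
+corenet_rw_tun_tap_dev(ifconfig_t)
+
+dev_read_sysfs(ifconfig_t)
+--
+2.17.1
+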
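--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch
@@ -0,0 +1,55 @@
+From f23bb02c92bcbf7afa0c6b445719df6b06df15ea Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 6 Jul 2020 09:06:08 +0800
+Subject: [PATCH] policy/modules/services/ntp: allow ntpd_t to watch system bus
+runtime directories and named sockets
+
+Fixes:
+avc: denied { read } for pid=197 comm="systemd-timesyn" name="dbus"
+dev="tmpfs" ino=14064 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
+permissive=0
+
+avc: denied { watch } for pid=197 comm="systemd-timesyn"
+path="/run/dbus" dev="tmpfs" ino=14064
+scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
+permissive=0
+
+avc: denied { read } for pid=197 comm="systemd-timesyn"
+name="system_bus_socket" dev="tmpfs" ino=14067
+scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file
+permissive=0
+
+avc: denied { watch } for pid=197 comm="systemd-timesyn"
+path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14067
+scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ntp.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
+index 81f8c76bb..75603e16b 100644
+--- a/policy/modules/services/ntp.te
++++ b/policy/modules/services/ntp.te
+@@ -141,6 +141,10 @@ userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+allow ntpd_t ntpd_unit_t:file read_file_perms;
+
++ dbus_watch_system_bus_runtime_dirs(ntpd_t)
++ allow ntpd_t system_dbusd_runtime_t:dir read;
++ dbus_watch_system_bus_runtime_named_sockets(ntpd_t)
++ allow ntpd_t system_dbusd_runtime_t:sock_file read;
+dbus_system_bus_client(ntpd_t)
+dbus_connect_system_bus(ntpd_t)
+init_dbus_chat(ntpd_t)
+--
+2.17.1
+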
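Review bot: The two raw `allow ntpd_t system_dbusd_runtime_t:...` rules reference another module's type directly from ntp.te, which refpolicy avoids in favour of interfaces from dbus.if; the `dbus_watch_*` calls right next to them already take that route. If no existing `dbus_` interface grants `read` on the runtime dir and named socket, the cleaner change is to add one to dbus.if and call it here, so the type stays private to the dbus module. A short comment naming the consumer would also help, e.g. `# systemd-timesyncd watches /run/dbus for the bus socket (see AVCs in commit message)`. The `ifdef(`init_systemd'` block continues outside the hunk.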
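--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-enable-support-for-sys.patch
@@ -0,0 +1,64 @@
+From 9eee952a306000eaa5e92b578f3caa35b6a35699 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: enable support for
+systemd-tmpfiles to manage all non-security files
+
+Fixes:
+systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied
+systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied
+systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied
+
+avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/"
+dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus"
+dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir
+permissive=0
+
+avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile"
+name="log" dev="vda" ino=14129
+scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
+
+avc: denied { create } for pid=137 comm="systemd-tmpfile"
+name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 136990d08..c7fe51b62 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.9.14)
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+
+## <desc>
+## <p>
+@@ -1196,6 +1196,10 @@ files_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
++
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
++
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
+
+--
+2.17.1
+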
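Review bot: The second hunk grants `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` in what appears to be unconditional policy, while the first hunk only flips the default of the `systemd_tmpfiles_manage_all` tunable whose description is exactly "manage all non-security files". If that tunable already gates these permissions in a `tunable_policy` block elsewhere in the file (not visible here), the unconditional rules make the boolean ineffective: an operator who sets it back to `false` still gets the broad manage and relabel access. Flipping the default alone should resolve the listed denials; otherwise wrap the two calls in `tunable_policy(`systemd_tmpfiles_manage_all',` ... `')` so the boolean keeps its meaning. Relabel over every non-auth file type is also far wider than the four denials quoted, and deserves a comment saying which tmpfiles entries need it.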
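--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
@@ -0,0 +1,74 @@
+From e10a4ea43bb756bdecc30a3c14f0d2fe980405bd Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
+failures
+
+Fixes:
+avc: denied { search } for pid=233 comm="systemd-journal" name="/"
+dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { nlmsg_write } for pid=110 comm="systemd-journal"
+scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
+permissive=0
+
+avc: denied { audit_control } for pid=109 comm="systemd-journal"
+capability=30 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.fc | 1 +
+policy/modules/system/logging.te | 5 ++++-
+2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index a4ecd570a..dee26a9f4 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 95309f334..1d45a5fa9 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -438,6 +438,7 @@ allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
+allow syslogd_t syslogd_runtime_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
++fs_search_tmpfs(syslogd_t)
+
+kernel_read_crypto_sysctls(syslogd_t)
+kernel_read_system_state(syslogd_t)
+@@ -517,6 +518,8 @@ init_use_fds(syslogd_t)
+# cjp: this doesnt make sense
+logging_send_syslog_msg(syslogd_t)
+
++logging_set_loginuid(syslogd_t)
++
+miscfiles_read_localization(syslogd_t)
+
+seutil_read_config(syslogd_t)
+@@ -529,7 +532,7 @@ ifdef(`init_systemd',`
+allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+allow syslogd_t self:capability2 audit_read;
+allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
++ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
+
+# remove /run/log/journal when switching to permanent storage
+allow syslogd_t var_log_t:dir rmdir;
+--
+2.17.1
+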
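Review bot: `logging_set_loginuid(syslogd_t)` in the second logging.te hunk is added outside the `ifdef(`init_systemd'` block, so it applies to every daemon running as syslogd_t, whereas the `nlmsg_write` addition that goes with it is confined to the systemd/journald case in the last hunk. The interface is named for login programs that set loginuid; if it is used here only to satisfy the `audit_control` capability denial quoted in the message, a narrower rule inside the same `ifdef` block, `allow syslogd_t self:capability audit_control;`, with a comment on why journald needs it, would be easier to audit. Together with `nlmsg_write` on the audit netlink socket this lets syslogd_t change audit configuration, which is worth an explicit comment in the policy rather than only in the commit message. The `ifdef(`init_systemd'` block opens before and continues after the last hunk.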
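--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
@@ -0,0 +1,36 @@
+From 7fd830d6b2c60dcf5b8ee0b2ff94436de63d5b8c Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 29 Jun 2020 10:32:25 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
+dirs
+
+Fixes:
+Failed to add a watch for /run/systemd/ask-password: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index fc0945fe4..07b9faf30 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -83,6 +83,12 @@ ifdef(`init_systemd',`
+# Allow sysadm to resolve the username of dynamic users by calling
+# LookupDynamicUserByUID on org.freedesktop.systemd1.
+init_dbus_chat(sysadm_t)
++
++ fs_watch_cgroup_files(sysadm_t)
++ files_watch_etc_symlinks(sysadm_t)
++ mount_watch_runtime_dirs(sysadm_t)
++ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
++ allow sysadm_t systemd_passwd_runtime_t:dir watch;
+')
+
+tunable_policy(`allow_ptrace',`
+--
+2.17.1
+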
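Review bot: `allow sysadm_t systemd_passwd_runtime_t:dir watch;` references a systemd-module type directly from sysadm.te; the neighbouring `systemd_filetrans_passwd_runtime_dirs(sysadm_t)` shows the interface route, so a watch interface in systemd.if (a constructed name such as `systemd_watch_passwd_runtime_dirs`, added if none exists) would keep the type private to its module. The commit message justifies only the `/run/systemd/ask-password` watch, yet the hunk also grants `fs_watch_cgroup_files` and `files_watch_etc_symlinks`; the message or an inline comment should state which denials those two resolve. The `ifdef(`init_systemd'` block opens before the hunk.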
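--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-systemd-add-capability-mknod-f.patch
@@ -0,0 +1,35 @@
+From 4782b27839064438f103b77c31e5db75189025a8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 16:14:45 +0800
+Subject: [PATCH] policy/modules/system/systemd: add capability mknod for
+systemd_user_runtime_dir_t
+
+Fixes:
+avc: denied { mknod } for pid=266 comm="systemd-user-ru" capability=27
+scontext=system_u:system_r:systemd_user_runtime_dir_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:systemd_user_runtime_dir_t:s0-s15:c0.c1023
+tclass=capability permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index c7fe51b62..f82031a09 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1372,7 +1372,7 @@ seutil_libselinux_linked(systemd_user_session_type)
+# systemd-user-runtime-dir local policy
+#
+
+-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
++allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
+allow systemd_user_runtime_dir_t self:process setfscreate;
+
+domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
+--
+2.17.1
+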
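Review bot: Adding `mknod` to the self capability set is done without a comment saying what device node systemd-user-runtime-dir creates, and the capability alone normally does not permit creating a `chr_file`/`blk_file` in any type, so if the tool really creates a node a matching create rule on the target directory type would be needed as well. If the mknod call is incidental (a probe whose failure is harmless), a `dontaudit` on the capability would be the tighter fix. Please record the reason inline, e.g. `# systemd-user-runtime-dir: CAP_MKNOD, see AVC in commit message`.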
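--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
@@ -0,0 +1,35 @@
+From 0607a935759fe3143f473d4a444f92e01aaa2a45 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 14:52:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator: do
+not audit attempts to read or write unallocated ttys
+
+Fixes:
+avc: denied { read write } for pid=87 comm="systemd-getty-g"
+name="ttyS0" dev="devtmpfs" ino=10128
+scontext=system_u:system_r:systemd_generator_t
+tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f82031a09..fb8d4960f 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -400,6 +400,8 @@ storage_raw_read_fixed_disk(systemd_generator_t)
+
+systemd_log_parse_environment(systemd_generator_t)
+
++term_dontaudit_use_unallocated_ttys(systemd_generator_t)
++
+optional_policy(`
+fstools_exec(systemd_generator_t)
+')
+--
+2.17.1
+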
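Review bot: The subject names systemd-gpt-auto-generator, but the only denial quoted is from `comm="systemd-getty-g"` (the getty generator) on ttyS0; either the subject or the message should be corrected so the dontaudit is traceable to the right tool. `term_dontaudit_use_unallocated_ttys(systemd_generator_t)` silences the denial rather than granting access, which is appropriate if the generator merely probes the console, but that reasoning should be stated inline, e.g. `# getty generator probes serial consoles; failure is harmless`. The systemd_generator_t section continues outside the hunk.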
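--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch
@@ -0,0 +1,78 @@
+From fbf98576f32e33e55f3babeb9db255a459fad711 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 23 Aug 2013 12:01:53 +0800
+Subject: [PATCH] policy/modules/services/rpc: fix policy for nfsserver to
+mount nfsd_fs_t
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/kernel.te | 2 ++
+policy/modules/services/rpc.fc | 2 ++
+policy/modules/services/rpc.te | 2 ++
+policy/modules/services/rpcbind.te | 6 ++++++
+4 files changed, 12 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index c8218bf8c..44c031a39 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
+mls_process_write_all_levels(kernel_t)
+mls_file_write_all_levels(kernel_t)
+mls_file_read_all_levels(kernel_t)
++mls_socket_write_all_levels(kernel_t)
++mls_fd_use_all_levels(kernel_t)
+
+ifdef(`distro_redhat',`
+# Bugzilla 222337
+diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
+index 6d3c9b68b..75999a57c 100644
+--- a/policy/modules/services/rpc.fc
++++ b/policy/modules/services/rpc.fc
+@@ -1,7 +1,9 @@
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
+/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index c06ff803f..7c0b37ddc 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -250,6 +250,8 @@ storage_raw_read_removable_device(nfsd_t)
+
+miscfiles_read_public_files(nfsd_t)
+
++mls_file_read_to_clearance(nfsd_t)
++
+tunable_policy(`allow_nfsd_anon_write',`
+miscfiles_manage_public_files(nfsd_t)
+')
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 4f110773a..3cc85a8d5 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t)
+
+miscfiles_read_localization(rpcbind_t)
+
++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
++# because the are running in different level. So add rules to allow this.
++mls_socket_read_all_levels(rpcbind_t)
++mls_socket_write_all_levels(rpcbind_t)
++mls_file_read_to_clearance(rpcbind_t)
++
+ifdef(`distro_debian',`
+term_dontaudit_use_unallocated_ttys(rpcbind_t)
+')
+--
+2.17.1
+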
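Review bot: The kernel.te hunk adds `mls_socket_write_all_levels(kernel_t)` and `mls_fd_use_all_levels(kernel_t)` with no denial or explanation in the message, and the subject only mentions nfsserver mounting nfsd_fs_t; each MLS override on kernel_t should be tied to a quoted denial so it can be revisited. In rpcbind.te the comment justifies only the nfsd_t to rpcbind_t unix stream socket direction, yet the hunk grants both `mls_socket_read_all_levels` and `mls_socket_write_all_levels` plus `mls_file_read_to_clearance`, which makes rpcbind a bidirectional cross-level conduit; if only one direction is needed, drop the other and say so in the comment. The comment also has a typo: `because the are running` should read `because they are running`.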
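--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
+From 1c71d74635c2b39a15c449e75eacae23b3d4f1b8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 30 May 2019 08:30:06 +0800
+Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
+reading from files up to its clearance
+
+Fixes:
+type=AVC msg=audit(1559176077.169:242): avc: denied { search } for
+pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
+scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/rpc.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
+index 7c0b37ddc..ef6cb9b63 100644
+--- a/policy/modules/services/rpc.te
++++ b/policy/modules/services/rpc.te
+@@ -185,6 +185,8 @@ seutil_dontaudit_search_config(rpcd_t)
+
+userdom_signal_all_users(rpcd_t)
+
++mls_file_read_to_clearance(rpcd_t)
++
+ifdef(`distro_debian',`
+term_dontaudit_use_unallocated_ttys(rpcd_t)
+')
+--
+2.17.1
+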
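Review bot: `mls_file_read_to_clearance(rpcd_t)` grants read on every file object up to the domain's clearance (s15 in the quoted context) to the whole rpcd_t domain, in order to resolve a single `search` denial on the journal directory labelled `syslogd_var_run_t:s15:c0.c1023`. A narrower fix is worth checking first: why the runtime journal directory sits at s15 rather than s0 like the rest of the quoted runtime objects, or whether a ranged filetrans or trusted-object marking on that directory is the intended design. The same concern applies to 0064, where `mls_file_read_to_clearance(dmesg_t)` is used for one `read` on `/dev/kmsg` at s15. If the broad grant is kept, a comment quoting the denial above the call keeps it auditable.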
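--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch
@@ -0,0 +1,41 @@
+From 0404c4ad3f92408edcdbf46ac0665bf09d4b2516 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 28 Jan 2019 14:05:18 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
+
+The two new rules make sysadm_t domain MLS trusted for:
+- reading from files at all levels.
+- writing to processes up to its clearance(s0-s15).
+
+With default MLS policy, root user would login in as sysadm_t:s0 by
+default. Most processes will run in sysadm_t:s0 because no
+domtrans/rangetrans rules, as a result, even root could not access
+high level files/processes.
+
+So with the two new rules, root user could work easier in MLS policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 07b9faf30..ac5239d83 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
+
+mls_process_read_all_levels(sysadm_t)
+
++mls_file_read_all_levels(sysadm_t)
++mls_process_write_to_clearance(sysadm_t)
++
+selinux_read_policy(sysadm_t)
+
+ubac_process_exempt(sysadm_t)
+--
+2.17.1
+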
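Review bot: `mls_file_read_all_levels(sysadm_t)` removes the no-read-up property for any sysadm_t session, so in an MLS build a root shell at s0 can read s15 files without a level change; with `mls_process_write_to_clearance` this is the deliberate trade-off the message describes, but it is added unconditionally. Consider gating both calls behind a tunable (a `gen_tunable` plus `tunable_policy` block, name to be chosen) so deployments that rely on strict MLS separation can turn it off without carrying their own patch. The message's rationale, that no range transitions exist for the root login, belongs in an inline comment above the two calls, e.g. `# no rangetrans for root login; let sysadm_t:s0 read all levels (see commit message)`.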
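--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -0,0 +1,36 @@
+From 7789f70ee3506f11b6bc1954469915214bcb9c58 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Sat, 15 Feb 2014 04:22:47 -0500
+Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
+for writing to processes up to its clearance
+
+Fixes:
+avc: denied { setsched } for pid=148 comm="mount"
+scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/mount.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 282eb3ada..5bb4fe631 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -116,6 +116,8 @@ fs_dontaudit_write_tmpfs_dirs(mount_t)
+mls_file_read_all_levels(mount_t)
+mls_file_write_all_levels(mount_t)
+
++mls_process_write_to_clearance(mount_t)
++
+selinux_get_enforce_mode(mount_t)
+
+storage_raw_read_fixed_disk(mount_t)
+--
+2.17.1
+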
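Review bot: `mls_process_write_to_clearance(mount_t)` grants process-write to every domain up to s15 to resolve a single `setsched` on kernel_t that was observed in permissive mode (`permissive=1`), so the real need may be narrower than the interface grants; a comment quoting the denial above the call, e.g. `# mount(8) setsched on kernel_t:s15 under MLS (see commit message)`, would keep it auditable. The trailer `Signen-off-by: Wenzong Fan` is misspelled, which hides the sign-off from tools that look for `Signed-off-by:` lines; it should read `Signed-off-by:`.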
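--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-setrans-allow-setrans-to-acces.patch
@@ -0,0 +1,53 @@
+From fc77db62ce54a33ee04bfc3e4c68b9cbed7251c6 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
+/sys/fs/selinux
+
+1. mcstransd failed to boot-up since the below permission is denied
+statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied)
+
+2. other programs can not connect to /run/setrans/.setrans-unix
+avc: denied { connectto } for pid=2055 comm="ls"
+path="/run/setrans/.setrans-unix"
+scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:setrans_t:s15:c0.c1023
+tclass=unix_stream_socket
+
+3. allow setrans_t use fd at any level
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/setrans.te | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 5f020ef78..7f618f212 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
+-ifdef(`distro_debian',`
+- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+-')
++init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")
+
+ifdef(`enable_mcs',`
+init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
+@@ -73,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
+mls_socket_write_all_levels(setrans_t)
+mls_process_read_all_levels(setrans_t)
+mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
++mls_trusted_object(setrans_t)
+
+selinux_compute_access_vector(setrans_t)
+
+--
+2.17.1
+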
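Review bot: The message lists three problems, but the hunks only show the now-unconditional `init_daemon_runtime_file(setrans_runtime_t, dir, "setrans")`, `mls_fd_use_all_levels(setrans_t)` and `mls_trusted_object(setrans_t)`; no visible rule addresses item 1 (the `statfs` on /sys/fs/selinux that the subject is named after), and which rule resolves the `connectto` denial in item 2 is not stated. Either map each item to the rule that fixes it or drop the items fixed elsewhere, so the two MLS overrides stay traceable. `mls_trusted_object` on a process domain exempts it from MLS constraints as the target of operations (presumably the cross-level connect to its unix socket); a one-line comment above the call saying so would help the next reader.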
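--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0064-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch
@@ -0,0 +1,36 @@
+From a51cec2a8d8f47b7a06c59b8af73d96edcc2a993 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 30 Jun 2020 10:18:20 +0800
+Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
+from files up to its clearance
+
+Fixes:
+avc: denied { read } for pid=255 comm="dmesg" name="kmsg"
+dev="devtmpfs" ino=10032
+scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/dmesg.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
+index 5bbe71b26..228baecd8 100644
+--- a/policy/modules/admin/dmesg.te
++++ b/policy/modules/admin/dmesg.te
+@@ -51,6 +51,8 @@ miscfiles_read_localization(dmesg_t)
+userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
+
++mls_file_read_to_clearance(dmesg_t)
++
+optional_policy(`
+seutil_sigchld_newrole(dmesg_t)
+')
+--
+2.17.1
+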
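--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,77 @@
+From fdc58fd666915aba89cb07fe6e7eb43a7fbec2ec Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+lowering the level of files
+
+The boot process hangs with the error while using MLS policy:
+
+[!!!!!!] Failed to mount API filesystems, freezing.
+[ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+newcontext=system_u:object_r:device_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="shm" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+avc: denied { create } for pid=1 comm="systemd" name="pts" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:unlabeled_t:s0 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:cgroup_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/kernel.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 44c031a39..4dffaef76 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
+
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
++
+ifdef(`distro_redhat',`
+# Bugzilla 222337
+fs_rw_tmpfs_chr_files(kernel_t)
+--
+2.17.1
+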
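--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,46 @@
+From 3aa784896315d269be4f43a281d59ad7671b2d07 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 15 Jan 2016 03:47:05 -0500
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+lowering/raising the leve of files
+
+Fix security_validate_transition issues:
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+newcontext=system_u:object_r:device_t:s0 \
+taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=dir
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:var_run_t:s0 \
+newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/init.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index fe3fcf011..8e85dde72 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -208,6 +208,10 @@ mls_process_write_all_levels(init_t)
+mls_fd_use_all_levels(init_t)
+mls_process_set_level(init_t)
+
++# MLS trusted for lowering/raising the level of files
++mls_file_downgrade(init_t)
++mls_file_upgrade(init_t)
++
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+--
+2.17.1
+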
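Review bot: The Subject line has `leve` where `level` is meant; it ships in the patch header, so fix it. The two added interfaces match the two quoted security_validate_transition records — `device_t` s15 to s0 is a downgrade and `var_run_t` s0 to `var_log_t` s0-s15 is an upgrade — so the grant is as narrow as the evidence shown supports.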
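--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0067-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -0,0 +1,63 @@
+From fb69dde2c8783e0602dcce3509b69ded9e6331a2 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
+MLS trusted for raising/lowering the level of files
+
+Fixes:
+avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
+dev="proc" ino=7987 \
+scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=dir
+
+avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+name="journal" dev="tmpfs" ino=8226 \
+scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
+tclass=dir
+
+avc: denied { write } for pid=92 comm="systemd-tmpfile" \
+name="kmsg" dev="devtmpfs" ino=7242 \
+scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
+tclass=chr_file
+
+avc: denied { read } for pid=92 comm="systemd-tmpfile" \
+name="kmod.conf" dev="tmpfs" ino=8660 \
+scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+tcontext=system_u:object_r:var_run_t:s0 \
+tclass=file
+
+avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+name="kernel" dev="proc" ino=8731 \
+scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index fb8d4960f..57f4dc40d 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1249,6 +1249,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+
+systemd_log_parse_environment(systemd_tmpfiles_t)
+
++mls_file_write_all_levels(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_downgrade(systemd_tmpfiles_t)
++mls_file_upgrade(systemd_tmpfiles_t)
++
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
+--
+2.17.1
+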
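Review bot: `mls_file_downgrade(systemd_tmpfiles_t)` and `mls_file_upgrade(systemd_tmpfiles_t)` are not backed by any denial quoted in the commit message; every record shown is a search/read/write at a fixed level and none is a security_validate_transition (cross-level relabel) like those quoted in 0065 and 0066, so either quote the relabel denial that needs them or hold these two lines until one is observed. If they are kept, a comment above them such as `# relabels entries created at other levels` should record the reason, since these interfaces let the domain move file labels between levels. Separately, the `search` denial on the journal directory labelled `syslogd_var_run_t:s15:c0.c1023` reappears in 0073, 0074, 0075, 0076 and 0077, each adding a per-domain read grant; that pattern suggests the level at which syslogd creates that directory is the root cause and is worth fixing once rather than per client.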
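--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0068-policy-modules-system-logging-add-the-syslogd_t-to-t.patch
@@ -0,0 +1,37 @@
+From f5a6c667186850ba8c5057742195c46d9f7ff8cf Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
+object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 1d45a5fa9..eec0560d1 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -501,6 +501,10 @@ fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_file_read_all_levels(syslogd_t)
++mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
++mls_fd_use_all_levels(syslogd_t)
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+--
+2.17.1
+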
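Review bot: Of the four added lines only `mls_trusted_object(syslogd_t)` is explained by the commit message; `mls_file_read_all_levels(syslogd_t)` and `mls_fd_use_all_levels(syslogd_t)` carry neither a quoted denial nor an inline comment, and read-all-levels in particular lets syslogd_t read files at every level, which is a broader grant than the write case the existing comment justifies. Each of the two should be tied to an observed AVC record in the message or given a one-line comment in the style of its neighbours, e.g. `# Need to read config/state created at other levels` if that is what was seen. The comment on `mls_socket_write_all_levels` also has a typo, `Neet` for `Need`.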
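--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0069-policy-modules-system-init-make-init_t-MLS-trusted-f.patch
@@ -0,0 +1,33 @@
+From b74b8052fd654d6a242bf3d8773a42f376d08fed Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 May 2019 16:41:37 +0800
+Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
+writing to keys at all levels
+
+Fixes:
+type=AVC msg=audit(1559024138.454:31): avc: denied { link } for
+pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/init.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8e85dde72..453ae9b6b 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -207,6 +207,7 @@ mls_file_write_all_levels(init_t)
+mls_process_write_all_levels(init_t)
+mls_fd_use_all_levels(init_t)
+mls_process_set_level(init_t)
++mls_key_write_all_levels(init_t)
+
+# MLS trusted for lowering/raising the level of files
+mls_file_downgrade(init_t)
+--
+2.17.1
+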
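--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0070-policy-modules-system-init-all-init_t-to-read-any-le.patch
@@ -0,0 +1,40 @@
+From 0e29b493136115b9bf397cc59424552c5b354385 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 3 Feb 2016 04:16:06 -0500
+Subject: [PATCH] policy/modules/system/init: all init_t to read any level
+sockets
+
+Fixes:
+avc: denied { listen } for pid=1 comm="systemd" \
+path="/run/systemd/journal/stdout" \
+scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
+tclass=unix_stream_socket permissive=1
+
+systemd[1]: Failded to listen on Journal Socket
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/init.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 453ae9b6b..feed5af5f 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -213,6 +213,9 @@ mls_key_write_all_levels(init_t)
+mls_file_downgrade(init_t)
+mls_file_upgrade(init_t)
+
++# MLS trusted for reading from sockets at any level
++mls_socket_read_all_levels(init_t)
++
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+--
+2.17.1
+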
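Review bot: The Subject line reads `all init_t to read any level sockets` where `allow init_t` is meant, and the quoted systemd message has `Failded` for `Failed`, which looks like a transcription slip; both are in the patch header that ships in the layer, so fix them. The added `mls_socket_read_all_levels(init_t)` itself matches the quoted `listen` denial on the `syslogd_t:s15:c0.c1023` stream socket, and the comment above it follows the style of the `mls_file_downgrade` comment already in this file.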
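--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-logging-allow-auditd_t-to-writ.patch
@@ -0,0 +1,39 @@
+From 71a217de05a084899537462f8b432825b12ab187 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 25 Feb 2016 04:25:08 -0500
+Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
+at any level
+
+Allow auditd_t to write init_t:unix_stream_socket at any level.
+
+Fixes:
+avc: denied { write } for pid=748 comm="auditd" \
+path="socket:[17371]" dev="sockfs" ino=17371 \
+scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+tclass=unix_stream_socket permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index eec0560d1..c22613c0b 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -210,6 +210,8 @@ miscfiles_read_localization(auditd_t)
+
+mls_file_read_all_levels(auditd_t)
+mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+
+seutil_dontaudit_read_config(auditd_t)
+
+--
+2.17.1
+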
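Review bot: The denial quoted in the commit message covers `mls_socket_write_all_levels(auditd_t)` only; `mls_fd_use_all_levels(auditd_t)` is added without a matching record. If it is needed because the `socket:[17371]` object is a descriptor handed down from `init_t` at a different level, say so in a comment, e.g. `# socket fd is passed in from init_t (s0-s15)`; otherwise leave it out until a denial shows it is required. Both new lines would also read better with the same trailing-comment style the existing `mls_file_write_all_levels` line uses.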
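--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0072-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,32 @@
+From 8d1a8ffca75ada3dc576a4013644c9e9cdb45947 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 31 Oct 2019 17:35:59 +0800
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+writing to keys at all levels.
+
+Fixes:
+systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/kernel.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 4dffaef76..34444a2f9 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -362,6 +362,8 @@ mls_fd_use_all_levels(kernel_t)
+# https://bugzilla.redhat.com/show_bug.cgi?id=667370
+mls_file_downgrade(kernel_t)
+
++mls_key_write_all_levels(kernel_t)
++
+ifdef(`distro_redhat',`
+# Bugzilla 222337
+fs_rw_tmpfs_chr_files(kernel_t)
+--
+2.17.1
+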
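Review bot: `mls_key_write_all_levels(kernel_t)` is added with no AVC record in the commit message, only a crda exit-code line, so the patch does not show which key operation on which target was refused or that this is the narrowest interface that resolves it. Record the observed `tclass=key` denial the way 0069 does for `init_t`, and put a one-line comment above the added line naming the trigger, e.g. `# crda started by udev needs to update keys at other levels`, so a later reader can re-validate the grant. As written, the line also sits without a comment between two commented blocks, which breaks the style of the surrounding section.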
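--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch
@@ -0,0 +1,42 @@
+From 212156df805a24852a4762737f7040f1c7bb9b9a Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 23 Jan 2017 08:42:44 +0000
+Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
+trusted for reading from files up to its clearance.
+
+Fixes:
+avc: denied { search } for pid=184 comm="systemd-logind"
+name="journal" dev="tmpfs" ino=10949
+scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=1
+
+avc: denied { watch } for pid=184 comm="systemd-logind"
+path="/run/utmp" dev="tmpfs" ino=12725
+scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 57f4dc40d..1449d2808 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -621,6 +621,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
+
++mls_file_read_to_clearance(systemd_logind_t)
++
+# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+--
+2.17.1
+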
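Review bot: The second quoted denial, `watch` on `initrc_runtime_t:s0` from a domain whose range is `s0-s15`, does not look like an MLS level denial — the target sits at the domain's low level — so `mls_file_read_to_clearance(systemd_logind_t)` probably does not resolve it; confirm it disappears with this change or drop it from the message so the grant is tied only to the journal `search` denial. A short comment above the added line, e.g. `# search journal dir labelled at s15`, would make the reason visible in the policy source, matching the commented grants elsewhere in this file.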
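--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-systemd-systemd-user-sessions-.patch
@@ -0,0 +1,41 @@
+From bea1f53ae2ba7608503051b874db9aecb97d4f00 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 09:39:23 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-user-sessions: make
+systemd_sessions_t MLS trusted for reading/writing from files at all levels
+
+Fixes:
+avc: denied { search } for pid=229 comm="systemd-user-se"
+name="journal" dev="tmpfs" ino=10956
+scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { write } for pid=229 comm="systemd-user-se" name="kmsg"
+dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 1449d2808..6b0f52d15 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1125,6 +1125,8 @@ seutil_read_file_contexts(systemd_sessions_t)
+
+systemd_log_parse_environment(systemd_sessions_t)
+
++mls_file_read_to_clearance(systemd_sessions_t)
++mls_file_write_all_levels(systemd_sessions_t)
+
+#########################################
+#
+--
+2.17.1
+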
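Review bot: `mls_file_write_all_levels(systemd_sessions_t)` is broader than the denial it fixes: the write to `kmsg_device_t:s15:c0.c1023` is within the domain's `s0-s15` clearance, and the read side of the same hunk already uses the narrower `mls_file_read_to_clearance`. If this refpolicy version provides `mls_file_write_to_clearance`, it is the matching choice here; otherwise a comment such as `# write /dev/kmsg labelled at s15` should record why the all-levels form is needed. The Subject line also says "at all levels" while the read grant is to clearance; align the wording with what is actually granted.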
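--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-systemd-systemd-networkd-make-.patch
@@ -0,0 +1,36 @@
+From a75847eb2a5a34c18a4fd24383a696d6c077a117 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 09:59:58 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-networkd: make
+systemd_networkd_t MLS trusted for reading from files up to its clearance
+
+Fixes:
+avc: denied { search } for pid=219 comm="systemd-network"
+name="journal" dev="tmpfs" ino=10956
+scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 6b0f52d15..cfbd9196a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -795,6 +795,8 @@ sysnet_read_config(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
++mls_file_read_to_clearance(systemd_networkd_t)
++
+optional_policy(`
+dbus_system_bus_client(systemd_networkd_t)
+dbus_connect_system_bus(systemd_networkd_t)
+--
+2.17.1
+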
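--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-systemd-systemd-resolved-make-.patch
@@ -0,0 +1,40 @@
+From fac0583bea8eb74c43cd715cf5029d3243e38f95 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 09:47:25 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-resolved: make
+systemd_resolved_t MLS trusted for reading from files up to its clearance
+
+Fixes:
+avc: denied { search } for pid=220 comm="systemd-resolve"
+name="journal" dev="tmpfs" ino=10956
+scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=15102
+scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index cfbd9196a..806468109 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1096,6 +1096,8 @@ init_dgram_send(systemd_resolved_t)
+
+seutil_read_file_contexts(systemd_resolved_t)
+
++mls_file_read_to_clearance(systemd_resolved_t)
++
+systemd_log_parse_environment(systemd_resolved_t)
+systemd_read_networkd_runtime(systemd_resolved_t)
+
+--
+2.17.1
+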
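--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0077-policy-modules-system-systemd-make-systemd-modules_t.patch
@@ -0,0 +1,36 @@
+From 569033512340d791a13c1ee2f269788c55fff63c Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 28 Jun 2020 15:19:44 +0800
+Subject: [PATCH] policy/modules/system/systemd: make systemd-modules_t domain
+MLS trusted for reading from files up to its clearance
+
+Fixes:
+avc: denied { search } for pid=142 comm="systemd-modules"
+name="journal" dev="tmpfs" ino=10990
+scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 806468109..e82a1e64a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -739,6 +739,8 @@ modutils_read_module_objects(systemd_modules_load_t)
+
+systemd_log_parse_environment(systemd_modules_load_t)
+
++mls_file_read_to_clearance(systemd_modules_load_t)
++
+########################################
+#
+# networkd local policy
+--
+2.17.1
+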
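--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
@@ -0,0 +1,70 @@
+From 84b86b1a4dd6f8e535c4b9b4ac2bfa38d202d9d3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 14:52:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator:
+make systemd_generator_t MLS trusted for writing from files up to its
+clearance
+
+Fixes:
+audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
+pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
+pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.382:5): avc: denied { read write }
+for pid=119 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs"
+ino=10127 scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
+audit: type=1400 audit(1592892455.382:6): avc: denied { write } for
+pid=124 comm="systemd-system-" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.383:7): avc: denied { write } for
+pid=122 comm="systemd-rc-loca" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.385:8): avc: denied { write } for
+pid=118 comm="systemd-fstab-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.385:9): avc: denied { write } for
+pid=121 comm="systemd-hiberna" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.386:10): avc: denied { write } for
+pid=123 comm="systemd-run-gen" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e82a1e64a..7e573645b 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -401,6 +401,7 @@ storage_raw_read_fixed_disk(systemd_generator_t)
+systemd_log_parse_environment(systemd_generator_t)
+
+term_dontaudit_use_unallocated_ttys(systemd_generator_t)
++mls_file_write_to_clearance(systemd_generator_t)
+
+optional_policy(`
+fstools_exec(systemd_generator_t)
+--
+2.17.1
+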
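Review bot: The `{ read write }` denial on `tty_device_t:s0` (inner lines 19–22) is at the same low level as the domain's range s0-s15, so it does not look like an MLS write-up denial and `mls_file_write_to_clearance(systemd_generator_t)` (inner line 64) probably does not address it; confirm whether that one is really covered by the neighbouring `term_dontaudit_use_unallocated_ttys` rule or still needs a type-enforcement fix. The subject names only systemd-gpt-auto-generator, yet the quoted denials come from seven different generator binaries all running as `systemd_generator_t`, so the subject and first description line should say the grant covers the whole generator domain, e.g. `Subject: [PATCH] policy/modules/system/systemd: make systemd_generator_t MLS trusted for writing to files up to its clearance`. Stylistically the new rule is glued to the term_ rule above it while 0077, 0079 and 0080 set their mls_ rule apart with blank lines; a short comment such as `# generators write to kmsg_device_t, which is at s15 in the quoted denials` would also record the reason.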
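--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
@@ -0,0 +1,40 @@
+From cb455496193d01761175f35297038f7cf468ebed Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 18 Jun 2020 10:21:04 +0800
+Subject: [PATCH] policy/modules/services/ntp: make nptd_t MLS trusted for
+reading from files at all levels
+
+Fixes:
+avc: denied { search } for pid=193 comm="systemd-timesyn"
+name="journal" dev="tmpfs" ino=10956
+scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { read } for pid=193 comm="systemd-timesyn" name="dbus"
+dev="tmpfs" ino=13971 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/ntp.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
+index 75603e16b..8886cb3bf 100644
+--- a/policy/modules/services/ntp.te
++++ b/policy/modules/services/ntp.te
+@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
+userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
+
++mls_file_read_all_levels(ntpd_t)
++
+ifdef(`init_systemd',`
+allow ntpd_t ntpd_unit_t:file read_file_perms;
+
+--
+2.17.1
+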
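Review bot: `mls_file_read_all_levels(ntpd_t)` (inner line 33) is broader than the quoted denials require: both targets are at s15 and s0, inside ntpd_t's own range s0-s15, so the clearance-bounded `mls_file_read_to_clearance(ntpd_t)` that the sibling patches 0077 and 0080 use would cover them with less privilege, and the subject would then read "up to its clearance" rather than "at all levels". The subject line and the patch filename spell the domain `nptd_t`, while the rule and the denials use `ntpd_t`. The second denial (`{ read }` on `system_dbusd_runtime_t:s0`) is at the domain's low level, so it may be a type-enforcement rather than an MLS denial; worth confirming it actually disappears with this rule.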
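--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0080-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
@@ -0,0 +1,29 @@
+From 0a2e2a58a645bd99242ac5ec60f17fab26a80bf9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 08:19:16 +0800
+Subject: [PATCH] policy/modules/services/avahi: make avahi_t MLS trusted for
+reading from files up to its clearance
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/avahi.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
+index 5643349e3..5994ff3d5 100644
+--- a/policy/modules/services/avahi.te
++++ b/policy/modules/services/avahi.te
+@@ -95,6 +95,8 @@ sysnet_etc_filetrans_config(avahi_t)
+userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
+
++mls_file_read_to_clearance(avahi_t)
++
+optional_policy(`
+dbus_system_domain(avahi_t, avahi_exec_t)
+
+--
+2.17.1
+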
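Review bot: The description carries no `Fixes:` block, unlike 0077, 0078 and 0079, so a reader cannot tell which object at which level avahi_t was denied or whether `mls_file_read_to_clearance(avahi_t)` (inner line 22) is the narrowest rule that resolves it. Add the AVC denial that motivated the change to the description, and put a one-line comment above the rule in avahi.te naming the object it was added for, e.g. `# <object type>:<level> from the recorded denial — reviewed <date>` with the real values filled in. Without that record the MLS read-up override cannot be re-evaluated when the target's labelling changes.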