Diffstat (limited to 'recipes-security/refpolicy/refpolicy_common.inc')
-rw-r--r-- | recipes-security/refpolicy/refpolicy_common.inc | 118 |
1 files changed, 82 insertions, 36 deletions
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 1d9ca93..46cbfa3 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc | |||
@@ -18,41 +18,87 @@ SRC_URI += "file://customizable_types \ | |||
18 | # refpolicy should provide a version of these and place them in your own | 18 | # refpolicy should provide a version of these and place them in your own |
19 | # refpolicy-${PV} directory. | 19 | # refpolicy-${PV} directory. |
20 | SRC_URI += " \ | 20 | SRC_URI += " \ |
21 | file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \ | 21 | file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \ |
22 | file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \ | 22 | file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \ |
23 | file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \ | 23 | file://0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \ |
24 | file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \ | 24 | file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \ |
25 | file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \ | 25 | file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \ |
26 | file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \ | 26 | file://0006-fc-login-apply-login-context-to-login.shadow.patch \ |
27 | file://0007-fc-login-apply-login-context-to-login.shadow.patch \ | 27 | file://0007-fc-bind-fix-real-path-for-bind.patch \ |
28 | file://0008-fc-bind-fix-real-path-for-bind.patch \ | 28 | file://0008-fc-hwclock-add-hwclock-alternatives.patch \ |
29 | file://0009-fc-hwclock-add-hwclock-alternatives.patch \ | 29 | file://0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ |
30 | file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ | 30 | file://0010-fc-ssh-apply-policy-to-ssh-alternatives.patch \ |
31 | file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \ | 31 | file://0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \ |
32 | file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \ | 32 | file://0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ |
33 | file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ | 33 | file://0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ |
34 | file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ | 34 | file://0014-fc-su-apply-policy-to-su-alternatives.patch \ |
35 | file://0015-fc-su-apply-policy-to-su-alternatives.patch \ | 35 | file://0015-fc-fstools-fix-real-path-for-fstools.patch \ |
36 | file://0016-fc-fstools-fix-real-path-for-fstools.patch \ | 36 | file://0016-fc-init-fix-update-alternatives-for-sysvinit.patch \ |
37 | file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \ | 37 | file://0017-fc-brctl-apply-policy-to-brctl-alternatives.patch \ |
38 | file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \ | 38 | file://0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ |
39 | file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \ | 39 | file://0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ |
40 | file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \ | 40 | file://0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ |
41 | file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \ | 41 | file://0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ |
42 | file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \ | 42 | file://0022-fc-ldap-apply-policy-to-ldap-alternatives.patch \ |
43 | file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \ | 43 | file://0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ |
44 | file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \ | 44 | file://0024-fc-screen-apply-policy-to-screen-alternatives.patch \ |
45 | file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \ | 45 | file://0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ |
46 | file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \ | 46 | file://0026-fc-getty-add-file-context-to-start_getty.patch \ |
47 | file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \ | 47 | file://0027-fc-init-add-file-context-to-etc-network-if-files.patch \ |
48 | file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \ | 48 | file://0028-fc-vlock-apply-policy-to-vlock-alternatives.patch \ |
49 | file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \ | 49 | file://0029-fc-cron-apply-policy-to-etc-init.d-crond.patch \ |
50 | file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \ | 50 | file://0030-file_contexts.subs_dist-set-aliase-for-root-director.patch \ |
51 | file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \ | 51 | file://0031-policy-modules-system-logging-add-rules-for-the-syml.patch \ |
52 | file://0032-policy-module-init-update-for-systemd-related-allow-.patch \ | 52 | file://0032-policy-modules-system-logging-add-rules-for-syslogd-.patch \ |
53 | file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \ | 53 | file://0033-policy-modules-system-logging-add-domain-rules-for-t.patch \ |
54 | file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \ | 54 | file://0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ |
55 | " | 55 | file://0035-policy-modules-kernel-terminal-add-rules-for-bsdpty_.patch \ |
56 | file://0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ | ||
57 | file://0037-policy-modules-services-avahi-allow-avahi_t-to-watch.patch \ | ||
58 | file://0038-policy-modules-system-getty-allow-getty_t-watch-gett.patch \ | ||
59 | file://0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch \ | ||
60 | file://0040-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch \ | ||
61 | file://0041-policy-modules-services-rpc-add-capability-dac_read_.patch \ | ||
62 | file://0042-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ | ||
63 | file://0043-policy-modules-services-rngd-fix-security-context-fo.patch \ | ||
64 | file://0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch \ | ||
65 | file://0045-policy-modules-system-udev-allow-udevadm_t-to-search.patch \ | ||
66 | file://0046-policy-modules-udev-do-not-audit-udevadm_t-to-read-w.patch \ | ||
67 | file://0047-policy-modules-services-rdisc-allow-rdisc_t-to-searc.patch \ | ||
68 | file://0048-policy-modules-system-logging-fix-auditd-startup-fai.patch \ | ||
69 | file://0049-policy-modules-services-ssh-make-respective-init-scr.patch \ | ||
70 | file://0050-policy-modules-kernel-terminal-allow-loging-to-reset.patch \ | ||
71 | file://0051-policy-modules-system-selinuxutil-allow-semanage_t-t.patch \ | ||
72 | file://0052-policy-modules-system-sysnetwork-allow-ifconfig_t-to.patch \ | ||
73 | file://0053-policy-modules-services-ntp-allow-ntpd_t-to-watch-sy.patch \ | ||
74 | file://0054-policy-modules-system-systemd-enable-support-for-sys.patch \ | ||
75 | file://0055-policy-modules-system-logging-fix-systemd-journald-s.patch \ | ||
76 | file://0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch \ | ||
77 | file://0057-policy-modules-system-systemd-add-capability-mknod-f.patch \ | ||
78 | file://0058-policy-modules-system-systemd-systemd-gpt-auto-gener.patch \ | ||
79 | file://0059-policy-modules-services-rpc-fix-policy-for-nfsserver.patch \ | ||
80 | file://0060-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch \ | ||
81 | file://0061-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ | ||
82 | file://0062-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ | ||
83 | file://0063-policy-modules-system-setrans-allow-setrans-to-acces.patch \ | ||
84 | file://0064-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \ | ||
85 | file://0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ | ||
86 | file://0066-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ | ||
87 | file://0067-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \ | ||
88 | file://0068-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \ | ||
89 | file://0069-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ | ||
90 | file://0070-policy-modules-system-init-all-init_t-to-read-any-le.patch \ | ||
91 | file://0071-policy-modules-system-logging-allow-auditd_t-to-writ.patch \ | ||
92 | file://0072-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ | ||
93 | file://0073-policy-modules-system-systemd-make-systemd-logind-do.patch \ | ||
94 | file://0074-policy-modules-system-systemd-systemd-user-sessions-.patch \ | ||
95 | file://0075-policy-modules-system-systemd-systemd-networkd-make-.patch \ | ||
96 | file://0076-policy-modules-system-systemd-systemd-resolved-make-.patch \ | ||
97 | file://0077-policy-modules-system-systemd-make-systemd-modules_t.patch \ | ||
98 | file://0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch \ | ||
99 | file://0079-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch \ | ||
100 | file://0080-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch \ | ||
101 | " | ||
56 | 102 | ||
57 | S = "${WORKDIR}/refpolicy" | 103 | S = "${WORKDIR}/refpolicy" |
58 | 104 | ||
@@ -85,7 +131,7 @@ POLICY_NAME ?= "${POLICY_TYPE}" | |||
85 | POLICY_DISTRO ?= "redhat" | 131 | POLICY_DISTRO ?= "redhat" |
86 | POLICY_UBAC ?= "n" | 132 | POLICY_UBAC ?= "n" |
87 | POLICY_UNK_PERMS ?= "allow" | 133 | POLICY_UNK_PERMS ?= "allow" |
88 | POLICY_DIRECT_INITRC ?= "n" | 134 | POLICY_DIRECT_INITRC ?= "y" |
89 | POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}" | 135 | POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}" |
90 | POLICY_MONOLITHIC ?= "n" | 136 | POLICY_MONOLITHIC ?= "n" |
91 | POLICY_CUSTOM_BUILDOPT ?= "" | 137 | POLICY_CUSTOM_BUILDOPT ?= "" |