Diffstat (limited to 'recipes-security/refpolicy/refpolicy_common.inc')
-rw-r--r-- | recipes-security/refpolicy/refpolicy_common.inc | 148 |
1 files changed, 59 insertions, 89 deletions
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 3d2eb89..dffc34a 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc | |||
@@ -1,5 +1,3 @@ | |||
1 | DEFAULT_ENFORCING ??= "enforcing" | ||
2 | |||
3 | SECTION = "admin" | 1 | SECTION = "admin" |
4 | LICENSE = "GPLv2" | 2 | LICENSE = "GPLv2" |
5 | 3 | ||
@@ -24,91 +22,61 @@ SRC_URI += " \ | |||
24 | file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \ | 22 | file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \ |
25 | file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \ | 23 | file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \ |
26 | file://0006-fc-login-apply-login-context-to-login.shadow.patch \ | 24 | file://0006-fc-login-apply-login-context-to-login.shadow.patch \ |
27 | file://0007-fc-bind-fix-real-path-for-bind.patch \ | 25 | file://0007-fc-hwclock-add-hwclock-alternatives.patch \ |
28 | file://0008-fc-hwclock-add-hwclock-alternatives.patch \ | 26 | file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ |
29 | file://0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ | 27 | file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \ |
30 | file://0010-fc-ssh-apply-policy-to-ssh-alternatives.patch \ | 28 | file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \ |
31 | file://0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \ | 29 | file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ |
32 | file://0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ | 30 | file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ |
33 | file://0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ | 31 | file://0013-fc-su-apply-policy-to-su-alternatives.patch \ |
34 | file://0014-fc-su-apply-policy-to-su-alternatives.patch \ | 32 | file://0014-fc-fstools-fix-real-path-for-fstools.patch \ |
35 | file://0015-fc-fstools-fix-real-path-for-fstools.patch \ | 33 | file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \ |
36 | file://0016-fc-init-fix-update-alternatives-for-sysvinit.patch \ | 34 | file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \ |
37 | file://0017-fc-brctl-apply-policy-to-brctl-alternatives.patch \ | 35 | file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ |
38 | file://0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ | 36 | file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ |
39 | file://0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ | 37 | file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ |
40 | file://0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ | 38 | file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ |
41 | file://0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ | 39 | file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \ |
42 | file://0022-fc-ldap-apply-policy-to-ldap-alternatives.patch \ | 40 | file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ |
43 | file://0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ | 41 | file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \ |
44 | file://0024-fc-screen-apply-policy-to-screen-alternatives.patch \ | 42 | file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ |
45 | file://0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ | 43 | file://0025-fc-getty-add-file-context-to-start_getty.patch \ |
46 | file://0026-fc-getty-add-file-context-to-start_getty.patch \ | 44 | file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \ |
47 | file://0027-fc-init-add-file-context-to-etc-network-if-files.patch \ | 45 | file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \ |
48 | file://0028-fc-vlock-apply-policy-to-vlock-alternatives.patch \ | 46 | file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \ |
49 | file://0029-fc-cron-apply-policy-to-etc-init.d-crond.patch \ | 47 | file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \ |
50 | file://0030-fc-sysnetwork-update-file-context-for-ifconfig.patch \ | 48 | file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \ |
51 | file://0031-file_contexts.subs_dist-set-aliase-for-root-director.patch \ | 49 | file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ |
52 | file://0032-policy-modules-system-logging-add-rules-for-the-syml.patch \ | 50 | file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \ |
53 | file://0033-policy-modules-system-logging-add-rules-for-syslogd-.patch \ | 51 | file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ |
54 | file://0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ | 52 | file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \ |
55 | file://0035-policy-modules-system-logging-fix-auditd-startup-fai.patch \ | 53 | file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \ |
56 | file://0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ | 54 | file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ |
57 | file://0037-policy-modules-system-modutils-allow-mod_t-to-access.patch \ | 55 | file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \ |
58 | file://0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch \ | 56 | file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \ |
59 | file://0039-policy-modules-system-getty-allow-getty_t-to-search-.patch \ | 57 | file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \ |
60 | file://0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch \ | 58 | file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \ |
61 | file://0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch \ | 59 | file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \ |
62 | file://0042-policy-modules-services-rpc-add-capability-dac_read_.patch \ | 60 | file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \ |
63 | file://0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ | 61 | file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \ |
64 | file://0044-policy-modules-services-rngd-fix-security-context-fo.patch \ | 62 | file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \ |
65 | file://0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch \ | 63 | file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \ |
66 | file://0046-policy-modules-services-ssh-make-respective-init-scr.patch \ | 64 | file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ |
67 | file://0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch \ | 65 | file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ |
68 | file://0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch \ | 66 | file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \ |
69 | file://0049-policy-modules-system-systemd-enable-support-for-sys.patch \ | 67 | file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \ |
70 | file://0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch \ | 68 | file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ |
71 | file://0051-policy-modules-system-init-add-capability2-bpf-and-p.patch \ | 69 | file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ |
72 | file://0052-policy-modules-system-systemd-allow-systemd_logind_t.patch \ | 70 | file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \ |
73 | file://0053-policy-modules-system-logging-set-label-devlog_t-to-.patch \ | 71 | file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \ |
74 | file://0054-policy-modules-system-systemd-support-systemd-user.patch \ | 72 | file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \ |
75 | file://0055-policy-modules-system-systemd-allow-systemd-generato.patch \ | 73 | file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ |
76 | file://0056-policy-modules-system-systemd-allow-systemd_backligh.patch \ | 74 | file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \ |
77 | file://0057-policy-modules-system-logging-fix-systemd-journald-s.patch \ | 75 | file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \ |
78 | file://0058-policy-modules-services-cron-allow-crond_t-to-search.patch \ | 76 | file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ |
79 | file://0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch \ | 77 | file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ |
80 | file://0060-policy-modules-system-sysnetwork-support-priviledge-.patch \ | 78 | file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ |
81 | file://0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch \ | 79 | file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \ |
82 | file://0062-policy-modules-system-setrans-allow-setrans-to-acces.patch \ | ||
83 | file://0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch \ | ||
84 | file://0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch \ | ||
85 | file://0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch \ | ||
86 | file://0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ | ||
87 | file://0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ | ||
88 | file://0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \ | ||
89 | file://0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \ | ||
90 | file://0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ | ||
91 | file://0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ | ||
92 | file://0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \ | ||
93 | file://0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \ | ||
94 | file://0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ | ||
95 | file://0075-policy-modules-system-init-all-init_t-to-read-any-le.patch \ | ||
96 | file://0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch \ | ||
97 | file://0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ | ||
98 | file://0078-policy-modules-system-systemd-make-systemd-logind-do.patch \ | ||
99 | file://0079-policy-modules-system-systemd-systemd-user-sessions-.patch \ | ||
100 | file://0080-policy-modules-system-systemd-systemd-make-systemd_-.patch \ | ||
101 | file://0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch \ | ||
102 | file://0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ | ||
103 | file://0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch \ | ||
104 | file://0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch \ | ||
105 | file://0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch \ | ||
106 | file://0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch \ | ||
107 | file://0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch \ | ||
108 | file://0088-policy-modules-services-bind-make-named_t-domain-MLS.patch \ | ||
109 | file://0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch \ | ||
110 | file://0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ | ||
111 | file://0091-fc-usermanage-update-file-context-for-chfn-chsh.patch \ | ||
112 | " | 80 | " |
113 | 81 | ||
114 | S = "${WORKDIR}/refpolicy" | 82 | S = "${WORKDIR}/refpolicy" |
@@ -138,8 +106,10 @@ inherit python3native | |||
138 | 106 | ||
139 | PARALLEL_MAKE = "" | 107 | PARALLEL_MAKE = "" |
140 | 108 | ||
109 | DEFAULT_ENFORCING ??= "enforcing" | ||
110 | |||
141 | POLICY_NAME ?= "${POLICY_TYPE}" | 111 | POLICY_NAME ?= "${POLICY_TYPE}" |
142 | POLICY_DISTRO ?= "redhat" | 112 | POLICY_DISTRO ?= "debian" |
143 | POLICY_UBAC ?= "n" | 113 | POLICY_UBAC ?= "n" |
144 | POLICY_UNK_PERMS ?= "allow" | 114 | POLICY_UNK_PERMS ?= "allow" |
145 | POLICY_DIRECT_INITRC ?= "y" | 115 | POLICY_DIRECT_INITRC ?= "y" |
@@ -238,7 +208,7 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile | |||
238 | args = \$@ | 208 | args = \$@ |
239 | [end] | 209 | [end] |
240 | 210 | ||
241 | policy-version = 31 | 211 | policy-version = 33 |
242 | EOF | 212 | EOF |
243 | 213 | ||
244 | # Create policy store and build the policy | 214 | # Create policy store and build the policy |
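Review bot: The new default `POLICY_DISTRO ?= "debian"` on new line 112 (hunk `@@ -138,8 +106,10 @@`) changes which distro-conditional rules and file contexts every build that does not set POLICY_DISTRO itself receives, yet the line carries no comment explaining the switch away from "redhat". I would put `# Build the debian variant of refpolicy by default; set POLICY_DISTRO in distro or local.conf to select another.` above it so the `?=` override path is obvious to layer maintainers. The `policy-version = 33` emitted into the generated build.conf on new line 211 (the heredoc starts outside the hunk) deserves a similar note, since a binary policy at that version only loads on a target whose kernel reports at least 33 in /sys/fs/selinux/policyvers, e.g. `# must not exceed the policy version supported by the target kernel`. The SRC_URI list in the second hunk shrinks by 30 entries and renumbers the rest, presumably because those fixes were upstreamed in the refpolicy update; a sentence in the commit message naming what was upstreamed versus intentionally dropped would make that verifiable.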