From 0d58268e290fe9dfa1c17d97b9ca7709aa53d595 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 11 Oct 2023 10:50:24 +0800 Subject: refpolicy: upgrade 20221101+git -> 20231002+git * Switch branch to main. * Update to latest git rev. * Drop obsolete and useless patches. * Refresh patches. Signed-off-by: Yi Zhao Signed-off-by: Joe MacDonald --- ...-volatile-alias-common-var-volatile-paths.patch | 2 +- ...icy-minimum-make-sysadmin-module-optional.patch | 10 +- ...argeted-make-unconfined_u-the-default-sel.patch | 4 +- ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 2 +- ...efpolicy-minimum-make-xdg-module-optional.patch | 6 +- ...-apply-policy-to-common-yocto-hostname-al.patch | 2 +- ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 6 +- ...onf-label-resolv.conf-in-var-run-properly.patch | 2 +- ...login-apply-login-context-to-login.shadow.patch | 8 +- .../0007-fc-hwclock-add-hwclock-alternatives.patch | 2 +- ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 2 +- ...9-fc-ssh-apply-policy-to-ssh-alternatives.patch | 2 +- ...rk-apply-policy-to-network-commands-alter.patch | 2 +- ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 ++++++ ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 29 ------ ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 ------ ...012-fc-su-apply-policy-to-su-alternatives.patch | 27 ++++++ ...0013-fc-fstools-fix-real-path-for-fstools.patch | 74 +++++++++++++++ ...013-fc-su-apply-policy-to-su-alternatives.patch | 27 ------ ...0014-fc-fstools-fix-real-path-for-fstools.patch | 77 --------------- ...init-fix-update-alternatives-for-sysvinit.patch | 55 +++++++++++ ...-brctl-apply-policy-to-brctl-alternatives.patch | 24 +++++ ...init-fix-update-alternatives-for-sysvinit.patch | 55 ----------- ...-brctl-apply-policy-to-brctl-alternatives.patch | 24 ----- ...ands-apply-policy-to-nologin-alternatives.patch | 28 ++++++ ...ands-apply-policy-to-nologin-alternatives.patch | 28 ------ ...ogin-apply-policy-to-sulogin-alternatives.patch | 25 +++++ ...ogin-apply-policy-to-sulogin-alternatives.patch | 25 ----- ...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 ++++++ ...ros-apply-policy-to-kerberos-alternatives.patch | 50 ++++++++++ ...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 ------ ...ros-apply-policy-to-kerberos-alternatives.patch | 50 ---------- ...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 ++++++++ ...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 -------- ...ql-apply-policy-to-postgresql-alternative.patch | 37 ++++++++ ...ql-apply-policy-to-postgresql-alternative.patch | 37 -------- ...creen-apply-policy-to-screen-alternatives.patch | 25 +++++ ...creen-apply-policy-to-screen-alternatives.patch | 25 ----- ...ge-apply-policy-to-usermanage-alternative.patch | 57 +++++++++++ ...-fc-getty-add-file-context-to-start_getty.patch | 27 ++++++ ...ge-apply-policy-to-usermanage-alternative.patch | 57 ----------- ...-fc-getty-add-file-context-to-start_getty.patch | 27 ------ ...-vlock-apply-policy-to-vlock-alternatives.patch | 25 +++++ ...text-for-init-scripts-and-systemd-service.patch | 64 +++++++++++++ ...-vlock-apply-policy-to-vlock-alternatives.patch | 25 ----- ...text-for-init-scripts-and-systemd-service.patch | 64 ------------- ...ts.subs_dist-set-aliase-for-root-director.patch | 30 ++++++ ...ts.subs_dist-set-aliase-for-root-director.patch | 30 ------ ...les-system-logging-add-rules-for-the-syml.patch | 91 ++++++++++++++++++ ...les-system-logging-add-rules-for-syslogd-.patch | 34 +++++++ ...les-system-logging-add-rules-for-the-syml.patch | 104 --------------------- ...les-kernel-files-add-rules-for-the-symlin.patch | 102 ++++++++++++++++++++ ...les-system-logging-add-rules-for-syslogd-.patch | 34 ------- ...les-kernel-files-add-rules-for-the-symlin.patch | 102 -------------------- ...les-system-logging-fix-auditd-startup-fai.patch | 41 ++++++++ ...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 ++++++++ ...les-system-logging-fix-auditd-startup-fai.patch | 41 -------- ...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 -------- ...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 34 +++++++ ...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 34 ------- ...les-system-systemd-enable-support-for-sys.patch | 46 +++++++++ ...les-system-logging-allow-systemd-tmpfiles.patch | 43 +++++++++ ...les-system-systemd-enable-support-for-sys.patch | 64 ------------- ...les-system-systemd-allow-systemd_logind_t.patch | 6 +- ...les-roles-sysadm-allow-sysadm-to-use-init.patch | 6 +- ...modules-system-systemd-systemd-user-fixes.patch | 83 ++++++++-------- ...les-system-mount-make-mount_t-domain-MLS-.patch | 6 +- ...les-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 4 +- ...les-services-rpc-make-nfsd_t-domain-MLS-t.patch | 6 +- ...les-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | 2 +- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 6 +- ...les-system-init-make-init_t-MLS-trusted-f.patch | 6 +- ...les-system-systemd-make-systemd-tmpfiles_.patch | 6 +- ...les-system-systemd-systemd-make-systemd_-.patch | 12 +-- ...les-system-logging-add-the-syslogd_t-to-t.patch | 6 +- ...les-system-init-make-init_t-MLS-trusted-f.patch | 6 +- ...les-system-init-all-init_t-to-read-any-le.patch | 6 +- ...les-system-logging-allow-auditd_t-to-writ.patch | 6 +- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 6 +- ...les-system-setrans-allow-setrans_t-use-fd.patch | 2 +- ...les-system-systemd-make-_systemd_t-MLS-tr.patch | 6 +- ...les-system-logging-make-syslogd_runtime_t.patch | 6 +- recipes-security/refpolicy/refpolicy_common.inc | 50 +++++----- recipes-security/refpolicy/refpolicy_git.inc | 6 +- 84 files changed, 1221 insertions(+), 1234 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch create mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch create mode 100644 recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch create mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch create mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch create mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch create mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch create mode 100644 recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch create mode 100644 recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch create mode 100644 recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch create mode 100644 recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch create mode 100644 recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch create mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch create mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch create mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch create mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch index 1605d90..2b879d2 100644 --- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch +++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch @@ -1,4 +1,4 @@ -From ee66387c393af77b88c833f5d271efe48036112c Mon Sep 17 00:00:00 2001 +From 1d96fd0c6906566d40cb4c4f2c8a30fe80ed4ad4 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 16:14:09 -0400 Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch index 657c5cd..50e0339 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch @@ -1,4 +1,4 @@ -From 0e3b79ae0ae468640d7092c9a91a91d258d07645 Mon Sep 17 00:00:00 2001 +From 6c5f86f8c5e5fda6ded270753d0535a31ebfbab0 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 5 Apr 2019 11:53:28 -0400 Subject: [PATCH] refpolicy-minimum: make sysadmin module optional @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 671b5aef3..8ce3d5956 100644 +index e94a29a73..6b1879bb4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -615,13 +615,15 @@ ifdef(`init_systemd',` +@@ -638,13 +638,15 @@ ifdef(`init_systemd',` unconfined_write_keys(init_t) ') ',` @@ -48,10 +48,10 @@ index 671b5aef3..8ce3d5956 100644 ') ') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 7728de804..a8ff403dd 100644 +index 8330be8a9..933e94b24 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -274,7 +274,9 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 64e658e..fb92e6c 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch @@ -1,4 +1,4 @@ -From 60b4e5ea5668a71b2a0660461daecea66fd11d51 Mon Sep 17 00:00:00 2001 +From c26f856ac11b3d61aff56c4e512bedca811cf004 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 20 Apr 2020 11:50:03 +0800 Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux @@ -38,7 +38,7 @@ index ce614b41b..c0903d98b 100644 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index d116a1b9b..32720f68f 100644 +index 6431d35da..922e7e285 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch index ef00602..26669ba 100644 --- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch @@ -1,4 +1,4 @@ -From 8fa6c5b7b99a50b09e9dffd142c066fa41319750 Mon Sep 17 00:00:00 2001 +From c94348cbaacfdc47a50cc93c8d52295f09b3c1f2 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 20:48:10 -0400 Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch index 25afa3b..75ff75e 100644 --- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch @@ -1,4 +1,4 @@ -From 9a8d6b634d4f714fc63125be5e23228c565d1aaf Mon Sep 17 00:00:00 2001 +From c69e55b03777ee15701ebb9b53b288fc773dbd87 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 29 Sep 2021 11:08:49 +0800 Subject: [PATCH] refpolicy-minimum: make xdg module optional @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7b717d3ba..3b07b368d 100644 +index 52c7b5346..d9f21b6bf 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -298,10 +298,14 @@ init_unit_file(systemd_user_manager_unit_t) +@@ -305,10 +305,14 @@ init_unit_file(systemd_user_manager_unit_t) type systemd_conf_home_t; init_unit_file(systemd_conf_home_t) diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch index 94ac31b..140af4e 100644 --- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch @@ -1,4 +1,4 @@ -From 5a0bbd1920205f488b6a4565f7217b9d0825067b Mon Sep 17 00:00:00 2001 +From cb1c9ffb1c8f2c615731c2afae81b687a59b94c4 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fc/hostname: apply policy to common yocto hostname diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index eff0255..13a0343 100644 --- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch @@ -1,4 +1,4 @@ -From c9219d2f7be1e641b3866b770a9b570c12333b93 Mon Sep 17 00:00:00 2001 +From 23f156d0adc37eb9f6f8308c28da4db0bac48200 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:37:32 -0400 Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0c05c693d..b70940928 100644 +index f031e1704..30ac066e4 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc -@@ -142,6 +142,7 @@ ifdef(`distro_gentoo',` +@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',` /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index 06c8087..e3d9e93 100644 --- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch @@ -1,4 +1,4 @@ -From 51631a7eaaea1fab4b36a2488497cf725317ce6e Mon Sep 17 00:00:00 2001 +From 10df3192847b50162c7f404b6c5bd1a010951112 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 4 Apr 2019 10:45:03 -0400 Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch index 70c5566..a1125d8 100644 --- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch +++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch @@ -1,4 +1,4 @@ -From 1c61b10d21a22d4110bc880b23477295f6cd9efb Mon Sep 17 00:00:00 2001 +From 61900d0f5576fa0cd8297a011f60cb9a40cefc7b Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:43:53 -0400 Subject: [PATCH] fc/login: apply login context to login.shadow @@ -12,11 +12,11 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 50efcff7b..5cb48882c 100644 +index adb53a05a..a25a9d607 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -6,6 +6,7 @@ - /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) +@@ -8,6 +8,7 @@ + /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_history_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch index 2f9f703..26bc8a0 100644 --- a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch @@ -1,4 +1,4 @@ -From e4d7d9fb1cb157bf205874e1a81d5719017866a1 Mon Sep 17 00:00:00 2001 +From e393201b6f3c0242ccc41dd86eada8be97326a08 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:59:18 -0400 Subject: [PATCH] fc/hwclock: add hwclock alternatives diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch index 6e576a8..5449754 100644 --- a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch @@ -1,4 +1,4 @@ -From ac6536f04674ccc051744e6eb3644e68fe38da33 Mon Sep 17 00:00:00 2001 +From 2d5ca79ed3f775878b91d76e952644b1347d5f9e Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 29 Mar 2019 08:26:55 -0400 Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch index 611c0d3..7fada95 100644 --- a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch @@ -1,4 +1,4 @@ -From a56887ca448b60ad6715348b2cfe533e8109a040 Mon Sep 17 00:00:00 2001 +From d676349ee55f8c1c16b9d5c6770b9137391d396e Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 29 Mar 2019 09:20:58 -0400 Subject: [PATCH] fc/ssh: apply policy to ssh alternatives diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch index 7af147d..5886168 100644 --- a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch @@ -1,4 +1,4 @@ -From 47a5e9a0bd4960534998798ab1a5ab62e77b2b61 Mon Sep 17 00:00:00 2001 +From 6730f53849cce4d2586a6e6540f3e7aae1117236 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Tue, 9 Jun 2015 21:22:52 +0530 Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch new file mode 100644 index 0000000..2d1d287 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch @@ -0,0 +1,27 @@ +From cfb5cec05c98a65d8eb086868444a6e74e1f96bf Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Fri, 29 Mar 2019 09:54:07 -0400 +Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/admin/rpm.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc +index 3f842f942..12973ac8b 100644 +--- a/policy/modules/admin/rpm.fc ++++ b/policy/modules/admin/rpm.fc +@@ -71,4 +71,6 @@ ifdef(`distro_redhat',` + + ifdef(`enable_mls',` + /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) + ') +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch deleted file mode 100644 index 434fc1d..0000000 --- a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch +++ /dev/null @@ -1,29 +0,0 @@ -From bbc6eb20e9509a61236051df7a5fa552a8f2654d Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 09:36:08 -0400 -Subject: [PATCH] fc/udev: apply policy to udevadm in libexec - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/udev.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 7898ff01c..bc717e60c 100644 ---- a/policy/modules/system/udev.fc -+++ b/policy/modules/system/udev.fc -@@ -24,6 +24,8 @@ ifdef(`distro_debian',` - /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) - /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) - -+/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) -+ - ifdef(`distro_redhat',` - /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) - ') --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch deleted file mode 100644 index bf562d6..0000000 --- a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 00533fded8e2264f8bdc68c8ed79644a10e4e2ad Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 09:54:07 -0400 -Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/admin/rpm.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index 3f842f942..12973ac8b 100644 ---- a/policy/modules/admin/rpm.fc -+++ b/policy/modules/admin/rpm.fc -@@ -71,4 +71,6 @@ ifdef(`distro_redhat',` - - ifdef(`enable_mls',` - /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch new file mode 100644 index 0000000..f1138d6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch @@ -0,0 +1,27 @@ +From dd1663aaffec1f7b36097c742094c9c239342d9f Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 13 Feb 2014 00:33:07 -0500 +Subject: [PATCH] fc/su: apply policy to su alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/admin/su.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc +index 3375c9692..a9868cd58 100644 +--- a/policy/modules/admin/su.fc ++++ b/policy/modules/admin/su.fc +@@ -1,3 +1,5 @@ + /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) + /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) + /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch new file mode 100644 index 0000000..4bc2bbc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch @@ -0,0 +1,74 @@ +From 9cd6000d7d01cee2eb92038bf4361f603736200b Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Mon, 27 Jan 2014 03:54:01 -0500 +Subject: [PATCH] fc/fstools: fix real path for fstools + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/fstools.fc | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index 63423802d..124109a68 100644 +--- a/policy/modules/system/fstools.fc ++++ b/policy/modules/system/fstools.fc +@@ -58,7 +58,9 @@ + /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -72,10 +74,13 @@ + /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -83,13 +88,16 @@ + /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -99,8 +107,10 @@ + /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch deleted file mode 100644 index 32d38f1..0000000 --- a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 4b202554e646a60000c1acad7bbdfae1078bdc10 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 13 Feb 2014 00:33:07 -0500 -Subject: [PATCH] fc/su: apply policy to su alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/admin/su.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index 3375c9692..a9868cd58 100644 ---- a/policy/modules/admin/su.fc -+++ b/policy/modules/admin/su.fc -@@ -1,3 +1,5 @@ - /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) - /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) - /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch deleted file mode 100644 index de0aad7..0000000 --- a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch +++ /dev/null @@ -1,77 +0,0 @@ -From f64a5d6a2f2e72ae6c5122220eb759117b6384c8 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Mon, 27 Jan 2014 03:54:01 -0500 -Subject: [PATCH] fc/fstools: fix real path for fstools - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Shrikant Bobade -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/fstools.fc | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 8fbd5ce44..2842afbcc 100644 ---- a/policy/modules/system/fstools.fc -+++ b/policy/modules/system/fstools.fc -@@ -58,7 +58,9 @@ - /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -72,10 +74,13 @@ - /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -83,24 +88,30 @@ - /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch new file mode 100644 index 0000000..746a8be --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch @@ -0,0 +1,55 @@ +From 4c6db6e9d637c6ecde7d104ae3544d18004d2a2c Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] fc/init: fix update-alternatives for sysvinit + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/admin/shutdown.fc | 1 + + policy/modules/kernel/corecommands.fc | 2 ++ + policy/modules/system/init.fc | 1 + + 3 files changed, 4 insertions(+) + +diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc +index 89d682d36..354f4d1d9 100644 +--- a/policy/modules/admin/shutdown.fc ++++ b/policy/modules/admin/shutdown.fc +@@ -7,5 +7,6 @@ + + /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 30ac066e4..1edc035f3 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -153,6 +153,8 @@ ifdef(`distro_gentoo',` + /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) + /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0) + /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 9ebd6094c..e9e9eae85 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -48,6 +48,7 @@ ifdef(`distro_gentoo',` + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch new file mode 100644 index 0000000..c592e8e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch @@ -0,0 +1,24 @@ +From e95592bb4138b7bbf3e7725144ac2cbe9cecc4cd Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 10:19:54 +0800 +Subject: [PATCH] fc/brctl: apply policy to brctl alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/brctl.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc +index ed472f095..2a852b0fd 100644 +--- a/policy/modules/admin/brctl.fc ++++ b/policy/modules/admin/brctl.fc +@@ -1,3 +1,4 @@ + /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) + + /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) ++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch deleted file mode 100644 index 5e9c197..0000000 --- a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 6d2a96abd1e292d0c34ff77501e618cfc193655f Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fc/init: fix update-alternatives for sysvinit - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/admin/shutdown.fc | 1 + - policy/modules/kernel/corecommands.fc | 2 ++ - policy/modules/system/init.fc | 1 + - 3 files changed, 4 insertions(+) - -diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc -index bf51c103f..91ed72be0 100644 ---- a/policy/modules/admin/shutdown.fc -+++ b/policy/modules/admin/shutdown.fc -@@ -5,5 +5,6 @@ - /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index b70940928..e6077fd5b 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',` - /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) - /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0) - /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 1a99e5824..7f0b7c699 100644 ---- a/policy/modules/system/init.fc -+++ b/policy/modules/system/init.fc -@@ -41,6 +41,7 @@ ifdef(`distro_gentoo',` - /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) -+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch deleted file mode 100644 index b0ba609..0000000 --- a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 2e9c22ee83b7d4fea7b177ca8111c06e69338db9 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:19:54 +0800 -Subject: [PATCH] fc/brctl: apply policy to brctl alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/admin/brctl.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc -index ed472f095..2a852b0fd 100644 ---- a/policy/modules/admin/brctl.fc -+++ b/policy/modules/admin/brctl.fc -@@ -1,3 +1,4 @@ - /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) - - /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) -+/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch new file mode 100644 index 0000000..8047863 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch @@ -0,0 +1,28 @@ +From 788d2c125f18dce9e0871fb260b4a0c394b9db53 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 10:21:51 +0800 +Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/corecommands.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 1edc035f3..258d97c3c 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -308,6 +308,8 @@ ifdef(`distro_debian',` + /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) + /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) + /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch deleted file mode 100644 index 58ac463..0000000 --- a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c43f2d7ddf1d0c2185796e0297dd9f85b9663aaf Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:21:51 +0800 -Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/corecommands.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index e6077fd5b..0df59e837 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -306,6 +306,8 @@ ifdef(`distro_debian',` - /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) - /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) - /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch new file mode 100644 index 0000000..3dd959c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch @@ -0,0 +1,25 @@ +From 03199ca4933ef2760c0e575a76e90521117ea4c3 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 10:43:28 +0800 +Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/locallogin.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc +index fc8d58507..59e6e9601 100644 +--- a/policy/modules/system/locallogin.fc ++++ b/policy/modules/system/locallogin.fc +@@ -2,4 +2,5 @@ + /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) + + /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) ++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0) + /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch deleted file mode 100644 index 3c43254..0000000 --- a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 11c95928e325aea7e4c41a9cdf969f9bdd306611 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:43:28 +0800 -Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/locallogin.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc -index fc8d58507..59e6e9601 100644 ---- a/policy/modules/system/locallogin.fc -+++ b/policy/modules/system/locallogin.fc -@@ -2,4 +2,5 @@ - /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) - - /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) -+/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0) - /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch new file mode 100644 index 0000000..1d902f2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch @@ -0,0 +1,27 @@ +From ee9c65a2d3db145309bd2898223f8229915c304c Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 10:45:23 +0800 +Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/ntp.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc +index 9243f3304..e13cf6a9b 100644 +--- a/policy/modules/services/ntp.fc ++++ b/policy/modules/services/ntp.fc +@@ -25,6 +25,7 @@ + /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) + + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) ++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch new file mode 100644 index 0000000..778ed43 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch @@ -0,0 +1,50 @@ +From 435ae64d593cc09b1109d0457f7ba084259090e8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 10:55:05 +0800 +Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/kerberos.fc | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc +index df21fcc78..ce0166edd 100644 +--- a/policy/modules/services/kerberos.fc ++++ b/policy/modules/services/kerberos.fc +@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + + /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + + /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + + /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) + ++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++ + /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) + /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch deleted file mode 100644 index cbae4c5..0000000 --- a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 5841a5bd25e6017b6ccff4f56628ad6e950eadad Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:45:23 +0800 -Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ntp.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc -index cd69ea5d5..49ffe6f68 100644 ---- a/policy/modules/services/ntp.fc -+++ b/policy/modules/services/ntp.fc -@@ -25,6 +25,7 @@ - /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - - /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -+/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch deleted file mode 100644 index 76e7fe9..0000000 --- a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 8126ec521e5a0f72da098f5d90b5b5b392006b7c Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:55:05 +0800 -Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/kerberos.fc | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index df21fcc78..ce0166edd 100644 ---- a/policy/modules/services/kerberos.fc -+++ b/policy/modules/services/kerberos.fc -@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - - /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) - /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - - /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) - /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - - /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -+/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ - /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) - /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) - /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch new file mode 100644 index 0000000..baad70c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch @@ -0,0 +1,40 @@ +From a1c0776ac6405d1b6aeadf07cc222f5cc9daa424 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:06:13 +0800 +Subject: [PATCH] fc/ldap: apply policy to ldap alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/ldap.fc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc +index 0a1d08d0f..65b202962 100644 +--- a/policy/modules/services/ldap.fc ++++ b/policy/modules/services/ldap.fc +@@ -1,8 +1,10 @@ + /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) + /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) + + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + + /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +@@ -25,6 +27,9 @@ + /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) + /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) + ++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) ++ + /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0) + /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0) + /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch deleted file mode 100644 index a46c9c9..0000000 --- a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch +++ /dev/null @@ -1,40 +0,0 @@ -From c71ea08245069001b56aadd7bb0af28e019f45e4 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:06:13 +0800 -Subject: [PATCH] fc/ldap: apply policy to ldap alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ldap.fc | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index 0a1d08d0f..65b202962 100644 ---- a/policy/modules/services/ldap.fc -+++ b/policy/modules/services/ldap.fc -@@ -1,8 +1,10 @@ - /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) - /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) - /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) - - /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) - - /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -@@ -25,6 +27,9 @@ - /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) - /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) - -+/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) -+ - /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0) - /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0) - /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch new file mode 100644 index 0000000..8bce781 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch @@ -0,0 +1,37 @@ +From dd6dc74388daffba5c336059fbc046e632bee0f6 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:13:16 +0800 +Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/postgresql.fc | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc +index f31a52cf8..f9bf46870 100644 +--- a/policy/modules/services/postgresql.fc ++++ b/policy/modules/services/postgresql.fc +@@ -27,6 +27,17 @@ + /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) + ++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) ++ + ifdef(`distro_redhat', ` + /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + ') +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch deleted file mode 100644 index 0a0464f..0000000 --- a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 72726c1bc51628e6eb56e758f1e334f9b9a0f17e Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:13:16 +0800 -Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/postgresql.fc | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index f31a52cf8..f9bf46870 100644 ---- a/policy/modules/services/postgresql.fc -+++ b/policy/modules/services/postgresql.fc -@@ -27,6 +27,17 @@ - /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) - /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) - -+/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) -+ - ifdef(`distro_redhat', ` - /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - ') --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch new file mode 100644 index 0000000..7fba90e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch @@ -0,0 +1,25 @@ +From 7d78632d5553fcddf12dd57de56ff15b057625ab Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:15:33 +0800 +Subject: [PATCH] fc/screen: apply policy to screen alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/apps/screen.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc +index e51e01d97..238dc263e 100644 +--- a/policy/modules/apps/screen.fc ++++ b/policy/modules/apps/screen.fc +@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) + /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) + + /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) + /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch deleted file mode 100644 index e95cb3c..0000000 --- a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 003a22f73563ef7b8b4ab6a6a0cb4a920a43570f Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:15:33 +0800 -Subject: [PATCH] fc/screen: apply policy to screen alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/apps/screen.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc -index e51e01d97..238dc263e 100644 ---- a/policy/modules/apps/screen.fc -+++ b/policy/modules/apps/screen.fc -@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) - /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) - - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) - /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch new file mode 100644 index 0000000..b65e3b0 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch @@ -0,0 +1,57 @@ +From 074eff7d27765a1f489f3a787d7f6f64a890f07e Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:25:34 +0800 +Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/usermanage.fc | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index 7209a8dd0..c9dc1f000 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -4,8 +4,13 @@ ifdef(`distro_debian',` + + /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +@@ -15,6 +20,7 @@ ifdef(`distro_debian',` + /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +@@ -26,6 +32,7 @@ ifdef(`distro_debian',` + /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + + /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +@@ -41,6 +48,7 @@ ifdef(`distro_debian',` + /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch new file mode 100644 index 0000000..b1a85b4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch @@ -0,0 +1,27 @@ +From dca38e304bb64a5c3a18d02521f56ffe461ec126 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 16:07:30 +0800 +Subject: [PATCH] fc/getty: add file context to start_getty + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/getty.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index 116ea6421..53ff6137b 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -4,6 +4,7 @@ + /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) + + /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch deleted file mode 100644 index a92b809..0000000 --- a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch +++ /dev/null @@ -1,57 +0,0 @@ -From fdf7c2d27b6ecf08c88bb98e52a7d8284ac828af Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:25:34 +0800 -Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/admin/usermanage.fc | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index 7209a8dd0..c9dc1f000 100644 ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -4,8 +4,13 @@ ifdef(`distro_debian',` - - /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -@@ -15,6 +20,7 @@ ifdef(`distro_debian',` - /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) -@@ -26,6 +32,7 @@ ifdef(`distro_debian',` - /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) - - /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -@@ -41,6 +48,7 @@ ifdef(`distro_debian',` - /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - - /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch deleted file mode 100644 index f6fa8a0..0000000 --- a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 863ece4fd9815997486c04ce89180707435669e4 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 16:07:30 +0800 -Subject: [PATCH] fc/getty: add file context to start_getty - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/getty.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc -index 116ea6421..53ff6137b 100644 ---- a/policy/modules/system/getty.fc -+++ b/policy/modules/system/getty.fc -@@ -4,6 +4,7 @@ - /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) - - /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) -+/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) - - /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch new file mode 100644 index 0000000..de97331 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch @@ -0,0 +1,25 @@ +From ae142b7d993a7f03b6ff1cf4f7a49c3aec77fe1c Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 18 Dec 2019 15:04:41 +0800 +Subject: [PATCH] fc/vlock: apply policy to vlock alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/apps/vlock.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc +index f668cde9c..c4bc50984 100644 +--- a/policy/modules/apps/vlock.fc ++++ b/policy/modules/apps/vlock.fc +@@ -1,4 +1,5 @@ + /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) ++/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0) + /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) + + /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch new file mode 100644 index 0000000..c47984d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch @@ -0,0 +1,64 @@ +From 1096b2eb1172506006691e90769e51a086b8374f Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 30 Jun 2020 10:45:57 +0800 +Subject: [PATCH] fc: add fcontext for init scripts and systemd service files + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/cron.fc | 1 + + policy/modules/services/rngd.fc | 1 + + policy/modules/services/rpc.fc | 2 ++ + policy/modules/system/logging.fc | 1 + + 4 files changed, 5 insertions(+) + +diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc +index 827363d88..e8412396d 100644 +--- a/policy/modules/services/cron.fc ++++ b/policy/modules/services/cron.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + + /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc +index 382c067f9..0ecc5acc4 100644 +--- a/policy/modules/services/rngd.fc ++++ b/policy/modules/services/rngd.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + + /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) + +diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc +index 75c2f0617..fa881ba2e 100644 +--- a/policy/modules/services/rpc.fc ++++ b/policy/modules/services/rpc.fc +@@ -1,7 +1,9 @@ + /etc/exports -- gen_context(system_u:object_r:exports_t,s0) + + /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + + /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 3b0dea51b..0ce2bec4b 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -24,6 +24,7 @@ + /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) + /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) ++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch deleted file mode 100644 index 7f63b14..0000000 --- a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 5bb33b7d9d7915399cca7d8c6fbdd9c0e27c1cd8 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 18 Dec 2019 15:04:41 +0800 -Subject: [PATCH] fc/vlock: apply policy to vlock alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/apps/vlock.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc -index f668cde9c..c4bc50984 100644 ---- a/policy/modules/apps/vlock.fc -+++ b/policy/modules/apps/vlock.fc -@@ -1,4 +1,5 @@ - /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) -+/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0) - /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) - - /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch deleted file mode 100644 index cfb2fd5..0000000 --- a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 574df1810c8f32bbf24b223f72f6622b0df7e82c Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 30 Jun 2020 10:45:57 +0800 -Subject: [PATCH] fc: add fcontext for init scripts and systemd service files - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/cron.fc | 1 + - policy/modules/services/rngd.fc | 1 + - policy/modules/services/rpc.fc | 2 ++ - policy/modules/system/logging.fc | 1 + - 4 files changed, 5 insertions(+) - -diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 827363d88..e8412396d 100644 ---- a/policy/modules/services/cron.fc -+++ b/policy/modules/services/cron.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - - /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc -index 382c067f9..0ecc5acc4 100644 ---- a/policy/modules/services/rngd.fc -+++ b/policy/modules/services/rngd.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) - - /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) - -diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc -index 75c2f0617..fa881ba2e 100644 ---- a/policy/modules/services/rpc.fc -+++ b/policy/modules/services/rpc.fc -@@ -1,7 +1,9 @@ - /etc/exports -- gen_context(system_u:object_r:exports_t,s0) - - /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - - /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 5681acb51..4ff5f990a 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -24,6 +24,7 @@ - /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) - /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) -+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch new file mode 100644 index 0000000..a527d94 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch @@ -0,0 +1,30 @@ +From 153bdbda047a3e769983000b4c8263eb4bfd2031 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Sun, 5 Apr 2020 22:03:45 +0800 +Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory + +The genhomedircon.py will expand /root directory to /home/root. +Add an aliase for it + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + config/file_contexts.subs_dist | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist +index 690007f22..f80499ebf 100644 +--- a/config/file_contexts.subs_dist ++++ b/config/file_contexts.subs_dist +@@ -45,3 +45,7 @@ + /usr/lib/busybox/bin /usr/bin + /usr/lib/busybox/sbin /usr/sbin + /usr/lib/busybox/usr /usr ++ ++# The genhomedircon.py will expand /root home directory to /home/root ++# Add an aliase for it ++/root /home/root +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch deleted file mode 100644 index 82b4708..0000000 --- a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 01f57c996e09fb68daf3d97805c46c27a6d34304 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Sun, 5 Apr 2020 22:03:45 +0800 -Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory - -The genhomedircon.py will expand /root directory to /home/root. -Add an aliase for it - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - config/file_contexts.subs_dist | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 690007f22..f80499ebf 100644 ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -45,3 +45,7 @@ - /usr/lib/busybox/bin /usr/bin - /usr/lib/busybox/sbin /usr/sbin - /usr/lib/busybox/usr /usr -+ -+# The genhomedircon.py will expand /root home directory to /home/root -+# Add an aliase for it -+/root /home/root --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch new file mode 100644 index 0000000..5c4e023 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch @@ -0,0 +1,91 @@ +From f08f3c554d70c9cd11f0297678bb4a29b8ab034b Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of + /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw... in /var/log/ directory. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 0ce2bec4b..8957366b0 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` + /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 49028a0cb..4381d2e83 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -1091,10 +1091,12 @@ interface(`logging_append_all_inherited_logs',` + interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, logfile, logfile) + ') + +@@ -1175,6 +1177,7 @@ interface(`logging_manage_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir manage_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1195,6 +1198,7 @@ interface(`logging_relabel_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir relabel_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1215,6 +1219,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -1316,6 +1321,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1334,6 +1340,7 @@ interface(`logging_watch_generic_logs_dir',` + ') + + allow $1 var_log_t:dir watch; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch new file mode 100644 index 0000000..2889ee8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch @@ -0,0 +1,34 @@ +From a40442cbc570b9b028ebc1da0115bc368e165c29 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Fri, 29 Mar 2019 10:33:18 -0400 +Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink + of /var/log + +We have added rules for the symlink of /var/log in logging.if, while +syslogd_t uses /var/log but does not use the interfaces in logging.if. So +still need add a individual rule for syslogd_t. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 9d9a01fcc..45584dba6 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -425,6 +425,7 @@ files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; ++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; + + # for systemd but can not be conditional + files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch deleted file mode 100644 index 06b792a..0000000 --- a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 2e9b42143ccb92f04d8d57430b3ae1e9f55eb00e Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of - /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw... in /var/log/ directory. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 9 +++++++++ - 2 files changed, 10 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 4ff5f990a..dee26a9f4 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` - /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) - /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index cf7ef1721..b627cacb8 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',` - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir manage_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir relabel_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',` - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',` - ') - - allow $1 var_log_t:dir watch; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch new file mode 100644 index 0000000..ee329b1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch @@ -0,0 +1,102 @@ +From b4110d4f30f6dc82c810ceaf24911b1fadb0e7c4 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of + /tmp + +/tmp is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /tmp/ directory. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/files.fc | 1 + + policy/modules/kernel/files.if | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index 9a6f9d2d4..0f511c830 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -171,6 +171,7 @@ HOME_ROOT/lost\+found/.* <> + # /tmp + # + /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp -l gen_context(system_u:object_r:tmp_t,s0) + /tmp/.* <> + /tmp/\.journal <> + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 9e4344d24..14b34a467 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -4780,6 +4780,7 @@ interface(`files_search_tmp',` + ') + + allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4816,6 +4817,7 @@ interface(`files_list_tmp',` + ') + + allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4852,6 +4854,7 @@ interface(`files_delete_tmp_dir_entry',` + ') + + allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4870,6 +4873,7 @@ interface(`files_read_generic_tmp_files',` + ') + + read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4888,6 +4892,7 @@ interface(`files_manage_generic_tmp_dirs',` + ') + + manage_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4924,6 +4929,7 @@ interface(`files_manage_generic_tmp_files',` + ') + + manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4960,6 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',` + ') + + rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -5167,6 +5174,7 @@ interface(`files_tmp_filetrans',` + ') + + filetrans_pattern($1, tmp_t, $2, $3, $4) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch deleted file mode 100644 index ecfc018..0000000 --- a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 26dc5529db7664ae248eba4dbc5d17915c371137 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 10:33:18 -0400 -Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink - of /var/log - -We have added rules for the symlink of /var/log in logging.if, while -syslogd_t uses /var/log but does not use the interfaces in logging.if. So -still need add a individual rule for syslogd_t. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index abd61e6bd..90d8ccd31 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -420,6 +420,7 @@ files_search_spool(syslogd_t) - - # Allow access for syslog-ng - allow syslogd_t var_log_t:dir { create setattr }; -+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; - - # for systemd but can not be conditional - files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch deleted file mode 100644 index 48e8acf..0000000 --- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 9052089dfc4f7466fcf304ab282c2e32933a5881 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of - /tmp - -/tmp is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /tmp/ directory. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/files.fc | 1 + - policy/modules/kernel/files.if | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index f6ff6b079..279df3d3c 100644 ---- a/policy/modules/kernel/files.fc -+++ b/policy/modules/kernel/files.fc -@@ -170,6 +170,7 @@ HOME_ROOT/lost\+found/.* <> - # /tmp - # - /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp -l gen_context(system_u:object_r:tmp_t,s0) - /tmp/.* <> - /tmp/\.journal <> - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f7217b226..451f302af 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -4750,6 +4750,7 @@ interface(`files_search_tmp',` - ') - - allow $1 tmp_t:dir search_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4786,6 +4787,7 @@ interface(`files_list_tmp',` - ') - - allow $1 tmp_t:dir list_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4822,6 +4824,7 @@ interface(`files_delete_tmp_dir_entry',` - ') - - allow $1 tmp_t:dir del_entry_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4840,6 +4843,7 @@ interface(`files_read_generic_tmp_files',` - ') - - read_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4858,6 +4862,7 @@ interface(`files_manage_generic_tmp_dirs',` - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4894,6 +4899,7 @@ interface(`files_manage_generic_tmp_files',` - ') - - manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4930,6 +4936,7 @@ interface(`files_rw_generic_tmp_sockets',` - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -5137,6 +5144,7 @@ interface(`files_tmp_filetrans',` - ') - - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch new file mode 100644 index 0000000..ae6e5cf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch @@ -0,0 +1,41 @@ +From bd4f7608f50da4a829d9042311163922776146ca Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures + +Fixes: +avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda" +ino=12552 scontext=system_u:system_r:auditd_t +tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 45584dba6..8bc70b81d 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map; + manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t auditd_log_t:dir setattr; + manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) ++allow auditd_t var_log_t:lnk_file read_lnk_file_perms; + allow auditd_t var_log_t:dir search_dir_perms; + + manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) +@@ -306,6 +307,7 @@ optional_policy(` + allow audisp_remote_t self:capability { setpcap setuid }; + allow audisp_remote_t self:process { getcap setcap }; + allow audisp_remote_t self:tcp_socket create_socket_perms; ++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; + allow audisp_remote_t var_log_t:dir search_dir_perms; + + manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch new file mode 100644 index 0000000..9648dfd --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch @@ -0,0 +1,38 @@ +From a23028f17d5e56e20ed3930b3075ba2d1c211b16 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in + term_dontaudit_use_console + +We should also not audit terminal to rw tty_device_t and fds in +term_dontaudit_use_console. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/terminal.if | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index e5645c7c5..6e9f654ac 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -335,9 +335,12 @@ interface(`term_use_console',` + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + ++ init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch deleted file mode 100644 index 22ce8f2..0000000 --- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch +++ /dev/null @@ -1,41 +0,0 @@ -From eed095029b270bbc49dc67d6b7b6b2fe9c3bca07 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures - -Fixes: -avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda" -ino=12552 scontext=system_u:system_r:auditd_t -tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 90d8ccd31..d3b06db7d 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -169,6 +169,7 @@ dontaudit auditd_t auditd_etc_t:file map; - manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t auditd_log_t:dir setattr; - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - allow auditd_t var_log_t:dir search_dir_perms; - - manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) -@@ -298,6 +299,7 @@ optional_policy(` - allow audisp_remote_t self:capability { setpcap setuid }; - allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; -+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; - allow audisp_remote_t var_log_t:dir search_dir_perms; - - manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch deleted file mode 100644 index f62db74..0000000 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 3f24b88886fcd1a17248d8d674a02d01061d937a Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in - term_dontaudit_use_console - -We should also not audit terminal to rw tty_device_t and fds in -term_dontaudit_use_console. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/terminal.if | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index e5645c7c5..6e9f654ac 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -335,9 +335,12 @@ interface(`term_use_console',` - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - -+ init_dontaudit_use_fds($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch new file mode 100644 index 0000000..e7b993e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch @@ -0,0 +1,34 @@ +From 288c0c4b20a80846691d113a1759325b214d64f9 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 1 Jul 2020 08:44:07 +0800 +Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create + directory with label rpcbind_runtime_t + +Fixes: +avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind" +scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/rpcbind.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index 137c21ece..2a712192b 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t) + # Local policy + # + +-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; ++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown }; + # net_admin is for SO_SNDBUFFORCE + dontaudit rpcbind_t self:capability net_admin; + allow rpcbind_t self:fifo_file rw_fifo_file_perms; +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch deleted file mode 100644 index 0b00f5a..0000000 --- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 9c84425bbcaef5913fb6e309b8811639134714ed Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 1 Jul 2020 08:44:07 +0800 -Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create - directory with label rpcbind_runtime_t - -Fixes: -avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind" -scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/rpcbind.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 137c21ece..2a712192b 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t) - # Local policy - # - --allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown }; - # net_admin is for SO_SNDBUFFORCE - dontaudit rpcbind_t self:capability net_admin; - allow rpcbind_t self:fifo_file rw_fifo_file_perms; --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch new file mode 100644 index 0000000..e54d69e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch @@ -0,0 +1,46 @@ +From 48da8a2589b1d5bce2609fd307ca009605d801c3 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 4 Feb 2016 06:03:19 -0500 +Subject: [PATCH] policy/modules/system/systemd: enable support for + systemd-tmpfiles to manage all non-security files + +Fixes: +systemd-tmpfiles[226]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission denied +systemd-tmpfiles[226]: Failed to create directory or subvolume "/var/lib/systemd/ephemeral-trees": Permission denied + +AVC avc: denied { relabelfrom } for pid=226 comm="systemd-tmpfile" +name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0 + +AVC avc: denied { write } for pid=226 comm="systemd-tmpfile" +name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0 + +AVC avc: denied { create } for pid=226 comm="systemd-tmpfile" +name="ephemeral-trees" scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index b6d575f87..70a45ac58 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -10,7 +10,7 @@ policy_module(systemd) + ## Enable support for systemd-tmpfiles to manage all non-security files. + ##

+ ## +-gen_tunable(systemd_tmpfiles_manage_all, false) ++gen_tunable(systemd_tmpfiles_manage_all, true) + + ## + ##

+-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch new file mode 100644 index 0000000..05a0887 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch @@ -0,0 +1,43 @@ +From 1f7fb5de202cb30c45b4051b0bce6e9b1aa53ea8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Sat, 30 Sep 2023 17:20:29 +0800 +Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to + create /var/log/audit + +Fixes: +systemd[1]: Starting Security Auditing Service... +auditd[246]: Could not open dir /var/log/audit (No such file or directory) +auditd[246]: The audit daemon is exiting. +systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED +systemd[1]: auditd.service: Failed with result 'exit-code'. +systemd[1]: Failed to start Security Auditing Service. + +AVC avc: denied { create } for pid=224 comm="systemd-tmpfile" +name="audit" scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 8bc70b81d..3cab14381 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -27,6 +27,10 @@ type auditd_log_t; + files_security_file(auditd_log_t) + files_security_mountpoint(auditd_log_t) + ++optional_policy(` ++ systemd_tmpfilesd_managed(auditd_log_t) ++') ++ + type audit_spool_t; + files_security_file(audit_spool_t) + files_security_mountpoint(audit_spool_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch deleted file mode 100644 index 43b2f4d..0000000 --- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-enable-support-for-sys.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 6465e39b6dfe8daa88cab321e3cf44ccc9f1441d Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 4 Feb 2016 06:03:19 -0500 -Subject: [PATCH] policy/modules/system/systemd: enable support for - systemd-tmpfiles to manage all non-security files - -Fixes: -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied - -avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/" -dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 - -avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus" -dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir -permissive=0 - -avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile" -name="log" dev="vda" ino=14129 -scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 - -avc: denied { create } for pid=137 comm="systemd-tmpfile" -name="audit" scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index ef25974ac..362248d17 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -10,7 +10,7 @@ policy_module(systemd) - ## Enable support for systemd-tmpfiles to manage all non-security files. - ##

- ## --gen_tunable(systemd_tmpfiles_manage_all, false) -+gen_tunable(systemd_tmpfiles_manage_all, true) - - ## - ##

-@@ -1640,6 +1640,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) - files_relabelto_home(systemd_tmpfiles_t) - files_relabelto_etc_dirs(systemd_tmpfiles_t) - files_setattr_lock_dirs(systemd_tmpfiles_t) -+ -+files_manage_non_auth_files(systemd_tmpfiles_t) -+files_relabel_non_auth_files(systemd_tmpfiles_t) -+ - # for /etc/mtab - files_manage_etc_symlinks(systemd_tmpfiles_t) - --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch index 56b6119..8f218ca 100644 --- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch +++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch @@ -1,4 +1,4 @@ -From 2acb5ddbd04c578a420418e3bcb572bbd2dfbae6 Mon Sep 17 00:00:00 2001 +From 5d53b5ab28038eb7e326ab577e0b5e0799c9500b Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sat, 18 Dec 2021 09:26:43 +0800 Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read @@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 362248d17..4a1e06640 100644 +index 70a45ac58..42520f9f8 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -920,6 +920,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) +@@ -980,6 +980,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) userdom_relabelto_user_runtime_dirs(systemd_logind_t) userdom_setattr_user_ttys(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch index 78c4dc8..e7406e5 100644 --- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch +++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch @@ -1,4 +1,4 @@ -From 51a7f8058fee569322c1a0597fccd36c318ad943 Mon Sep 17 00:00:00 2001 +From 11c172fe44a22341b686dc537fde4991b7a49ed5 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 28 Oct 2022 11:56:09 +0800 Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file @@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index bb715a847..088c954f5 100644 +index 936381f25..a6b0c35f3 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -86,6 +86,8 @@ ifdef(`init_systemd',` +@@ -92,6 +92,8 @@ ifdef(`init_systemd',` # LookupDynamicUserByUID on org.freedesktop.systemd1. init_dbus_chat(sysadm_t) diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch index 85bb82b..6a48b3d 100644 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch @@ -1,4 +1,4 @@ -From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001 +From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 4 Feb 2021 10:48:54 +0800 Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes @@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Yi Zhao --- - policy/modules/roles/sysadm.te | 2 ++ - policy/modules/system/systemd.if | 21 ++++++++++++++++++++- - 2 files changed, 22 insertions(+), 1 deletion(-) + policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++ + policy/modules/system/userdomain.if | 4 ++++ + 2 files changed, 34 insertions(+) -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 088c954f5..92f50fd5a 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -98,6 +98,8 @@ ifdef(`init_systemd',` - - # Allow sysadm to follow logs in the journal, i.e. with podman logs -f - systemd_watch_journal_dirs(sysadm_t) -+ -+ systemd_sysadm_user(sysadm_t) - ') - - tunable_policy(`allow_ptrace',` diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 9dc91fbb7..325ca548b 100644 +index 6054b5038..d89ad35b1 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if -@@ -58,7 +58,7 @@ template(`systemd_role_template',` - allow $1_systemd_t self:process { getsched signal }; - allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms }; -+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure }; - corecmd_shell_domtrans($1_systemd_t, $3) - corecmd_bin_domtrans($1_systemd_t, $3) - -@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', ` - allow $1 systemd_machined_t:fd use; - allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; +@@ -199,6 +199,36 @@ template(`systemd_role_template',` + ') ') -+ -+######################################### + ++###################################### +##

-+## sysadm user for systemd --user ++## Admin role for systemd --user +## ++## ++## ++## Prefix for generated types ++## ++## +## +## -+## Role allowed access. ++## The admin role. ++## ++## ++## ++## ++## The amdin domain for the role. +## +## +# -+interface(`systemd_sysadm_user',` ++template(`systemd_admin_role_extra',` + gen_require(` -+ type sysadm_systemd_t; ++ type $1_systemd_t; + ') + -+ allow sysadm_systemd_t self:capability { mknod sys_admin }; -+ allow sysadm_systemd_t self:capability2 { bpf perfmon }; ++ allow $1_systemd_t $3:process noatsecure; ++ allow $1_systemd_t self:capability { mknod sys_admin }; ++ allow $1_systemd_t self:capability2 { bpf perfmon }; +') ++ + ###################################### + ## + ## Allow the specified domain to be started as a daemon by the +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 24c3cb012..80072c03e 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',` + optional_policy(` + userhelper_exec($1_t) + ') ++ ++ optional_policy(` ++ systemd_admin_role_extra($1, $1_r, $1_t) ++ ') + ') + + ######################################## -- 2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch index c3b4b55..d3f035e 100644 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch @@ -1,4 +1,4 @@ -From ccdd22cc2776b695f96faffc88699aa2b182e085 Mon Sep 17 00:00:00 2001 +From 15e29022299d44fbb172560b448c531b9714616b Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Sat, 15 Feb 2014 04:22:47 -0500 Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted @@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index d028723ce..97f49e58e 100644 +index e08df77a5..30b26841f 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -112,6 +112,7 @@ fs_dontaudit_write_all_image_files(mount_t) +@@ -113,6 +113,7 @@ fs_dontaudit_write_all_image_files(mount_t) mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch index d711612..46d4851 100644 --- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch +++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch @@ -1,4 +1,4 @@ -From 64498d6cd30a0a65a24e3e7ab22cca5921c2db89 Mon Sep 17 00:00:00 2001 +From 183070b02b5ca9aeb8fd58c8c737b5f9589e9a12 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 28 Jan 2019 14:05:18 +0800 Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance @@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 92f50fd5a..8c154d474 100644 +index a6b0c35f3..68f7ab381 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -45,6 +45,8 @@ logging_watch_all_logs(sysadm_t) diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch index d22dacf..9c602fe 100644 --- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch @@ -1,4 +1,4 @@ -From e82c43e60ef52ba00e8f2af5b46b2a6d49331209 Mon Sep 17 00:00:00 2001 +From 3b93adc08461ebea92d018bf7704386426f129d3 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Fri, 23 Aug 2013 12:01:53 +0800 Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 2 files changed, 7 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5124ae016..a40db8507 100644 +index e449160d8..9ef5e0b6f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -368,6 +368,8 @@ mls_process_read_all_levels(kernel_t) +@@ -373,6 +373,8 @@ mls_process_read_all_levels(kernel_t) mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch index 30c84f6..9598a41 100644 --- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch @@ -1,4 +1,4 @@ -From 9343914c0486b5aa6ff7cceeb8f6c399115e5fb3 Mon Sep 17 00:00:00 2001 +From 7b5cac323ea0638fcd5d35658f49c644f32d3442 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 30 Jun 2020 10:18:20 +0800 Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index 932047a..fec9532 100644 --- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch @@ -1,4 +1,4 @@ -From 057e4e6a6e2e87edcd6a93dd533620700b00b1c2 Mon Sep 17 00:00:00 2001 +From fd0d3887275237c1f1968d20972b535b9fdc9954 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Fri, 13 Oct 2017 07:20:40 +0000 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for @@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index a40db8507..40cd52825 100644 +index 9ef5e0b6f..8082cf6b7 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -370,6 +370,8 @@ mls_file_write_all_levels(kernel_t) +@@ -375,6 +375,8 @@ mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) mls_socket_write_all_levels(kernel_t) mls_fd_use_all_levels(kernel_t) diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 9e52b7f..5457079 100644 --- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch @@ -1,4 +1,4 @@ -From c47e288e8950e7e92e3c90972ca7ef8ef9fc6a7f Mon Sep 17 00:00:00 2001 +From f2fcbcde9dc16985f1ffa43329fb47d36d132bd3 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Fri, 15 Jan 2016 03:47:05 -0500 Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for @@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 97a75cf86..fee846cb5 100644 +index d19734d6f..8b9b8aa9a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -229,6 +229,10 @@ mls_process_write_all_levels(init_t) +@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) mls_process_set_level(init_t) diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch index 1bfbb16..c61b403 100644 --- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch +++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch @@ -1,4 +1,4 @@ -From afd35f6c73551c674e5bfe7cc1832b6a0ea717a6 Mon Sep 17 00:00:00 2001 +From ff749bb5ba3786283c348bb2db160794ba74e20c Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 4 Feb 2016 06:03:19 -0500 Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain @@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 4a1e06640..b44b9b2d7 100644 +index 42520f9f8..7a2041956 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -1694,6 +1694,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) +@@ -1813,6 +1813,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t) diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch index 800439c..da588ed 100644 --- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-systemd-systemd-make-systemd_-.patch @@ -1,4 +1,4 @@ -From 8aa70c13d63e093bff87ea938d35dcc76e5bdd56 Mon Sep 17 00:00:00 2001 +From a1d15d213fee3e40129968dbd9928d5012d541f7 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 18 Jun 2020 09:59:58 +0800 Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t @@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao 1 file changed, 12 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index b44b9b2d7..7b717d3ba 100644 +index 7a2041956..52c7b5346 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -373,6 +373,9 @@ files_search_var_lib(systemd_backlight_t) +@@ -383,6 +383,9 @@ files_search_var_lib(systemd_backlight_t) fs_getattr_all_fs(systemd_backlight_t) fs_search_cgroup_dirs(systemd_backlight_t) @@ -56,7 +56,7 @@ index b44b9b2d7..7b717d3ba 100644 ####################################### # # Binfmt local policy -@@ -528,6 +531,9 @@ term_use_unallocated_ttys(systemd_generator_t) +@@ -545,6 +548,9 @@ term_use_unallocated_ttys(systemd_generator_t) udev_read_runtime_files(systemd_generator_t) @@ -66,7 +66,7 @@ index b44b9b2d7..7b717d3ba 100644 ifdef(`distro_gentoo',` corecmd_shell_entry_type(systemd_generator_t) ') -@@ -922,6 +928,9 @@ userdom_setattr_user_ttys(systemd_logind_t) +@@ -982,6 +988,9 @@ userdom_setattr_user_ttys(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) domain_read_all_domains_state(systemd_logind_t) @@ -76,7 +76,7 @@ index b44b9b2d7..7b717d3ba 100644 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context -@@ -1412,6 +1421,9 @@ udev_read_runtime_files(systemd_rfkill_t) +@@ -1527,6 +1536,9 @@ udev_read_runtime_files(systemd_rfkill_t) systemd_log_parse_environment(systemd_rfkill_t) diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch index cb3894c..451e6bc 100644 --- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch @@ -1,4 +1,4 @@ -From 2afa5753f2ef8c7cee5ad0511c521d252bedf3e5 Mon Sep 17 00:00:00 2001 +From 8c45c5d48f7125ce47252c6ea36ed771c9baaf4d Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted @@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index d3b06db7d..f63965d4d 100644 +index 3cab14381..caf319f04 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -505,6 +505,9 @@ fs_getattr_all_fs(syslogd_t) +@@ -491,6 +491,9 @@ fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 16f0e4e..ebeee4f 100644 --- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch @@ -1,4 +1,4 @@ -From f87bb3cb0843af69f9aecaef0a4052e04b15a630 Mon Sep 17 00:00:00 2001 +From 6867f764b99e48cfa6557e664c9ee8ae8947eb08 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 28 May 2019 16:41:37 +0800 Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for @@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index fee846cb5..df7f87f17 100644 +index 8b9b8aa9a..bd2ca0802 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -228,6 +228,7 @@ mls_file_write_all_levels(init_t) +@@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) mls_process_set_level(init_t) diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch index fb56eca..3c418dd 100644 --- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch +++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-init-all-init_t-to-read-any-le.patch @@ -1,4 +1,4 @@ -From f3c0f18b647631fd2ffc1e86c9e3f51cbf74d60f Mon Sep 17 00:00:00 2001 +From ad9b0e1542804060ac3cea69129c224074da6766 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Wed, 3 Feb 2016 04:16:06 -0500 Subject: [PATCH] policy/modules/system/init: all init_t to read any level @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index df7f87f17..671b5aef3 100644 +index bd2ca0802..e94a29a73 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -234,6 +234,9 @@ mls_key_write_all_levels(init_t) +@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t) mls_file_downgrade(init_t) mls_file_upgrade(init_t) diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch index aa02eb1..3931641 100644 --- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch @@ -1,4 +1,4 @@ -From cb7a4ff6081f19d05b109512275ec9a537f2f6d2 Mon Sep 17 00:00:00 2001 +From 315a53e50dd8957787e3a71c57ffc8ac46d0c474 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 25 Feb 2016 04:25:08 -0500 Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index f63965d4d..7e41596f4 100644 +index caf319f04..25e1d1397 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -223,6 +223,8 @@ miscfiles_read_localization(auditd_t) +@@ -235,6 +235,8 @@ miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index 16bdf84..9c38e7d 100644 --- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch @@ -1,4 +1,4 @@ -From 023e7b92a805103c54aec06bbd9465e4fbf7a6f2 Mon Sep 17 00:00:00 2001 +From 1c275b335fd047c678b449bf90a75a7ac48c2b38 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 31 Oct 2019 17:35:59 +0800 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 40cd52825..d08610543 100644 +index 8082cf6b7..63c2087f7 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -372,6 +372,7 @@ mls_socket_write_all_levels(kernel_t) +@@ -377,6 +377,7 @@ mls_socket_write_all_levels(kernel_t) mls_fd_use_all_levels(kernel_t) # https://bugzilla.redhat.com/show_bug.cgi?id=667370 mls_file_downgrade(kernel_t) diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch index b916084..a0a726d 100644 --- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch +++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch @@ -1,4 +1,4 @@ -From 55fe90eba640e6d52bb269176f45a3a5e2c3ed80 Mon Sep 17 00:00:00 2001 +From 95f5c28ce9ed0a6d955afa758988ef8542644a64 Mon Sep 17 00:00:00 2001 From: Roy Li Date: Sat, 22 Feb 2014 13:35:38 +0800 Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch index c4dc87b..d1c0775 100644 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch @@ -1,4 +1,4 @@ -From c9afe0dc30f51f7ad7b93b8878c88df1146272a0 Mon Sep 17 00:00:00 2001 +From 7af0a6b367cb21943d111c9f6386e40efdc02907 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 22 Feb 2021 11:28:12 +0800 Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted @@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 325ca548b..b23b9bb0a 100644 +index d89ad35b1..00ac2f27e 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if -@@ -196,6 +196,9 @@ template(`systemd_role_template',` +@@ -197,6 +197,9 @@ template(`systemd_role_template',` xdg_read_config_files($1_systemd_t) xdg_read_data_files($1_systemd_t) ') diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch index ab87039..3be7027 100644 --- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch +++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-make-syslogd_runtime_t.patch @@ -1,4 +1,4 @@ -From 7a65c9f3636b43f3a29349ea1c045d5281efa5aa Mon Sep 17 00:00:00 2001 +From 1536eaea2cc68074f55ca50eff2d129b7e1894d8 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sat, 18 Dec 2021 17:31:45 +0800 Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS @@ -31,10 +31,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 7e41596f4..0c25457d6 100644 +index 25e1d1397..ba0fd10e0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -447,6 +447,8 @@ allow syslogd_t syslogd_runtime_t:file map; +@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map; manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index a51312f..e9b0b1a 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -26,31 +26,31 @@ SRC_URI += " \ file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \ file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \ file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \ - file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \ - file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ - file://0013-fc-su-apply-policy-to-su-alternatives.patch \ - file://0014-fc-fstools-fix-real-path-for-fstools.patch \ - file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \ - file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \ - file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ - file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ - file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ - file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ - file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \ - file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ - file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \ - file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ - file://0025-fc-getty-add-file-context-to-start_getty.patch \ - file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \ - file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \ - file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \ - file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \ - file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \ - file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ - file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \ - file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ - file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ - file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \ + file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \ + file://0012-fc-su-apply-policy-to-su-alternatives.patch \ + file://0013-fc-fstools-fix-real-path-for-fstools.patch \ + file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \ + file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \ + file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \ + file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \ + file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \ + file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \ + file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \ + file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \ + file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \ + file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \ + file://0024-fc-getty-add-file-context-to-start_getty.patch \ + file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \ + file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \ + file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \ + file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \ + file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \ + file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ + file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \ + file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ + file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ + file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \ + file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \ diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index af3413b..1913ec8 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc @@ -1,8 +1,8 @@ -PV = "2.20221101+git${SRCPV}" +PV = "2.20231002+git${SRCPV}" -SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy" +SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" -SRCREV_refpolicy ?= "8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac" +SRCREV_refpolicy ?= "f3865abfc25a395c877a27074bd03c5fc22992dd" UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)" -- cgit v1.2.3-54-g00ecf