From 776da889b550ac9e5be414a8cc10fd86b1923264 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Mon, 8 Apr 2019 13:50:40 -0400
Subject: refpolicy: update to 2.20190201 and git HEAD policies
Additionally, the README has fallen out of date, update it to reflect the current reality of layer dependencies.
Signed-off-by: Joe MacDonald
---
 ...inimum-systemd-mount-enable-required-refp.patch | 92 ++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
(limited to 'recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch')
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
new file mode 100644
index 0000000..bf770d9
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
@@ -0,0 +1,92 @@
+From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Wed, 3 Apr 2019 14:51:29 -0400
+Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
+ refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+The old refpolicy included a pre-generated booleans.conf that could be
+patched. That's no longer the case so we're left with a few options,
+tweak the default directly or create a template booleans.conf file which
+will be updated during build time. Since this is intended to be applied
+only for specific configuraitons it seems like the same either way and
+this avoids us playing games to work around .gitignore.
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade
+Signed-off-by: Joe MacDonald
+---
+ policy/booleans.conf | 9 +++++++++
+ policy/modules/system/mount.te | 2 +-
+ policy/modules/system/systemd.te | 2 +-
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 policy/booleans.conf
+
+diff --git a/policy/booleans.conf b/policy/booleans.conf
+new file mode 100644
+index 00000000..850f56ed
+--- /dev/null
++++ b/policy/booleans.conf
+@@ -0,0 +1,9 @@
++#
++# Allow the mount command to mount any directory or file.
++#
++allow_mount_anyfile = true
++
++#
++# Enable support for systemd-tmpfiles to manage all non-security files.
++#
++systemd_tmpfiles_manage_all = true
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index a87d0e82..868052b7 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
+ ## Allow the mount command to mount any directory or file.
+ ##

+ ##
+-gen_tunable(allow_mount_anyfile, false)
++gen_tunable(allow_mount_anyfile, true)
+ 
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index b13337b9..74f9c1cb 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ##

+ ##
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+ 
+ ##
+ ##

+--
+2.19.1
+
-- cgit v1.2.3-54-g00ecf
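Review bot: The added patch flips each boolean twice — the new policy/booleans.conf sets allow_mount_anyfile and systemd_tmpfiles_manage_all to true, and the gen_tunable defaults in mount.te and systemd.te are changed to true as well — so one of the two edits is redundant, and changing the .te defaults turns an overridable tunable into the compiled-in baseline for every policy built from this source, which is wider than the "specific configurations" the commit message describes; keeping only the booleans.conf entries would leave the refpolicy defaults intact and make the intent recoverable later. allow_mount_anyfile is also much broader than the single denial it is introduced for: the commit message itself names the exact rule that would cover it, `allow mount_t initrc_var_run_t:dir mounton;`, whereas the boolean lets mount_t mount on arbitrary files and directories. systemd_tmpfiles_manage_all likewise grants manage rights over all non-security files to cover a search denial on sysctl_t, and from the two audit lines quoted it is not possible to tell whether a tmpfiles-specific rule would suffice. Since the Upstream-Status is Pending, a sentence in the patch header recording why the broad booleans were preferred over the targeted rules would help whoever rebases this when refpolicy is next updated.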