From 1924d975283210f0c36bc3c0e8ce516ccc06961f Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 27 Jul 2023 14:07:48 -0400
Subject: refpolicy: update to 20200229+git
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches to make systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster
Signed-off-by: Joe MacDonald
---
 ...les-roles-sysadm-allow-sysadm_t-to-watch-.patch | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
(limited to 'recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch')
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
new file mode 100644
index 0000000..7cf3763
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
@@ -0,0 +1,36 @@
+From 7fd830d6b2c60dcf5b8ee0b2ff94436de63d5b8c Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 29 Jun 2020 10:32:25 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
+ dirs
+
+Fixes:
+Failed to add a watch for /run/systemd/ask-password: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/roles/sysadm.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index fc0945fe4..07b9faf30 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -83,6 +83,12 @@ ifdef(`init_systemd',`
+ # Allow sysadm to resolve the username of dynamic users by calling
+ # LookupDynamicUserByUID on org.freedesktop.systemd1.
+ init_dbus_chat(sysadm_t)
++
++ fs_watch_cgroup_files(sysadm_t)
++ files_watch_etc_symlinks(sysadm_t)
++ mount_watch_runtime_dirs(sysadm_t)
++ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
++ allow sysadm_t systemd_passwd_runtime_t:dir watch;
+ ')
+
+ tunable_policy(`allow_ptrace',`
+--
+2.17.1
+
-- cgit v1.2.3-54-g00ecf
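Review bot: The last added line of the inner hunk, `allow sysadm_t systemd_passwd_runtime_t:dir watch;`, is a raw allow rule on a type owned by the systemd module written directly into sysadm.te, while the five lines above it reach their types only through interfaces; refpolicy convention is that another module's types are reached through that module's interfaces, so this rule should likely be wrapped in a watch interface in the systemd module and called from here like the others. The patch description names only the /run/systemd/ask-password denial, yet the hunk also grants watch on cgroup files, etc symlinks and runtime mount dirs (going by the interface names), so the rationale for each extra grant belongs in the patch description or as a comment above the block, e.g. `# watch permissions sysadm needs when running under systemd (seen as a /run/systemd/ask-password denial)`. The `ifdef(`init_systemd',` block these lines sit in begins before the inner hunk, which shows only its closing `')`.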