1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
From c26f856ac11b3d61aff56c4e512bedca811cf004 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Mon, 20 Apr 2020 11:50:03 +0800
Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
user
For targeted policy type, we define unconfined_u as the default selinux
user for root and normal users, so users could login and run most
commands and services on unconfined domains.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
config/appconfig-mcs/failsafe_context | 2 +-
config/appconfig-mcs/seusers | 4 ++--
policy/modules/system/unconfined.te | 5 +++++
policy/users | 6 +++---
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
index 999abd9a3..a50bde775 100644
--- a/config/appconfig-mcs/failsafe_context
+++ b/config/appconfig-mcs/failsafe_context
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
index ce614b41b..c0903d98b 100644
--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
@@ -1,2 +1,2 @@
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 6431d35da..922e7e285 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
type unconfined_execmem_exec_t alias ada_exec_t;
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+role unconfined_r types unconfined_t;
+role system_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+allow unconfined_r system_r;
########################################
#
diff --git a/policy/users b/policy/users
index ca203758c..e737cd9cc 100644
--- a/policy/users
+++ b/policy/users
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
# not in the sysadm_r.
#
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
--
2.25.1
|
