CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: clean up old policy and patches

Browse Source 
Now that the updated refpolicy core variants are available, remove the
previous recipe and patches.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
This commit is contained in:
Joe MacDonald 2014-09-19 17:02:29 -04:00
parent 0834a07d00
commit 261b829453
49 changed files with 0 additions and 2156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
View File

@ -1,32 +0,0 @@
From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
From: Sven Vermeulen <sven.vermeulen@siphos.be>
Date: Wed, 25 Sep 2013 20:27:34 +0200
Subject: [PATCH] Allow ping to get/set capabilities
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Upstream-Status: backport
---
policy/modules/admin/netutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 557da97..cfe036a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -106,6 +106,8 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
+# When ping is installed with capabilities instead of setuid
+allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
--
1.7.10.4

25
recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
View File

@ -1,25 +0,0 @@
Allow udev the block_suspend capability
Upstream-Status: backport
upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 90e4ab3..efe6c02 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:capability2 block_suspend;
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
--
1.7.9.5

30
recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
View File

@ -1,30 +0,0 @@
Upstream-Status: backport
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
=========================
From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Tue, 24 Sep 2013 15:39:21 +0200
Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs)
file systems
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index ed59e5e..f72cde1 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t;
+dev_associate(tmpfs_t)
fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
--
1.7.10.4

39
recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
View File

@ -1,39 +0,0 @@
From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Mon, 10 Feb 2014 18:10:12 +0800
Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
Proftpd will create file under /var/run, but its mls is in high, and
can not write to lowlevel
Upstream-Status: Pending
type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
root@localhost:~#
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
policy/modules/contrib/ftp.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index 544c512..12a31dd 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
+mls_file_write_all_levels(ftpd_t)
+
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
--
1.7.10.4

59
recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
View File

@ -1,59 +0,0 @@
From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Fri, 27 Sep 2013 10:36:14 +0200
Subject: [PATCH] hostname: do not audit attempts by hostname to read and
write dhcpc udp sockets (looks like a leaked fd)
Upstream-Status: backport
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/hostname.te | 1 +
policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index f6cbda9..380197b 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
miscfiles_read_localization(hostname_t)
+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 52b548c..2cea692 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
########################################
## <summary>
+## Do not audit attempts to read and
+## write dhcpc udp socket descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
## Do not audit attempts to use
## the dhcp file descriptors.
## </summary>
--
1.7.10.4

22
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
View File

@ -1,22 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for clock
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/clock.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
index c5e05ca..a74c40c 100644
--- a/policy/modules/system/clock.fc
+++ b/policy/modules/system/clock.fc
@@ -2,4 +2,5 @@
/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
--
1.7.11.7

24
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
View File

@ -1,24 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for corecommands
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f051c4a..ab624f3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
#
# /opt
--
1.7.11.7

20
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
View File

@ -1,20 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for dmesg
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/admin/dmesg.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
index d6cc2d9..7f3e5b0 100644
--- a/policy/modules/admin/dmesg.fc
+++ b/policy/modules/admin/dmesg.fc
@@ -1,2 +1,3 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
--
1.7.11.7

30
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
View File

@ -1,30 +0,0 @@
From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:09:11 +0800
Subject: [PATCH] refpolicy: fix real path for bind.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/bind.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
index 2b9a3a1..fd45d53 100644
--- a/policy/modules/contrib/bind.fc
+++ b/policy/modules/contrib/bind.fc
@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
--
1.7.9.5

37
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
View File

@ -1,37 +0,0 @@
Subject: [PATCH] fix real path for login commands.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/authlogin.fc | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 28ad538..c8dd17f 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,5 +1,7 @@
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
@@ -9,9 +11,9 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
--
1.7.5.4

24
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
View File

@ -1,24 +0,0 @@
Subject: [PATCH] fix real path for resolv.conf
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/sysnetwork.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 346a7cc..dec8632 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
--
1.7.5.4

34
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
View File

@ -1,34 +0,0 @@
Subject: [PATCH] fix real path for shadow commands.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/admin/usermanage.fc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..841ba9b 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
--
1.7.9.5

25
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch
View File

@ -1,25 +0,0 @@
From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 13 Feb 2014 00:33:07 -0500
Subject: [PATCH] fix real path for su.shadow command
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
policy/modules/admin/su.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
index a563687..0f43827 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
@@ -4,3 +4,5 @@
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+
+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
--
1.7.9.5

70
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch
View File

@ -1,70 +0,0 @@
From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 27 Jan 2014 03:54:01 -0500
Subject: [PATCH] refpolicy: fix real path for fstools
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
policy/modules/system/fstools.fc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 7a46b45..a724776 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,6 +1,8 @@
/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -9,9 +11,12 @@
/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -24,21 +29,28 @@
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--
1.7.9.5

27
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch
View File

@ -1,27 +0,0 @@
fix ftpwho install dir
Upstream-Status: Pending
ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
policy/modules/contrib/ftp.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
index ddb75c1..26fec47 100644
--- a/policy/modules/contrib/ftp.fc
+++ b/policy/modules/contrib/ftp.fc
@@ -9,7 +9,7 @@
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
--
1.7.10.4

24
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch
View File

@ -1,24 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for iptables
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/iptables.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 14cffd2..84ac92b 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -13,6 +13,7 @@
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
1.7.11.7

27
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch
View File

@ -1,27 +0,0 @@
From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:21:55 +0800
Subject: [PATCH] refpolicy: fix real path for mta
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/mta.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
index f42896c..0d4bcef 100644
--- a/policy/modules/contrib/mta.fc
+++ b/policy/modules/contrib/mta.fc
@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
--
1.7.9.5

24
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch
View File

@ -1,24 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for netutils
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/admin/netutils.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..f2ed3dc 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
--
1.7.11.7

27
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch
View File

@ -1,27 +0,0 @@
From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:25:36 +0800
Subject: [PATCH] refpolicy: fix real path for nscd
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/nscd.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
index ba64485..61a6f24 100644
--- a/policy/modules/contrib/nscd.fc
+++ b/policy/modules/contrib/nscd.fc
@@ -1,6 +1,7 @@
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
--
1.7.9.5

25
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch
View File

@ -1,25 +0,0 @@
From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 27 Jan 2014 01:13:06 -0500
Subject: [PATCH] refpolicy: fix real path for cpio
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
policy/modules/contrib/rpm.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index ebe91fc..539063c 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
ifdef(`enable_mls',`
/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
--
1.7.9.5

27
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch
View File

@ -1,27 +0,0 @@
From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:27:19 +0800
Subject: [PATCH] refpolicy: fix real path for screen
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/screen.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
index e7c2cf7..49ddca2 100644
--- a/policy/modules/contrib/screen.fc
+++ b/policy/modules/contrib/screen.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
--
1.7.9.5

24
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch
View File

@ -1,24 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for ssh
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..9717428 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
--
1.7.11.7

23
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch
View File

@ -1,23 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for su
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/admin/su.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
index 688abc2..a563687 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
@@ -1,5 +1,6 @@
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
--
1.7.11.7

34
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
View File

@ -1,34 +0,0 @@
Subject: [PATCH] fix file_contexts.subs_dist for poky
This file is used for Linux distros to define specific pathes
mapping to the pathes in file_contexts.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
config/file_contexts.subs_dist | 8 ++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 32b87a4..ebba73d 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -5,3 +5,14 @@
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
/var/run/lock /var/lock
+/etc/init.d /etc/rc.d/init.d
+/var/volatile/log /var/log
+/var/volatile/run /var/run
+/var/volatile/cache /var/cache
+/var/volatile/tmp /var/tmp
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
+/www /var/www
+/usr/lib/busybox/bin /bin
+/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/usr /usr
--
1.7.5.4

41
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch
View File

@ -1,41 +0,0 @@
Subject: [PATCH] refpolicy: fix real path for sysnetwork
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/sysnetwork.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index dec8632..2e602e4 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -3,6 +3,7 @@
# /bin
#
/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
# /dev
@@ -43,13 +44,16 @@ ifdef(`distro_redhat',`
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
--
1.7.11.7

35
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch
View File

@ -1,35 +0,0 @@
From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Sat, 25 Jan 2014 23:40:05 -0500
Subject: [PATCH] refpolicy: fix real path for udevd/udevadm
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
policy/modules/system/udev.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..491bb23 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,6 +10,7 @@
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
ifdef(`distro_debian',`
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
')
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
--
1.7.9.5

23
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch
View File

@ -1,23 +0,0 @@
From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 3/4] fix update-alternatives for hostname
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/hostname.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
index 9dfecf7..4003b6d 100644
--- a/policy/modules/system/hostname.fc
+++ b/policy/modules/system/hostname.fc
@@ -1,2 +1,3 @@
/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
--
1.7.9.5

59
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch
View File

@ -1,59 +0,0 @@
From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:39:41 +0800
Subject: [PATCH 2/4] fix update-alternatives for sysklogd
/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
for syslogd_t to read syslog_conf_t lnk_file is needed.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/logging.fc | 4 ++++
policy/modules/system/logging.te | 1 +
2 files changed, 5 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b50c5fe..c005f33 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,19 +2,23 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 87e3db2..2914b0b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--
1.7.9.5

53
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch
View File

@ -1,53 +0,0 @@
From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 1/4] fix update-alternatives for sysvinit
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/shutdown.fc | 1 +
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/system/init.fc | 1 +
3 files changed, 3 insertions(+)
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
index a91f33b..90e51e0 100644
--- a/policy/modules/contrib/shutdown.fc
+++ b/policy/modules/contrib/shutdown.fc
@@ -3,6 +3,7 @@
/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index bcfdba7..87502a3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -10,6 +10,7 @@
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc8..020b9fe 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
# /sbin
#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
--
1.7.9.5

121
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch
View File

@ -1,121 +0,0 @@
From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/terminal.if | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 771bce1..7519d0e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
interface(`term_dontaudit_getattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file getattr;
+ dontaudit $1 bsdpty_device_t:chr_file getattr;
')
########################################
## <summary>
@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
interface(`term_ioctl_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 devpts_t:chr_file ioctl;
+ allow $1 bsdpty_device_t:chr_file ioctl;
')
########################################
@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
interface(`term_setattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
allow $1 devpts_t:chr_file setattr;
+ allow $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
interface(`term_dontaudit_setattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file setattr;
+ dontaudit $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
interface(`term_use_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
')
########################################
@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
interface(`term_dontaudit_use_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
')
#######################################
@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
interface(`term_setattr_controlling_term',`
gen_require(`
type devtty_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file setattr;
+ allow $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { rw_term_perms lock append };
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
')
#######################################
--
1.7.9.5

30
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
View File

@ -1,30 +0,0 @@
Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
We have added rules for the symlink of /var/log in logging.if,
while syslogd_t uses /var/log but does not use the
interfaces in logging.if. So still need add a individual rule for
syslogd_t.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 2ad9ea5..70427d8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
--
1.7.11.7

99
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch
View File

@ -1,99 +0,0 @@
From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] add rules for the symlink of /tmp
/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/files.fc | 1 +
policy/modules/kernel/files.if | 8 ++++++++
2 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 8796ca3..a0db748 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e1e814d..a7384b0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
')
allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
')
allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
')
allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
')
read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
')
manage_dirs_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
')
manage_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
--
1.7.5.4

34
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch
View File

@ -1,34 +0,0 @@
From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
symlinks. Domains still need their practical allow rules to read the
contents, so this is still a secure relax.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..9ffe6b0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# Yocto/oe-core use some var volatile links
+files_read_var_symlinks(domain)
+
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
--
1.7.9.5

31
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch
View File

@ -1,31 +0,0 @@
From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:36:44 +0800
Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
We have added rules for the symlink of /var/log in logging.if,
while apache.te uses /var/log but does not use the interfaces in
logging.if. So still need add a individual rule for apache.te.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/apache.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index ec8bd13..06f2e95 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
--
1.7.9.5

29
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
View File

@ -1,29 +0,0 @@
Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
We have added rules for the symlink of /var/log in logging.if,
while audisp_remote_t uses /var/log but does not use the
interfaces in logging.if. So still need add a individual rule for
audisp_remote_t.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 8426a49..2ad9ea5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--
1.7.11.7

145
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch
View File

@ -1,145 +0,0 @@
From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 2/6] add rules for the symlink of /var/log
/var/log is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.if | 14 +++++++++++++-
policy/modules/system/logging.te | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index c005f33..9529e40 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..9a6f599 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
#
interface(`logging_read_audit_log',`
gen_require(`
- type auditd_log_t;
+ type auditd_log_t, var_log_t;
')
files_search_var($1)
read_files_pattern($1, auditd_log_t, auditd_log_t)
allow $1 auditd_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, logfile, logfile)
')
@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
can_exec($1, logfile)
')
@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, var_log_t, var_log_t)
')
@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
write_files_pattern($1, var_log_t, var_log_t)
')
@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
rw_files_pattern($1, var_log_t, var_log_t)
')
@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 2ab0a49..2795d89 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
--
1.7.9.5

31
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch
View File

@ -1,31 +0,0 @@
From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 1/6] Add the syslogd_t to trusted object
We add the syslogd_t to trusted object, because other process need
to have the right to connectto/sendto /dev/log.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 2914b0b..2ab0a49 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
term_write_console(syslogd_t)
# Allow syslog to a terminal
--
1.7.9.5

58
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch
View File

@ -1,58 +0,0 @@
From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] allow nfsd to exec shell commands.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/rpc.te | 2 +-
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 9566932..5605205 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
corenet_sendrecv_nfs_server_packets(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 649e458..8a669c5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
########################################
## <summary>
+## Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
--
1.7.5.4

29
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch
View File

@ -1,29 +0,0 @@
From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fix setfiles_t to read symlinks
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/selinuxutil.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ec01d0b..45ed81b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -553,6 +553,9 @@ files_list_all(setfiles_t)
files_relabel_all_files(setfiles_t)
files_read_usr_symlinks(setfiles_t)
+# needs to be able to read symlinks to make restorecon on symlink working
+files_read_all_symlinks(setfiles_t)
+
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
--
1.7.5.4

33
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch
View File

@ -1,33 +0,0 @@
From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Sat, 15 Feb 2014 09:45:00 +0800
Subject: [PATCH] allow sysadm to run rpcinfo
Upstream-Status: Pending
type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
policy/modules/roles/sysadm.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1767217..5502c6a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -413,6 +413,10 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_stream_connect(sysadm_t)
+')
+
+optional_policy(`
vmware_role(sysadm_r, sysadm_t)
')
--
1.7.10.4

35
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch
View File

@ -1,35 +0,0 @@
From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console.
We should also not audit terminal to rw tty_device_t and fds in
term_dontaudit_use_console.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/terminal.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 7519d0e..45de1ac 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -299,9 +299,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
+ init_dontaudit_use_fds($1)
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
--
1.7.9.5

37
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch
View File

@ -1,37 +0,0 @@
From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 16:36:09 +0800
Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/admin/dmesg.if | 1 +
policy/modules/admin/dmesg.te | 2 ++
2 files changed, 3 insertions(+)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1973c7..739a4bc 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
corecmd_search_bin($1)
can_exec($1, dmesg_exec_t)
+ dev_read_kmsg($1)
')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d8..c591aea 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
dev_read_sysfs(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
fs_search_auto_mountpoints(dmesg_t)
term_dontaudit_use_console(dmesg_t)
--
1.7.9.5

216
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch
View File

@ -1,216 +0,0 @@
From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fix for new SELINUXMNT in /sys
SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
add rules to access sysfs.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 81440c5..ee4e86b 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
type security_t;
')
+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
+ # access sysfs
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
# starting in libselinux 2.0.5, init_selinuxmnt() will
# attempt to short circuit by checking if SELINUXMNT
# (/selinux) is already a selinuxfs
@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem mount;
')
@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem remount;
')
@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem unmount;
')
@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:filesystem getattr;
')
@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:filesystem getattr;
')
@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir getattr;
')
@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir search_dir_perms;
')
@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
')
@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
bool secure_mode_policyload;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:security read_policy;
@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
bool secure_mode_policyload;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs_dirs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
--
1.7.9.5

75
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch
View File

@ -1,75 +0,0 @@
From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/rpc.te | 5 +++++
policy/modules/contrib/rpcbind.te | 5 +++++
policy/modules/kernel/filesystem.te | 1 +
policy/modules/kernel/kernel.te | 2 ++
4 files changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 5605205..9e9f468 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',`
optional_policy(`
mount_exec(nfsd_t)
+ # Should domtrans to mount_t while mounting nfsd_fs_t.
+ mount_domtrans(nfsd_t)
+ # nfsd_t need to chdir to /var/lib/nfs and read files.
+ files_list_var(nfsd_t)
+ rpc_read_nfs_state_data(nfsd_t)
')
########################################
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 196f168..9c75677 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t)
sysnet_dns_name_resolve(rpcbind_t)
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
optional_policy(`
nis_use_ypbind(rpcbind_t)
')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1c66416..2b9e7ce 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type oprofilefs_t;
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 49fde6e..a731078 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
--
1.7.9.5

31
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch
View File

@ -1,31 +0,0 @@
From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 14:38:53 +0800
Subject: [PATCH] fix setfiles statvfs to get file count
New setfiles will read /proc/mounts and use statvfs in
file_system_count() to get file count of filesystems.
Upstream-Status: pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/selinuxutil.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 45ed81b..12c3d2e 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t)
# needs to be able to read symlinks to make restorecon on symlink working
files_read_all_symlinks(setfiles_t)
-fs_getattr_xattr_fs(setfiles_t)
+fs_getattr_all_fs(setfiles_t)
fs_list_all(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
--
1.7.9.5

43
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch
View File

@ -1,43 +0,0 @@
From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/system/selinuxutil.if | 1 +
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..db03ca1 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b4a691d..20c8bf8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
seutil_run_checkpolicy($1, $2)
seutil_run_loadpolicy($1, $2)
seutil_run_semanage($1, $2)
--
1.7.9.5

27
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
View File

@ -1,27 +0,0 @@
From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/services/xserver.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4f6d693..b00f004 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t)
# this is not actually a device, its a pipe
type xconsole_device_t;
files_type(xconsole_device_t)
+dev_node(xconsole_device_t)
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
--
1.7.9.5

41
recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
View File

@ -1,41 +0,0 @@
From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Fri, 27 Sep 2013 11:35:41 +0200
Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports
sysnetwork: do not audit attempts by ifconfig to read, and
write dhcpc udp sockets (looks like a leaked fd)
Upstream-Status: backport
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/sysnetwork.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f9dce11..67709b5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+
+corenet_sendrecv_all_server_packets(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
dev_read_sysfs(dhcpc_t)
# for SSP:
@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
--
1.7.10.4

67
recipes-security/refpolicy/refpolicy_2.20130424.inc
View File

@ -1,67 +0,0 @@
SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:"
# Fix file contexts for Poky
SRC_URI += "file://poky-fc-subs_dist.patch \
file://poky-fc-update-alternatives_sysvinit.patch \
file://poky-fc-update-alternatives_sysklogd.patch \
file://poky-fc-update-alternatives_hostname.patch \
file://poky-fc-fix-real-path_resolv.conf.patch \
file://poky-fc-fix-real-path_login.patch \
file://poky-fc-fix-real-path_shadow.patch \
file://poky-fc-fix-bind.patch \
file://poky-fc-clock.patch \
file://poky-fc-corecommands.patch \
file://poky-fc-dmesg.patch \
file://poky-fc-fstools.patch \
file://poky-fc-iptables.patch \
file://poky-fc-mta.patch \
file://poky-fc-netutils.patch \
file://poky-fc-nscd.patch \
file://poky-fc-screen.patch \
file://poky-fc-ssh.patch \
file://poky-fc-su.patch \
file://poky-fc-sysnetwork.patch \
file://poky-fc-udevd.patch \
file://poky-fc-rpm.patch \
file://poky-fc-ftpwho-dir.patch \
file://poky-fc-fix-real-path_su.patch \
"
# Specific policy for Poky
SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
file://poky-policy-add-rules-for-var-log-symlink.patch \
file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
file://poky-policy-add-rules-for-var-cache-symlink.patch \
file://poky-policy-add-rules-for-tmp-symlink.patch \
file://poky-policy-add-rules-for-bsdpty_device_t.patch \
file://poky-policy-don-t-audit-tty_device_t.patch \
file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
"
# Other policy fixes
SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
file://poky-policy-fix-seutils-manage-config-files.patch \
file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
"
# Backport from upstream
SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \
file://Allow-udev-the-block_suspend-capability.patch \
"
include refpolicy_common.inc