CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: remove version 2.20190201

Browse Source 
There is no need to maintain two versions of repolicy. Drop this version
and only keep the git version.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
This commit is contained in:
Yi Zhao 2020-07-07 16:29:11 +08:00 committed by Joe MacDonald
parent 7af62c91d7
commit 9e986d7d79
50 changed files with 0 additions and 2523 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
View File

@ -1,36 +0,0 @@
From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 16:14:09 -0400
Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
Ensure /var/volatile paths get the appropriate base file context.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
config/file_contexts.subs_dist | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 346d920e..be532d7f 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -31,3 +31,13 @@
# not for refpolicy intern, but for /var/run using applications,
# like systemd tmpfiles or systemd socket configurations
/var/run /run
+
+# volatile aliases
+# ensure the policy applied to the base filesystem objects are reflected in the
+# volatile hierarchy.
+/var/volatile/log /var/log
+/var/volatile/run /var/run
+/var/volatile/cache /var/cache
+/var/volatile/tmp /var/tmp
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
--
2.19.1

53
recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch
View File

@ -1,53 +0,0 @@
From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] fix update-alternatives for sysvinit
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/admin/shutdown.fc | 1 +
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/system/init.fc | 1 +
3 files changed, 3 insertions(+)
diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
index 03a2230c..2ba049ff 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
@@ -5,5 +5,6 @@
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index cf3848db..86920167 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',`
/usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 11a6ce93..93e9d2b4 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
# /usr
#
/usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
--
2.19.1

68
recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
View File

@ -1,68 +0,0 @@
From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:44 +0530
Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
allow rules
add allow rules for audit.log file & resolve dependent avc denials.
without this change we are getting audit avc denials mixed into bootlog &
audit other avc denials.
audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
path="/run/systemd/journal/dev-log" scontext=sy0
audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 3 +++
policy/modules/system/logging.te | 8 ++++++++
2 files changed, 11 insertions(+)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..423db0cc 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -129,3 +129,6 @@ optional_policy(`
optional_policy(`
udev_read_db(getty_t)
')
+
+allow getty_t tmpfs_t:dir search;
+allow getty_t tmpfs_t:file { open write lock };
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e92a8e..8ab46925 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
+allow audisp_t initrc_t:unix_dgram_socket sendto;
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
@@ -620,3 +621,10 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
+
+
+allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+allow klogd_t initrc_t:unix_dgram_socket sendto;
\ No newline at end of file
--
2.19.1

31
recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
View File

@ -1,31 +0,0 @@
From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 20:48:10 -0400
Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
The objects in /usr/lib/busybox/* should have the same policy applied as
the corresponding objects in the / hierarchy.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
config/file_contexts.subs_dist | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index be532d7f..04fca3c3 100644
--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
@@ -41,3 +41,10 @@
/var/volatile/tmp /var/tmp
/var/volatile/lock /var/lock
/var/volatile/run/lock /var/lock
+
+# busybox aliases
+# quickly match up the busybox built-in tree to the base filesystem tree
+/usr/lib/busybox/bin /bin
+/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/usr /usr
+
--
2.19.1

54
recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
View File

@ -1,54 +0,0 @@
From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:46 +0530
Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
local_login_t
add allow rules for locallogin module avc denials.
without this change we are getting errors like these:
type=AVC msg=audit(): avc: denied { read write open } for pid=353
comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
=file permissive=1
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/locallogin.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 4c679ff3..75750e4c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -288,3 +288,13 @@ optional_policy(`
optional_policy(`
nscd_use(sulogin_t)
')
+
+allow local_login_t initrc_t:fd use;
+allow local_login_t initrc_t:unix_dgram_socket sendto;
+allow local_login_t initrc_t:unix_stream_socket connectto;
+allow local_login_t self:capability net_admin;
+allow local_login_t var_log_t:file { create lock open read write };
+allow local_login_t var_run_t:file { open read write lock};
+allow local_login_t var_run_t:sock_file write;
+allow local_login_t tmpfs_t:dir { add_name write search};
+allow local_login_t tmpfs_t:file { create open read write lock };
--
2.19.1

57
recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch
View File

@ -1,57 +0,0 @@
From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:39:41 +0800
Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink
/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow
rule for syslogd_t to read syslog_conf_t lnk_file is needed.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/logging.fc | 3 +++
policy/modules/system/logging.te | 1 +
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6693d87b..0cf108e0 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,6 +2,7 @@
/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -32,10 +33,12 @@
/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index adc628f8..07ed546d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
--
2.19.1

121
recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
View File

@ -1,121 +0,0 @@
From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:32 +0530
Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
services allow rules
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are getting these errors:
:~# systemctl status selinux-init.service
Failed to get properties: Access denied
:~# systemctl stop selinux-init.service
Failed to stop selinux-init.service: Access denied
:~# systemctl restart selinux-init.service
audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
restart selinux-init.service" scontext=unconfined_u:unconfined_r:
unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 4 +++
policy/modules/system/libraries.te | 3 +++
policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 6 +++++
4 files changed, 52 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8352428a..15745c83 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1425,3 +1425,7 @@ optional_policy(`
allow kernel_t init_t:process dyntransition;
allow devpts_t device_t:filesystem associate;
allow init_t self:capability2 block_suspend;
+allow init_t self:capability2 audit_read;
+
+allow initrc_t init_t:system { start status };
+allow initrc_t init_var_run_t:service { start status };
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 422b0ea1..80b0c9a5 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -145,3 +145,6 @@ optional_policy(`
optional_policy(`
unconfined_domain(ldconfig_t)
')
+
+# systemd: init domain to start lib domain service
+systemd_service_lib_function(lib_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..8fc61843 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',`
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+########################################
+## <summary>
+## Allow specified domain to start stop reset systemd service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_file_operations',`
+ gen_require(`
+ class service { start status stop };
+ ')
+
+ allow $1 lib_t:service { start status stop };
+
+')
+
+
+########################################
+## <summary>
+## Allow init domain to start lib domain service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_lib_function',`
+ gen_require(`
+ class service start;
+ ')
+
+ allow initrc_t $1:service start;
+
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 12cc0d7c..c09e94a5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
+
+
+# systemd: specified domain to start stop reset systemd service
+systemd_service_file_operations(unconfined_t)
+
+allow unconfined_t init_t:system reload;
--
2.19.1

27
recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
View File

@ -1,27 +0,0 @@
From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
alternatives
Upstream-Status: Inappropriate [only for Yocto]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/hostname.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
index 83ddeb57..653e038d 100644
--- a/policy/modules/system/hostname.fc
+++ b/policy/modules/system/hostname.fc
@@ -1 +1,5 @@
+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+
/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
--
2.19.1

96
recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
View File

@ -1,96 +0,0 @@
From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:37 +0530
Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
add allow rules
add allow rules for avc denails for systemd, mount, logging & authlogin
modules.
without this change we are getting avc denial like these:
type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
unix_dgram_socket permissive=0
type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
file permissive=0
type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/authlogin.te | 2 ++
policy/modules/system/logging.te | 7 ++++++-
policy/modules/system/mount.te | 3 +++
policy/modules/system/systemd.te | 5 +++++
4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 345e07f3..39f860e0 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -472,3 +472,5 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
+
+allow chkpwd_t proc_t:filesystem getattr;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 8ab46925..520f7da6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
allow auditd_t initrc_t:unix_dgram_socket sendto;
-allow klogd_t initrc_t:unix_dgram_socket sendto;
\ No newline at end of file
+allow klogd_t initrc_t:unix_dgram_socket sendto;
+
+allow syslogd_t self:shm create;
+allow syslogd_t self:sem { create read unix_write write };
+allow syslogd_t self:shm { read unix_read unix_write write };
+allow syslogd_t tmpfs_t:file { read write };
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 3dcb8493..a87d0e82 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -231,3 +231,6 @@ optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
unconfined_domain(unconfined_mount_t)
')
+
+allow mount_t proc_t:filesystem getattr;
+allow mount_t initrc_t:udp_socket { read write };
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a6f09dfd..68b80de3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+allow systemd_tmpfiles_t init_t:dir search;
+allow systemd_tmpfiles_t proc_t:filesystem getattr;
+allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)
--
2.19.1

30
recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
View File

@ -1,30 +0,0 @@
From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:37:32 -0400
Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
the proper context to the target for our policy.
Upstream-Status: Inappropriate [only for Yocto]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index e7415cac..cf3848db 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
--
2.19.1

37
recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
View File

@ -1,37 +0,0 @@
From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:53:53 +0530
Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
manager.
add allow rule to fix avc denial during system reboot.
without this change we are getting:
audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 15745c83..d6a0270a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
allow init_t self:capability2 block_suspend;
allow init_t self:capability2 audit_read;
-allow initrc_t init_t:system { start status };
+allow initrc_t init_t:system { start status reboot };
allow initrc_t init_var_run_t:service { start status };
--
2.19.1

30
recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch
View File

@ -1,30 +0,0 @@
From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 4 Apr 2019 10:45:03 -0400
Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/sysnetwork.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 1e5432a4..ac7c2dd1 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -22,6 +22,7 @@ ifdef(`distro_debian',`
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
--
2.19.1

92
recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch
View File

@ -1,92 +0,0 @@
From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Wed, 3 Apr 2019 14:51:29 -0400
Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
refpolicy booleans
enable required refpolicy booleans for these modules
i. mount: allow_mount_anyfile
without enabling this boolean we are getting below avc denial
audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
This avc can be allowed using the boolean 'allow_mount_anyfile'
allow mount_t initrc_var_run_t:dir mounton;
ii. systemd : systemd_tmpfiles_manage_all
without enabling this boolean we are not getting access to mount systemd
essential tmpfs during bootup, also not getting access to create audit.log
audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
ls /var/log
/var/log -> volatile/log
:~#
The old refpolicy included a pre-generated booleans.conf that could be
patched. That's no longer the case so we're left with a few options,
tweak the default directly or create a template booleans.conf file which
will be updated during build time. Since this is intended to be applied
only for specific configuraitons it seems like the same either way and
this avoids us playing games to work around .gitignore.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/booleans.conf | 9 +++++++++
policy/modules/system/mount.te | 2 +-
policy/modules/system/systemd.te | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 policy/booleans.conf
diff --git a/policy/booleans.conf b/policy/booleans.conf
new file mode 100644
index 00000000..850f56ed
--- /dev/null
+++ b/policy/booleans.conf
@@ -0,0 +1,9 @@
+#
+# Allow the mount command to mount any directory or file.
+#
+allow_mount_anyfile = true
+
+#
+# Enable support for systemd-tmpfiles to manage all non-security files.
+#
+systemd_tmpfiles_manage_all = true
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a87d0e82..868052b7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
## Allow the mount command to mount any directory or file.
## </p>
## </desc>
-gen_tunable(allow_mount_anyfile, false)
+gen_tunable(allow_mount_anyfile, true)
attribute_role mount_roles;
roleattribute system_r mount_roles;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 68b80de3..a1ef6990 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
-gen_tunable(systemd_tmpfiles_manage_all, false)
+gen_tunable(systemd_tmpfiles_manage_all, true)
## <desc>
## <p>
--
2.19.1

27
recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
View File

@ -1,27 +0,0 @@
From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:43:53 -0400
Subject: [PATCH 07/34] fc/login: apply login context to login.shadow
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/authlogin.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index e22945cd..a42bc0da 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -5,6 +5,7 @@
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
/usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--
2.19.1

103
recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
View File

@ -1,103 +0,0 @@
From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:09 +0530
Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
service
1. fix for systemd services: login & journal wile using refpolicy-minimum and
systemd as init manager.
2. fix login duration after providing root password.
without these changes we are getting avc denails like these and below
systemd services failure:
audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
tclass=fifo_file permissive=0
audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
lib_t:s0 tclass=service
[FAILED] Failed to start Flush Journal to Persistent Storage.
See 'systemctl status systemd-journal-flush.service' for details.
[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.
[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
See 'systemctl status avahi-daemon.service' for details.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 2 ++
policy/modules/system/locallogin.te | 3 +++
policy/modules/system/systemd.if | 6 ++++--
policy/modules/system/systemd.te | 2 +-
4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d6a0270a..035c7ad2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
allow initrc_t init_t:system { start status reboot };
allow initrc_t init_var_run_t:service { start status };
+
+allow initrc_t init_var_run_t:service stop;
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 75750e4c..2c2cfc7d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
allow local_login_t var_run_t:sock_file write;
allow local_login_t tmpfs_t:dir { add_name write search};
allow local_login_t tmpfs_t:file { create open read write lock };
+allow local_login_t init_var_run_t:fifo_file write;
+allow local_login_t initrc_t:dbus send_msg;
+allow initrc_t local_login_t:dbus send_msg;
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8fc61843..1166505f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
#
interface(`systemd_service_lib_function',`
gen_require(`
- class service start;
+ class service { start status stop };
+ class file { execmod open };
')
- allow initrc_t $1:service start;
+ allow initrc_t $1:service { start status stop };
+ allow initrc_t $1:file execmod;
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a1ef6990..a62c3c38 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
allow systemd_tmpfiles_t init_t:dir search;
allow systemd_tmpfiles_t proc_t:filesystem getattr;
-allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t init_t:file { open getattr read };
allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
kernel_getattr_proc(systemd_tmpfiles_t)
--
2.19.1

31
recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
View File

@ -1,31 +0,0 @@
From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:58:53 -0400
Subject: [PATCH 08/34] fc/bind: fix real path for bind
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/bind.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index b4879dc1..59498e25 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
--
2.19.1

109
recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
View File

@ -1,109 +0,0 @@
From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:17 +0530
Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
services
fix for systemd tmp files setup service while using refpolicy-minimum and
systemd as init manager.
these allow rules require kernel domain & files access, so added interfaces
at systemd.te to merge these allow rules.
without these changes we are getting avc denails like these and below
systemd services failure:
audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
tclass=dir permissive=0
[FAILED] Failed to start Create Static Device Nodes in /dev.
See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
[FAILED] Failed to start Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
policy/modules/system/systemd.te | 2 ++
3 files changed, 42 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index eb067ad3..ff74f55a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## systemd tmp files access to kernel tmp files domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
+ gen_require(`
+ type tmp_t;
+ class lnk_file getattr;
+ ')
+
+ allow $1 tmp_t:lnk_file getattr;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1ad282aa..342eb033 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
allow $1 unlabeled_t:infiniband_endport manage_subnet;
')
+########################################
+## <summary>
+## systemd tmp files access to kernel sysctl domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
+ gen_require(`
+ type sysctl_kernel_t;
+ class dir search;
+ class file { open read };
+ ')
+
+ allow $1 sysctl_kernel_t:dir search;
+ allow $1 sysctl_kernel_t:file { open read };
+
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a62c3c38..9b696823 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
kernel_read_system_state(systemd_update_done_t)
+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
--
2.19.1

28
recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
View File

@ -1,28 +0,0 @@
From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Thu, 28 Mar 2019 21:59:18 -0400
Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/clock.fc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
index 30196589..e0dc4b6f 100644
--- a/policy/modules/system/clock.fc
+++ b/policy/modules/system/clock.fc
@@ -2,4 +2,7 @@
/usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
--
2.19.1

70
recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
View File

@ -1,70 +0,0 @@
From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:29 +0530
Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
syslog & getty related allow rules required to fix the syslog mixup with
boot log, while using systemd as init manager.
without this change we are getting these avc denials:
audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
object_r:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
:tmpfs_t:s0 tclass=dir permissive=0
audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
s0 tclass=file permissive=0
audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/getty.te | 1 +
policy/modules/system/logging.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 423db0cc..9ab03956 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -132,3 +132,4 @@ optional_policy(`
allow getty_t tmpfs_t:dir search;
allow getty_t tmpfs_t:file { open write lock };
+allow getty_t initrc_t:unix_dgram_socket sendto;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 520f7da6..4e02dab8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
allow syslogd_t self:shm create;
allow syslogd_t self:sem { create read unix_write write };
allow syslogd_t self:shm { read unix_read unix_write write };
-allow syslogd_t tmpfs_t:file { read write };
+allow syslogd_t tmpfs_t:file { read write create getattr append open };
+allow syslogd_t tmpfs_t:dir { search write add_name };
--
2.19.1

24
recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
View File

@ -1,24 +0,0 @@
From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 08:26:55 -0400
Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/admin/dmesg.fc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
index e52fdfcf..85d15127 100644
--- a/policy/modules/admin/dmesg.fc
+++ b/policy/modules/admin/dmesg.fc
@@ -1 +1,3 @@
-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
--
2.19.1

27
recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
View File

@ -1,27 +0,0 @@
From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 09:20:58 -0400
Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/ssh.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 4ac3e733..1f453091 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
--
2.19.1

48
recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
View File

@ -1,48 +0,0 @@
From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Tue, 9 Jun 2015 21:22:52 +0530
Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/sysnetwork.fc | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index ac7c2dd1..4e441503 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -60,6 +60,8 @@ ifdef(`distro_redhat',`
/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -67,9 +69,17 @@ ifdef(`distro_redhat',`
/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+#
+# /usr/lib/busybox
+#
+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
#
# /var
#
--
2.19.1

28
recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
View File

@ -1,28 +0,0 @@
From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 09:36:08 -0400
Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/udev.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..cc438609 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+
ifdef(`distro_redhat',`
/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
')
--
2.19.1

29
recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
View File

@ -1,29 +0,0 @@
From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 09:54:07 -0400
Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/admin/rpm.fc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 578d465c..f2b8003a 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
ifdef(`enable_mls',`
-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
+
--
2.19.1

26
recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch
View File

@ -1,26 +0,0 @@
From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Thu, 13 Feb 2014 00:33:07 -0500
Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/admin/su.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
index 3375c969..435a6892 100644
--- a/policy/modules/admin/su.fc
+++ b/policy/modules/admin/su.fc
@@ -1,3 +1,5 @@
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
--
2.19.1

76
recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch
View File

@ -1,76 +0,0 @@
From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 27 Jan 2014 03:54:01 -0500
Subject: [PATCH 16/34] fc/fstools: fix real path for fstools
Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/fstools.fc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d719e22c 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -58,6 +58,7 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -72,10 +73,12 @@
/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -88,17 +91,20 @@
/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -108,6 +114,12 @@
/usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
--
2.19.1

33
recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch
View File

@ -1,33 +0,0 @@
From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted
object
We add the syslogd_t to trusted object, because other process need
to have the right to connectto/sendto /dev/log.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 07ed546d..a7b69932 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
term_write_console(syslogd_t)
# Allow syslog to a terminal
--
2.19.1

100
recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
View File

@ -1,100 +0,0 @@
From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
/var/log
/var/log is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw... in /var/log/ directory.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.if | 6 ++++++
policy/modules/system/logging.te | 2 ++
3 files changed, 9 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 0cf108e0..5bec7e99 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 16091eb6..e83cb5b5 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, logfile, logfile)
')
@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
can_exec($1, logfile)
')
@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, var_log_t, var_log_t)
')
@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a7b69932..fa5664b0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--
2.19.1

33
recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
View File

@ -1,33 +0,0 @@
From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 10:33:18 -0400
Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
/var/log
We have added rules for the symlink of /var/log in logging.if, while
syslogd_t uses /var/log but does not use the interfaces in logging.if. So
still need add a individual rule for syslogd_t.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fa5664b0..63e92a8e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
# for systemd but can not be conditional
files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
--
2.19.1

36
recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
View File

@ -1,36 +0,0 @@
From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
symlinks. Domains still need their practical allow rules to read the
contents, so this is still a secure relax.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2..babb794f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# Yocto/oe-core use some var volatile links
+files_read_var_symlinks(domain)
+
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
--
2.19.1

100
recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch
View File

@ -1,100 +0,0 @@
From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp
/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/files.fc | 1 +
policy/modules/kernel/files.if | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c3496c21..05b1734b 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c94411..eb067ad3 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',`
')
allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',`
')
allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',`
')
allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',`
')
read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',`
')
manage_dirs_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',`
')
manage_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',`
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',`
')
filetrans_pattern($1, tmp_t, $2, $3, $4)
+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
')
########################################
--
2.19.1

123
recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
View File

@ -1,123 +0,0 @@
From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t
to complete pty devices.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/terminal.if | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 61308843..a84787e6 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
interface(`term_dontaudit_getattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file getattr;
+ dontaudit $1 bsdpty_device_t:chr_file getattr;
')
########################################
## <summary>
@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
interface(`term_ioctl_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
allow $1 devpts_t:chr_file ioctl;
+ allow $1 bsdpty_device_t:chr_file ioctl;
')
########################################
@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
interface(`term_setattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
allow $1 devpts_t:chr_file setattr;
+ allow $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
interface(`term_dontaudit_setattr_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file setattr;
+ dontaudit $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
interface(`term_use_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
')
########################################
@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
interface(`term_dontaudit_use_generic_ptys',`
gen_require(`
type devpts_t;
+ type bsdpty_device_t;
')
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
')
#######################################
@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',`
interface(`term_setattr_controlling_term',`
gen_require(`
type devtty_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file setattr;
+ allow $1 bsdpty_device_t:chr_file setattr;
')
########################################
@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',`
interface(`term_use_controlling_term',`
gen_require(`
type devtty_t;
+ type bsdpty_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { rw_term_perms lock append };
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
')
#######################################
--
2.19.1

37
recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch
View File

@ -1,37 +0,0 @@
From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in
term_dontaudit_use_console.
We should also not audit terminal to rw tty_device_t and fds in
term_dontaudit_use_console.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/terminal.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index a84787e6..cf66da2f 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -335,9 +335,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
+ init_dontaudit_use_fds($1)
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
--
2.19.1

29
recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch
View File

@ -1,29 +0,0 @@
From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 47fa2fd0..d4209231 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
corenet_sendrecv_nfs_server_packets(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
--
2.19.1

77
recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch
View File

@ -1,77 +0,0 @@
From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 12:01:53 +0800
Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount
nfsd_fs_t.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/filesystem.te | 1 +
policy/modules/kernel/kernel.te | 2 ++
policy/modules/services/rpc.te | 5 +++++
policy/modules/services/rpcbind.te | 5 +++++
4 files changed, 13 insertions(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1db0c652..bf1c0173 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type nsfs_t;
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e971c533..ad7c823a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
ifdef(`distro_redhat',`
# Bugzilla 222337
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index d4209231..a2327b44 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',`
optional_policy(`
mount_exec(nfsd_t)
+ # Should domtrans to mount_t while mounting nfsd_fs_t.
+ mount_domtrans(nfsd_t)
+ # nfsd_t need to chdir to /var/lib/nfs and read files.
+ files_list_var(nfsd_t)
+ rpc_read_nfs_state_data(nfsd_t)
')
########################################
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 5914af99..2055c114 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t)
miscfiles_read_localization(rpcbind_t)
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcbind_t)
')
--
2.19.1

126
recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch
View File

@ -1,126 +0,0 @@
From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 11:16:37 -0400
Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
add rules to access sysfs.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..2c95db81 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
type security_t;
')
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
allow $1 security_t:filesystem mount;
')
@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
type security_t;
')
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
allow $1 security_t:filesystem remount;
')
@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
')
allow $1 security_t:filesystem unmount;
+
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
')
########################################
@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
')
dontaudit $1 security_t:dir getattr;
+ dev_dontaudit_getattr_sysfs($1)
+ dev_dontaudit_search_sysfs($1)
')
########################################
@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
')
@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ dev_dontaudit_getattr_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
bool secure_mode_policyload;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
--
2.19.1

31
recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch
View File

@ -1,31 +0,0 @@
From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Sat, 15 Feb 2014 09:45:00 +0800
Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo
Upstream-Status: Pending
type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/roles/sysadm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e411d4fd..f326d1d7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -939,6 +939,7 @@ optional_policy(`
')
optional_policy(`
+ rpcbind_stream_connect(sysadm_t)
rpcbind_admin(sysadm_t, sysadm_r)
')
--
2.19.1

45
recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch
View File

@ -1,45 +0,0 @@
From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage
config files
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/selinuxutil.if | 1 +
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 20024993..0fdc8c10 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -674,6 +674,7 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5221bd13..4cf987d1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
+ seutil_manage_default_contexts($1)
+ seutil_manage_file_contexts($1)
+ seutil_manage_module_store($1)
+ seutil_manage_config($1)
seutil_run_checkpolicy($1, $2)
seutil_run_loadpolicy($1, $2)
seutil_run_semanage($1, $2)
--
2.19.1

33
recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch
View File

@ -1,33 +0,0 @@
From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 11:30:27 -0400
Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get
file count
New setfiles will read /proc/mounts and use statvfs in
file_system_count() to get file count of filesystems.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/selinuxutil.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index db6bb368..98fed2d0 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t)
files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
+fs_getattr_all_fs(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
fs_getattr_cgroup(setfiles_t)
fs_getattr_nfs(setfiles_t)
--
2.19.1

25
recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch
View File

@ -1,25 +0,0 @@
From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 16:36:09 +0800
Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
default input
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/admin/dmesg.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1973c78..739a4bc5 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
corecmd_search_bin($1)
can_exec($1, dmesg_exec_t)
+ dev_read_kmsg($1)
')
--
2.19.1

41
recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
View File

@ -1,41 +0,0 @@
From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001
From: Roy Li <rongqing.li@windriver.com>
Date: Mon, 10 Feb 2014 18:10:12 +0800
Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to
mls_file_write_all_levels
Proftpd will create file under /var/run, but its mls is in high, and
can not write to lowlevel
Upstream-Status: Pending
type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
root@localhost:~#
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/ftp.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 29bc077c..d582cf80 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t;
type ftpdctl_tmp_t;
files_tmp_file(ftpdctl_tmp_t)
+mls_file_write_all_levels(ftpd_t)
+
type sftpd_t;
domain_type(sftpd_t)
role system_r types sftpd_t;
--
2.19.1

32
recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch
View File

@ -1,32 +0,0 @@
From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 12 Jun 2015 19:37:52 +0530
Subject: [PATCH 32/34] policy/module/init: update for systemd related allow
rules
It provide, the systemd support related allow rules
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index eabba1ed..5da25cd6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1418,3 +1418,8 @@ optional_policy(`
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
userdom_dontaudit_write_user_tmp_files(systemprocess)
')
+
+# systemd related allow rules
+allow kernel_t init_t:process dyntransition;
+allow devpts_t device_t:filesystem associate;
+allow init_t self:capability2 block_suspend;
--
2.19.1

67
recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch
View File

@ -1,67 +0,0 @@
From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 5 Apr 2019 11:53:28 -0400
Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional
init and locallogin modules have a depend for sysadm module because
they have called sysadm interfaces(sysadm_shell_domtrans). Since
sysadm is not a core module, we could make the sysadm_shell_domtrans
calls optionally by optional_policy.
So, we could make the minimum policy without sysadm module.
Upstream-Status: pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 16 +++++++++-------
policy/modules/system/locallogin.te | 4 +++-
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5da25cd6..8352428a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -446,13 +446,15 @@ ifdef(`init_systemd',`
modutils_domtrans(init_t)
')
',`
- tunable_policy(`init_upstart',`
- corecmd_shell_domtrans(init_t, initrc_t)
- ',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- ifndef(`distro_debian',`
- sysadm_shell_domtrans(init_t)
+ optional_policy(`
+ tunable_policy(`init_upstart',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+ ',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ ifndef(`distro_debian',`
+ sysadm_shell_domtrans(init_t)
+ ')
')
')
')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index a56f3d1f..4c679ff3 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
-sysadm_shell_domtrans(sulogin_t)
+optional_policy(`
+ sysadm_shell_domtrans(sulogin_t)
+')
# by default, sulogin does not use pam...
# sulogin_pam might need to be defined otherwise
--
2.19.1

33
recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch
View File

@ -1,33 +0,0 @@
From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 19:36:44 +0800
Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of
/var/log - apache2
We have added rules for the symlink of /var/log in logging.if,
while apache.te uses /var/log but does not use the interfaces in
logging.if. So still need add a individual rule for apache.te.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/services/apache.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 15c4ea53..596370b1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
--
2.19.1

11
recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb
View File

@ -1,11 +0,0 @@
SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
DESCRIPTION = "\
This is the reference policy for SE Linux built with MCS support. \
An MCS policy is the same as an MLS policy but with only one sensitivity \
level. This is useful on systems where a hierarchical policy (MLS) isn't \
needed (pretty much all systems) but the non-hierarchical categories are. \
"
POLICY_TYPE = "mcs"
include refpolicy_${PV}.inc

91
recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
View File

@ -1,91 +0,0 @@
################################################################################
# Note that -minimum specifically inherits from -targeted. Key policy pieces
# will be missing if you do not preserve this relationship.
include refpolicy-targeted_${PV}.bb
SUMMARY = "SELinux minimum policy"
DESCRIPTION = "\
This is a minimum reference policy with just core policy modules, and \
could be used as a base for customizing targeted policy. \
Pretty much everything runs as initrc_t or unconfined_t so all of the \
domains are unconfined. \
"
POLICY_NAME = "minimum"
CORE_POLICY_MODULES = "unconfined \
selinuxutil \
storage \
sysnetwork \
application \
libraries \
miscfiles \
logging \
userdomain \
init \
mount \
modutils \
getty \
authlogin \
locallogin \
"
#systemd dependent policy modules
CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}"
# nscd caches libc-issued requests to the name service.
# Without nscd.pp, commands want to use these caches will be blocked.
EXTRA_POLICY_MODULES += "nscd"
# pam_mail module enables checking and display of mailbox status upon
# "login", so "login" process will access to /var/spool/mail.
EXTRA_POLICY_MODULES += "mta"
# sysnetwork requires type definitions (insmod_t, consoletype_t,
# hostname_t, ping_t, netutils_t) from modules:
EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
# Add specific policy modules here that should be purged from the system
# policy. Purged modules will not be built and will not be installed on the
# target. To use them at some later time you must specifically build and load
# the modules by hand on the target.
#
# USE WITH CARE! With this feature it is easy to break your policy by purging
# core modules (eg. userdomain)
#
# PURGE_POLICY_MODULES += "xdg xen"
POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
# re-write the same func from refpolicy_common.inc
prepare_policy_store () {
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
POL_PRIORITY=100
POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
# Prepare to create policy store
mkdir -p ${POL_STORE}
mkdir -p ${POL_ACTIVE_MODS}
# get hll type from suffix on base policy module
HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
for i in base ${POLICY_MODULES_MIN}; do
MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
MOD_DIR=${POL_ACTIVE_MODS}/${i}
mkdir -p ${MOD_DIR}
echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
else
bunzip2 --stdout ${MOD_FILE} | \
${HLL_BIN} | \
bzip2 --stdout > ${MOD_DIR}/cil
fi
cp ${MOD_FILE} ${MOD_DIR}/hll
done
}

10
recipes-security/refpolicy/refpolicy-mls_2.20190201.bb
View File

@ -1,10 +0,0 @@
SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
DESCRIPTION = "\
This is the reference policy for SE Linux built with MLS support. \
It allows giving data labels such as \"Top Secret\" and preventing \
such data from leaking to processes or files with lower classification. \
"
POLICY_TYPE = "mls"
include refpolicy_${PV}.inc

8
recipes-security/refpolicy/refpolicy-standard_2.20190201.bb
View File

@ -1,8 +0,0 @@
SUMMARY = "Standard variants of the SELinux policy"
DESCRIPTION = "\
This is the reference policy for SELinux built with type enforcement \
only."
POLICY_TYPE = "standard"
include refpolicy_${PV}.inc

35
recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb
View File

@ -1,35 +0,0 @@
SUMMARY = "SELinux targeted policy"
DESCRIPTION = "\
This is the targeted variant of the SELinux reference policy. Most service \
domains are locked down. Users and admins will login in with unconfined_t \
domain, so they have the same access to the system as if SELinux was not \
enabled. \
"
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
POLICY_NAME = "targeted"
POLICY_TYPE = "mcs"
POLICY_MLS_SENS = "0"
include refpolicy_${PV}.inc
SYSTEMD_REFPOLICY_PATCHES = " \
file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \
file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
"
SYSVINIT_REFPOLICY_PATCHES = " \
file://0001-fix-update-alternatives-for-sysvinit.patch \
"
SRC_URI += " \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \
"

9
recipes-security/refpolicy/refpolicy_2.20190201.inc
View File

@ -1,9 +0,0 @@
SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2"
SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
SRC_URI[sha256sum] = "ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
include refpolicy_common.inc