diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf index 5f4af87..6e55a32 100644 --- a/conf/distro/oe-selinux.conf +++ b/conf/distro/oe-selinux.conf @@ -1,4 +1,4 @@ DISTRO = "oe-selinux" DISTROOVERRIDES .= ":selinux" -DISTRO_FEATURES_append = " acl xattr pam selinux compressed_policy" +DISTRO_FEATURES_append = " acl xattr pam selinux" diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch deleted file mode 100644 index fced84a..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001 -From: Sven Vermeulen -Date: Wed, 25 Sep 2013 20:27:34 +0200 -Subject: [PATCH] Allow ping to get/set capabilities - -When ping is installed with capabilities instead of being marked setuid, -then the ping_t domain needs to be allowed to getcap/setcap. - -Reported-by: Luis Ressel -Signed-off-by: Sven Vermeulen - -Upstream-Status: backport ---- - policy/modules/admin/netutils.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index 557da97..cfe036a 100644 ---- a/policy/modules/admin/netutils.te -+++ b/policy/modules/admin/netutils.te -@@ -106,6 +106,8 @@ optional_policy(` - # - - allow ping_t self:capability { setuid net_raw }; -+# When ping is installed with capabilities instead of setuid -+allow ping_t self:process { getcap setcap }; - dontaudit ping_t self:capability sys_tty_config; - allow ping_t self:tcp_socket create_socket_perms; - allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch deleted file mode 100644 index 3c6a979..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch +++ /dev/null @@ -1,25 +0,0 @@ -Allow udev the block_suspend capability - -Upstream-Status: backport -upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8 - -Signed-off-by: Jackie Huang ---- - policy/modules/system/udev.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 90e4ab3..efe6c02 100644 ---- a/policy/modules/system/udev.te -+++ b/policy/modules/system/udev.te -@@ -39,6 +39,7 @@ ifdef(`enable_mcs',` - - allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; - dontaudit udev_t self:capability sys_tty_config; -+allow udev_t self:capability2 block_suspend; - allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow udev_t self:process { execmem setfscreate }; - allow udev_t self:fd use; --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch deleted file mode 100644 index 094d9e5..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch +++ /dev/null @@ -1,30 +0,0 @@ -Upstream-Status: backport - -Signed-off-by: Wenzong Fan -========================= -From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001 -From: Dominick Grift -Date: Tue, 24 Sep 2013 15:39:21 +0200 -Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) - file systems - -Signed-off-by: Dominick Grift ---- - policy/modules/kernel/filesystem.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index ed59e5e..f72cde1 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) - # tmpfs_t is the type for tmpfs filesystems - # - type tmpfs_t; -+dev_associate(tmpfs_t) - fs_type(tmpfs_t) - files_type(tmpfs_t) - files_mountpoint(tmpfs_t) --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch deleted file mode 100644 index edba56d..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001 -From: Dominick Grift -Date: Fri, 27 Sep 2013 10:36:14 +0200 -Subject: [PATCH] hostname: do not audit attempts by hostname to read and - write dhcpc udp sockets (looks like a leaked fd) - -Upstream-Status: backport - -Signed-off-by: Dominick Grift ---- - policy/modules/system/hostname.te | 1 + - policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++ - 2 files changed, 20 insertions(+) - -diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index f6cbda9..380197b 100644 ---- a/policy/modules/system/hostname.te -+++ b/policy/modules/system/hostname.te -@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t) - - miscfiles_read_localization(hostname_t) - -+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) - sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) - sysnet_read_config(hostname_t) - sysnet_dns_name_resolve(hostname_t) -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 52b548c..2cea692 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',` - - ######################################## - ## -+## Do not audit attempts to read and -+## write dhcpc udp socket descriptors. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` -+ gen_require(` -+ type dhcpc_t; -+ ') -+ -+ dontaudit $1 dhcpc_t:udp_socket { read write }; -+') -+ -+######################################## -+## - ## Do not audit attempts to use - ## the dhcp file descriptors. - ## --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch deleted file mode 100644 index aa870f4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/services/xserver.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 4f6d693..b00f004 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te -@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t) - # this is not actually a device, its a pipe - type xconsole_device_t; - files_type(xconsole_device_t) -+dev_node(xconsole_device_t) - fs_associate_tmpfs(xconsole_device_t) - files_associate_tmp(xconsole_device_t) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch deleted file mode 100644 index e95d675..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch +++ /dev/null @@ -1,41 +0,0 @@ -From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001 -From: Dominick Grift -Date: Fri, 27 Sep 2013 11:35:41 +0200 -Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports - sysnetwork: do not audit attempts by ifconfig to read, and - write dhcpc udp sockets (looks like a leaked fd) - -Upstream-Status: backport - -Signed-off-by: Dominick Grift ---- - policy/modules/system/sysnetwork.te | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index f9dce11..67709b5 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t) - corenet_udp_bind_dhcpc_port(dhcpc_t) - corenet_tcp_connect_all_ports(dhcpc_t) - corenet_sendrecv_dhcpd_client_packets(dhcpc_t) --corenet_sendrecv_dhcpc_server_packets(dhcpc_t) -+ -+corenet_sendrecv_all_server_packets(dhcpc_t) -+corenet_udp_bind_all_unreserved_ports(dhcpc_t) - - dev_read_sysfs(dhcpc_t) - # for SSP: -@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t) - - seutil_use_runinit_fds(ifconfig_t) - -+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) -+ - userdom_use_user_terminals(ifconfig_t) - userdom_use_all_users_fds(ifconfig_t) - --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch similarity index 77% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch index 5343893..38c96c4 100644 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch @@ -6,12 +6,11 @@ Subject: [PATCH] refpolicy: fix real path for fstools Upstream-Status: Inappropriate [configuration] Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald --- - policy/modules/system/fstools.fc | 12 ++++++++++++ - 1 file changed, 12 insertions(+) + policy/modules/system/fstools.fc | 11 +++++++++++ + 1 file changed, 11 insertions(+) -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 7a46b45..a724776 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -1,6 +1,8 @@ @@ -23,48 +22,44 @@ index 7a46b45..a724776 100644 /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -9,9 +11,12 @@ +@@ -9,9 +11,11 @@ /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -24,21 +29,28 @@ +@@ -24,6 +28,7 @@ /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -34,6 +39,7 @@ /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -50,7 +56,12 @@ - /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) --- -1.7.9.5 - + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch similarity index 67% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch index 4058b18..cfec7d9 100644 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch @@ -6,19 +6,17 @@ mapping to the pathes in file_contexts. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- - config/file_contexts.subs_dist | 8 ++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) + config/file_contexts.subs_dist | 10 ++++++++++ + 1 file changed, 10 insertions(+) -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 32b87a4..ebba73d 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist -@@ -5,3 +5,14 @@ - /usr/lib32 /usr/lib - /usr/lib64 /usr/lib +@@ -19,3 +19,13 @@ + /usr/local/lib64 /usr/lib + /usr/local/lib /usr/lib /var/run/lock /var/lock -+/etc/init.d /etc/rc.d/init.d +/var/volatile/log /var/log +/var/volatile/run /var/run +/var/volatile/cache /var/cache @@ -29,6 +27,3 @@ index 32b87a4..ebba73d 100644 +/usr/lib/busybox/bin /bin +/usr/lib/busybox/sbin /sbin +/usr/lib/busybox/usr /usr --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch similarity index 65% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch index 557af04..302a38f 100644 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch @@ -9,12 +9,11 @@ add rules to access sysfs. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- - policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 40 insertions(+) + policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 81440c5..ee4e86b 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` @@ -28,7 +27,7 @@ index 81440c5..ee4e86b 100644 # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs -@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` +@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun type security_t; ') @@ -72,7 +71,7 @@ index 81440c5..ee4e86b 100644 allow $1 security_t:filesystem getattr; ') -@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',` +@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs' type security_t; ') @@ -80,7 +79,7 @@ index 81440c5..ee4e86b 100644 dontaudit $1 security_t:filesystem getattr; ') -@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` +@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir type security_t; ') @@ -88,16 +87,15 @@ index 81440c5..ee4e86b 100644 dontaudit $1 security_t:dir getattr; ') -@@ -220,6 +235,8 @@ interface(`selinux_search_fs',` +@@ -220,6 +235,7 @@ interface(`selinux_search_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir search_dir_perms; ') - -@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` +@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs', type security_t; ') @@ -105,7 +103,7 @@ index 81440c5..ee4e86b 100644 dontaudit $1 security_t:dir search_dir_perms; ') -@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -113,52 +111,75 @@ index 81440c5..ee4e86b 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -342,6 +361,8 @@ interface(`selinux_load_policy',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_load_policy; -@@ -371,6 +392,8 @@ interface(`selinux_read_policy',` +@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',` type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; -@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - -@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` +@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -345,6 +365,7 @@ interface(`selinux_load_policy',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -375,6 +396,7 @@ interface(`selinux_read_policy',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; +@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans' + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) +- + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + +@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) +- allow $1 security_t:dir list_dir_perms; allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; -@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` +@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; -@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` +@@ -552,6 +575,7 @@ interface(`selinux_validate_context',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co type security_t; ') @@ -166,51 +187,43 @@ index 81440c5..ee4e86b 100644 dontaudit $1 security_t:dir list_dir_perms; dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; -@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` +@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; -@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` +@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; -@@ -626,6 +660,8 @@ interface(`selinux_compute_member',` +@@ -639,6 +666,7 @@ interface(`selinux_compute_member',` type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; -@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` +@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; -@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` +@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts type security_t; ') + dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch similarity index 68% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch index 19e2516..f04ebec 100644 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch @@ -6,6 +6,7 @@ Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. Upstream-Status: Pending Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/rpc.te | 5 +++++ policy/modules/contrib/rpcbind.te | 5 +++++ @@ -13,11 +14,9 @@ Signed-off-by: Xin Ouyang policy/modules/kernel/kernel.te | 2 ++ 4 files changed, 13 insertions(+) -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index 5605205..9e9f468 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te -@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',` +@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',` optional_policy(` mount_exec(nfsd_t) @@ -29,27 +28,23 @@ index 5605205..9e9f468 100644 ') ######################################## -diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te -index 196f168..9c75677 100644 --- a/policy/modules/contrib/rpcbind.te +++ b/policy/modules/contrib/rpcbind.te -@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t) +@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t) - sysnet_dns_name_resolve(rpcbind_t) + miscfiles_read_localization(rpcbind_t) +# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, +# because the are running in different level. So add rules to allow this. +mls_socket_read_all_levels(rpcbind_t) +mls_socket_write_all_levels(rpcbind_t) + - optional_policy(` - nis_use_ypbind(rpcbind_t) + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) ') -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 1c66416..2b9e7ce 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -57,11 +52,9 @@ index 1c66416..2b9e7ce 100644 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) type oprofilefs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 49fde6e..a731078 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t) +@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -70,6 +63,3 @@ index 49fde6e..a731078 100644 ifdef(`distro_redhat',` # Bugzilla 222337 --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch similarity index 100% rename from recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch rename to recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb similarity index 97% rename from recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb rename to recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb index 9288e2a..062727b 100644 --- a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb +++ b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb @@ -6,8 +6,6 @@ level. This is useful on systems where a hierarchical policy (MLS) isn't \ needed (pretty much all systems) but the non-hierarchical categories are. \ " -PR = "r99" - POLICY_TYPE = "mcs" include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb similarity index 69% rename from recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb rename to recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb index fc83fd5..b275821 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb @@ -1,5 +1,3 @@ -PR = "r99" - include refpolicy-targeted_${PV}.bb SUMMARY = "SELinux minimum policy" @@ -40,19 +38,11 @@ prepare_policy_store () { mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local - if ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then - bzip2 base.pp - cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${POLICY_MODULES_MIN}; do - bzip2 $i - cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` - done - else - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${POLICY_MODULES_MIN}; do - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp - done - fi + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + done + cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` + done } diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb similarity index 96% rename from recipes-security/refpolicy/refpolicy-mls_2.20130424.bb rename to recipes-security/refpolicy/refpolicy-mls_2.20140311.bb index e586ac2..7388232 100644 --- a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb +++ b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb @@ -5,8 +5,6 @@ It allows giving data labels such as \"Top Secret\" and preventing \ such data from leaking to processes or files with lower classification. \ " -PR = "r99" - POLICY_TYPE = "mls" include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb similarity index 94% rename from recipes-security/refpolicy/refpolicy-standard_2.20130424.bb rename to recipes-security/refpolicy/refpolicy-standard_2.20140311.bb index 98bc26b..3674fdd 100644 --- a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb +++ b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb @@ -3,8 +3,6 @@ DESCRIPTION = "\ This is the reference policy for SELinux built with type enforcement \ only." -PR = "r99" - POLICY_TYPE = "standard" include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index e39afca..51edcd2 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch @@ -1,4 +1,4 @@ -Subject: [PATCH] refpolicy: make unconfined_u the default selinux user +refpolicy: make unconfined_u the default selinux user For targeted policy type, we define unconfined_u as the default selinux user for root and normal users, so users could login in and run most @@ -10,16 +10,15 @@ run_init. Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- - config/appconfig-mcs/seusers | 4 +- - policy/modules/roles/sysadm.te | 1 + - policy/modules/system/init.if | 47 +++++++++++++++++++++++++++++------ + config/appconfig-mcs/seusers | 4 +-- + policy/modules/roles/sysadm.te | 1 + policy/modules/system/init.if | 47 +++++++++++++++++++++++++++++------- policy/modules/system/unconfined.te | 7 +++++ - policy/users | 14 +++------ - 5 files changed, 54 insertions(+), 19 deletions(-) + policy/users | 16 ++++-------- + 5 files changed, 55 insertions(+), 20 deletions(-) -diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers -index dc5f1e4..4428da8 100644 --- a/config/appconfig-mcs/seusers +++ b/config/appconfig-mcs/seusers @@ -1,3 +1,3 @@ @@ -28,11 +27,9 @@ index dc5f1e4..4428da8 100644 -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 85ff145..77d7bdc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t) +@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) @@ -40,11 +37,9 @@ index 85ff145..77d7bdc 100644 # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..fa46786 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',` +@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type', # interface(`init_spec_domtrans_script',` gen_require(` @@ -59,7 +54,7 @@ index d26fe81..fa46786 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',` +@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -73,7 +68,7 @@ index d26fe81..fa46786 100644 ') ') -@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',` +@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -97,7 +92,7 @@ index d26fe81..fa46786 100644 ') ') -@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -130,8 +125,6 @@ index d26fe81..fa46786 100644 + role_transition $1 init_script_file_type system_r; +') + -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 0280b32..00b4dcf 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -20,6 +20,11 @@ type unconfined_execmem_t; @@ -146,17 +139,15 @@ index 0280b32..00b4dcf 100644 ######################################## # -@@ -34,6 +39,8 @@ mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) - - init_run_daemon(unconfined_t, unconfined_r) -+init_domtrans_script(unconfined_t) -+init_script_role_transition(unconfined_r) - - libs_run_ldconfig(unconfined_t, unconfined_r) - -diff --git a/policy/users b/policy/users -index c4ebc7e..f300f22 100644 +@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom + ifdef(`direct_sysadm_daemon',` + optional_policy(` + init_run_daemon(unconfined_t, unconfined_r) ++ init_domtrans_script(unconfined_t) ++ init_script_role_transition(unconfined_r) + ') + ',` + ifdef(`distro_gentoo',` --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ @@ -168,7 +159,7 @@ index c4ebc7e..f300f22 100644 # # user_u is a generic user identity for Linux users who have no -@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) @@ -178,12 +169,16 @@ index c4ebc7e..f300f22 100644 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # Until order dependence is fixed for users: --gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ifdef(`direct_sysadm_daemon',` +- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ',` +- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + ') # - # The following users correspond to Unix identities. -@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al +@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',` # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # @@ -193,6 +188,3 @@ index c4ebc7e..f300f22 100644 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) --- -1.7.1 - diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb similarity index 74% rename from recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb rename to recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb index 1f20caa..b169604 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb @@ -12,8 +12,9 @@ POLICY_NAME = "targeted" POLICY_TYPE = "mcs" POLICY_MLS_SENS = "0" -PR = "r99" include refpolicy_${PV}.inc -SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ - file://refpolicy-unconfined_u-default-user.patch" +SRC_URI += " \ + file://refpolicy-fix-optional-issue-on-sysadm-module.patch \ + file://refpolicy-unconfined_u-default-user.patch \ + " diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc similarity index 76% rename from recipes-security/refpolicy/refpolicy_2.20130424.inc rename to recipes-security/refpolicy/refpolicy_2.20140311.inc index 0e7419d..8894583 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc @@ -1,8 +1,8 @@ -SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;" -SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085" -SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4" +SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;" +SRC_URI[md5sum] = "418f8d2a6ada3a299816153e70970449" +SRC_URI[sha256sum] = "f69437db95548c78a5dec44c236397146b144153149009ea554d2e536e5436f7" -FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:" +FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:" # Fix file contexts for Poky SRC_URI += "file://poky-fc-subs_dist.patch \ @@ -49,19 +49,11 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \ " # Other policy fixes -SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ +SRC_URI += " \ file://poky-policy-fix-seutils-manage-config-files.patch \ file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \ file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ - file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ - file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ file://ftp-add-ftpd_t-to-mlsfilewrite.patch \ " -# Backport from upstream -SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \ - file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \ - file://Allow-udev-the-block_suspend-capability.patch \ - " - include refpolicy_common.inc diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index abadb2a..0dc055e 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -13,7 +13,7 @@ S = "${WORKDIR}/refpolicy" FILES_${PN} = " \ ${sysconfdir}/selinux/${POLICY_NAME}/ \ - ${@bb.utils.contains('DISTRO_FEATURES', 'compressed_policy', '${datadir}/selinux/${POLICY_NAME}/*.pp.bz2', '${datadir}/selinux/${POLICY_NAME}/*.pp', d)} \ + ${datadir}/selinux/${POLICY_NAME}/*.pp \ " FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/" @@ -69,24 +69,14 @@ prepare_policy_store () { mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local - if ${@bb.utils.contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do - bzip2 $i - if [ "`basename $i`" != "base.pp" ]; then - cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` - else - cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i` - fi - done - else - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp >\ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do - if [ "`basename $i`" != "base.pp" ]; then - bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`; - fi - done - fi + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + if [ "`basename $i`" != "base.pp" ]; then + cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` + else + cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i` + fi + done } rebuild_policy () { diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy.inc index e0c7377..1a21680 100644 --- a/recipes-security/selinux/checkpolicy.inc +++ b/recipes-security/selinux/checkpolicy.inc @@ -11,7 +11,7 @@ LICENSE = "GPLv2+" DEPENDS += "libsepol libselinux bison-native flex-native" -SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch" +#SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch" EXTRA_OEMAKE += "PREFIX=${D}" EXTRA_OEMAKE += "LEX='flex'" diff --git a/recipes-security/selinux/checkpolicy_2.2.bb b/recipes-security/selinux/checkpolicy_2.2.bb deleted file mode 100644 index 23d57c1..0000000 --- a/recipes-security/selinux/checkpolicy_2.2.bb +++ /dev/null @@ -1,9 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "d76d5c70cd594fdb15f8d319c6536324" -SRC_URI[sha256sum] = "5d74075379cbaf17135c2a113a3053bd2e7b2a2c54ac04458de652457306c020" diff --git a/recipes-security/selinux/checkpolicy_2.3.bb b/recipes-security/selinux/checkpolicy_2.3.bb new file mode 100644 index 0000000..9f68487 --- /dev/null +++ b/recipes-security/selinux/checkpolicy_2.3.bb @@ -0,0 +1,7 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "920f1a048b6023a22e1bae7b40fd413c" +SRC_URI[sha256sum] = "8072c12121613ba943417bbb6d33224d12373ea19d75c5acd1846a35e0e05b74" diff --git a/recipes-security/selinux/libselinux_2.2.2.bb b/recipes-security/selinux/libselinux_2.3.bb similarity index 67% rename from recipes-security/selinux/libselinux_2.2.2.bb rename to recipes-security/selinux/libselinux_2.3.bb index d6502ad..81e599d 100644 --- a/recipes-security/selinux/libselinux_2.2.2.bb +++ b/recipes-security/selinux/libselinux_2.3.bb @@ -1,12 +1,10 @@ -PR = "r99" - -include selinux_20131030.inc +include selinux_20140506.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" -SRC_URI[md5sum] = "c13ea5de171f21fee399abfd4aef9481" -SRC_URI[sha256sum] = "cc8354d67d7bef11fb2a03d23e788c6f4e8510b6760c3778dc7baf6dcfa97539" +SRC_URI[md5sum] = "d27e249ad8450e7182203134cf4d85e2" +SRC_URI[sha256sum] = "03fe2baa7ceeea531a64fd321b44ecf09a55f3af5ef66a58a4135944f34e9851" SRC_URI += "\ file://libselinux-drop-Wno-unused-but-set-variable.patch \ diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.3.bb similarity index 74% rename from recipes-security/selinux/libsemanage_2.2.bb rename to recipes-security/selinux/libsemanage_2.3.bb index 1f00d07..5eada94 100644 --- a/recipes-security/selinux/libsemanage_2.2.bb +++ b/recipes-security/selinux/libsemanage_2.3.bb @@ -1,12 +1,10 @@ -PR = "r99" - -include selinux_20131030.inc +include selinux_20140506.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" -SRC_URI[md5sum] = "2bb8f4b728a5667519764297b7725c19" -SRC_URI[sha256sum] = "9b421ce1df10594cb467eef37faeb403d5c6b341a4b7e4b407ac4cb77df95cba" +SRC_URI[md5sum] = "cc313b400637d94e3a549bf77555d8c3" +SRC_URI[sha256sum] = "4c984379a98ee9f05b80ff6e57dd2de886273d7136146456cabdce21ac32ed7f" SRC_URI += "\ file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ diff --git a/recipes-security/selinux/libsepol_2.2.bb b/recipes-security/selinux/libsepol_2.2.bb deleted file mode 100644 index a0b7df7..0000000 --- a/recipes-security/selinux/libsepol_2.2.bb +++ /dev/null @@ -1,9 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI[md5sum] = "2d43599ed29fea9ef41218ec9635ef64" -SRC_URI[sha256sum] = "fbd77459fd03979a9020289b10c89a0af56a52bcd0f7ae0a78455713bb04878b" diff --git a/recipes-security/selinux/libsepol_2.3.bb b/recipes-security/selinux/libsepol_2.3.bb new file mode 100644 index 0000000..0c07d41 --- /dev/null +++ b/recipes-security/selinux/libsepol_2.3.bb @@ -0,0 +1,7 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" + +SRC_URI[md5sum] = "c6b3dc07bf19ab4f364f21bbecb44beb" +SRC_URI[sha256sum] = "5a4481bfd0fad6fdad1511c786d69de1fc3eddc28154eae1691e1bf4e9e505c3" diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 153b688..44a5861 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -211,7 +211,7 @@ FILES_${PN}-setsebool += "\ FILES_system-config-selinux = " \ ${bindir}/sepolgen \ ${datadir}/system-config-selinux/* \ - ${datadir}/icons/hicolor/24x24/apps/system-config-selinux.png \ + ${datadir}/icons/hicolor/ \ ${datadir}/polkit-1/actions/org.selinux.config.policy \ " diff --git a/recipes-security/selinux/policycoreutils_2.2.5.bb b/recipes-security/selinux/policycoreutils_2.3.bb similarity index 71% rename from recipes-security/selinux/policycoreutils_2.2.5.bb rename to recipes-security/selinux/policycoreutils_2.3.bb index 96cf354..447e6c9 100644 --- a/recipes-security/selinux/policycoreutils_2.2.5.bb +++ b/recipes-security/selinux/policycoreutils_2.3.bb @@ -1,12 +1,10 @@ -PR = "r99" - -include selinux_20131030.inc +include selinux_20140506.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI[md5sum] = "f330a90c566c8b564858d45399ce3dd1" -SRC_URI[sha256sum] = "3d2c8806742004693c2d4726abbc4f412340ee07bed407976dd8abeda09a4333" +SRC_URI[md5sum] = "4f5c508e3c3867c8beb343e993d353dd" +SRC_URI[sha256sum] = "11e8815ac13debb87897d2781381b89ec5c6c746a3d44223a493bc7ace6cc71f" SRC_URI += "\ file://policycoreutils-fix-sepolicy-install-path.patch \ diff --git a/recipes-security/selinux/selinux_20131030.inc b/recipes-security/selinux/selinux_20140506.inc similarity index 100% rename from recipes-security/selinux/selinux_20131030.inc rename to recipes-security/selinux/selinux_20140506.inc diff --git a/recipes-security/selinux/selinux_git.inc b/recipes-security/selinux/selinux_git.inc index d56f25b..6112d7d 100644 --- a/recipes-security/selinux/selinux_git.inc +++ b/recipes-security/selinux/selinux_git.inc @@ -1,6 +1,6 @@ SRCREV = "edc2e99687b050d5be21a78a66d038aa1fc068d9" -SRC_URI = "git://oss.tresys.com/git/selinux.git;protocol=http" +SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http" include selinux_common.inc diff --git a/recipes-security/selinux/sepolgen_1.2.1.bb b/recipes-security/selinux/sepolgen_1.2.1.bb index 21dff41..b47ff26 100644 --- a/recipes-security/selinux/sepolgen_1.2.1.bb +++ b/recipes-security/selinux/sepolgen_1.2.1.bb @@ -1,6 +1,4 @@ -PR = "r99" - -include selinux_20131030.inc +include selinux_20140506.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" diff --git a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch b/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch deleted file mode 100644 index d44ae21..0000000 --- a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch +++ /dev/null @@ -1,1511 +0,0 @@ -From e0f74aa934140ccc6f5a51aa2df6fd19f0c0ee08 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Wed, 7 Mar 2012 11:00:19 +0800 -Subject: [PATCH 5/7] setools: Changes to support named file_trans rules - -Integrated from Fedora: -https://community.dev.fedoraproject.org/packages/setools/sources/patches/ ---- - libapol/include/apol/Makefile.am | 1 + - libapol/include/apol/ftrule-query.h | 198 +++++++++++++++++++ - libapol/include/apol/policy-query.h | 1 + - libapol/src/Makefile.am | 1 + - libapol/src/ftrule-query.c | 363 +++++++++++++++++++++++++++++++++++ - libapol/src/libapol.map | 1 + - libqpol/include/qpol/Makefile.am | 1 + - libqpol/include/qpol/ftrule_query.h | 116 +++++++++++ - libqpol/include/qpol/policy.h | 1 + - libqpol/src/Makefile.am | 1 + - libqpol/src/ftrule_query.c | 277 ++++++++++++++++++++++++++ - libqpol/src/libqpol.map | 1 + - libqpol/src/module_compiler.c | 12 ++ - libqpol/src/policy_define.c | 186 ++++++++++++++++++- - libqpol/src/policy_parse.y | 13 +- - libqpol/src/policy_scan.l | 1 + - secmds/sesearch.c | 101 ++++++++++ - 17 files changed, 1272 insertions(+), 3 deletions(-) - create mode 100644 libapol/include/apol/ftrule-query.h - create mode 100644 libapol/src/ftrule-query.c - create mode 100644 libqpol/include/qpol/ftrule_query.h - create mode 100644 libqpol/src/ftrule_query.c - -diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am -index 0883c10..e398ff2 100644 ---- a/libapol/include/apol/Makefile.am -+++ b/libapol/include/apol/Makefile.am -@@ -27,6 +27,7 @@ apol_HEADERS = \ - relabel-analysis.h \ - render.h \ - role-query.h \ -+ ftrule-query.h \ - terule-query.h \ - type-query.h \ - types-relation-analysis.h \ -diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h -new file mode 100644 -index 0000000..119c52f ---- /dev/null -+++ b/libapol/include/apol/ftrule-query.h -@@ -0,0 +1,198 @@ -+/** -+ * @file -+ * -+ * Routines to query filename_transition rules of a -+ * policy. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#ifndef APOL_FILENAMERULE_QUERY_H -+#define APOL_FILENAMERULE_QUERY_H -+ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+ -+#include "policy.h" -+#include "vector.h" -+#include -+ -+ typedef struct apol_filename_trans_query apol_filename_trans_query_t; -+ -+ -+/******************** filename_transition queries ********************/ -+ -+/** -+ * Execute a query against all filename_transition rules within the -+ * policy. -+ * -+ * @param p Policy within which to look up filename_transition rules. -+ * @param r Structure containing parameters for query. If this is -+ * NULL then return all filename_transition rules. -+ * @param v Reference to a vector of qpol_filename_trans_t. The vector -+ * will be allocated by this function. The caller must call -+ * apol_vector_destroy() afterwards. This will be set to NULL upon no -+ * results or upon error. -+ * -+ * @return 0 on success (including none found), negative on error. -+ */ -+ extern int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * r, apol_vector_t ** v); -+ -+/** -+ * Allocate and return a new filename trans query structure. All fields -+ * are initialized, such that running this blank query results in -+ * returning all filename_transitions within the policy. The caller must -+ * call apol_filename_trans_query_destroy() upon the return value -+ * afterwards. -+ * -+ * @return An initialized filename trans query structure, or NULL upon -+ * error. -+ */ -+ extern apol_filename_trans_query_t *apol_filename_trans_query_create(void); -+ -+/** -+ * Deallocate all memory associated with the referenced filename trans -+ * query, and then set it to NULL. This function does nothing if the -+ * query is already NULL. -+ * -+ * @param r Reference to a filename trans query structure to destroy. -+ */ -+ extern void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r); -+ -+/** -+ * Set a filename_trans query to return rules whose source symbol matches -+ * symbol. Symbol may be a type or attribute; if it is an alias then -+ * the query will convert it to its primary prior to searching. If -+ * is_indirect is non-zero then the search will be done indirectly. -+ * If the symbol is a type, then the query matches rules with one of -+ * the type's attributes. If the symbol is an attribute, then it -+ * matches rule with any of the attribute's types. -+ * -+ * @param p Policy handler, to report errors. -+ * @param t TE rule query to set. -+ * @param symbol Limit query to rules with this symbol as their -+ * source, or NULL to unset this field. -+ * @param is_indirect If non-zero, perform indirect matching. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol, -+ int is_indirect); -+ -+/** -+ * Set a filename trans query to return rules with a particular target -+ * symbol. Symbol may be a type or attribute; if it is an alias then -+ * the query will convert it to its primary prior to searching. If -+ * is_indirect is non-zero then the search will be done indirectly. -+ * If the symbol is a type, then the query matches rules with one of -+ * the type's attributes. If the symbol is an attribute, then it -+ * matches rule with any of the attribute's types. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param symbol Limit query to rules with this type or attribute as -+ * their target, or NULL to unset this field. -+ * @param is_indirect If non-zero, perform indirect matching. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *symbol, -+ int is_indirect); -+ -+/** -+ * Set a filename trans query to return rules with a particular default -+ * filename. This field is ignored if -+ * apol_filename_trans_query_set_source_any() is set to non-zero. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param filename Limit query to rules with this filename as their default, or -+ * NULL to unset this field. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename); -+ -+/** -+ * Set at filename_trans query to return rules with this object (non-common) -+ * class. If more than one class are appended to the query, the -+ * rule's class must be one of those appended. (I.e., the rule's -+ * class must be a member of the query's classes.) Pass a NULL to -+ * clear all classes. Note that this performs straight string -+ * comparison, ignoring the regex flag. -+ -+ * -+ * @param p Policy handler, to report errors. -+ * @param t TE rule query to set. -+ * @param obj_class Name of object class to add to search set. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class); -+ -+/** -+ * Set a filename trans query to treat the source filename as any. That is, -+ * use the same symbol for either source or default of a -+ * filename_transition rule. This flag does nothing if the source filename is -+ * not set. Note that a filename_transition's target is a type, so thus -+ * this flag does not affect its searching. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param is_any Non-zero to use source symbol for source or default -+ * field, 0 to keep source as only source. -+ * -+ * @return Always 0. -+ */ -+ extern int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_any); -+ -+/** -+ * Set a filename trans query to use regular expression searching for -+ * source, target, and default fields. Strings will be treated as -+ * regexes instead of literals. For the target type, matching will -+ * occur against the type name or any of its aliases. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param is_regex Non-zero to enable regex searching, 0 to disable. -+ * -+ * @return Always 0. -+ */ -+ extern int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_regex); -+ -+/** -+ * Render a filename_transition rule to a string. -+ * -+ * @param policy Policy handler, to report errors. -+ * @param rule The rule to render. -+ * -+ * @return A newly malloc()'d string representation of the rule, or NULL on -+ * failure; if the call fails, errno will be set. The caller is responsible -+ * for calling free() on the returned string. -+ */ -+ extern char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * rule); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h -index 315f70e..665e4cb 100644 ---- a/libapol/include/apol/policy-query.h -+++ b/libapol/include/apol/policy-query.h -@@ -71,6 +71,7 @@ extern "C" - #include "terule-query.h" - #include "condrule-query.h" - #include "rbacrule-query.h" -+#include "ftrule-query.h" - #include "range_trans-query.h" - #include "constraint-query.h" - -diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am -index 3fa4f06..baaa4f6 100644 ---- a/libapol/src/Makefile.am -+++ b/libapol/src/Makefile.am -@@ -40,6 +40,7 @@ libapol_a_SOURCES = \ - render.c \ - role-query.c \ - terule-query.c \ -+ ftrule-query.c \ - type-query.c \ - types-relation-analysis.c \ - user-query.c \ -diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c -new file mode 100644 -index 0000000..dc248de ---- /dev/null -+++ b/libapol/src/ftrule-query.c -@@ -0,0 +1,363 @@ -+/** -+ * @file -+ * -+ * Provides a way for setools to make queries about type enforcement -+ * filename_transs within a policy. The caller obtains a query object, fills in -+ * its parameters, and then runs the query; it obtains a vector of -+ * results. Searches are conjunctive -- all fields of the search -+ * query must match for a datum to be added to the results query. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include "policy-query-internal.h" -+ -+#include -+#include -+ -+struct apol_filename_trans_query -+{ -+ char *source, *target, *default_type, *name; -+ apol_vector_t *classes; -+ unsigned int flags; -+}; -+ -+ -+/******************** filename_transition queries ********************/ -+ -+int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v) -+{ -+ apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL; -+ int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans; -+ char *bool_name = NULL; -+ *v = NULL; -+ unsigned int flags = 0; -+ qpol_iterator_t *iter = NULL, *type_iter = NULL; -+ -+ if (t != NULL) { -+ flags = t->flags; -+ is_regex = t->flags & APOL_QUERY_REGEX; -+ if (t->source != NULL && -+ (source_list = -+ apol_query_create_candidate_type_list(p, t->source, is_regex, -+ t->flags & APOL_QUERY_SOURCE_INDIRECT, -+ ((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) / -+ APOL_QUERY_SOURCE_TYPE))) == NULL) { -+ goto cleanup; -+ } -+ -+ if ((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) { -+ default_list = target_list = source_list; -+ source_as_any = 1; -+ } else { -+ if (t->target != NULL && -+ (target_list = -+ apol_query_create_candidate_type_list(p, t->target, is_regex, -+ t->flags & APOL_QUERY_TARGET_INDIRECT, -+ ((t-> -+ flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE)) -+ / APOL_QUERY_TARGET_TYPE))) == NULL) { -+ goto cleanup; -+ } -+ if (t->default_type != NULL && -+ (default_list = -+ apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0, -+ APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) { -+ goto cleanup; -+ } -+ } -+ if (t->classes != NULL && -+ apol_vector_get_size(t->classes) > 0 && -+ (class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) { -+ goto cleanup; -+ } -+ } -+ -+ if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) { -+ return -1; -+ } -+ -+ if ((*v = apol_vector_create(NULL)) == NULL) { -+ ERR(p, "%s", strerror(errno)); -+ goto cleanup; -+ } -+ -+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { -+ qpol_filename_trans_t *filename_trans; -+ if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) { -+ goto cleanup; -+ } -+ int match_source = 0, match_target = 0, match_default = 0, match_bool = 0; -+ size_t i; -+ -+ if (source_list == NULL) { -+ match_source = 1; -+ } else { -+ const qpol_type_t *source_type; -+ if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) { -+ match_source = 1; -+ } -+ } -+ -+ /* if source did not match, but treating source symbol -+ * as any field, then delay rejecting this filename_trans until -+ * the target and default have been checked */ -+ if (!source_as_any && !match_source) { -+ continue; -+ } -+ -+ if (target_list == NULL || (source_as_any && match_source)) { -+ match_target = 1; -+ } else { -+ const qpol_type_t *target_type; -+ if (qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) { -+ match_target = 1; -+ } -+ } -+ -+ if (!source_as_any && !match_target) { -+ continue; -+ } -+ -+ if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) { -+ match_default = 1; -+ } else { -+ const qpol_type_t *default_type; -+ if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) { -+ match_default = 1; -+ } -+ } -+ -+ if (!source_as_any && !match_default) { -+ continue; -+ } -+ /* at least one thing must match if source_as_any was given */ -+ if (source_as_any && (!match_source && !match_target && !match_default)) { -+ continue; -+ } -+ -+ if (class_list != NULL) { -+ const qpol_class_t *obj_class; -+ if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) { -+ continue; -+ } -+ } -+ -+ if (apol_vector_append(*v, filename_trans)) { -+ ERR(p, "%s", strerror(ENOMEM)); -+ goto cleanup; -+ } -+ } -+ -+ retval = 0; -+ cleanup: -+ if (retval != 0) { -+ apol_vector_destroy(v); -+ } -+ apol_vector_destroy(&source_list); -+ if (!source_as_any) { -+ apol_vector_destroy(&target_list); -+ apol_vector_destroy(&default_list); -+ } -+ apol_vector_destroy(&class_list); -+ return retval; -+} -+ -+apol_filename_trans_query_t *apol_filename_trans_query_create(void) -+{ -+ apol_filename_trans_query_t *t = calloc(1, sizeof(apol_filename_trans_query_t)); -+ if (t != NULL) { -+ t->flags = -+ (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE | APOL_QUERY_TARGET_TYPE | -+ APOL_QUERY_TARGET_ATTRIBUTE); -+ } -+ return t; -+} -+ -+void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r) -+{ -+ if (r != NULL && *r != NULL) { -+ free((*r)->source); -+ free((*r)->target); -+ free((*r)->default_type); -+ free((*r)->name); -+ free(*r); -+ *r = NULL; -+ } -+} -+ -+int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect) -+{ -+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); -+ return apol_query_set(p, &t->source, NULL, filename); -+} -+ -+int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect) -+{ -+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); -+ return apol_query_set(p, &t->target, NULL, type); -+} -+ -+int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol) -+{ -+ return apol_query_set(p, &t->default_type, NULL, symbol); -+} -+ -+int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class) -+{ -+ char *s = NULL; -+ if (obj_class == NULL) { -+ apol_vector_destroy(&t->classes); -+ } else if ((s = strdup(obj_class)) == NULL || (t->classes == NULL && (t->classes = apol_vector_create(free)) == NULL) -+ || apol_vector_append(t->classes, s) < 0) { -+ ERR(p, "%s", strerror(errno)); -+ free(s); -+ return -1; -+ } -+ return 0; -+} -+ -+int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename) -+{ -+ return apol_query_set(p, &t->name, NULL, filename); -+} -+ -+int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_any) -+{ -+ return apol_query_set_flag(p, &t->flags, is_any, APOL_QUERY_SOURCE_AS_ANY); -+} -+ -+int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_regex) -+{ -+ return apol_query_set_regex(p, &t->flags, is_regex); -+} -+ -+char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * filename_trans) -+{ -+ char *tmp = NULL; -+ const char *tmp_name = NULL; -+ const char *filename_trans_type_str; -+ int error = 0; -+ size_t tmp_sz = 0; -+ uint32_t filename_trans_type = 0; -+ const qpol_type_t *type = NULL; -+ const qpol_class_t *obj_class = NULL; -+ -+ if (!policy || !filename_trans) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return NULL; -+ } -+ -+ /* source type */ -+ if (qpol_filename_trans_get_source_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* target type */ -+ if (qpol_filename_trans_get_target_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s : ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* object class */ -+ if (qpol_filename_trans_get_object_class(policy->p, filename_trans, &obj_class)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_class_get_name(policy->p, obj_class, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* default type */ -+ if (qpol_filename_trans_get_default_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ if (qpol_filename_trans_get_filename(policy->p, filename_trans, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ -+ if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ if (apol_str_appendf(&tmp, &tmp_sz, ";")) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ return tmp; -+ -+ err: -+ free(tmp); -+ errno = error; -+ return NULL; -+} -diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map -index 4894374..7657a2d 100644 ---- a/libapol/src/libapol.map -+++ b/libapol/src/libapol.map -@@ -34,6 +34,7 @@ VERS_4.0{ - apol_protocol_to_str; - apol_qpol_context_render; - apol_range_trans_*; -+ apol_filename_trans_*; - apol_relabel_*; - apol_role_*; - apol_role_allow_*; -diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am -index b55acb7..9b570e1 100644 ---- a/libqpol/include/qpol/Makefile.am -+++ b/libqpol/include/qpol/Makefile.am -@@ -25,6 +25,7 @@ qpol_HEADERS = \ - role_query.h \ - syn_rule_query.h \ - terule_query.h \ -+ ftrule_query.h \ - type_query.h \ - user_query.h \ - util.h -diff --git a/libqpol/include/qpol/ftrule_query.h b/libqpol/include/qpol/ftrule_query.h -new file mode 100644 -index 0000000..1f533a4 ---- /dev/null -+++ b/libqpol/include/qpol/ftrule_query.h -@@ -0,0 +1,116 @@ -+/** -+ * @file -+ * Defines public interface for iterating over FTRULE rules. -+ * -+ * @author Kevin Carr kcarr@tresys.com -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#ifndef QPOL_FTRULERULE_QUERY -+#define QPOL_FTRULERULE_QUERY -+ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+ -+#include -+#include -+ -+ typedef struct qpol_filename_trans qpol_filename_trans_t; -+ -+/** -+ * Get an iterator over all filename transition rules in the policy. -+ * @param policy Policy from which to create the iterator. -+ * @param iter Iterator over items of type qpol_filename_trans_t returned. -+ * The caller is responsible for calling qpol_iterator_destroy() -+ * to free memory used by this iterator. -+ * It is important to note that this iterator is only valid as long as -+ * the policy is unmodifed. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *iter will be NULL. -+ */ -+ extern int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); -+ -+/** -+ * Get the source type from a filename transition rule. -+ * @param policy The policy from which the rule comes. -+ * @param rule The rule from which to get the source type. -+ * @param source Pointer in which to store the source type. -+ * The caller should not free this pointer. -+ * @return 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *source will be NULL. -+ */ -+ extern int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** source); -+ -+/** -+ * Get the target type from a filename transition rule. -+ * @param policy The policy from which the rule comes. -+ * @param rule The rule from which to get the target type. -+ * @param target Pointer in which to store the target type. -+ * The caller should not free this pointer. -+ * @return 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *target will be NULL. -+ */ -+ extern int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** target); -+ -+/** -+ * Get the default type from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the default type. -+ * @param dflt Pointer in which to store the default type. -+ * The caller should not free this pointer. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *dflt will be NULL. -+ */ -+ extern int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** dflt); -+ -+/** -+ * Get the object class from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the object class. -+ * @param obj_class Pointer in which to store the object class. -+ * The caller should not free this pointer. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *obj_class will be NULL. -+ */ -+ extern int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_class_t ** obj_class); -+ -+/** -+ * Get the transition filename type from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the transition filename. -+ * @param target Pointer in which to store the transition filename. -+ * The caller should not free this pointer. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *target will be NULL. -+ */ -+ extern int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const char ** name); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* QPOL_FTRULERULE_QUERY */ -diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h -index ae4ea08..bf85718 100644 ---- a/libqpol/include/qpol/policy.h -+++ b/libqpol/include/qpol/policy.h -@@ -55,6 +55,7 @@ extern "C" - #include - #include - #include -+#include - #include - #include - #include -diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am -index 34d87a6..0889a61 100644 ---- a/libqpol/src/Makefile.am -+++ b/libqpol/src/Makefile.am -@@ -48,6 +48,7 @@ libqpol_a_SOURCES = \ - syn_rule_internal.h \ - syn_rule_query.c \ - terule_query.c \ -+ ftrule_query.c \ - type_query.c \ - user_query.c \ - util.c \ -diff --git a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c -new file mode 100644 -index 0000000..d6db848 ---- /dev/null -+++ b/libqpol/src/ftrule_query.c -@@ -0,0 +1,277 @@ -+/** -+ * @file -+ * Defines public interface for iterating over RBAC rules. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include -+#include -+#include -+#include -+#include "iterator_internal.h" -+#include "qpol_internal.h" -+#include -+ -+typedef struct filename_trans_state -+{ -+ filename_trans_t *head; -+ filename_trans_t *cur; -+} filename_trans_state_t; -+ -+static int filename_trans_state_end(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ return fts->cur ? 0 : 1; -+} -+ -+static void *filename_trans_state_get_cur(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || filename_trans_state_end(iter)) { -+ errno = EINVAL; -+ return NULL; -+ } -+ -+ return fts->cur; -+} -+ -+static int filename_trans_state_next(qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ if (filename_trans_state_end(iter)) { -+ errno = ERANGE; -+ return STATUS_ERR; -+ } -+ -+ fts->cur = fts->cur->next; -+ -+ return STATUS_SUCCESS; -+} -+ -+static size_t filename_trans_state_size(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ filename_trans_t *tmp = NULL; -+ size_t count = 0; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ for (tmp = fts->head; tmp; tmp = tmp->next) -+ count++; -+ -+ return count; -+} -+ -+int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter) -+{ -+ policydb_t *db = NULL; -+ filename_trans_state_t *fts = NULL; -+ int error = 0; -+ -+ if (iter) -+ *iter = NULL; -+ -+ if (!policy || !iter) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ -+ fts = calloc(1, sizeof(filename_trans_state_t)); -+ if (!fts) { -+ /* errno set by calloc */ -+ ERR(policy, "%s", strerror(errno)); -+ return STATUS_ERR; -+ } -+ fts->head = fts->cur = db->filename_trans; -+ -+ if (qpol_iterator_create -+ (policy, (void *)fts, filename_trans_state_get_cur, filename_trans_state_next, filename_trans_state_end, filename_trans_state_size, -+ free, iter)) { -+ error = errno; -+ free(fts); -+ errno = error; -+ return STATUS_ERR; -+ } -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** source) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (source) { -+ *source = NULL; -+ } -+ -+ if (!policy || !rule || !source) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *source = (qpol_type_t *) db->type_val_to_struct[ft->stype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** target) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (target) { -+ *target = NULL; -+ } -+ -+ if (!policy || !rule || !target) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *target = (qpol_type_t *) db->type_val_to_struct[ft->ttype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_class_t ** obj_class) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (obj_class) { -+ *obj_class = NULL; -+ } -+ -+ if (!policy || !rule || !obj_class) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *obj_class = (qpol_class_t *) db->class_val_to_struct[ft->tclass - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_trans_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** output_type) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (output_type) { -+ *output_type = NULL; -+ } -+ -+ if (!policy || !rule || !output_type) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *output_type = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** dflt) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (dflt) { -+ *dflt = NULL; -+ } -+ -+ if (!policy || !rule || !dflt) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *dflt = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (name) { -+ *name = NULL; -+ } -+ -+ if (!policy || !rule || !name) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *name = ft->name; -+ -+ return STATUS_SUCCESS; -+} -+ -diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map -index dd293bc..6973cca 100644 ---- a/libqpol/src/libqpol.map -+++ b/libqpol/src/libqpol.map -@@ -34,6 +34,7 @@ VERS_1.2 { - qpol_policy_reevaluate_conds; - qpol_portcon_*; - qpol_range_trans_*; -+ qpol_filename_trans_*; - qpol_role_*; - qpol_syn_avrule_*; - qpol_syn_terule_*; -diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c -index dc19798..b06e285 100644 ---- a/libqpol/src/module_compiler.c -+++ b/libqpol/src/module_compiler.c -@@ -1247,6 +1247,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) - } - - /* this doesn't actually append, but really prepends it */ -+void append_filename_trans(filename_trans_rule_t * filename_trans_rules) -+{ -+ avrule_decl_t *decl = stack_top->decl; -+ -+ /* filename transitions are not allowed within conditionals */ -+ assert(stack_top->type == 1); -+ -+ filename_trans_rules->next = decl->filename_trans_rules; -+ decl->filename_trans_rules = filename_trans_rules; -+} -+ -+/* this doesn't actually append, but really prepends it */ - void append_range_trans(range_trans_rule_t * range_tr_rules) - { - avrule_decl_t *decl = stack_top->decl; -diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c -index c94f7aa..0f3a45a 100644 ---- a/libqpol/src/policy_define.c -+++ b/libqpol/src/policy_define.c -@@ -2133,7 +2133,7 @@ int define_role_trans(void) - - /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ - #ifdef HAVE_SEPOL_USER_ROLE_MAPPING -- if (role_set_expand(&roles, &e_roles, policydbp, NULL)) -+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) - #else - if (role_set_expand(&roles, &e_roles, policydbp)) - #endif -@@ -2226,6 +2226,190 @@ int define_role_allow(void) - return 0; - } - -+avrule_t *define_cond_filename_trans(void) -+{ -+ yyerror("type transitions with a filename not allowed inside " -+ "conditionals\n"); -+ return COND_ERR; -+} -+ -+int define_filename_trans(void) -+{ -+ char *id, *name = NULL; -+ type_set_t stypes, ttypes; -+ ebitmap_t e_stypes, e_ttypes; -+ ebitmap_t e_tclasses; -+ ebitmap_node_t *snode, *tnode, *cnode; -+ filename_trans_t *ft; -+ filename_trans_rule_t *ftr; -+ class_datum_t *cladatum; -+ type_datum_t *typdatum; -+ uint32_t otype; -+ unsigned int c, s, t; -+ int add; -+ -+ if (pass == 1) { -+ /* stype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* ttype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* tclass */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* otype */ -+ id = queue_remove(id_queue); -+ free(id); -+ /* name */ -+ id = queue_remove(id_queue); -+ free(id); -+ return 0; -+ } -+ -+ -+ add = 1; -+ type_set_init(&stypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&stypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ add =1; -+ type_set_init(&ttypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&ttypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ ebitmap_init(&e_tclasses); -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ goto bad; -+ } -+ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { -+ yyerror("Out of memory"); -+ goto bad; -+ } -+ free(id); -+ } -+ -+ id = (char *)queue_remove(id_queue); -+ if (!id) { -+ yyerror("no otype in transition definition?"); -+ goto bad; -+ } -+ if (!is_id_in_scope(SYM_TYPES, id)) { -+ yyerror2("type %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ typdatum = hashtab_search(policydbp->p_types.table, id); -+ if (!typdatum) { -+ yyerror2("unknown type %s used in transition definition", id); -+ goto bad; -+ } -+ free(id); -+ otype = typdatum->s.value; -+ -+ name = queue_remove(id_queue); -+ if (!name) { -+ yyerror("no pathname specified in filename_trans definition?"); -+ goto bad; -+ } -+ -+ /* We expand the class set into seperate rules. We expand the types -+ * just to make sure there are not duplicates. They will get turned -+ * into seperate rules later */ -+ ebitmap_init(&e_stypes); -+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_init(&e_ttypes); -+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_for_each_bit(&e_tclasses, cnode, c) { -+ if (!ebitmap_node_get_bit(cnode, c)) -+ continue; -+ ebitmap_for_each_bit(&e_stypes, snode, s) { -+ if (!ebitmap_node_get_bit(snode, s)) -+ continue; -+ ebitmap_for_each_bit(&e_ttypes, tnode, t) { -+ if (!ebitmap_node_get_bit(tnode, t)) -+ continue; -+ -+ for (ft = policydbp->filename_trans; ft; ft = ft->next) { -+ if (ft->stype == (s + 1) && -+ ft->ttype == (t + 1) && -+ ft->tclass == (c + 1) && -+ !strcmp(ft->name, name)) { -+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", -+ name, -+ policydbp->p_type_val_to_name[s], -+ policydbp->p_type_val_to_name[t], -+ policydbp->p_class_val_to_name[c]); -+ goto bad; -+ } -+ } -+ -+ ft = malloc(sizeof(*ft)); -+ if (!ft) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ memset(ft, 0, sizeof(*ft)); -+ -+ ft->next = policydbp->filename_trans; -+ policydbp->filename_trans = ft; -+ -+ ft->name = strdup(name); -+ if (!ft->name) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ ft->stype = s + 1; -+ ft->ttype = t + 1; -+ ft->tclass = c + 1; -+ ft->otype = otype; -+ } -+ } -+ -+ /* Now add the real rule since we didn't find any duplicates */ -+ ftr = malloc(sizeof(*ftr)); -+ if (!ftr) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ filename_trans_rule_init(ftr); -+ append_filename_trans(ftr); -+ -+ ftr->name = strdup(name); -+ ftr->stypes = stypes; -+ ftr->ttypes = ttypes; -+ ftr->tclass = c + 1; -+ ftr->otype = otype; -+ } -+ -+ free(name); -+ ebitmap_destroy(&e_stypes); -+ ebitmap_destroy(&e_ttypes); -+ ebitmap_destroy(&e_tclasses); -+ -+ return 0; -+ -+bad: -+ free(name); -+ return -1; -+} -+ - static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) - { - constraint_expr_t *h = NULL, *l = NULL, *e, *newe; -diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y -index 84f4114..dc16c6f 100644 ---- a/libqpol/src/policy_parse.y -+++ b/libqpol/src/policy_parse.y -@@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of data */ - %type require_decl_def - - %token PATH -+%token FILENAME - %token CLONE - %token COMMON - %token CLASS -@@ -360,7 +361,10 @@ cond_rule_def : cond_transition_def - | require_block - { $$ = NULL; } - ; --cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ { $$ = define_cond_filename_trans() ; -+ if ($$ == COND_ERR) return -1;} -+ | TYPE_TRANSITION names names ':' names identifier ';' - { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; - if ($$ == COND_ERR) return -1;} - | TYPE_MEMBER names names ':' names identifier ';' -@@ -395,7 +399,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' - { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); - if ($$ == COND_ERR) return -1; } - ; --transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ {if (define_filename_trans()) return -1; } -+ | TYPE_TRANSITION names names ':' names identifier ';' - {if (define_compute_type(AVRULE_TRANSITION)) return -1;} - | TYPE_MEMBER names names ':' names identifier ';' - {if (define_compute_type(AVRULE_MEMBER)) return -1;} -@@ -752,6 +758,9 @@ identifier : IDENTIFIER - path : PATH - { if (insert_id(yytext,0)) return -1; } - ; -+filename : FILENAME -+ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } -+ ; - number : NUMBER - { $$ = strtoul(yytext,NULL,0); } - ; -diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l -index 75485f3..30203cd 100644 ---- a/libqpol/src/policy_scan.l -+++ b/libqpol/src/policy_scan.l -@@ -235,6 +235,7 @@ POLICYCAP { return(POLICYCAP); } - permissive | - PERMISSIVE { return(PERMISSIVE); } - "/"({alnum}|[_\.\-/])* { return(PATH); } -+\"({alnum}|[_\.\-])+\" { return(FILENAME); } - {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } - {digit}+|0x{hexval}+ { return(NUMBER); } - {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } -diff --git a/secmds/sesearch.c b/secmds/sesearch.c -index ec0315f..e44b3bc 100644 ---- a/secmds/sesearch.c -+++ b/secmds/sesearch.c -@@ -575,6 +575,95 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt - free(expr); - } - -+static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) -+{ -+ apol_filename_trans_query_t *ftq = NULL; -+ int error = 0; -+ -+ if (!policy || !opt || !v) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return -1; -+ } -+ -+ if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { -+ *v = NULL; -+ return 0; /* no search to do */ -+ } -+ -+ ftq = apol_filename_trans_query_create(); -+ if (!ftq) { -+ ERR(policy, "%s", strerror(ENOMEM)); -+ errno = ENOMEM; -+ return -1; -+ } -+ -+ apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); -+ if (opt->src_name) { -+ if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { -+ error = errno; -+ goto err; -+ } -+ } -+ if (opt->tgt_name) { -+ if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { -+ error = errno; -+ goto err; -+ } -+ } -+ -+ if (apol_filename_trans_get_by_query(policy, ftq, v)) { -+ error = errno; -+ goto err; -+ } -+ -+ apol_filename_trans_query_destroy(&ftq); -+ return 0; -+ -+ err: -+ apol_vector_destroy(v); -+ apol_filename_trans_query_destroy(&ftq); -+ ERR(policy, "%s", strerror(error)); -+ errno = error; -+ return -1; -+} -+ -+static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) -+{ -+ qpol_policy_t *q = apol_policy_get_qpol(policy); -+ size_t i, num_rules = 0; -+ const qpol_filename_trans_t *rule = NULL; -+ char *tmp = NULL, *rule_str = NULL, *expr = NULL; -+ char enable_char = ' ', branch_char = ' '; -+ qpol_iterator_t *iter = NULL; -+ const qpol_cond_t *cond = NULL; -+ uint32_t enabled = 0, list = 0; -+ -+ if (!(num_rules = apol_vector_get_size(v))) -+ goto cleanup; -+ -+ fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); -+ -+ for (i = 0; i < num_rules; i++) { -+ enable_char = branch_char = ' '; -+ if (!(rule = apol_vector_get_element(v, i))) -+ goto cleanup; -+ -+ if (!(rule_str = apol_filename_trans_render(policy, rule))) -+ goto cleanup; -+ fprintf(stdout, "%s %s\n", rule_str, expr ? expr : ""); -+ free(rule_str); -+ rule_str = NULL; -+ free(expr); -+ expr = NULL; -+ } -+ -+ cleanup: -+ free(tmp); -+ free(rule_str); -+ free(expr); -+} -+ - static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) - { - apol_role_allow_query_t *raq = NULL; -@@ -1128,6 +1217,18 @@ int main(int argc, char **argv) - print_te_results(policy, &cmd_opts, v); - fprintf(stdout, "\n"); - } -+ -+ if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) { -+ apol_vector_destroy(&v); -+ if (perform_ft_query(policy, &cmd_opts, &v)) { -+ rt = 1; -+ goto cleanup; -+ } -+ -+ print_ft_results(policy, &cmd_opts, v); -+ fprintf(stdout, "\n"); -+ } -+ - apol_vector_destroy(&v); - if (perform_ra_query(policy, &cmd_opts, &v)) { - rt = 1; --- -1.7.5.4 - diff --git a/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch new file mode 100644 index 0000000..c9bacbd --- /dev/null +++ b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch @@ -0,0 +1,34 @@ +From 74680dfb3df4c0c5b0e4bcf41717a9ea16fd8680 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Mon, 29 Sep 2014 14:19:48 -0400 +Subject: [PATCH] replcon: correct invalid prototype for lsetfilecon_raw + +Port debian patch from: + + git://anonscm.debian.org/selinux/setools.git + commit a3ab84b35efd9c42641d53ec2236ad01f7411df7 + +Upstream-Status: Denied [ the setools3 tree is in stasis and the focus is + only on setools4 now ] + +Signed-off-by: Joe MacDonald +--- + secmds/replcon.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/secmds/replcon.cc b/secmds/replcon.cc +index 34f7c1a..307c39f 100644 +--- a/secmds/replcon.cc ++++ b/secmds/replcon.cc +@@ -60,7 +60,7 @@ static struct option const longopts[] = { + {NULL, 0, NULL, 0} + }; + +-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak)); ++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak)); + + /** + * As that setools must work with older libselinux versions that may +-- +1.9.1 + diff --git a/recipes-security/setools/setools_3.3.8.bb b/recipes-security/setools/setools_3.3.8.bb index 6f3b1dd..050f4ff 100644 --- a/recipes-security/setools/setools_3.3.8.bb +++ b/recipes-security/setools/setools_3.3.8.bb @@ -14,7 +14,6 @@ SRC_URI[sha256sum] = "44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e3 SRC_URI += "file://setools-neverallow-rules-all-always-fail.patch" SRC_URI += "file://setools-Fix-sepol-calls-to-work-with-latest-libsepol.patch" -#SRC_URI += "file://setools-Changes-to-support-named-file_trans-rules.patch" SRC_URI += "file://setools-Don-t-check-selinux-policies-if-disabled.patch" SRC_URI += "file://setools-configure-ac.patch" @@ -23,6 +22,8 @@ SRC_URI += "file://setools-cross-ar.patch" SRC_URI += "file://setools-Fix-test-bug-for-unary-operator.patch" SRC_URI += "file://setools-Fix-python-setools-Makefile.am-for-cross.patch" +SRC_URI += "file://setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch" + LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=26035c503c68ae1098177934ac0cc795 \ file://${S}/COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe \ file://${S}/COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24"