refpolicy: Update to 20170204 release
This updates all of the common policies: standard, minimum, mls and targeted. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
This commit is contained in:
parent
0cfdbb47aa
commit
db1f0fe50d
|
|
@ -17,15 +17,16 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
|
|||
root@localhost:~#
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/ftp.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
|
||||
index 544c512..12a31dd 100644
|
||||
--- a/policy/modules/contrib/ftp.te
|
||||
+++ b/policy/modules/contrib/ftp.te
|
||||
@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
|
||||
@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex
|
||||
role ftpdctl_roles types ftpdctl_t;
|
||||
|
||||
type ftpdctl_tmp_t;
|
||||
files_tmp_file(ftpdctl_tmp_t)
|
||||
|
||||
|
|
@ -34,6 +35,5 @@ index 544c512..12a31dd 100644
|
|||
type sftpd_t;
|
||||
domain_type(sftpd_t)
|
||||
role system_r types sftpd_t;
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
|
||||
type xferlog_t;
|
||||
|
|
@ -3,20 +3,18 @@ Subject: [PATCH] refpolicy: fix real path for clock
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/clock.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
|
||||
index c5e05ca..a74c40c 100644
|
||||
--- a/policy/modules/system/clock.fc
|
||||
+++ b/policy/modules/system/clock.fc
|
||||
@@ -2,4 +2,5 @@
|
||||
@@ -1,6 +1,7 @@
|
||||
|
||||
/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
|
||||
|
||||
/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
|
||||
+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
|
||||
|
|
@ -3,15 +3,16 @@ Subject: [PATCH] refpolicy: fix real path for corecommands
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/kernel/corecommands.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index f051c4a..ab624f3 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
|
||||
@@ -154,10 +154,11 @@ ifdef(`distro_gentoo',`
|
||||
/sbin -d gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
|
@ -19,6 +20,5 @@ index f051c4a..ab624f3 100644
|
|||
|
||||
#
|
||||
# /opt
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
#
|
||||
/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -3,18 +3,16 @@ Subject: [PATCH] refpolicy: fix real path for dmesg
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/dmesg.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
|
||||
index d6cc2d9..7f3e5b0 100644
|
||||
--- a/policy/modules/admin/dmesg.fc
|
||||
+++ b/policy/modules/admin/dmesg.fc
|
||||
@@ -1,2 +1,3 @@
|
||||
@@ -1,4 +1,5 @@
|
||||
|
||||
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
|
||||
/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
|
||||
|
|
@ -6,15 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for bind.
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/bind.fc | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
|
||||
index 2b9a3a1..fd45d53 100644
|
||||
--- a/policy/modules/contrib/bind.fc
|
||||
+++ b/policy/modules/contrib/bind.fc
|
||||
@@ -1,8 +1,10 @@
|
||||
@@ -1,10 +1,12 @@
|
||||
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||
|
|
@ -25,6 +24,5 @@ index 2b9a3a1..fd45d53 100644
|
|||
/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||
/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||
/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
|
|
@ -3,15 +3,14 @@ Subject: [PATCH] fix real path for login commands.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/authlogin.fc | 7 ++++---
|
||||
1 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||
index 28ad538..c8dd17f 100644
|
||||
--- a/policy/modules/system/authlogin.fc
|
||||
+++ b/policy/modules/system/authlogin.fc
|
||||
@@ -1,5 +1,7 @@
|
||||
@@ -1,19 +1,21 @@
|
||||
|
||||
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
|
||||
+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
|
||||
|
|
@ -19,19 +18,20 @@ index 28ad538..c8dd17f 100644
|
|||
|
||||
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
@@ -9,9 +11,9 @@
|
||||
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
|
||||
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
||||
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
||||
-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
|
||||
-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
|
||||
+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
+/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
|
||||
+/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
')
|
||||
--
|
||||
1.7.5.4
|
||||
|
||||
|
||||
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
|
||||
|
|
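Review bot: The three `/sbin/unix_chkpwd`, `/sbin/unix_update` and `/sbin/unix_verify` lines are removed and then added back byte-for-byte a few lines later, so the net change to authlogin.fc is only the three `/usr/sbin/...` additions; the `-`/`+` churn on identical lines can be dropped, which would also keep the diffstat honest (it says `4 insertions(+), 3 deletions(-)`, which does not match what the hunk shows). Which of those lines belong to the old and which to the new version of the patch is not recoverable from this rendering, so please check against the applied .patch file. The `/usr/sbin/unix_chkpwd` label itself is the security-relevant part: it is the helper PAM invokes to verify passwords, and without chkpwd_exec_t it would run in the caller's domain rather than transition to chkpwd_t, so it is worth confirming on a built image with `ls -Z /usr/sbin/unix_chkpwd`.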
@ -3,15 +3,16 @@ Subject: [PATCH] fix real path for resolv.conf
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/sysnetwork.fc | 1 +
|
||||
1 files changed, 1 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index 346a7cc..dec8632 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
|
||||
@@ -23,10 +23,11 @@ ifdef(`distro_debian',`
|
||||
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
|
|
@ -19,6 +20,5 @@ index 346a7cc..dec8632 100644
|
|||
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
|
||||
|
||||
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
--
|
||||
1.7.5.4
|
||||
|
||||
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
|
||||
|
||||
|
|
@ -3,15 +3,16 @@ Subject: [PATCH] fix real path for shadow commands.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/usermanage.fc | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
|
||||
index f82f0ce..841ba9b 100644
|
||||
--- a/policy/modules/admin/usermanage.fc
|
||||
+++ b/policy/modules/admin/usermanage.fc
|
||||
@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',`
|
||||
@@ -6,15 +6,21 @@ ifdef(`distro_debian',`
|
||||
/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
|
||||
')
|
||||
|
||||
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
|
||||
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
|
||||
|
|
@ -29,6 +30,5 @@ index f82f0ce..841ba9b 100644
|
|||
|
||||
/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
|
||||
/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
|
||||
|
|
@ -6,20 +6,17 @@ Subject: [PATCH] fix real path for su.shadow command
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/su.fc | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
|
||||
index a563687..0f43827 100644
|
||||
--- a/policy/modules/admin/su.fc
|
||||
+++ b/policy/modules/admin/su.fc
|
||||
@@ -4,3 +4,5 @@
|
||||
@@ -2,5 +2,6 @@
|
||||
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
|
||||
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
+
|
||||
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
|
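Review bot: The added `/bin/su.shadow` line leaves the dot unescaped, so as a file-context regex it matches `su` followed by any single character and `shadow`, not just the update-alternatives name `/bin/su.shadow`. Every other alternative entry in this series escapes it (`/bin/login\.shadow`, `/sbin/hwclock\.util-linux`), and su_exec_t is the entrypoint for a privileged domain, so the pattern should be as tight as the others: `/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)`. The lone `+` line with nothing after it, if it is part of the new patch, only adds a blank line to su.fc and can be dropped.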
@ -12,11 +12,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
|
|||
policy/modules/system/fstools.fc | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
|
||||
index d10368d..f22761a 100644
|
||||
--- a/policy/modules/system/fstools.fc
|
||||
+++ b/policy/modules/system/fstools.fc
|
||||
@@ -1,6 +1,8 @@
|
||||
@@ -1,19 +1,23 @@
|
||||
/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
|
@ -25,20 +23,24 @@ index d10368d..f22761a 100644
|
|||
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -9,9 +11,12 @@
|
||||
/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -24,6 +29,7 @@
|
||||
/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -22,20 +26,22 @@
|
||||
/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
|
@ -46,25 +48,28 @@ index d10368d..f22761a 100644
|
|||
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -32,8 +38,10 @@
|
||||
/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -45,6 +53,7 @@
|
||||
|
||||
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
@@ -83,10 +89,11 @@
|
||||
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
|
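Review bot: The util-linux alternative entries in fstools.fc are written as `/sbin/blkid/.util-linux`, `/sbin/fdisk/.util-linux`, `/sbin/hdparm/.util-linux` and `/sbin/swapoff/.util-linux`, with a `/` before an unescaped dot, so each regex requires a `blkid/` (etc.) directory component followed by any character and `util-linux` and can never match the real alternatives file `/sbin/blkid.util-linux`. Those binaries would then fall through to the generic `/sbin/.*` bin_t rule visible in the corecommands.fc hunk instead of getting fsadm_exec_t, so no transition into fsadm_t happens for them, which is the opposite of what this patch is for. The form the other patches in this series use is the right one, e.g. `/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)`, and the same correction applies to the fdisk, hdparm and swapoff lines. The rendered view does not preserve which side of this commit these lines are on, but they look untouched by the refresh and should be fixed either way; `matchpathcon /sbin/blkid.util-linux` on a target image will confirm the resulting label.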
@ -5,23 +5,23 @@ Upstream-Status: Pending
|
|||
ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/ftp.fc | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc
|
||||
index ddb75c1..26fec47 100644
|
||||
--- a/policy/modules/contrib/ftp.fc
|
||||
+++ b/policy/modules/contrib/ftp.fc
|
||||
@@ -9,7 +9,7 @@
|
||||
|
||||
@@ -10,11 +10,11 @@
|
||||
/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
|
||||
/usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0)
|
||||
|
||||
-/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
||||
|
||||
|
|
@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for iptables
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/iptables.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
|
||||
index 14cffd2..84ac92b 100644
|
||||
--- a/policy/modules/system/iptables.fc
|
||||
+++ b/policy/modules/system/iptables.fc
|
||||
@@ -13,6 +13,7 @@
|
||||
@@ -14,10 +14,11 @@
|
||||
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
|
|
@ -6,15 +6,16 @@ Subject: [PATCH] refpolicy: fix real path for mta
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/mta.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc
|
||||
index f42896c..0d4bcef 100644
|
||||
--- a/policy/modules/contrib/mta.fc
|
||||
+++ b/policy/modules/contrib/mta.fc
|
||||
@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
||||
@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys
|
||||
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
|
@ -22,6 +23,5 @@ index f42896c..0d4bcef 100644
|
|||
/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
||||
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
||||
|
|
@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for netutils
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/netutils.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
|
||||
index 407078f..f2ed3dc 100644
|
||||
--- a/policy/modules/admin/netutils.fc
|
||||
+++ b/policy/modules/admin/netutils.fc
|
||||
@@ -3,6 +3,7 @@
|
||||
@@ -1,10 +1,11 @@
|
||||
/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
|
||||
/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
|
||||
/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
|
||||
|
||||
/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
|
||||
+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
|
||||
|
||||
/usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
|
||||
/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
|
||||
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
|
||||
|
|
@ -6,15 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for nscd
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/nscd.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
|
||||
index ba64485..61a6f24 100644
|
||||
--- a/policy/modules/contrib/nscd.fc
|
||||
+++ b/policy/modules/contrib/nscd.fc
|
||||
@@ -1,6 +1,7 @@
|
||||
@@ -1,8 +1,9 @@
|
||||
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
|
||||
|
|
@ -22,6 +21,5 @@ index ba64485..61a6f24 100644
|
|||
|
||||
/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
||||
|
||||
|
|
@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for cpio
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/rpm.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
|
||||
index ebe91fc..539063c 100644
|
||||
--- a/policy/modules/contrib/rpm.fc
|
||||
+++ b/policy/modules/contrib/rpm.fc
|
||||
@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
|
||||
@@ -61,6 +61,7 @@ ifdef(`distro_redhat',`
|
||||
/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
|
||||
/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
')
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
|
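Review bot: `/bin/cpio.cpio` has an unescaped dot, so it also matches names such as `/bin/cpioXcpio`; write it as `/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)` so that only the update-alternatives file is labelled rpm_exec_t. The line sits inside the enable_mls ifdef block next to `/usr/sbin/cpio`, so it only takes effect in the mls policy; if the intent is to cover the Yocto alternative exactly where upstream covers `/usr/sbin/cpio` that placement is consistent, but a sentence saying so in the patch description would save the next person from wondering whether the standard/targeted policies were overlooked.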
@ -6,22 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/screen.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
|
||||
index e7c2cf7..49ddca2 100644
|
||||
--- a/policy/modules/contrib/screen.fc
|
||||
+++ b/policy/modules/contrib/screen.fc
|
||||
@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
|
||||
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
|
||||
@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
|
||||
|
||||
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
|
||||
/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
|
||||
|
||||
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
|
||||
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
|
|
@ -3,22 +3,22 @@ Subject: [PATCH] refpolicy: fix real path for ssh
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/services/ssh.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||
index 078bcd7..9717428 100644
|
||||
--- a/policy/modules/services/ssh.fc
|
||||
+++ b/policy/modules/services/ssh.fc
|
||||
@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste
|
||||
|
||||
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
|
||||
|
||||
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
|
||||
+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
|
||||
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
|
||||
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
|
|
@ -3,21 +3,18 @@ Subject: [PATCH] refpolicy: fix real path for su
|
|||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/su.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
|
||||
index 688abc2..a563687 100644
|
||||
--- a/policy/modules/admin/su.fc
|
||||
+++ b/policy/modules/admin/su.fc
|
||||
@@ -1,5 +1,6 @@
|
||||
@@ -1,6 +1,7 @@
|
||||
|
||||
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
|
||||
/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
|
||||
|
|
@ -13,10 +13,14 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
|
||||
--- a/config/file_contexts.subs_dist
|
||||
+++ b/config/file_contexts.subs_dist
|
||||
@@ -19,3 +19,13 @@
|
||||
/usr/local/lib64 /usr/lib
|
||||
/usr/local/lib /usr/lib
|
||||
/var/run/lock /var/lock
|
||||
@@ -21,5 +21,17 @@
|
||||
|
||||
# backward compatibility
|
||||
# not for refpolicy intern, but for /var/run using applications,
|
||||
# like systemd tmpfiles or systemd socket configurations
|
||||
/var/run /run
|
||||
+
|
||||
+# Yocto compatibility
|
||||
+/var/volatile/log /var/log
|
||||
+/var/volatile/run /var/run
|
||||
+/var/volatile/cache /var/cache
|
||||
|
|
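Review bot: `/var/volatile/run /var/run` appears to rely on a second rewrite that, as far as I recall, libselinux does not perform: substitution from file_contexts.subs_dist is a single pass that stops at the first matching prefix, so `/var/volatile/run/foo` becomes `/var/run/foo` and is not rewritten again by the `/var/run /run` line shown above it. If this refpolicy release keys its runtime entries on `/run`, as the "backward compatibility" comment on that line suggests, then everything under /var/volatile/run would be matched against `/var/run/...` patterns that no longer exist and end up with a generic or unlabeled context rather than the daemon-specific runtime type. Mapping it directly, `/var/volatile/run /run`, avoids that; `matchpathcon /var/volatile/run/screen` (or any runtime directory with a specific type) on a target is a quick check. Which of the `/var/run`-related lines here are on the new side is not recoverable from this rendering, so confirm against the applied file before changing it.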
@ -7,15 +7,16 @@ Upstream-Status: Inappropriate [configuration]
|
|||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/sysnetwork.fc | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index fbb935c..a194622 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -4,6 +4,7 @@
|
||||
@@ -2,10 +2,11 @@
|
||||
#
|
||||
# /bin
|
||||
#
|
||||
/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
|
|
@ -23,17 +24,19 @@ index fbb935c..a194622 100644
|
|||
|
||||
#
|
||||
# /dev
|
||||
@@ -43,7 +44,9 @@ ifdef(`distro_redhat',`
|
||||
#
|
||||
ifdef(`distro_debian',`
|
||||
@@ -43,17 +44,19 @@ ifdef(`distro_redhat',`
|
||||
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
@@ -51,6 +54,7 @@ ifdef(`distro_redhat',`
|
||||
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
|
|
@ -41,6 +44,5 @@ index fbb935c..a194622 100644
|
|||
/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
|
@ -10,26 +10,29 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|||
policy/modules/system/udev.fc | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||
index 40928d8..491bb23 100644
|
||||
--- a/policy/modules/system/udev.fc
|
||||
+++ b/policy/modules/system/udev.fc
|
||||
@@ -10,6 +10,7 @@
|
||||
@@ -8,10 +8,11 @@
|
||||
|
||||
/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
|
||||
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
|
||||
|
||||
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
@@ -27,6 +28,7 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
@@ -26,10 +27,11 @@ ifdef(`distro_debian',`
|
||||
ifdef(`distro_redhat',`
|
||||
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
')
|
||||
|
||||
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
|
|
@ -6,18 +6,16 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/hostname.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
|
||||
index 9dfecf7..4003b6d 100644
|
||||
--- a/policy/modules/system/hostname.fc
|
||||
+++ b/policy/modules/system/hostname.fc
|
||||
@@ -1,2 +1,3 @@
|
||||
@@ -1,4 +1,5 @@
|
||||
|
||||
/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
|
||||
+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
|
||||
|
|
@ -9,16 +9,16 @@ for syslogd_t to read syslog_conf_t lnk_file is needed.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/logging.fc | 4 ++++
|
||||
policy/modules/system/logging.te | 1 +
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index b50c5fe..c005f33 100644
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -2,19 +2,23 @@
|
||||
@@ -1,22 +1,26 @@
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
|
||||
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
|
|
@ -41,12 +41,14 @@ index b50c5fe..c005f33 100644
|
|||
+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 87e3db2..2914b0b 100644
|
||||
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
|
||||
@@ -388,10 +388,11 @@ allow syslogd_t self:unix_dgram_socket s
|
||||
allow syslogd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow syslogd_t self:udp_socket create_socket_perms;
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
|
|
@ -54,6 +56,5 @@ index 87e3db2..2914b0b 100644
|
|||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
|
||||
|
|
@ -6,17 +6,18 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/shutdown.fc | 1 +
|
||||
policy/modules/kernel/corecommands.fc | 1 +
|
||||
policy/modules/system/init.fc | 1 +
|
||||
3 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
|
||||
index a91f33b..90e51e0 100644
|
||||
--- a/policy/modules/contrib/shutdown.fc
|
||||
+++ b/policy/modules/contrib/shutdown.fc
|
||||
@@ -3,6 +3,7 @@
|
||||
@@ -1,10 +1,11 @@
|
||||
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
|
||||
|
||||
/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
|
||||
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
|
|
@ -24,11 +25,13 @@ index a91f33b..90e51e0 100644
|
|||
|
||||
/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index bcfdba7..87502a3 100644
|
||||
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
||||
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -10,6 +10,7 @@
|
||||
@@ -8,10 +8,11 @@
|
||||
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -36,11 +39,13 @@ index bcfdba7..87502a3 100644
|
|||
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index bc0ffc8..020b9fe 100644
|
||||
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
|
||||
@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', `
|
||||
|
||||
#
|
||||
# /sbin
|
||||
#
|
||||
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
|
|
@ -48,6 +53,5 @@ index bc0ffc8..020b9fe 100644
|
|||
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
|
||||
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
|
||||
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
|
||||
|
|
@ -6,15 +6,16 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices.
|
|||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/kernel/terminal.if | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 771bce1..7519d0e 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
|
||||
@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',`
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_getattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -26,7 +27,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
|
||||
## ioctl of generic pty devices.
|
||||
## </summary>
|
||||
@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi
|
||||
#
|
||||
# cjp: added for ppp
|
||||
interface(`term_ioctl_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -40,7 +45,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',`
|
||||
## <summary>
|
||||
## Allow setting the attributes of
|
||||
@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',`
|
||||
#
|
||||
# dwalsh: added for rhgb
|
||||
interface(`term_setattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -52,7 +61,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',`
|
||||
## <summary>
|
||||
## Dontaudit setting the attributes of
|
||||
@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',`
|
||||
#
|
||||
# dwalsh: added for rhgb
|
||||
interface(`term_dontaudit_setattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -64,7 +77,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
|
||||
## <summary>
|
||||
## Read and write the generic pty
|
||||
@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -78,7 +95,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',`
|
||||
## <summary>
|
||||
## Dot not audit attempts to read and
|
||||
@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',`
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
|
|
@ -90,7 +111,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',`
|
||||
## <summary>
|
||||
## Set the attributes of the tty device
|
||||
@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt
|
||||
## </param>
|
||||
#
|
||||
interface(`term_setattr_controlling_term',`
|
||||
gen_require(`
|
||||
type devtty_t;
|
||||
|
|
@ -103,7 +128,11 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',`
|
||||
## <summary>
|
||||
## Read and write the controlling
|
||||
@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_controlling_term',`
|
||||
gen_require(`
|
||||
type devtty_t;
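Review bot: term_use_controlling_term is one of the interfaces this patch extends (its hunk header shows two added lines), and domain.te in this same series calls `term_use_controlling_term(domain)` for every domain; if the added lines grant read/write on `bsdpty_device_t` inside it, every confined domain gains access to every legacy BSD pty rather than only to its own controlling terminal, which is what `devtty_t` (/dev/tty) represents. The inserted lines are not visible in this rendering, so please confirm; if that is what they do, keep bsdpty_device_t in term_use_generic_ptys and the other generic-pty interfaces and leave term_use_controlling_term (and term_setattr_controlling_term) on devtty_t alone. The interface body continues outside the hunk.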
|
||||
|
|
@ -116,6 +145,5 @@ index 771bce1..7519d0e 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
## <summary>
|
||||
## Get the attributes of the pty multiplexor (/dev/ptmx).
|
||||
|
|
@ -8,15 +8,16 @@ syslogd_t.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 2ad9ea5..70427d8 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
@@ -404,10 +404,12 @@ rw_fifo_files_pattern(syslogd_t, var_log
|
||||
files_search_spool(syslogd_t)
|
||||
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
|
|
@ -25,6 +26,5 @@ index 2ad9ea5..70427d8 100644
|
|||
# manage temporary files
|
||||
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
|
||||
|
||||
|
|
@ -9,16 +9,17 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/kernel/files.fc | 1 +
|
||||
policy/modules/kernel/files.if | 8 ++++++++
|
||||
2 files changed, 9 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index 8796ca3..a0db748 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
|
||||
@@ -191,10 +191,11 @@ ifdef(`distro_debian',`
|
||||
|
||||
#
|
||||
# /tmp
|
||||
#
|
||||
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
|
||||
|
|
@ -26,11 +27,13 @@ index 8796ca3..a0db748 100644
|
|||
/tmp/.* <<none>>
|
||||
/tmp/\.journal <<none>>
|
||||
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index e1e814d..a7384b0 100644
|
||||
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
|
||||
/tmp/lost\+found/.* <<none>>
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
|
||||
@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir search_dir_perms;
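Review bot: Adding `tmp_t:lnk_file read_lnk_file_perms` to files_search_tmp (and, per the diffstat, seven more /tmp interfaces) lets every caller that only needed to traverse /tmp follow any symlink that carries the generic tmp_t label, which is the /tmp symlink race refpolicy deliberately keeps behind a separate symlink-read interface; the description at the top of this patch says the target is the /tmp link itself, not links inside it. The eight inserted lines are not visible in this rendering, so if they are that raw allow I would instead label the /tmp symlink explicitly in files.fc (the `/tmp -d` entry shown in this hunk matches only a directory) and grant lnk_file read in files_search_tmp only, leaving the other interfaces unchanged. Whatever form it takes, each added allow deserves a why-comment such as `# Poky: /tmp is a symlink into /var; allow following it`. files_search_tmp continues outside the hunk.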
|
||||
|
|
@ -38,7 +41,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
|
||||
## <summary>
|
||||
## Do not audit attempts to search the tmp directory (/tmp).
|
||||
@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir list_dir_perms;
|
||||
|
|
@ -46,7 +53,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
## <summary>
|
||||
## Do not audit listing of the tmp directory (/tmp).
|
||||
@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||
|
|
@ -54,7 +65,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
|
||||
## <summary>
|
||||
## Read files in the tmp directory (/tmp).
|
||||
@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files'
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -62,7 +77,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
## <summary>
|
||||
## Manage temporary directories in /tmp.
|
||||
@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -70,7 +89,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
|
||||
## <summary>
|
||||
## Manage temporary files and directories in /tmp.
|
||||
@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -78,7 +101,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
## <summary>
|
||||
## Read symbolic links in the tmp directory (/tmp).
|
||||
@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets'
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
rw_sock_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -86,7 +113,11 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
|
||||
## <summary>
|
||||
## Mount filesystems in the tmp directory (/tmp)
|
||||
@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
')
|
||||
|
||||
filetrans_pattern($1, tmp_t, $2, $3, $4)
|
||||
|
|
@ -94,6 +125,5 @@ index e1e814d..a7384b0 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
--
|
||||
1.7.5.4
|
||||
|
||||
## <summary>
|
||||
## Delete the contents of /tmp.
|
||||
|
|
@ -11,15 +11,16 @@ contents, so this is still a secure relax.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/kernel/domain.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index cf04cb5..9ffe6b0 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -104,6 +104,9 @@ term_use_controlling_term(domain)
|
||||
@@ -108,10 +108,13 @@ dev_rw_zero(domain)
|
||||
term_use_controlling_term(domain)
|
||||
|
||||
# list the root directory
|
||||
files_list_root(domain)
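Review bot: The three lines this patch adds after `files_list_root(domain)` are attached to the `domain` attribute, i.e. every domain on the system, and the only justification ("still a secure relax") lives in the patch description rather than next to the rules; the added lines themselves are not visible in this rendering. Please carry the reasoning into the policy as a comment, e.g. `# Poky: top-level dirs such as /tmp and /var/log are symlinks; every domain must be able to follow them`, and confirm the grant is scoped to reading those specific link labels rather than all symlinks on the system, because a blanket lnk_file read on `domain` cannot be narrowed later without touching every module. The surrounding domain.te block continues outside the hunk.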
|
||||
|
||||
|
|
@ -29,6 +30,5 @@ index cf04cb5..9ffe6b0 100644
|
|||
ifdef(`hide_broken_symptoms',`
|
||||
# This check is in the general socket
|
||||
# listen code, before protocol-specific
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
# listen function is called, so bad calls
|
||||
# to listen on UDP sockets should be silenced
|
||||
|
|
@ -10,15 +10,16 @@ logging.if. So still need add a individual rule for apache.te.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/apache.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
|
||||
index ec8bd13..06f2e95 100644
|
||||
--- a/policy/modules/contrib/apache.te
|
||||
+++ b/policy/modules/contrib/apache.te
|
||||
@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
|
||||
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
||||
|
|
@ -26,6 +27,5 @@ index ec8bd13..06f2e95 100644
|
|||
logging_log_filetrans(httpd_t, httpd_log_t, file)
|
||||
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
|
|
@ -8,15 +8,16 @@ audisp_remote_t.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 8426a49..2ad9ea5 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
|
||||
@@ -278,10 +278,11 @@ optional_policy(`
|
||||
|
||||
allow audisp_remote_t self:capability { setuid setpcap };
|
||||
allow audisp_remote_t self:process { getcap setcap };
|
||||
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
||||
|
|
@ -24,6 +25,5 @@ index 8426a49..2ad9ea5 100644
|
|||
|
||||
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
||||
|
||||
|
|
@ -9,17 +9,18 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/logging.fc | 1 +
|
||||
policy/modules/system/logging.if | 14 +++++++++++++-
|
||||
policy/modules/system/logging.te | 1 +
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index c005f33..9529e40 100644
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
|
||||
@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||
|
|
@ -27,11 +28,13 @@ index c005f33..9529e40 100644
|
|||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||
index 4e94884..9a6f599 100644
|
||||
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
|
||||
@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_read_audit_log',`
|
||||
gen_require(`
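Review bot: The `/var/log -d` entry in this hunk applies only to a directory, so on the Poky layout this patch targets (/var/log being a symlink) the link inode is not given var_log_t by it and presumably falls to the generic /var rule elsewhere in the policy, in which case the `lnk_file read_lnk_file_perms` the logging interfaces gain never matches the link they were added for. The one-line logging.fc addition in the diffstat is not visible here; if it is not a link entry such as `/var/log -l gen_context(system_u:object_r:var_log_t,s0)`, add one, and since the link target is typically a volatile filesystem on Poky make sure it is relabelled at boot rather than relying on the policy alone. The logging_read_audit_log interface whose header closes this hunk continues outside it.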
|
||||
|
|
@ -46,7 +49,11 @@ index 4e94884..9a6f599 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
|
||||
## <summary>
|
||||
## Execute auditctl in the auditctl domain.
|
||||
@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir search_dir_perms;
|
||||
|
|
@ -54,7 +61,11 @@ index 4e94884..9a6f599 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
|
||||
## <summary>
|
||||
## Do not audit attempts to search the var log directory.
|
||||
@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -62,7 +73,11 @@ index 4e94884..9a6f599 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
|
||||
## <summary>
|
||||
## Read and write the generic log directory (/var/log).
|
||||
@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir rw_dir_perms;
|
||||
|
|
@ -70,7 +85,11 @@ index 4e94884..9a6f599 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
|
||||
## <summary>
|
||||
## Search through all log dirs.
|
||||
@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_read_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -83,7 +102,11 @@ index 4e94884..9a6f599 100644
|
|||
read_files_pattern($1, logfile, logfile)
|
||||
')
|
||||
|
||||
@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
|
||||
# cjp: not sure why this is needed. This was added
|
||||
# because of logrotate.
|
||||
interface(`logging_exec_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -96,7 +119,11 @@ index 4e94884..9a6f599 100644
|
|||
can_exec($1, logfile)
|
||||
')
|
||||
|
||||
@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -104,7 +131,11 @@ index 4e94884..9a6f599 100644
|
|||
read_files_pattern($1, var_log_t, var_log_t)
|
||||
')
|
||||
|
||||
@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -112,7 +143,11 @@ index 4e94884..9a6f599 100644
|
|||
write_files_pattern($1, var_log_t, var_log_t)
|
||||
')
|
||||
|
||||
@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -120,7 +155,11 @@ index 4e94884..9a6f599 100644
|
|||
rw_files_pattern($1, var_log_t, var_log_t)
|
||||
')
|
||||
|
||||
@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
|
||||
type var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1, var_log_t, var_log_t)
|
||||
|
|
@ -128,18 +167,19 @@ index 4e94884..9a6f599 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 2ab0a49..2795d89 100644
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
|
||||
@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
|
||||
|
||||
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t auditd_log_t:dir setattr;
|
||||
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t var_log_t:dir search_dir_perms;
|
||||
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
||||
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
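Review bot: The new `allow auditd_t var_log_t:lnk_file read_lnk_file_perms;` in the auditd block carries no comment, and read in isolation it looks like permission to follow arbitrary links placed under /var/log rather than what the patch description says it is for (the /var/log directory itself being a symlink on Poky). I would add `# Poky: /var/log is a symlink; auditd must follow it to reach auditd_log_t` directly above the rule so the intent survives the next rebase. The auditd_t block continues outside the hunk.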
|
||||
|
||||
|
|
@ -10,15 +10,16 @@ Upstream-Status: Inappropriate [only for Poky]
|
|||
|
||||
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 2914b0b..2ab0a49 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t)
|
||||
@@ -477,10 +477,11 @@ files_var_lib_filetrans(syslogd_t, syslo
|
||||
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
|
||||
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
||||
|
|
@ -26,6 +27,5 @@ index 2914b0b..2ab0a49 100644
|
|||
|
||||
term_write_console(syslogd_t)
|
||||
# Allow syslog to a terminal
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
term_write_unallocated_ttys(syslogd_t)
|
||||
|
||||
|
|
@ -6,16 +6,17 @@ Subject: [PATCH] allow nfsd to exec shell commands.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/contrib/rpc.te | 2 +-
|
||||
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
|
||||
2 files changed, 19 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
|
||||
index 9566932..5605205 100644
|
||||
--- a/policy/modules/contrib/rpc.te
|
||||
+++ b/policy/modules/contrib/rpc.te
|
||||
@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
|
||||
@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
|
||||
|
||||
kernel_read_network_state(nfsd_t)
|
||||
kernel_dontaudit_getattr_core_if(nfsd_t)
|
||||
kernel_setsched(nfsd_t)
|
||||
kernel_request_load_module(nfsd_t)
|
||||
|
|
@ -24,11 +25,13 @@ index 9566932..5605205 100644
|
|||
|
||||
corenet_sendrecv_nfs_server_packets(nfsd_t)
|
||||
corenet_tcp_bind_nfs_port(nfsd_t)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index 649e458..8a669c5 100644
|
||||
corenet_udp_bind_nfs_port(nfsd_t)
|
||||
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
|
||||
@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
|
||||
allow $1 proc_t:filesystem unmount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
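Review bot: The interface this patch inserts into kernel.if after kernel_unmount_proc (18 lines per the diffstat) is not visible in this rendering, but the patch subject says it exists to let nfsd_t execute shell commands; shell execution grants belong in the corecommands module, next to the `shell_exec_t` labels this same series touches in corecommands.fc, not in kernel.if, and they should be limited to `shell_exec_t` rather than all of `bin_t`. Wherever it ends up, the interface needs the standard `## <summary>` / `## <param>` block and rpc.te needs a one-line comment naming which nfsd code path spawns a shell, because this is a considerable widening of nfsd_t; the one-line rpc.te change is not shown either. The surrounding kernel.if definitions continue outside the hunk.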
|
||||
|
|
@ -53,6 +56,5 @@ index 649e458..8a669c5 100644
|
|||
## Get the attributes of the proc filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
--
|
||||
1.7.5.4
|
||||
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
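Review bot: The hunk headers regenerated here carry five lines of context rather than the three in the headers they replace — `@@ -203,7 +203,7 @@` becomes `@@ -222,11 +222,11 @@` for a one-line change in rpc.te, and `@@ -804,6 +804,24 @@` becomes `@@ -844,10 +844,28 @@` for the 18-line kernel.if insert — and the refreshed hunks of the selinuxutil.te, sysadm.te, terminal.if, dmesg and selinux.if patches further down show the same widening. Wider context binds each hunk to more upstream lines, so the next refpolicy bump fails to apply (under `git am`, which has no fuzz) or needs fuzz (under quilt) more often than the original patches did; regenerating with the default three lines, presumably `-U3` or an unset `diff.context`, would keep them as portable as before. This is a point of style only — the one-line rpc.te change and the body of the new kernel.if interface are not themselves visible in this section.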
|
|
@ -7,15 +7,16 @@ Upstream-Status: Pending
|
|||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/selinuxutil.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index 9058dd8..f998491 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t)
|
||||
@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t)
|
||||
files_list_all(setfiles_t)
|
||||
files_relabel_all_files(setfiles_t)
|
||||
files_read_usr_symlinks(setfiles_t)
|
||||
files_dontaudit_read_all_symlinks(setfiles_t)
|
||||
|
||||
|
|
@ -25,6 +26,5 @@ index 9058dd8..f998491 100644
|
|||
fs_getattr_all_xattr_fs(setfiles_t)
|
||||
fs_list_all(setfiles_t)
|
||||
fs_search_auto_mountpoints(setfiles_t)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||
|
||||
|
|
@ -9,15 +9,16 @@ type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=211
|
|||
type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/roles/sysadm.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 1767217..5502c6a 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -413,6 +413,10 @@ optional_policy(`
|
||||
@@ -1169,10 +1169,14 @@ optional_policy(`
|
||||
virt_admin(sysadm_t, sysadm_r)
|
||||
virt_stream_connect(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -28,6 +29,5 @@ index 1767217..5502c6a 100644
|
|||
vmware_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
optional_policy(`
|
||||
vnstatd_admin(sysadm_t, sysadm_r)
|
||||
|
|
@ -9,15 +9,16 @@ term_dontaudit_use_console.
|
|||
Upstream-Status: Inappropriate [only for Poky]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/kernel/terminal.if | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 7519d0e..45de1ac 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -299,9 +299,12 @@ interface(`term_use_console',`
|
||||
@@ -297,13 +297,16 @@ interface(`term_use_console',`
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_console',`
|
||||
gen_require(`
|
||||
type console_device_t;
|
||||
|
|
@ -30,6 +31,5 @@ index 7519d0e..45de1ac 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
## <summary>
|
||||
## Set the attributes of the console
|
||||
|
|
@ -4,26 +4,27 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800
|
|||
Subject: [PATCH] fix dmesg to use /dev/kmsg as default input
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/admin/dmesg.if | 1 +
|
||||
policy/modules/admin/dmesg.te | 2 ++
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
|
||||
index e1973c7..739a4bc 100644
|
||||
--- a/policy/modules/admin/dmesg.if
|
||||
+++ b/policy/modules/admin/dmesg.if
|
||||
@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
|
||||
@@ -35,6 +35,7 @@ interface(`dmesg_exec',`
|
||||
type dmesg_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, dmesg_exec_t)
|
||||
+ dev_read_kmsg($1)
|
||||
')
|
||||
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
|
||||
index 72bc6d8..c591aea 100644
|
||||
--- a/policy/modules/admin/dmesg.te
|
||||
+++ b/policy/modules/admin/dmesg.te
|
||||
@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t)
|
||||
@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t)
|
||||
# for when /usr is not mounted:
|
||||
kernel_dontaudit_search_unlabeled(dmesg_t)
|
||||
|
||||
dev_read_sysfs(dmesg_t)
|
||||
|
||||
|
|
@ -32,6 +33,5 @@ index 72bc6d8..c591aea 100644
|
|||
fs_search_auto_mountpoints(dmesg_t)
|
||||
|
||||
term_dontaudit_use_console(dmesg_t)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
domain_use_interactive_fds(dmesg_t)
|
||||
|
|
@ -14,11 +14,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 32 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: refpolicy/policy/modules/kernel/selinux.if
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/kernel/selinux.if
|
||||
+++ refpolicy/policy/modules/kernel/selinux.if
|
||||
@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
|
||||
--- a/policy/modules/kernel/selinux.if
|
||||
+++ b/policy/modules/kernel/selinux.if
|
||||
@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
|
||||
interface(`selinux_get_fs_mount',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -29,7 +29,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
# starting in libselinux 2.0.5, init_selinuxmnt() will
|
||||
# attempt to short circuit by checking if SELINUXMNT
|
||||
# (/selinux) is already a selinuxfs
|
||||
@@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun
|
||||
allow $1 security_t:filesystem getattr;
|
||||
|
||||
@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
|
||||
interface(`selinux_dontaudit_get_fs_mount',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -37,7 +41,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
# starting in libselinux 2.0.5, init_selinuxmnt() will
|
||||
# attempt to short circuit by checking if SELINUXMNT
|
||||
# (/selinux) is already a selinuxfs
|
||||
@@ -117,6 +122,8 @@ interface(`selinux_mount_fs',`
|
||||
dontaudit $1 security_t:filesystem getattr;
|
||||
|
||||
@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
|
||||
interface(`selinux_mount_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -46,7 +54,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
allow $1 security_t:filesystem mount;
|
||||
')
|
||||
|
||||
@@ -136,6 +143,8 @@ interface(`selinux_remount_fs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
|
||||
interface(`selinux_remount_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -55,7 +67,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
allow $1 security_t:filesystem remount;
|
||||
')
|
||||
|
||||
@@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
|
||||
interface(`selinux_unmount_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -64,7 +80,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
allow $1 security_t:filesystem unmount;
|
||||
')
|
||||
|
||||
@@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
|
||||
interface(`selinux_getattr_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -73,7 +93,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
allow $1 security_t:filesystem getattr;
|
||||
|
||||
dev_getattr_sysfs($1)
|
||||
@@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs'
|
||||
dev_search_sysfs($1)
|
||||
')
|
||||
@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
|
||||
interface(`selinux_dontaudit_getattr_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -81,7 +105,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dontaudit $1 security_t:filesystem getattr;
|
||||
|
||||
dev_dontaudit_getattr_sysfs($1)
|
||||
@@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir
|
||||
dev_dontaudit_search_sysfs($1)
|
||||
')
|
||||
@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
|
||||
interface(`selinux_dontaudit_getattr_dir',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -89,7 +117,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dontaudit $1 security_t:dir getattr;
|
||||
')
|
||||
|
||||
@@ -234,6 +249,7 @@ interface(`selinux_search_fs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
|
||||
interface(`selinux_search_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -97,7 +129,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir search_dir_perms;
|
||||
')
|
||||
@@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs',
|
||||
|
||||
########################################
|
||||
@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
|
||||
interface(`selinux_dontaudit_search_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -105,7 +141,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dontaudit $1 security_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
@@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
|
||||
interface(`selinux_dontaudit_read_fs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -113,7 +153,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dontaudit $1 security_t:dir search_dir_perms;
|
||||
dontaudit $1 security_t:file read_file_perms;
|
||||
')
|
||||
@@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
|
||||
|
||||
########################################
|
||||
@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
|
||||
interface(`selinux_get_enforce_mode',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -121,7 +165,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file read_file_perms;
|
||||
@@ -361,6 +380,7 @@ interface(`selinux_read_policy',`
|
||||
')
|
||||
|
||||
@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
|
||||
interface(`selinux_read_policy',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -129,7 +177,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file read_file_perms;
|
||||
@@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans'
|
||||
allow $1 security_t:security read_policy;
|
||||
')
|
||||
@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
|
||||
interface(`selinux_set_generic_booleans',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -137,7 +189,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
@@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',`
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
|
||||
@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
|
||||
type security_t, secure_mode_policyload_t;
|
||||
attribute boolean_type;
|
||||
bool secure_mode_policyload;
|
||||
')
|
||||
|
||||
|
|
@ -145,7 +201,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
@@ -522,6 +544,7 @@ interface(`selinux_validate_context',`
|
||||
allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
|
||||
allow $1 secure_mode_policyload_t:file read_file_perms;
|
||||
@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
|
||||
interface(`selinux_validate_context',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -153,7 +213,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
@@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co
|
||||
allow $1 security_t:security check_context;
|
||||
')
|
||||
@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
|
||||
interface(`selinux_dontaudit_validate_context',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -161,7 +225,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dontaudit $1 security_t:dir list_dir_perms;
|
||||
dontaudit $1 security_t:file rw_file_perms;
|
||||
dontaudit $1 security_t:security check_context;
|
||||
@@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector
|
||||
')
|
||||
|
||||
@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
|
||||
interface(`selinux_compute_access_vector',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -169,7 +237,11 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
@@ -660,6 +685,13 @@ interface(`selinux_compute_user_contexts
|
||||
allow $1 security_t:security compute_av;
|
||||
')
|
||||
@@ -658,10 +683,17 @@ interface(`selinux_compute_relabel_conte
|
||||
interface(`selinux_compute_user_contexts',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
|
|
@ -183,3 +255,5 @@ Index: refpolicy/policy/modules/kernel/selinux.if
|
|||
dev_search_sysfs($1)
|
||||
allow $1 security_t:dir list_dir_perms;
|
||||
allow $1 security_t:file rw_file_perms;
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
|
@ -14,23 +14,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
policy/modules/kernel/kernel.te | 2 ++
|
||||
4 files changed, 13 insertions(+)
|
||||
|
||||
--- a/policy/modules/contrib/rpc.te
|
||||
+++ b/policy/modules/contrib/rpc.te
|
||||
@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
optional_policy(`
|
||||
mount_exec(nfsd_t)
|
||||
+ # Should domtrans to mount_t while mounting nfsd_fs_t.
|
||||
+ mount_domtrans(nfsd_t)
|
||||
+ # nfsd_t need to chdir to /var/lib/nfs and read files.
|
||||
+ files_list_var(nfsd_t)
|
||||
+ rpc_read_nfs_state_data(nfsd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
--- a/policy/modules/contrib/rpcbind.te
|
||||
+++ b/policy/modules/contrib/rpcbind.te
|
||||
@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t)
|
||||
@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t)
|
||||
|
||||
logging_send_syslog_msg(rpcbind_t)
|
||||
|
||||
miscfiles_read_localization(rpcbind_t)
|
||||
|
||||
|
|
@ -42,20 +30,44 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
ifdef(`distro_debian',`
|
||||
term_dontaudit_use_unallocated_ttys(rpcbind_t)
|
||||
')
|
||||
--- a/policy/modules/contrib/rpc.te
|
||||
+++ b/policy/modules/contrib/rpc.te
|
||||
@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
files_read_non_auth_files(nfsd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_exec(nfsd_t)
|
||||
+ # Should domtrans to mount_t while mounting nfsd_fs_t.
|
||||
+ mount_domtrans(nfsd_t)
|
||||
+ # nfsd_t need to chdir to /var/lib/nfs and read files.
|
||||
+ files_list_var(nfsd_t)
|
||||
+ rpc_read_nfs_state_data(nfsd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# GSSD local policy
|
||||
--- a/policy/modules/kernel/filesystem.te
|
||||
+++ b/policy/modules/kernel/filesystem.te
|
||||
@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj
|
||||
@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t)
|
||||
allow mvfs_t self:filesystem associate;
|
||||
genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
|
||||
|
||||
type nfsd_fs_t;
|
||||
fs_type(nfsd_fs_t)
|
||||
+files_mountpoint(nfsd_fs_t)
|
||||
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
|
||||
|
||||
type oprofilefs_t;
|
||||
type nsfs_t;
|
||||
fs_type(nsfs_t)
|
||||
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t)
|
||||
|
||||
mls_process_read_all_levels(kernel_t)
|
||||
mls_process_write_all_levels(kernel_t)
|
||||
mls_file_write_all_levels(kernel_t)
|
||||
mls_file_read_all_levels(kernel_t)
|
||||
+mls_socket_write_all_levels(kernel_t)
|
||||
|
|
@ -63,3 +75,5 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
# Bugzilla 222337
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
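Review bot: `+mls_socket_write_all_levels(kernel_t)` in the kernel.te hunk is an MLS constraint exemption — it lets kernel_t write sockets at every sensitivity level — yet it is the only addition in this patch with no explanation, while the rpc.te additions above each carry one (`# Should domtrans to mount_t while mounting nfsd_fs_t.`, `# nfsd_t need to chdir to /var/lib/nfs and read files.`). Since this refresh regenerates the patch anyway, precede the line with a comment naming the denial it resolves, in the patch's own comment style, e.g. `# <placeholder: the socket-write AVC denial this line unblocks>`. The page has lost this commit's own +/- markers, so the line may be carried over unchanged from the previous patch version rather than new here, and the patch's diffstat (`kernel.te | 2 ++`) says a second added line exists that this section does not show; the comment is worth adding either way. If the rpc.te hunk is touched as well, its comment could read `# nfsd_t needs to chdir to /var/lib/nfs and read files.`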
|
|
@ -10,15 +10,16 @@ Upstream-Status: pending
|
|||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/selinuxutil.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index f998491..1a4e565 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
|
||||
@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t)
|
||||
files_dontaudit_read_all_symlinks(setfiles_t)
|
||||
|
||||
# needs to be able to read symlinks to make restorecon on symlink working
|
||||
files_read_all_symlinks(setfiles_t)
|
||||
|
||||
|
|
@ -27,6 +28,5 @@ index f998491..1a4e565 100644
|
|||
fs_list_all(setfiles_t)
|
||||
fs_search_auto_mountpoints(setfiles_t)
|
||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
mls_file_read_all_levels(setfiles_t)
|
||||
|
|
@ -6,16 +6,17 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files
|
|||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/selinuxutil.if | 1 +
|
||||
policy/modules/system/userdomain.if | 4 ++++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||
index 3822072..db03ca1 100644
|
||||
--- a/policy/modules/system/selinuxutil.if
|
||||
+++ b/policy/modules/system/selinuxutil.if
|
||||
@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
|
||||
@@ -753,10 +753,11 @@ interface(`seutil_manage_config',`
|
||||
gen_require(`
|
||||
type selinux_config_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
|
|
@ -23,11 +24,13 @@ index 3822072..db03ca1 100644
|
|||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index b4a691d..20c8bf8 100644
|
||||
|
||||
#######################################
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat
|
||||
logging_read_audit_log($1)
|
||||
logging_read_generic_logs($1)
|
||||
logging_read_audit_config($1)
|
||||
|
||||
seutil_manage_bin_policy($1)
|
||||
|
|
@ -38,6 +41,5 @@ index b4a691d..20c8bf8 100644
|
|||
seutil_run_checkpolicy($1, $2)
|
||||
seutil_run_loadpolicy($1, $2)
|
||||
seutil_run_semanage($1, $2)
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
seutil_run_setfiles($1, $2)
|
||||
|
||||
|
|
@ -6,15 +6,16 @@ Subject: [PATCH] refpolicy: update for systemd related allow rules
|
|||
It provide, the systemd support related allow rules
|
||||
|
||||
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
---
|
||||
policy/modules/system/init.te | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index c8f007d..a9675f6 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -929,3 +929,8 @@ optional_policy(`
|
||||
@@ -1105,5 +1105,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|
|
@ -24,6 +25,3 @@ index c8f007d..a9675f6 100644
|
|||
+allow devpts_t device_t:filesystem associate;
|
||||
+allow init_t self:capability2 block_suspend;
|
||||
\ No newline at end of file
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
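Review bot: `+allow init_t self:capability2 block_suspend;` is still followed by `\ No newline at end of file`, so this patch leaves init.te without a terminating newline, and the next patch in the series then spends a hunk — `-allow init_t self:capability2 block_suspend;`, the marker, `+allow init_t self:capability2 block_suspend;` under `@@ -1109,6 +1111,6 @@` — only to put the newline back. Since this commit regenerates both patches, ending the added lines here with a newline would drop that churn hunk from the other patch and the marker with it. The rules themselves (`devpts_t` associate on `device_t`, `block_suspend` for init_t) are not changed; the dropped `--`/version trailer lines are the only other visible change in this hunk.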
|
|
@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -344,17 +344,19 @@ ifdef(`init_systemd',`
|
||||
@@ -300,16 +300,18 @@ ifdef(`init_systemd',`
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans(init_t)
|
||||
modutils_domtrans_insmod(init_t)
|
||||
')
|
||||
',`
|
||||
- tunable_policy(`init_upstart',`
|
||||
|
|
@ -30,25 +30,32 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
- ',`
|
||||
- # Run the shell in the sysadm role for single-user mode.
|
||||
- # causes problems with upstart
|
||||
- ifndef(`distro_debian',`
|
||||
- sysadm_shell_domtrans(init_t)
|
||||
- sysadm_shell_domtrans(init_t)
|
||||
+ optional_policy(`
|
||||
+ tunable_policy(`init_upstart',`
|
||||
+ corecmd_shell_domtrans(init_t, initrc_t)
|
||||
+ ',`
|
||||
+ # Run the shell in the sysadm role for single-user mode.
|
||||
+ # causes problems with upstart
|
||||
+ ifndef(`distro_debian',`
|
||||
+ sysadm_shell_domtrans(init_t)
|
||||
+ ')
|
||||
')
|
||||
+ sysadm_shell_domtrans(init_t)
|
||||
+ ')
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
|
||||
@@ -1109,6 +1111,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
# systemd related allow rules
|
||||
allow kernel_t init_t:process dyntransition;
|
||||
allow devpts_t device_t:filesystem associate;
|
||||
-allow init_t self:capability2 block_suspend;
|
||||
\ No newline at end of file
|
||||
+allow init_t self:capability2 block_suspend;
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t)
|
||||
@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t)
|
||||
userdom_use_unpriv_users_fds(sulogin_t)
|
||||
|
||||
userdom_search_user_home_dirs(sulogin_t)
|
||||
|
|
@ -59,7 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
+ sysadm_shell_domtrans(sulogin_t)
|
||||
+')
|
||||
|
||||
# by default, sulogin does not use pam...
|
||||
# sulogin_pam might need to be defined otherwise
|
||||
ifdef(`sulogin_pam', `
|
||||
selinux_get_fs_mount(sulogin_t)
|
||||
# suse and debian do not use pam with sulogin...
|
||||
ifdef(`distro_suse', `define(`sulogin_no_pam')')
|
||||
ifdef(`distro_debian', `define(`sulogin_no_pam')')
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
|
|||
|
|
@ -30,21 +30,21 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|||
+
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
|
||||
ubac_file_exempt(sysadm_t)
|
||||
ubac_fd_exempt(sysadm_t)
|
||||
|
||||
init_exec(sysadm_t)
|
||||
init_admin(sysadm_t)
|
||||
@@ -41,10 +41,11 @@ init_reload(sysadm_t)
|
||||
init_reboot_system(sysadm_t)
|
||||
init_shutdown_system(sysadm_t)
|
||||
init_start_generic_units(sysadm_t)
|
||||
init_stop_generic_units(sysadm_t)
|
||||
init_reload_generic_units(sysadm_t)
|
||||
+init_script_role_transition(sysadm_r)
|
||||
|
||||
selinux_read_policy(sysadm_t)
|
||||
|
||||
# Add/remove user home directories
|
||||
userdom_manage_user_home_dirs(sysadm_t)
|
||||
userdom_home_filetrans_user_home_dir(sysadm_t)
|
||||
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
|
||||
@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type',
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -80,7 +80,7 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
|
@ -108,11 +108,11 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2972,5 +2974,34 @@ interface(`init_admin',`
|
||||
init_stop_all_units($1)
|
||||
init_stop_generic_units($1)
|
||||
init_stop_system($1)
|
||||
init_telinit($1)
|
||||
@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',`
|
||||
class service reload;
|
||||
')
|
||||
|
||||
allow $1 systemdunit:service reload;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;"
|
||||
SRC_URI[md5sum] = "7b1ca12e9ea0254508391559cb8f2c41"
|
||||
SRC_URI[sha256sum] = "2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de"
|
||||
SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
|
||||
SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
|
||||
|
||||
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20151208:"
|
||||
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20170204:"
|
||||
|
||||
# Fix file contexts for Poky
|
||||
SRC_URI += "file://poky-fc-subs_dist.patch \
|
||||
|
|
@ -14,16 +14,13 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
|
|||
file://poky-fc-fix-real-path_shadow.patch \
|
||||
file://poky-fc-fix-bind.patch \
|
||||
file://poky-fc-clock.patch \
|
||||
file://poky-fc-corecommands.patch \
|
||||
file://poky-fc-dmesg.patch \
|
||||
file://poky-fc-fstools.patch \
|
||||
file://poky-fc-iptables.patch \
|
||||
file://poky-fc-mta.patch \
|
||||
file://poky-fc-netutils.patch \
|
||||
file://poky-fc-nscd.patch \
|
||||
file://poky-fc-screen.patch \
|
||||
file://poky-fc-ssh.patch \
|
||||
file://poky-fc-su.patch \
|
||||
file://poky-fc-sysnetwork.patch \
|
||||
file://poky-fc-udevd.patch \
|
||||
file://poky-fc-rpm.patch \
|
||||