mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
refpolicy: upgrade 20200229+git -> 20210203+git
* Update to latest git rev. * Drop obsolete and unused patches. * Rebase patches. * Add patches to make systemd --user work. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
This commit is contained in:
Yi Zhao
Joe MacDonald
parent
f156bc995b
commit
e51f84912d
|
|
@ -13,6 +13,7 @@ domains are unconfined. \
|
|||
|
||||
SRC_URI += " \
|
||||
file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
|
||||
file://0002-refpolicy-minimum-enable-nscd_use_shm.patch \
|
||||
"
|
||||
|
||||
POLICY_NAME = "minimum"
|
||||
|
|
|
|||
|
|
@ -6,8 +6,6 @@ domain, so they have the same access to the system as if SELinux was not \
|
|||
enabled. \
|
||||
"
|
||||
|
||||
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
|
||||
|
||||
POLICY_NAME = "targeted"
|
||||
POLICY_TYPE = "mcs"
|
||||
POLICY_MLS_SENS = "0"
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 7dc492abc2918e770b36099cf079ca9be10598c8 Mon Sep 17 00:00:00 2001
|
||||
From 8a6052604e4f39ef9cbab62372006bc6f736dbed Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 16:14:09 -0400
|
||||
Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
|
||||
|
|
@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
|
||||
index 346d920e3..aeb25a5bb 100644
|
||||
index 653d25d93..652e1dd35 100644
|
||||
--- a/config/file_contexts.subs_dist
|
||||
+++ b/config/file_contexts.subs_dist
|
||||
@@ -31,3 +31,9 @@
|
||||
@@ -32,3 +32,9 @@
|
||||
# not for refpolicy intern, but for /var/run using applications,
|
||||
# like systemd tmpfiles or systemd socket configurations
|
||||
/var/run /run
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From efe4d5472fde3d4f043f4e8660c6cc73c7fc1542 Mon Sep 17 00:00:00 2001
|
||||
From dc757d6df2314d82029b23b409df8de22a4df45e Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 5 Apr 2019 11:53:28 -0400
|
||||
Subject: [PATCH] refpolicy-minimum: make sysadmin module optional
|
||||
|
|
@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
2 files changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index feed5af5f..6b6b723b8 100644
|
||||
index aa57a5661..9b03d3767 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -515,13 +515,15 @@ ifdef(`init_systemd',`
|
||||
@@ -527,13 +527,15 @@ ifdef(`init_systemd',`
|
||||
unconfined_write_keys(init_t)
|
||||
')
|
||||
',`
|
||||
|
|
@ -48,10 +48,10 @@ index feed5af5f..6b6b723b8 100644
|
|||
')
|
||||
')
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index f629b0040..971ca40e5 100644
|
||||
index 109980e79..313112371 100644
|
||||
--- a/policy/modules/system/locallogin.te
|
||||
+++ b/policy/modules/system/locallogin.te
|
||||
@@ -267,7 +267,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
@@ -265,7 +265,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
|
||||
userdom_search_user_home_dirs(sulogin_t)
|
||||
userdom_use_user_ptys(sulogin_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 8613549f3aad37ce3bec8513057f0f893d4cc9bd Mon Sep 17 00:00:00 2001
|
||||
From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 20 Apr 2020 11:50:03 +0800
|
||||
Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
|
||||
|
|
@ -43,7 +43,7 @@ index ce614b41b..c0903d98b 100644
|
|||
+root:unconfined_u:s0-mcs_systemhigh
|
||||
+__default__:unconfined_u:s0
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index ac5239d83..310a4fad2 100644
|
||||
index ce7d77d31..1aff2c31a 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t)
|
||||
|
|
@ -52,13 +52,13 @@ index ac5239d83..310a4fad2 100644
|
|||
init_admin(sysadm_t)
|
||||
+init_script_role_transition(sysadm_r)
|
||||
|
||||
selinux_read_policy(sysadm_t)
|
||||
|
||||
# Add/remove user home directories
|
||||
userdom_manage_user_home_dirs(sysadm_t)
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index ab24b5d9b..ed441ddef 100644
|
||||
index 98e94283f..eb6d5b32d 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -1798,11 +1798,12 @@ interface(`init_script_file_entry_type',`
|
||||
@@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',`
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
|
|
@ -73,7 +73,7 @@ index ab24b5d9b..ed441ddef 100644
|
|||
|
||||
ifdef(`distro_gentoo',`
|
||||
gen_require(`
|
||||
@@ -1813,11 +1814,11 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',`
|
||||
')
|
||||
|
||||
ifdef(`enable_mcs',`
|
||||
|
|
@ -87,7 +87,7 @@ index ab24b5d9b..ed441ddef 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -1834,17 +1835,18 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',`
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
type initrc_t, initrc_exec_t;
|
||||
|
|
@ -108,7 +108,7 @@ index ab24b5d9b..ed441ddef 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -3599,3 +3601,31 @@ interface(`init_getrlimit',`
|
||||
@@ -3532,3 +3534,31 @@ interface(`init_getrlimit',`
|
||||
|
||||
allow $1 init_t:process getrlimit;
|
||||
')
|
||||
|
|
@ -141,7 +141,7 @@ index ab24b5d9b..ed441ddef 100644
|
|||
+ role_transition $1 init_script_file_type system_r;
|
||||
+')
|
||||
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
|
||||
index 3d75855b6..5aa4c0b69 100644
|
||||
index 385c88695..87adb7e9d 100644
|
||||
--- a/policy/modules/system/unconfined.te
|
||||
+++ b/policy/modules/system/unconfined.te
|
||||
@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 2a68b7539104bec76aaf2a18b399770f59d0cb28 Mon Sep 17 00:00:00 2001
|
||||
From 0ee7bc5f28ffae30b1a1f40edd96cfed993db667 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 20:48:10 -0400
|
||||
Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr
|
||||
|
|
@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
|
||||
index aeb25a5bb..c249c5207 100644
|
||||
index 652e1dd35..a38d58e16 100644
|
||||
--- a/config/file_contexts.subs_dist
|
||||
+++ b/config/file_contexts.subs_dist
|
||||
@@ -37,3 +37,9 @@
|
||||
@@ -38,3 +38,9 @@
|
||||
# volatile hierarchy.
|
||||
/var/volatile/log /var/log
|
||||
/var/volatile/tmp /var/tmp
|
||||
|
|
|
|||
|
|
@ -0,0 +1,35 @@
|
|||
From d71b79cc9b174181934d588f64baa5637c8e85d1 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 26 Feb 2021 09:13:23 +0800
|
||||
Subject: [PATCH] policy/modules/services/nscd: enable nscd_use_shm
|
||||
|
||||
Fixes:
|
||||
avc: denied { listen } for pid=199 comm="systemd-resolve"
|
||||
path="/run/systemd/resolve/io.systemd.Resolve"
|
||||
scontext=system_u:system_r:systemd_resolved_t:s0
|
||||
tcontext=system_u:system_r:systemd_resolved_t:s0
|
||||
tclass=unix_stream_socket permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/nscd.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
|
||||
index ada67edb1..9801fc228 100644
|
||||
--- a/policy/modules/services/nscd.te
|
||||
+++ b/policy/modules/services/nscd.te
|
||||
@@ -15,7 +15,7 @@ gen_require(`
|
||||
## can use nscd shared memory.
|
||||
## </p>
|
||||
## </desc>
|
||||
-gen_tunable(nscd_use_shm, false)
|
||||
+gen_tunable(nscd_use_shm, true)
|
||||
|
||||
attribute_role nscd_roles;
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 9f73ec53a4a5d5bb9b7fa453f3089c55f777c2ce Mon Sep 17 00:00:00 2001
|
||||
From e0c34d0feb5305b1397f252d698501b641277517 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] fc/hostname: apply policy to common yocto hostname
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From fda1e656c46b360f1023834636c460c5510acf68 Mon Sep 17 00:00:00 2001
|
||||
From 8d2c24bc1e2ef8ddf3cf7a08297cfab8a8a92b0d Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 21:37:32 -0400
|
||||
Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
|
||||
|
|
@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index b473850d4..7e199b7b0 100644
|
||||
index 4c18154ce..9187e50af 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -142,6 +142,7 @@ ifdef(`distro_gentoo',`
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 90a9ef3adb997517f921a3524da99c966e3b00df Mon Sep 17 00:00:00 2001
|
||||
From 85a77289d193bb3335c78f6d51b4ae2b81249952 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 4 Apr 2019 10:45:03 -0400
|
||||
Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
|
||||
|
|
@ -13,10 +13,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index fddf9f693..acf539656 100644
|
||||
index 14505efe9..c9ec4e5ab 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -84,6 +84,7 @@ ifdef(`distro_redhat',`
|
||||
/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)
|
||||
/run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0)
|
||||
/run/netns/[^/]+ -- <<none>>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 3383027dfb8c672468a99805535eeadffbe7d332 Mon Sep 17 00:00:00 2001
|
||||
From 253ab75676232be5522fc628b0819d0c48a08c03 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 21:43:53 -0400
|
||||
Subject: [PATCH] fc/login: apply login context to login.shadow
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From fcf91092015155c4a10a1d7c4dd352ead0b5698b Mon Sep 17 00:00:00 2001
|
||||
From 7e61e5d715451bafd785ec7db01e24e726e31c35 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 21:58:53 -0400
|
||||
Subject: [PATCH] fc/bind: fix real path for bind
|
||||
|
|
@ -13,7 +13,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
|
||||
index 7c1df4895..9f87a21a6 100644
|
||||
index ce68a0af9..585103eb9 100644
|
||||
--- a/policy/modules/services/bind.fc
|
||||
+++ b/policy/modules/services/bind.fc
|
||||
@@ -1,8 +1,10 @@
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 2e5be9a910fc07a63efafc87a3c10bd81bd9c052 Mon Sep 17 00:00:00 2001
|
||||
From c7e69aa036d16a57709684fd2f72959f9a4ac251 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Thu, 28 Mar 2019 21:59:18 -0400
|
||||
Subject: [PATCH] fc/hwclock: add hwclock alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 924ecc31c140dcd862d067849d4e11e111284165 Mon Sep 17 00:00:00 2001
|
||||
From 0fe5ae0d1b5f4268b04ba6c6134324385bb630a2 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 29 Mar 2019 08:26:55 -0400
|
||||
Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 261892950c5b2a40b7c3bb050ede148cbd1c7a84 Mon Sep 17 00:00:00 2001
|
||||
From e2d9462c5f26dc02f7d547548d8a94bfd79ea88f Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 29 Mar 2019 09:20:58 -0400
|
||||
Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From bb8832629e85af2a16800f5cfec97ca0bf8319e6 Mon Sep 17 00:00:00 2001
|
||||
From dc3edc3b65dccf57d4cb22eb220498c2a5d9685f Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Tue, 9 Jun 2015 21:22:52 +0530
|
||||
Subject: [PATCH] fc/sysnetwork: apply policy to ip alternatives
|
||||
|
|
@ -14,10 +14,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index acf539656..d8902d725 100644
|
||||
index c9ec4e5ab..c3291962d 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -59,13 +59,16 @@ ifdef(`distro_redhat',`
|
||||
@@ -60,13 +60,16 @@ ifdef(`distro_redhat',`
|
||||
/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 02a3c7a06f760d3cae909d2c271d1e4fde07c09b Mon Sep 17 00:00:00 2001
|
||||
From 9afd44d1300bc858c1569344fc1271e0468edad9 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 29 Mar 2019 09:36:08 -0400
|
||||
Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
|
||||
|
|
@ -12,10 +12,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
|
||||
index 0ae7571cd..ceb5b70b3 100644
|
||||
index c88189fb7..ad4c0bba2 100644
|
||||
--- a/policy/modules/system/udev.fc
|
||||
+++ b/policy/modules/system/udev.fc
|
||||
@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
|
||||
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
|
||||
/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 117884178c9ba63334f732da6f30e67e22aa898e Mon Sep 17 00:00:00 2001
|
||||
From 79e58207060c25d5f2484ed164ab74413d00792a Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 29 Mar 2019 09:54:07 -0400
|
||||
Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
|
||||
|
|
@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
|
||||
index 6194a4833..ace922ac1 100644
|
||||
index aaf530c2b..618b18cec 100644
|
||||
--- a/policy/modules/admin/rpm.fc
|
||||
+++ b/policy/modules/admin/rpm.fc
|
||||
@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 522d08c0dac1cfe9e33f06bc1252b7b672d9ffd3 Mon Sep 17 00:00:00 2001
|
||||
From a1281be5b894c0c6dc3471a1e6b6c910bab7aa46 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 13 Feb 2014 00:33:07 -0500
|
||||
Subject: [PATCH] fc/su: apply policy to su alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From c4b0ffd60873ecca2cf0b1aa898185f5f3928828 Mon Sep 17 00:00:00 2001
|
||||
From 02f6557320c60d895397650a59c39708c8e63d27 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Mon, 27 Jan 2014 03:54:01 -0500
|
||||
Subject: [PATCH] fc/fstools: fix real path for fstools
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 95a843719394827621e3b33c13f2696f7e498e5b Mon Sep 17 00:00:00 2001
|
||||
From f7860456e3867e6d9c24a7e07bc9e518f65ec478 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
|
||||
|
|
@ -26,7 +26,7 @@ index bf51c103f..91ed72be0 100644
|
|||
|
||||
/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 7e199b7b0..157eeb0d0 100644
|
||||
index 9187e50af..0ecabe34e 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
|
||||
|
|
@ -39,7 +39,7 @@ index 7e199b7b0..157eeb0d0 100644
|
|||
/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index fee6ff3b6..fe72df22a 100644
|
||||
index 63cf195e6..5268bddb2 100644
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 0b05d71fea73c9fc0dc8aac6e7d096b0214db5eb Mon Sep 17 00:00:00 2001
|
||||
From 3a83de3883d0e287c0b6647e87a93d2cdc48aa10 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 10:19:54 +0800
|
||||
Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 5f759c3d89b52e62607266c4e684d66953803d4d Mon Sep 17 00:00:00 2001
|
||||
From 5219bc4e0b3147455fecb1485e8387573207070c Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 10:21:51 +0800
|
||||
Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
|
||||
|
|
@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 157eeb0d0..515948ea9 100644
|
||||
index 0ecabe34e..e27e701ef 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -303,6 +303,8 @@ ifdef(`distro_debian',`
|
||||
@@ -304,6 +304,8 @@ ifdef(`distro_debian',`
|
||||
/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 84f715b8d128bcbfdc95adf18d6bc8eb225f05cd Mon Sep 17 00:00:00 2001
|
||||
From 2b3b5d43040e939e836ea5c9803f0b27641e50a4 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 10:43:28 +0800
|
||||
Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From b30d9ad872f613d2b1c3aad45eac65593de37b9b Mon Sep 17 00:00:00 2001
|
||||
From 5308969204d535391cb766ba5aa4b5479f64248c Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 10:45:23 +0800
|
||||
Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 632dcd7a700049a955082bd24af742c2780dcc38 Mon Sep 17 00:00:00 2001
|
||||
From 89a54472ea0195ec19c291374e88e55b40107ff8 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 10:55:05 +0800
|
||||
Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From a580b0154da9dd07369b172ed459046197e388c7 Mon Sep 17 00:00:00 2001
|
||||
From 1130a43390bf41adb7747d0cc62c85c4320806cb Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 11:06:13 +0800
|
||||
Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 926401518bca5a1e63b7f2c2cbae4a3bc42bf342 Mon Sep 17 00:00:00 2001
|
||||
From 184f1dfe4cbff9c5ff2cbe865d4e7427f100ff59 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 11:13:16 +0800
|
||||
Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From f3f6f0cb4857954afd8a025a1cd3f14b8a11b64d Mon Sep 17 00:00:00 2001
|
||||
From e114e09928232dd9eed568a4717dca2094f6e4ad Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 11:15:33 +0800
|
||||
Subject: [PATCH] fc/screen: apply policy to screen alternatives
|
||||
|
|
@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
|
||||
index 7196c598e..cada9944e 100644
|
||||
index e51e01d97..238dc263e 100644
|
||||
--- a/policy/modules/apps/screen.fc
|
||||
+++ b/policy/modules/apps/screen.fc
|
||||
@@ -6,4 +6,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
|
||||
@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
|
||||
/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
|
||||
|
||||
/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 0656c4b988cb700f322fb03e6639fe0b64e08d63 Mon Sep 17 00:00:00 2001
|
||||
From 62a5f9dee28411f1d88a2101e507c15780467b2f Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 11:25:34 +0800
|
||||
Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From cc8da498e20518cc9e8f59d1a4570e073f19e88b Mon Sep 17 00:00:00 2001
|
||||
From 7be59b4d42165f7e12ccb8b2409304a2640eb898 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 15 Nov 2019 16:07:30 +0800
|
||||
Subject: [PATCH] fc/getty: add file context to start_getty
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 1d6f9b62082188992bfb681632dff15d5ad608c9 Mon Sep 17 00:00:00 2001
|
||||
From ac335f80d09f9ce4756f2e58944a975a12441fa7 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 19 Nov 2019 14:33:28 +0800
|
||||
Subject: [PATCH] fc/init: add file context to /etc/network/if-* files
|
||||
|
|
@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
|
||||
index fe72df22a..a9d8f343a 100644
|
||||
index 5268bddb2..a6762bd00 100644
|
||||
--- a/policy/modules/system/init.fc
|
||||
+++ b/policy/modules/system/init.fc
|
||||
@@ -70,11 +70,12 @@ ifdef(`distro_redhat',`
|
||||
@@ -75,11 +75,12 @@ ifdef(`distro_redhat',`
|
||||
ifdef(`distro_debian',`
|
||||
/run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0)
|
||||
/run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 8d8858bd8569db106f0feb44a0912daa872954ec Mon Sep 17 00:00:00 2001
|
||||
From 1ee2b12fa1585bf765370e3e787081fe01ad990f Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 18 Dec 2019 15:04:41 +0800
|
||||
Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 25701662f7149743556bb2d5edb5c69e6de2744f Mon Sep 17 00:00:00 2001
|
||||
From a14d7d6fc54e7cf82d977c4b5c2df961c5eb1fe0 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 30 Jun 2020 10:45:57 +0800
|
||||
Subject: [PATCH] fc/cron: apply policy to /etc/init.d/crond
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From e6b303444988717c725a71db7b21417839321463 Mon Sep 17 00:00:00 2001
|
||||
From b3d2611360ddf21a3f8729766a1e4b64117ea710 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 4 Aug 2020 16:48:12 +0800
|
||||
Subject: [PATCH] fc/sysnetwork: update file context for ifconfig
|
||||
|
|
@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
|
||||
index d8902d725..9ec4eefb7 100644
|
||||
index c3291962d..4ca151524 100644
|
||||
--- a/policy/modules/system/sysnetwork.fc
|
||||
+++ b/policy/modules/system/sysnetwork.fc
|
||||
@@ -43,6 +43,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
|
||||
/usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
|
||||
/usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
/usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 9260b04d257cdddf42d0267456d3ba2b38dc22d4 Mon Sep 17 00:00:00 2001
|
||||
From 8c733eff8089c24fe6885977d2bdcdfb0c453726 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Sun, 5 Apr 2020 22:03:45 +0800
|
||||
Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
|
||||
|
|
@ -14,10 +14,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
|
||||
index c249c5207..67f476868 100644
|
||||
index a38d58e16..3e4c5720f 100644
|
||||
--- a/config/file_contexts.subs_dist
|
||||
+++ b/config/file_contexts.subs_dist
|
||||
@@ -43,3 +43,7 @@
|
||||
@@ -44,3 +44,7 @@
|
||||
/usr/lib/busybox/bin /usr/bin
|
||||
/usr/lib/busybox/sbin /usr/sbin
|
||||
/usr/lib/busybox/usr /usr
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From e4bdbb101fd2af2d4fd8b87794443097b58d20ff Mon Sep 17 00:00:00 2001
|
||||
From 456bb92237aa637f506fcc56b190eb534d745e41 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
|
||||
|
|
@ -15,8 +15,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
---
|
||||
policy/modules/system/logging.fc | 1 +
|
||||
policy/modules/system/logging.if | 9 +++++++++
|
||||
policy/modules/system/logging.te | 2 ++
|
||||
3 files changed, 12 insertions(+)
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index 5681acb51..a4ecd570a 100644
|
||||
|
|
@ -31,10 +30,10 @@ index 5681acb51..a4ecd570a 100644
|
|||
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||
index e5f4080ac..e3cbe4f1a 100644
|
||||
index 10dee6563..9bb3afdb2 100644
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -1066,10 +1066,12 @@ interface(`logging_append_all_inherited_logs',`
|
||||
@@ -1065,10 +1065,12 @@ interface(`logging_append_all_inherited_logs',`
|
||||
interface(`logging_read_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -47,7 +46,7 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
read_files_pattern($1, logfile, logfile)
|
||||
')
|
||||
|
||||
@@ -1088,10 +1090,12 @@ interface(`logging_read_all_logs',`
|
||||
@@ -1087,10 +1089,12 @@ interface(`logging_read_all_logs',`
|
||||
interface(`logging_exec_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -60,7 +59,7 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
can_exec($1, logfile)
|
||||
')
|
||||
|
||||
@@ -1153,6 +1157,7 @@ interface(`logging_manage_generic_log_dirs',`
|
||||
@@ -1152,6 +1156,7 @@ interface(`logging_manage_generic_log_dirs',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir manage_dir_perms;
|
||||
|
|
@ -68,15 +67,15 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1173,6 +1178,7 @@ interface(`logging_relabel_generic_log_dirs',`
|
||||
@@ -1172,6 +1177,7 @@ interface(`logging_relabel_generic_log_dirs',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir { relabelfrom relabelto };
|
||||
allow $1 var_log_t:dir relabel_dir_perms;
|
||||
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1193,6 +1199,7 @@ interface(`logging_read_generic_logs',`
|
||||
@@ -1192,6 +1198,7 @@ interface(`logging_read_generic_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -84,7 +83,7 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
read_files_pattern($1, var_log_t, var_log_t)
|
||||
')
|
||||
|
||||
@@ -1294,6 +1301,7 @@ interface(`logging_manage_generic_logs',`
|
||||
@@ -1293,6 +1300,7 @@ interface(`logging_manage_generic_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1, var_log_t, var_log_t)
|
||||
|
|
@ -92,7 +91,7 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1312,6 +1320,7 @@ interface(`logging_watch_generic_logs_dir',`
|
||||
@@ -1311,6 +1319,7 @@ interface(`logging_watch_generic_logs_dir',`
|
||||
')
|
||||
|
||||
allow $1 var_log_t:dir watch;
|
||||
|
|
@ -100,26 +99,6 @@ index e5f4080ac..e3cbe4f1a 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 3702d441a..513d811ef 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t auditd_log_t:dir setattr;
|
||||
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t var_log_t:dir search_dir_perms;
|
||||
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
||||
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
||||
@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
|
||||
allow audisp_remote_t self:process { getcap setcap };
|
||||
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
||||
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 0385f2374297ab2b8799fe1ec28d12e1682ec074 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Fri, 23 Aug 2013 11:20:00 +0800
|
||||
Subject: [PATCH] policy/modules/system/logging: add domain rules for the
|
||||
subdir symlinks in /var/
|
||||
|
||||
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
|
||||
/var for poky, so we need allow rules for all domains to read these
|
||||
symlinks. Domains still need their practical allow rules to read the
|
||||
contents, so this is still a secure relax.
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/kernel/domain.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index 4e43a208d..7e5d2b458 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
|
||||
# list the root directory
|
||||
files_list_root(domain)
|
||||
|
||||
+# Yocto/oe-core use some var volatile links
|
||||
+files_read_var_symlinks(domain)
|
||||
+
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# This check is in the general socket
|
||||
# listen code, before protocol-specific
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From aaa818cd6d0b1d7a3ad99f911c6c21d5b30b9f49 Mon Sep 17 00:00:00 2001
|
||||
From 275597cbb54eb8007c07fc06c3d9bd3d3090f7f2 Mon Sep 17 00:00:00 2001
|
||||
From: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Date: Fri, 29 Mar 2019 10:33:18 -0400
|
||||
Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink
|
||||
|
|
@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 513d811ef..2d9f65d2d 100644
|
||||
index 031e2f40f..673046781 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -414,6 +414,7 @@ files_search_spool(syslogd_t)
|
||||
@@ -404,6 +404,7 @@ files_search_spool(syslogd_t)
|
||||
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 3ff1a004b77f44857dadfef3b78a49a55d90c665 Mon Sep 17 00:00:00 2001
|
||||
From 491783f2ae026ac969c9f6ef6eea1bd75ac7e2a5 Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of
|
||||
|
|
@ -18,10 +18,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
|
||||
index a3993f5cc..f69900945 100644
|
||||
index 826722f4e..677ae96c3 100644
|
||||
--- a/policy/modules/kernel/files.fc
|
||||
+++ b/policy/modules/kernel/files.fc
|
||||
@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
# /tmp
|
||||
#
|
||||
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
|
||||
|
|
@ -30,10 +30,10 @@ index a3993f5cc..f69900945 100644
|
|||
/tmp/\.journal <<none>>
|
||||
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index 6a53f886b..ad19738b3 100644
|
||||
index 34a9cd66d..7fc7e922f 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -4451,6 +4451,7 @@ interface(`files_search_tmp',`
|
||||
@@ -4533,6 +4533,7 @@ interface(`files_search_tmp',`
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir search_dir_perms;
|
||||
|
|
@ -41,7 +41,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4487,6 +4488,7 @@ interface(`files_list_tmp',`
|
||||
@@ -4569,6 +4570,7 @@ interface(`files_list_tmp',`
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir list_dir_perms;
|
||||
|
|
@ -49,7 +49,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4523,6 +4525,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
@@ -4605,6 +4607,7 @@ interface(`files_delete_tmp_dir_entry',`
|
||||
')
|
||||
|
||||
allow $1 tmp_t:dir del_entry_dir_perms;
|
||||
|
|
@ -57,7 +57,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4541,6 +4544,7 @@ interface(`files_read_generic_tmp_files',`
|
||||
@@ -4623,6 +4626,7 @@ interface(`files_read_generic_tmp_files',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -65,7 +65,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4559,6 +4563,7 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
@@ -4641,6 +4645,7 @@ interface(`files_manage_generic_tmp_dirs',`
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -73,7 +73,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4577,6 +4582,7 @@ interface(`files_manage_generic_tmp_files',`
|
||||
@@ -4659,6 +4664,7 @@ interface(`files_manage_generic_tmp_files',`
|
||||
')
|
||||
|
||||
manage_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -81,7 +81,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4613,6 +4619,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
@@ -4695,6 +4701,7 @@ interface(`files_rw_generic_tmp_sockets',`
|
||||
')
|
||||
|
||||
rw_sock_files_pattern($1, tmp_t, tmp_t)
|
||||
|
|
@ -89,7 +89,7 @@ index 6a53f886b..ad19738b3 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -4820,6 +4827,7 @@ interface(`files_tmp_filetrans',`
|
||||
@@ -4902,6 +4909,7 @@ interface(`files_tmp_filetrans',`
|
||||
')
|
||||
|
||||
filetrans_pattern($1, tmp_t, $2, $3, $4)
|
||||
|
|
|
|||
|
|
@ -1,124 +0,0 @@
|
|||
From cc8505dc9613a98ee8215854ece31a4aca103e8d Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/kernel/terminal: add rules for bsdpty_device_t
|
||||
to complete pty devices
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/kernel/terminal.if | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 4bd4884f8..f70e51525 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',`
|
||||
interface(`term_dontaudit_getattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:chr_file getattr;
|
||||
+ dontaudit $1 bsdpty_device_t:chr_file getattr;
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
|
||||
interface(`term_ioctl_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir search;
|
||||
allow $1 devpts_t:chr_file ioctl;
|
||||
+ allow $1 bsdpty_device_t:chr_file ioctl;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',`
|
||||
interface(`term_setattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
allow $1 devpts_t:chr_file setattr;
|
||||
+ allow $1 bsdpty_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',`
|
||||
interface(`term_dontaudit_setattr_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:chr_file setattr;
|
||||
+ dontaudit $1 bsdpty_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
|
||||
interface(`term_use_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devpts_t:dir list_dir_perms;
|
||||
allow $1 devpts_t:chr_file { rw_term_perms lock append };
|
||||
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',`
|
||||
interface(`term_dontaudit_use_generic_ptys',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
|
||||
+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -764,10 +776,12 @@ interface(`term_create_controlling_term',`
|
||||
interface(`term_setattr_controlling_term',`
|
||||
gen_require(`
|
||||
type devtty_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devtty_t:chr_file setattr;
|
||||
+ allow $1 bsdpty_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -784,10 +798,12 @@ interface(`term_setattr_controlling_term',`
|
||||
interface(`term_use_controlling_term',`
|
||||
gen_require(`
|
||||
type devtty_t;
|
||||
+ type bsdpty_device_t;
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 devtty_t:chr_file { rw_term_perms lock append };
|
||||
+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
|
||||
')
|
||||
|
||||
#######################################
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
From 25036d5f5c41e4215d071d9c1eb77760a0eca87c Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
|
||||
|
||||
Fixes:
|
||||
avc: denied { getattr } for pid=322 comm="auditd"
|
||||
path="/sbin/audisp-remote" dev="vda" ino=1115
|
||||
scontext=system_u:system_r:auditd_t
|
||||
tcontext=system_u:object_r:audisp_remote_exec_t tclass=file permissive=0
|
||||
|
||||
avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
|
||||
ino=12552 scontext=system_u:system_r:auditd_t
|
||||
tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=183 comm="auditctl" name="/"
|
||||
dev="proc" ino=1 scontext=system_u:system_r:auditctl_t
|
||||
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 673046781..9b3254f63 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -117,6 +117,7 @@ files_read_etc_files(auditctl_t)
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
kernel_read_proc_symlinks(auditctl_t)
|
||||
kernel_setsched(auditctl_t)
|
||||
+kernel_getattr_proc(auditctl_t)
|
||||
|
||||
domain_read_all_domains_state(auditctl_t)
|
||||
domain_use_interactive_fds(auditctl_t)
|
||||
@@ -157,10 +158,13 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||
allow auditd_t auditd_etc_t:file read_file_perms;
|
||||
dontaudit auditd_t auditd_etc_t:file map;
|
||||
|
||||
+allow auditd_t audisp_remote_exec_t:file getattr;
|
||||
+
|
||||
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t auditd_log_t:dir setattr;
|
||||
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t var_log_t:dir search_dir_perms;
|
||||
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
||||
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
|
||||
@@ -284,6 +288,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
|
||||
allow audisp_remote_t self:process { getcap setcap };
|
||||
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
||||
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From a9aebca531f52818fe77b9b21f0cad425da78e43 Mon Sep 17 00:00:00 2001
|
||||
From 15773d54215587284f937b9a37b08c682949e7ab Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in
|
||||
|
|
@ -17,7 +17,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index f70e51525..8f9578dbc 100644
|
||||
index 55c18dffb..e8c0735eb 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -335,9 +335,12 @@ interface(`term_use_console',`
|
||||
|
|
|
|||
|
|
@ -0,0 +1,67 @@
|
|||
From 1126ee6883d7e107b103a18d255416d542ca50f2 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 24 Aug 2020 11:29:09 +0800
|
||||
Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
|
||||
confidentiality of class lockdown
|
||||
|
||||
The SELinux lockdown implementation was introduced since kernel 5.6 by
|
||||
commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
|
||||
and udev_t to access confidentiality of class lockdown to mount tracefs.
|
||||
|
||||
Fixes:
|
||||
kernel: Could not create tracefs 'iwlwifi_data/filter' entry
|
||||
kernel: Could not create tracefs 'enable' entry
|
||||
kernel: Could not create tracefs 'id' entry
|
||||
kernel: Could not create tracefs 'filter' entry
|
||||
kernel: Could not create tracefs 'trigger' entry
|
||||
kernel: Could not create tracefs 'format' entry
|
||||
|
||||
audit[170]: AVC avc: denied { confidentiality } for pid=170
|
||||
comm="modprobe" lockdown_reason="use of tracefs"
|
||||
scontext=system_u:system_r:kmod_t:s15:c0.c1023
|
||||
tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
|
||||
permissive=0
|
||||
|
||||
audit[190]: AVC avc: denied { confidentiality } for pid=190
|
||||
comm="systemd-udevd" lockdown_reason="use of tracefs"
|
||||
scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
|
||||
permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/modutils.te | 2 ++
|
||||
policy/modules/system/udev.te | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index ef5de835e..ee249ae04 100644
|
||||
--- a/policy/modules/system/modutils.te
|
||||
+++ b/policy/modules/system/modutils.te
|
||||
@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
|
||||
allow kmod_t self:udp_socket create_socket_perms;
|
||||
allow kmod_t self:rawip_socket create_socket_perms;
|
||||
|
||||
+allow kmod_t self:lockdown confidentiality;
|
||||
+
|
||||
# Read module config and dependency information
|
||||
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 4a2283b6c..daf64482f 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -61,6 +61,8 @@ allow udev_t self:rawip_socket create_socket_perms;
|
||||
# for systemd-udevd to rename interfaces
|
||||
allow udev_t self:netlink_route_socket nlmsg_write;
|
||||
|
||||
+allow udev_t self:lockdown confidentiality;
|
||||
+
|
||||
can_exec(udev_t, udev_exec_t)
|
||||
|
||||
allow udev_t udev_helper_exec_t:dir list_dir_perms;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,8 +1,8 @@
|
|||
From 4316f85adb1ab6e0278fb8e8ff68b358f36a933e Mon Sep 17 00:00:00 2001
|
||||
From 92571e7c066b3d91634a4c1f55542cb528f5bac4 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 08:19:16 +0800
|
||||
Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch /etc
|
||||
directory
|
||||
Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch
|
||||
/etc/avahi directory
|
||||
|
||||
Fixes:
|
||||
type=AVC msg=audit(1592813140.176:24): avc: denied { watch } for
|
||||
|
|
@ -18,7 +18,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
|
||||
index f77e5546d..5643349e3 100644
|
||||
index af838d8b0..674cdcb81 100644
|
||||
--- a/policy/modules/services/avahi.te
|
||||
+++ b/policy/modules/services/avahi.te
|
||||
@@ -76,6 +76,7 @@ domain_use_interactive_fds(avahi_t)
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 383a70a87049ef5065bba4c2c4d4bc3cff914358 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 08:39:44 +0800
|
||||
Subject: [PATCH] policy/modules/system/getty: allow getty_t watch
|
||||
getty_runtime_t file
|
||||
|
||||
Fixes:
|
||||
type=AVC msg=audit(1592813140.280:26): avc: denied { watch } for
|
||||
pid=385 comm="getty" path="/run/agetty.reload" dev="tmpfs" ino=12247
|
||||
scontext=system_u:system_r:getty_t
|
||||
tcontext=system_u:object_r:getty_runtime_t tclass=file permissive=1
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/getty.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index f5316c30a..39e27e5f1 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -47,6 +47,7 @@ allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_fil
|
||||
logging_log_filetrans(getty_t, getty_log_t, file)
|
||||
|
||||
allow getty_t getty_runtime_t:dir watch;
|
||||
+allow getty_t getty_runtime_t:file watch;
|
||||
manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)
|
||||
files_runtime_filetrans(getty_t, getty_runtime_t, file)
|
||||
|
||||
@@ -65,6 +66,7 @@ dev_read_sysfs(getty_t)
|
||||
files_read_etc_runtime_files(getty_t)
|
||||
files_read_etc_files(getty_t)
|
||||
files_search_spool(getty_t)
|
||||
+fs_search_tmpfs(getty_t)
|
||||
|
||||
fs_search_auto_mountpoints(getty_t)
|
||||
# for error condition handling
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
From dfc3e78dfee0709bcbfc2d1959e5b7c27922b1b7 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 08:54:20 +0800
|
||||
Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
|
||||
create and use bluetooth_socket
|
||||
|
||||
Fixes:
|
||||
type=AVC msg=audit(1592813138.485:17): avc: denied { create } for
|
||||
pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
type=AVC msg=audit(1592813138.485:18): avc: denied { bind } for
|
||||
pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
type=AVC msg=audit(1592813138.485:19): avc: denied { write } for
|
||||
pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
type=AVC msg=audit(1592813138.488:20): avc: denied { getattr } for
|
||||
pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
type=AVC msg=audit(1592813138.488:21): avc: denied { listen } for
|
||||
pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
type=AVC msg=audit(1592813138.498:22): avc: denied { read } for
|
||||
pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=1
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/bluetooth.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
|
||||
index 025eff444..63e50aeda 100644
|
||||
--- a/policy/modules/services/bluetooth.te
|
||||
+++ b/policy/modules/services/bluetooth.te
|
||||
@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket { accept connectto listen };
|
||||
allow bluetooth_t self:tcp_socket { accept listen };
|
||||
allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
|
||||
|
||||
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
|
||||
|
||||
@@ -127,6 +128,8 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||
|
||||
+init_dbus_send_script(bluetooth_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(bluetooth_t)
|
||||
dbus_connect_system_bus(bluetooth_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From f23178d9d89bf39895f75867c29bda4dfb27e786 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 08:39:44 +0800
|
||||
Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs"
|
||||
ino=1 scontext=system_u:system_r:getty_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/getty.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index 95b1ec632..0415e1ee7 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -66,6 +66,7 @@ dev_read_sysfs(getty_t)
|
||||
files_read_etc_runtime_files(getty_t)
|
||||
files_read_etc_files(getty_t)
|
||||
files_search_spool(getty_t)
|
||||
+fs_search_tmpfs(getty_t)
|
||||
|
||||
fs_search_auto_mountpoints(getty_t)
|
||||
# for error condition handling
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,88 @@
|
|||
From 21c60a1ed37aef0427dbd49f602896b09b875bca Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 08:54:20 +0800
|
||||
Subject: [PATCH] policy/modules/services/bluetooth: fix bluetoothd startup
|
||||
failures
|
||||
|
||||
* Allow bluetooth_t to create and use bluetooth_socket
|
||||
* Allow bluetooth_t to create alg_socket
|
||||
* Allow bluetooth_t to send and receive messages from systemd hostnamed
|
||||
over dbus
|
||||
|
||||
Fixes:
|
||||
avc: denied { create } for pid=324 comm="bluetoothd"
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { bind } for pid=324 comm="bluetoothd"
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { write } for pid=324 comm="bluetoothd"
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=324 comm="bluetoothd"
|
||||
path="socket:[11771]" dev="sockfs" ino=11771
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { listen } for pid=324 comm="bluetoothd"
|
||||
scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { read } for pid=324 comm="bluetoothd" path="socket:[11771]"
|
||||
dev="sockfs" ino=11771 scontext=system_u:system_r:bluetooth_t
|
||||
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { create } for pid=268 comm="bluetoothd"
|
||||
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { send_msg } for msgtype=method_call
|
||||
interface=org.freedesktop.DBus.Properties member=GetAll
|
||||
dest=org.freedesktop.hostname1 spid=266 tpid=312
|
||||
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
|
||||
tclass=dbus permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/bluetooth.te | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
|
||||
index 69a38543e..b3df695db 100644
|
||||
--- a/policy/modules/services/bluetooth.te
|
||||
+++ b/policy/modules/services/bluetooth.te
|
||||
@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket { accept connectto listen };
|
||||
allow bluetooth_t self:tcp_socket { accept listen };
|
||||
allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
|
||||
+allow bluetooth_t self:alg_socket create;
|
||||
|
||||
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
|
||||
|
||||
@@ -127,6 +129,9 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
||||
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||
|
||||
+init_dbus_send_script(bluetooth_t)
|
||||
+systemd_dbus_chat_hostnamed(bluetooth_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(bluetooth_t)
|
||||
dbus_connect_system_bus(bluetooth_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 354389c93e26bb8d8e8c1c126b01d838a6a214c8 Mon Sep 17 00:00:00 2001
|
||||
From e67fe4fa79d59be7bcefd256c1966ea8c034a3d9 Mon Sep 17 00:00:00 2001
|
||||
From: Roy Li <rongqing.li@windriver.com>
|
||||
Date: Sat, 15 Feb 2014 09:45:00 +0800
|
||||
Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo
|
||||
|
|
@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index f0370b426..fc0945fe4 100644
|
||||
index ddf973693..1642f3b93 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -962,6 +962,7 @@ optional_policy(`
|
||||
@@ -947,6 +947,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fbc8f3140bf6b519bad568fc1d840c9043fc13db Mon Sep 17 00:00:00 2001
|
||||
From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 14 May 2019 15:22:08 +0800
|
||||
Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search
|
||||
|
|
@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
|
||||
index 020dbc4ad..c06ff803f 100644
|
||||
index c3e37177b..87b6b4561 100644
|
||||
--- a/policy/modules/services/rpc.te
|
||||
+++ b/policy/modules/services/rpc.te
|
||||
@@ -142,7 +142,7 @@ optional_policy(`
|
||||
@@ -232,7 +232,7 @@ optional_policy(`
|
||||
# Local policy
|
||||
#
|
||||
|
||||
|
|
@ -1,9 +1,12 @@
|
|||
From dfe79338ee9915527afd9e0943ed84e0347c4d66 Mon Sep 17 00:00:00 2001
|
||||
From 40101e4da939fcea2eebe3e4800d0de4e551ca26 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 1 Jul 2020 08:44:07 +0800
|
||||
Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
|
||||
directory with label rpcbind_runtime_t
|
||||
|
||||
* Allow rpcbind_t to create directory with label rpcbind_runtime_t
|
||||
* Set context for nfsserver and nfscommon
|
||||
|
||||
Fixes:
|
||||
avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
|
||||
scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
|
||||
|
|
@ -13,11 +16,26 @@ Upstream-Status: Inappropriate [embedded specific]
|
|||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/rpc.fc | 2 ++
|
||||
policy/modules/services/rpcbind.te | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
|
||||
index 88d2acaf0..d9c0a4aa7 100644
|
||||
--- a/policy/modules/services/rpc.fc
|
||||
+++ b/policy/modules/services/rpc.fc
|
||||
@@ -1,7 +1,9 @@
|
||||
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
|
||||
|
||||
/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
|
||||
index 69ed49d8b..4f110773a 100644
|
||||
index 370c9bce6..8972980fa 100644
|
||||
--- a/policy/modules/services/rpcbind.te
|
||||
+++ b/policy/modules/services/rpcbind.te
|
||||
@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t)
|
||||
|
|
@ -1,23 +1,24 @@
|
|||
From 617b8b558674a77cd2b1eff9155f276985456684 Mon Sep 17 00:00:00 2001
|
||||
From 5dbfff582a9c7745f8517adefb27c5f90653f8fa Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Wed, 25 May 2016 03:16:24 -0400
|
||||
Subject: [PATCH] policy/modules/services/rngd: fix security context for
|
||||
rng-tools
|
||||
|
||||
* fix security context for /etc/init.d/rng-tools
|
||||
* allow rngd_t to search /run/systemd/journal
|
||||
* Fix security context for /etc/init.d/rng-tools
|
||||
* Allow rngd_t to read sysfs
|
||||
|
||||
Fixes:
|
||||
audit: type=1400 audit(1592874699.503:11): avc: denied { read } for
|
||||
pid=355 comm="rngd" name="cpu" dev="sysfs" ino=36
|
||||
scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t
|
||||
tclass=dir permissive=1
|
||||
audit: type=1400 audit(1592874699.505:12): avc: denied { getsched }
|
||||
for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
|
||||
tcontext=system_u:system_r:rngd_t tclass=process permissive=1
|
||||
audit: type=1400 audit(1592874699.508:13): avc: denied { setsched }
|
||||
for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
|
||||
tcontext=system_u:system_r:rngd_t tclass=process permissive=1
|
||||
avc: denied { read } for pid=355 comm="rngd" name="cpu" dev="sysfs"
|
||||
ino=36 scontext=system_u:system_r:rngd_t
|
||||
tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1
|
||||
|
||||
avc: denied { getsched } for pid=355 comm="rngd"
|
||||
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
|
||||
tclass=process permissive=1
|
||||
|
||||
avc: denied { setsched } for pid=355 comm="rngd"
|
||||
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
|
||||
tclass=process permissive=1
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
|
|
@ -39,7 +40,7 @@ index 382c067f9..0ecc5acc4 100644
|
|||
/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
|
||||
index 839813216..c4ffafb5d 100644
|
||||
index 4540e4ec7..48f08fb48 100644
|
||||
--- a/policy/modules/services/rngd.te
|
||||
+++ b/policy/modules/services/rngd.te
|
||||
@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 0e3199f243a47853452a877ebad5360bc8c1f2f1 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 21 Nov 2019 13:58:28 +0800
|
||||
Subject: [PATCH] policy/modules/system/authlogin: allow chkpwd_t to map
|
||||
shadow_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { map } for pid=244 comm="unix_chkpwd" path="/etc/shadow"
|
||||
dev="vda" ino=443 scontext=system_u:system_r:chkpwd_t
|
||||
tcontext=system_u:object_r:shadow_t tclass=file permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/authlogin.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 0fc5951e9..e999fa798 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -100,7 +100,7 @@ allow chkpwd_t self:capability { dac_override setuid };
|
||||
dontaudit chkpwd_t self:capability sys_tty_config;
|
||||
allow chkpwd_t self:process { getattr signal };
|
||||
|
||||
-allow chkpwd_t shadow_t:file read_file_perms;
|
||||
+allow chkpwd_t shadow_t:file { read_file_perms map };
|
||||
files_list_etc(chkpwd_t)
|
||||
|
||||
kernel_read_crypto_sysctls(chkpwd_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From be61411d6d7d3bb2c700ec24f42661ce9c728df4 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 29 Jan 2021 10:32:00 +0800
|
||||
Subject: [PATCH] policy/modules/services/ssh: allow ssh_keygen_t to read
|
||||
proc_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
|
||||
dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
|
||||
tcontext=system_u:object_r:proc_t tclass=file permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/ssh.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index 238c45ed8..2bbf50e84 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -330,6 +330,8 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
+allow ssh_keygen_t proc_t:file read_file_perms;
|
||||
+
|
||||
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
|
||||
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From bd03c34ab3c193d6c21a6c0b951e89dd4e24eee6 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 19 Jun 2020 15:21:26 +0800
|
||||
Subject: [PATCH] policy/modules/system/udev: allow udevadm_t to search bin dir
|
||||
|
||||
Fixes:
|
||||
audit: type=1400 audit(1592894099.930:6): avc: denied { search } for
|
||||
pid=153 comm="udevadm" name="bin" dev="vda" ino=13
|
||||
scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:bin_t
|
||||
tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/udev.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 52da11acd..3a4d7362c 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -415,6 +415,8 @@ dev_read_urand(udevadm_t)
|
||||
files_read_etc_files(udevadm_t)
|
||||
files_read_usr_files(udevadm_t)
|
||||
|
||||
+corecmd_search_bin(udevadm_t)
|
||||
+
|
||||
init_list_runtime(udevadm_t)
|
||||
init_read_state(udevadm_t)
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 878f3eb8e0716764ea4d42b996f58ea9072204fc Mon Sep 17 00:00:00 2001
|
||||
From 20e6395a7e8bce552fb0190dbc57d836d763fc18 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Sun, 28 Jun 2020 16:14:45 +0800
|
||||
Subject: [PATCH] policy/modules/services/ssh: make respective init scripts
|
||||
|
|
@ -14,7 +14,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index fefca0c20..db62eaa18 100644
|
||||
index 2bbf50e84..ad0a1b7ad 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t)
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 8b5eb5b2e01a7686c43ba7b53cc76f465f9e8f56 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 30 Jun 2020 09:27:45 +0800
|
||||
Subject: [PATCH] policy/modules/udev: do not audit udevadm_t to read/write
|
||||
/dev/console
|
||||
|
||||
Fixes:
|
||||
avc: denied { read write } for pid=162 comm="udevadm"
|
||||
path="/dev/console" dev="devtmpfs" ino=10034
|
||||
scontext=system_u:system_r:udevadm_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
|
||||
permissive=0
|
||||
avc: denied { use } for pid=162 comm="udevadm" path="/dev/console"
|
||||
dev="devtmpfs" ino=10034
|
||||
scontext=system_u:system_r:udevadm_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/udev.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index 3a4d7362c..e483d63d3 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -425,3 +425,5 @@ kernel_read_system_state(udevadm_t)
|
||||
|
||||
seutil_read_file_contexts(udevadm_t)
|
||||
|
||||
+init_dontaudit_use_fds(udevadm_t)
|
||||
+term_dontaudit_use_console(udevadm_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fb900b71d7e1fa5c3bd997e6deadcaae2b65b05a Mon Sep 17 00:00:00 2001
|
||||
From f0249cb5802af7f9113786940d0c49e786f774ae Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 29 Jun 2020 14:27:02 +0800
|
||||
Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty
|
||||
|
|
@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 8f9578dbc..3821ab9b0 100644
|
||||
index e8c0735eb..9ccecfa0d 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -119,9 +119,7 @@ interface(`term_user_tty',`
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 6bcf62e310931e8be943520a7e1a5686f54a8e34 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 15:44:43 +0800
|
||||
Subject: [PATCH] policy/modules/services/rdisc: allow rdisc_t to search sbin
|
||||
dir
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=225 comm="rdisc" name="sbin" dev="vda"
|
||||
ino=1478 scontext=system_u:system_r:rdisc_t
|
||||
tcontext=system_u:object_r:bin_t tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/rdisc.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
|
||||
index 82d54dbb7..1dd458f8e 100644
|
||||
--- a/policy/modules/services/rdisc.te
|
||||
+++ b/policy/modules/services/rdisc.te
|
||||
@@ -47,6 +47,8 @@ sysnet_read_config(rdisc_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
|
||||
|
||||
+corecmd_search_bin(rdisc_t)
|
||||
+
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(rdisc_t)
|
||||
')
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From b585008cec90386903e7613a4a22286c0a94be8c Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Tue, 24 Jan 2017 08:45:35 +0000
|
||||
Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
|
||||
|
||||
Fixes:
|
||||
avc: denied { getcap } for pid=849 comm="auditctl" \
|
||||
scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 \
|
||||
tcontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 \
|
||||
tclass=process
|
||||
|
||||
avc: denied { setattr } for pid=848 comm="auditd" \
|
||||
name="audit" dev="tmpfs" ino=9569 \
|
||||
scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
|
||||
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 \
|
||||
tclass=dir
|
||||
|
||||
avc: denied { search } for pid=731 comm="auditd" \
|
||||
name="/" dev="tmpfs" ino=9399 \
|
||||
scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 2d9f65d2d..95309f334 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -157,6 +157,7 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
|
||||
allow auditd_t auditd_etc_t:file read_file_perms;
|
||||
dontaudit auditd_t auditd_etc_t:file map;
|
||||
|
||||
+manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t auditd_log_t:dir setattr;
|
||||
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
@@ -177,6 +178,7 @@ dev_read_sysfs(auditd_t)
|
||||
fs_getattr_all_fs(auditd_t)
|
||||
fs_search_auto_mountpoints(auditd_t)
|
||||
fs_rw_anon_inodefs_files(auditd_t)
|
||||
+fs_search_tmpfs(auditd_t)
|
||||
|
||||
selinux_search_fs(auditctl_t)
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 2c8464254adf0b2635e5abf4ccc4473c96fa0006 Mon Sep 17 00:00:00 2001
|
||||
From 74f611538d63cdf4157e6b5f4b982cafe0378b9a Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 29 Jun 2020 14:30:58 +0800
|
||||
Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read
|
||||
|
|
@ -12,10 +12,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index fad28f179..09fef149b 100644
|
||||
index 8f8f42ec7..a505b3987 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -544,10 +544,8 @@ userdom_map_user_home_content_files(semanage_t)
|
||||
@@ -549,10 +549,8 @@ userdom_map_user_home_content_files(semanage_t)
|
||||
userdom_read_user_tmp_files(semanage_t)
|
||||
userdom_map_user_tmp_files(semanage_t)
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 9eee952a306000eaa5e92b578f3caa35b6a35699 Mon Sep 17 00:00:00 2001
|
||||
From c2a6ad9b4eee990b79175ec1866cfe20b7c61ef3 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 4 Feb 2016 06:03:19 -0500
|
||||
Subject: [PATCH] policy/modules/system/systemd: enable support for
|
||||
|
|
@ -36,10 +36,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 136990d08..c7fe51b62 100644
|
||||
index 2e08efd19..7da836136 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -10,7 +10,7 @@ policy_module(systemd, 1.9.14)
|
||||
@@ -10,7 +10,7 @@ policy_module(systemd, 1.11.1)
|
||||
## Enable support for systemd-tmpfiles to manage all non-security files.
|
||||
## </p>
|
||||
## </desc>
|
||||
|
|
@ -48,10 +48,10 @@ index 136990d08..c7fe51b62 100644
|
|||
|
||||
## <desc>
|
||||
## <p>
|
||||
@@ -1196,6 +1196,10 @@ files_relabel_var_lib_dirs(systemd_tmpfiles_t)
|
||||
files_relabelfrom_home(systemd_tmpfiles_t)
|
||||
@@ -1332,6 +1332,10 @@ files_relabelfrom_home(systemd_tmpfiles_t)
|
||||
files_relabelto_home(systemd_tmpfiles_t)
|
||||
files_relabelto_etc_dirs(systemd_tmpfiles_t)
|
||||
files_setattr_lock_dirs(systemd_tmpfiles_t)
|
||||
+
|
||||
+files_manage_non_auth_files(systemd_tmpfiles_t)
|
||||
+files_relabel_non_auth_files(systemd_tmpfiles_t)
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
From 8e762e1070e98a4235a70536ee6ca81725858a4b Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 25 Jan 2021 14:14:59 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
|
||||
failures
|
||||
|
||||
* Allow systemd_resolved_t to create socket file
|
||||
* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
|
||||
files
|
||||
* Allow systemd_resolved_t to send and recevie messages from dhcpc over
|
||||
dbus
|
||||
|
||||
Fixes:
|
||||
avc: denied { create } for pid=258 comm="systemd-resolve"
|
||||
name="io.systemd.Resolve"
|
||||
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:systemd_resolved_runtime_t:s0
|
||||
tclass=sock_file permissive=0
|
||||
|
||||
avc: denied { create } for pid=329 comm="systemd-resolve"
|
||||
name=".#stub-resolv.conf53cb7f9d1e3aa72b"
|
||||
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
|
||||
permissive=0
|
||||
|
||||
avc: denied { send_msg } for msgtype=method_call
|
||||
interface=org.freedesktop.resolve1.Manager member=RevertLink
|
||||
dest=org.freedesktop.resolve1 spid=340 tpid=345
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tclass=dbus permissive=0
|
||||
|
||||
avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345
|
||||
tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
|
||||
permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 7da836136..0411729ea 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1164,6 +1164,8 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
|
||||
|
||||
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
||||
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
||||
+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
||||
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
|
||||
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
|
||||
|
||||
dev_read_sysfs(systemd_resolved_t)
|
||||
@@ -1194,6 +1196,8 @@ seutil_read_file_contexts(systemd_resolved_t)
|
||||
systemd_log_parse_environment(systemd_resolved_t)
|
||||
systemd_read_networkd_runtime(systemd_resolved_t)
|
||||
|
||||
+sysnet_dbus_chat_dhcpc(systemd_resolved_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_connect_system_bus(systemd_resolved_t)
|
||||
dbus_system_bus_client(systemd_resolved_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 3 Feb 2021 09:47:59 +0800
|
||||
Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon
|
||||
for init_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { bpf } for pid=1 comm="systemd" capability=39
|
||||
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
|
||||
tclass=capability2 permissive=0
|
||||
avc: denied { perfmon } for pid=1 comm="systemd" capability=38
|
||||
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
|
||||
tclass=capability2 permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/init.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index e82177938..b7d494398 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -134,7 +134,7 @@ ifdef(`enable_mls',`
|
||||
|
||||
# Use capabilities. old rule:
|
||||
allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
|
||||
-allow init_t self:capability2 { wake_alarm block_suspend };
|
||||
+allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon };
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From a3e4135c543be8d3a054e6f74629240370d111ed Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 27 May 2019 15:55:19 +0800
|
||||
Subject: [PATCH] policy/modules/system/sysnetwork: allow ifconfig_t to read
|
||||
dhcp client state files
|
||||
|
||||
Fixes:
|
||||
type=AVC msg=audit(1558942740.789:50): avc: denied { read } for
|
||||
pid=221 comm="ip" path="/var/lib/dhcp/dhclient.leases" dev="vda"
|
||||
ino=29858 scontext=system_u:system_r:ifconfig_t
|
||||
tcontext=system_u:object_r:dhcpc_state_t tclass=file permissive=1
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/sysnetwork.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index bbdbcdc7e..a77738924 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -319,6 +319,8 @@ kernel_request_load_module(ifconfig_t)
|
||||
kernel_search_network_sysctl(ifconfig_t)
|
||||
kernel_rw_net_sysctls(ifconfig_t)
|
||||
|
||||
+sysnet_read_dhcpc_state(ifconfig_t)
|
||||
+
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
dev_read_sysfs(ifconfig_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 5db5b20728dff6c5e75dc07ea4feb6c507661b62 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 8 Jul 2020 13:53:28 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to
|
||||
watch initrc_runtime_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { watch } for pid=200 comm="systemd-logind"
|
||||
path="/run/utmp" dev="tmpfs" ino=12766
|
||||
scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
|
||||
|
||||
systemd-logind[200]: Failed to create inotify watch on /var/run/utmp, ignoring: Permission denied
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 0411729ea..2d9d7d331 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -651,6 +651,8 @@ init_stop_all_units(systemd_logind_t)
|
||||
init_start_system(systemd_logind_t)
|
||||
init_stop_system(systemd_logind_t)
|
||||
|
||||
+allow systemd_logind_t initrc_runtime_t:file watch;
|
||||
+
|
||||
locallogin_read_state(systemd_logind_t)
|
||||
|
||||
seutil_libselinux_linked(systemd_logind_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
From f23bb02c92bcbf7afa0c6b445719df6b06df15ea Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 6 Jul 2020 09:06:08 +0800
|
||||
Subject: [PATCH] policy/modules/services/ntp: allow ntpd_t to watch system bus
|
||||
runtime directories and named sockets
|
||||
|
||||
Fixes:
|
||||
avc: denied { read } for pid=197 comm="systemd-timesyn" name="dbus"
|
||||
dev="tmpfs" ino=14064 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
|
||||
permissive=0
|
||||
|
||||
avc: denied { watch } for pid=197 comm="systemd-timesyn"
|
||||
path="/run/dbus" dev="tmpfs" ino=14064
|
||||
scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
|
||||
permissive=0
|
||||
|
||||
avc: denied { read } for pid=197 comm="systemd-timesyn"
|
||||
name="system_bus_socket" dev="tmpfs" ino=14067
|
||||
scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file
|
||||
permissive=0
|
||||
|
||||
avc: denied { watch } for pid=197 comm="systemd-timesyn"
|
||||
path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14067
|
||||
scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file
|
||||
permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/ntp.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
|
||||
index 81f8c76bb..75603e16b 100644
|
||||
--- a/policy/modules/services/ntp.te
|
||||
+++ b/policy/modules/services/ntp.te
|
||||
@@ -141,6 +141,10 @@ userdom_list_user_home_dirs(ntpd_t)
|
||||
ifdef(`init_systemd',`
|
||||
allow ntpd_t ntpd_unit_t:file read_file_perms;
|
||||
|
||||
+ dbus_watch_system_bus_runtime_dirs(ntpd_t)
|
||||
+ allow ntpd_t system_dbusd_runtime_t:dir read;
|
||||
+ dbus_watch_system_bus_runtime_named_sockets(ntpd_t)
|
||||
+ allow ntpd_t system_dbusd_runtime_t:sock_file read;
|
||||
dbus_system_bus_client(ntpd_t)
|
||||
dbus_connect_system_bus(ntpd_t)
|
||||
init_dbus_chat(ntpd_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,86 @@
|
|||
From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 14 May 2019 16:02:19 +0800
|
||||
Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
|
||||
/dev/log
|
||||
|
||||
* Set labe devlog_t to symlink /dev/log
|
||||
* Allow syslogd_t to manage devlog_t link file
|
||||
|
||||
Fixes:
|
||||
avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
|
||||
dev="devtmpfs" ino=10997
|
||||
scontext=system_u:system_r:syslogd_t:s15:c0.c1023
|
||||
tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/logging.fc | 2 ++
|
||||
policy/modules/system/logging.if | 4 ++++
|
||||
policy/modules/system/logging.te | 1 +
|
||||
3 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index a4ecd570a..02f0b6270 100644
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -1,4 +1,5 @@
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
@@ -24,6 +25,7 @@
|
||||
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
|
||||
index 9bb3afdb2..7233a108c 100644
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
|
||||
')
|
||||
|
||||
allow $1 devlog_t:sock_file write_sock_file_perms;
|
||||
+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
# systemd journal socket is in /run/systemd/journal/dev-log
|
||||
init_search_run($1)
|
||||
@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
|
||||
')
|
||||
|
||||
allow $1 devlog_t:sock_file relabelto_sock_file_perms;
|
||||
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
|
||||
|
||||
allow $1 devlog_t:sock_file manage_sock_file_perms;
|
||||
dev_filetrans($1, devlog_t, sock_file)
|
||||
+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
|
||||
+ dev_filetrans($1, devlog_t, lnk_file)
|
||||
init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 9b3254f63..d864cfd3d 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
|
||||
files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,189 @@
|
|||
From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 4 Feb 2021 10:48:54 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: support systemd --user
|
||||
|
||||
Fixes:
|
||||
$ systemctl status user@0.service
|
||||
* user@0.service - User Manager for UID 0
|
||||
Loaded: loaded (/lib/systemd/system/user@.service; static)
|
||||
Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
|
||||
Docs: man:user@.service(5)
|
||||
Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
|
||||
Main PID: 1502 (code=exited, status=1/FAILURE)
|
||||
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
|
||||
Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/roles/sysadm.te | 2 +
|
||||
policy/modules/system/init.if | 1 +
|
||||
policy/modules/system/logging.te | 5 ++-
|
||||
policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
|
||||
4 files changed, 81 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 1642f3b93..1de7e441d 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
|
||||
# Allow sysadm to resolve the username of dynamic users by calling
|
||||
# LookupDynamicUserByUID on org.freedesktop.systemd1.
|
||||
init_dbus_chat(sysadm_t)
|
||||
+
|
||||
+ systemd_sysadm_user(sysadm_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ptrace',`
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index ba533ba1a..98e94283f 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
|
||||
')
|
||||
|
||||
allow $1 init_t:unix_stream_socket connectto;
|
||||
+ allow $1 initrc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index d864cfd3d..bdd97631c 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
|
||||
# for systemd-journal
|
||||
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
||||
allow syslogd_t self:capability2 audit_read;
|
||||
- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
||||
+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
|
||||
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
|
||||
|
||||
# remove /run/log/journal when switching to permanent storage
|
||||
@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
|
||||
systemd_manage_journal_files(syslogd_t)
|
||||
|
||||
udev_read_runtime_files(syslogd_t)
|
||||
+
|
||||
+ userdom_search_user_runtime(syslogd_t)
|
||||
+ systemd_search_user_runtime(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||
index 6a66a2d79..152139261 100644
|
||||
--- a/policy/modules/system/systemd.if
|
||||
+++ b/policy/modules/system/systemd.if
|
||||
@@ -30,6 +30,7 @@ template(`systemd_role_template',`
|
||||
attribute systemd_user_session_type, systemd_log_parse_env_type;
|
||||
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
|
||||
type systemd_run_exec_t, systemd_analyze_exec_t;
|
||||
+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
|
||||
')
|
||||
|
||||
#################################
|
||||
@@ -55,10 +56,42 @@ template(`systemd_role_template',`
|
||||
|
||||
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
|
||||
+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
|
||||
+ allow $1_systemd_t self:process setrlimit;
|
||||
+
|
||||
+ kernel_getattr_proc($1_systemd_t)
|
||||
+ fs_watch_cgroup_files($1_systemd_t)
|
||||
+ files_watch_etc_dirs($1_systemd_t)
|
||||
+
|
||||
+ userdom_search_user_home_dirs($1_systemd_t)
|
||||
+ allow $1_systemd_t $3:dir search_dir_perms;
|
||||
+ allow $1_systemd_t $3:file read_file_perms;
|
||||
+
|
||||
+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
|
||||
+
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
+
|
||||
# This domain is per-role because of the below transitions.
|
||||
# See the systemd --user section of systemd.te for the
|
||||
# remainder of the rules.
|
||||
- allow $1_systemd_t $3:process { setsched rlimitinh };
|
||||
+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
|
||||
corecmd_shell_domtrans($1_systemd_t, $3)
|
||||
corecmd_bin_domtrans($1_systemd_t, $3)
|
||||
allow $1_systemd_t self:process signal;
|
||||
@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
|
||||
init_search_runtime($1)
|
||||
allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
|
||||
allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
|
||||
+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
|
||||
init_unix_stream_socket_connectto($1)
|
||||
')
|
||||
|
||||
@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
|
||||
allow $1 systemd_machined_t:fd use;
|
||||
allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
|
||||
')
|
||||
+
|
||||
+#########################################
|
||||
+## <summary>
|
||||
+## sysadm user for systemd --user
|
||||
+## </summary>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## Role allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_sysadm_user',`
|
||||
+ gen_require(`
|
||||
+ type sysadm_systemd_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow sysadm_systemd_t self:capability { mknod sys_admin };
|
||||
+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
|
||||
+ allow $1 sysadm_systemd_t:system reload;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Search systemd users runtime directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`systemd_search_user_runtime',`
|
||||
+ gen_require(`
|
||||
+ type systemd_user_runtime_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
|
||||
+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
|
||||
+')
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
From e10a4ea43bb756bdecc30a3c14f0d2fe980405bd Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 4 Feb 2016 02:10:15 -0500
|
||||
Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
|
||||
failures
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=233 comm="systemd-journal" name="/"
|
||||
dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
|
||||
|
||||
avc: denied { nlmsg_write } for pid=110 comm="systemd-journal"
|
||||
scontext=system_u:system_r:syslogd_t
|
||||
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
|
||||
permissive=0
|
||||
|
||||
avc: denied { audit_control } for pid=109 comm="systemd-journal"
|
||||
capability=30 scontext=system_u:system_r:syslogd_t
|
||||
tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/logging.fc | 1 +
|
||||
policy/modules/system/logging.te | 5 ++++-
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
|
||||
index a4ecd570a..dee26a9f4 100644
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -24,6 +24,7 @@
|
||||
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
|
||||
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
|
||||
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 95309f334..1d45a5fa9 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -438,6 +438,7 @@ allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
|
||||
allow syslogd_t syslogd_runtime_t:file map;
|
||||
manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
|
||||
files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
|
||||
+fs_search_tmpfs(syslogd_t)
|
||||
|
||||
kernel_read_crypto_sysctls(syslogd_t)
|
||||
kernel_read_system_state(syslogd_t)
|
||||
@@ -517,6 +518,8 @@ init_use_fds(syslogd_t)
|
||||
# cjp: this doesnt make sense
|
||||
logging_send_syslog_msg(syslogd_t)
|
||||
|
||||
+logging_set_loginuid(syslogd_t)
|
||||
+
|
||||
miscfiles_read_localization(syslogd_t)
|
||||
|
||||
seutil_read_config(syslogd_t)
|
||||
@@ -529,7 +532,7 @@ ifdef(`init_systemd',`
|
||||
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
||||
allow syslogd_t self:capability2 audit_read;
|
||||
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
||||
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
|
||||
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
|
||||
|
||||
# remove /run/log/journal when switching to permanent storage
|
||||
allow syslogd_t var_log_t:dir rmdir;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
From 954a49ec0a4dc64fd9e513abe7a737d956b337ca Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 9 Feb 2021 17:50:24 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: allow systemd-generators to
|
||||
get the attributes of tmpfs and cgroup
|
||||
|
||||
* Allow systemd-generators to get the attributes of a tmpfs
|
||||
* Allow systemd-generators to get the attributes of cgroup filesystems
|
||||
|
||||
Fixes:
|
||||
systemd[95]: /lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1.
|
||||
|
||||
avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
|
||||
dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=98 comm="systemd-getty-g" name="/"
|
||||
dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=104 comm="systemd-sysv-ge" name="/"
|
||||
dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=97 comm="systemd-fstab-g" name="/"
|
||||
dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/"
|
||||
dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=100 comm="systemd-hiberna" name="/"
|
||||
dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=99 comm="systemd-gpt-aut" name="/"
|
||||
dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=97 comm="systemd-fstab-g"
|
||||
path="/var/volatile" dev="vda" ino=37131
|
||||
scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 2d9d7d331..c1111198d 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -431,6 +431,9 @@ files_list_usr(systemd_generator_t)
|
||||
|
||||
fs_list_efivars(systemd_generator_t)
|
||||
fs_getattr_xattr_fs(systemd_generator_t)
|
||||
+fs_getattr_tmpfs(systemd_generator_t)
|
||||
+fs_getattr_cgroup(systemd_generator_t)
|
||||
+kernel_getattr_unlabeled_dirs(systemd_generator_t)
|
||||
|
||||
init_create_runtime_files(systemd_generator_t)
|
||||
init_manage_runtime_dirs(systemd_generator_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 8b0bb1e349e2ea021acec1639be0802ac4d7d0c2 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 4 Feb 2021 15:13:50 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: allow systemd_backlight_t to
|
||||
read kernel sysctl
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=354 comm="systemd-backlig" name="sys"
|
||||
dev="proc" ino=4026531854
|
||||
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index c1111198d..7d2ba2796 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -324,6 +324,8 @@ udev_read_runtime_files(systemd_backlight_t)
|
||||
|
||||
files_search_var_lib(systemd_backlight_t)
|
||||
|
||||
+kernel_read_kernel_sysctls(systemd_backlight_t)
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# Binfmt local policy
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
From 5973dc3824b395ce9f6620e3ae432664cc357b66 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 4 Feb 2016 02:10:15 -0500
|
||||
Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
|
||||
failures
|
||||
|
||||
Fixes:
|
||||
avc: denied { audit_control } for pid=109 comm="systemd-journal"
|
||||
capability=30 scontext=system_u:system_r:syslogd_t
|
||||
tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
|
||||
|
||||
avc: denied { search } for pid=233 comm="systemd-journal" name="/"
|
||||
dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
|
||||
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/logging.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index bdd97631c..62caa7a56 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -492,6 +492,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
+fs_search_tmpfs(syslogd_t)
|
||||
|
||||
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
||||
|
||||
@@ -552,6 +553,8 @@ ifdef(`init_systemd',`
|
||||
# needed for systemd-initrd case when syslog socket is unlabelled
|
||||
logging_send_syslog_msg(syslogd_t)
|
||||
|
||||
+ logging_set_loginuid(syslogd_t)
|
||||
+
|
||||
systemd_manage_journal_files(syslogd_t)
|
||||
|
||||
udev_read_runtime_files(syslogd_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From 4782b27839064438f103b77c31e5db75189025a8 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 18 Jun 2020 16:14:45 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: add capability mknod for
|
||||
systemd_user_runtime_dir_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { mknod } for pid=266 comm="systemd-user-ru" capability=27
|
||||
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:systemd_user_runtime_dir_t:s0-s15:c0.c1023
|
||||
tclass=capability permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index c7fe51b62..f82031a09 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1372,7 +1372,7 @@ seutil_libselinux_linked(systemd_user_session_type)
|
||||
# systemd-user-runtime-dir local policy
|
||||
#
|
||||
|
||||
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
|
||||
+allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override mknod };
|
||||
allow systemd_user_runtime_dir_t self:process setfscreate;
|
||||
|
||||
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From e8ff96c9bb98305d1b50fccce67025df3ebbf184 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 23 May 2019 15:52:17 +0800
|
||||
Subject: [PATCH] policy/modules/services/cron: allow crond_t to search
|
||||
logwatch_cache_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=234 comm="crond" name="logcheck"
|
||||
dev="vda" ino=29080 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/cron.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
|
||||
index 2902820b0..36eb33060 100644
|
||||
--- a/policy/modules/services/cron.te
|
||||
+++ b/policy/modules/services/cron.te
|
||||
@@ -318,6 +318,8 @@ miscfiles_read_localization(crond_t)
|
||||
|
||||
userdom_list_user_home_dirs(crond_t)
|
||||
|
||||
+logwatch_search_cache_dir(crond_t)
|
||||
+
|
||||
tunable_policy(`cron_userdomain_transition',`
|
||||
dontaudit crond_t cronjob_t:process transition;
|
||||
dontaudit crond_t cronjob_t:fd use;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From 0607a935759fe3143f473d4a444f92e01aaa2a45 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 23 Jun 2020 14:52:43 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator: do
|
||||
not audit attempts to read or write unallocated ttys
|
||||
|
||||
Fixes:
|
||||
avc: denied { read write } for pid=87 comm="systemd-getty-g"
|
||||
name="ttyS0" dev="devtmpfs" ino=10128
|
||||
scontext=system_u:system_r:systemd_generator_t
|
||||
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index f82031a09..fb8d4960f 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -400,6 +400,8 @@ storage_raw_read_fixed_disk(systemd_generator_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_generator_t)
|
||||
|
||||
+term_dontaudit_use_unallocated_ttys(systemd_generator_t)
|
||||
+
|
||||
optional_policy(`
|
||||
fstools_exec(systemd_generator_t)
|
||||
')
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 1571e6da8a90bb325a94330dcd130d56bae30b37 Mon Sep 17 00:00:00 2001
|
||||
From: Roy Li <rongqing.li@windriver.com>
|
||||
Date: Thu, 20 Feb 2014 17:07:05 +0800
|
||||
Subject: [PATCH] policy/modules/services/crontab: allow sysadm_r to run
|
||||
crontab
|
||||
|
||||
This permission has been given if release is not redhat; but we want it
|
||||
even we define distro_redhat
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/roles/sysadm.te | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 1de7e441d..129e94229 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -1277,6 +1277,10 @@ optional_policy(`
|
||||
zebra_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ cron_admin_role(sysadm_r, sysadm_t)
|
||||
+')
|
||||
+
|
||||
ifndef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
auth_role(sysadm_r, sysadm_t)
|
||||
@@ -1295,10 +1299,6 @@ ifndef(`distro_redhat',`
|
||||
chromium_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
|
||||
- optional_policy(`
|
||||
- cron_admin_role(sysadm_r, sysadm_t)
|
||||
- ')
|
||||
-
|
||||
optional_policy(`
|
||||
cryfs_role(sysadm_r, sysadm_t)
|
||||
')
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,120 @@
|
|||
From ab462f0022c35fde984dbe792ce386f5d507aeeb Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 24 Sep 2020 14:05:52 +0800
|
||||
Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
|
||||
separation for dhcpcd
|
||||
|
||||
Fixes:
|
||||
|
||||
avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
|
||||
permissive=0
|
||||
|
||||
avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
|
||||
permissive=0
|
||||
|
||||
avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
|
||||
permissive=0
|
||||
|
||||
avc: denied { setrlimit } for pid=332 comm="dhcpcd"
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
|
||||
permissive=0
|
||||
|
||||
avc: denied { create } for pid=330 comm="dhcpcd"
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tclass=netlink_kobject_uevent_socket permissive=0
|
||||
|
||||
avc: denied { setopt } for pid=330 comm="dhcpcd"
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tclass=netlink_kobject_uevent_socket permissive=0
|
||||
|
||||
avc: denied { bind } for pid=330 comm="dhcpcd"
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tclass=netlink_kobject_uevent_socket permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=330 comm="dhcpcd"
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tclass=netlink_kobject_uevent_socket permissive=0
|
||||
|
||||
avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
|
||||
ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
|
||||
|
||||
avc: denied { open } for pid=330 comm="dhcpcd"
|
||||
path="/run/udev/data/n1" dev="tmpfs" ino=15616
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=330 comm="dhcpcd"
|
||||
path="/run/udev/data/n1" dev="tmpfs" ino=15616
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
|
||||
|
||||
avc: denied { connectto } for pid=1600 comm="dhcpcd"
|
||||
path="/run/dhcpcd/unpriv.sock"
|
||||
scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tclass=unix_stream_socket permissive=0
|
||||
|
||||
avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
|
||||
permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=300 comm="dhcpcd"
|
||||
path="net:[4026532008]" dev="nsfs" ino=4026532008
|
||||
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/sysnetwork.te | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index cb1434180..a9297f976 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -72,6 +72,11 @@ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow dhcpc_t self:rawip_socket create_socket_perms;
|
||||
allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
|
||||
+allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
|
||||
+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
+allow dhcpc_t self:process setrlimit;
|
||||
+allow dhcpc_t self:unix_stream_socket connectto;
|
||||
+
|
||||
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
|
||||
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
|
||||
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
|
||||
@@ -145,6 +150,7 @@ files_manage_var_files(dhcpc_t)
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
fs_search_auto_mountpoints(dhcpc_t)
|
||||
fs_search_cgroup_dirs(dhcpc_t)
|
||||
+fs_read_nsfs_files(dhcpc_t)
|
||||
|
||||
term_dontaudit_use_all_ttys(dhcpc_t)
|
||||
term_dontaudit_use_all_ptys(dhcpc_t)
|
||||
@@ -180,6 +186,7 @@ ifdef(`init_systemd',`
|
||||
init_stream_connect(dhcpc_t)
|
||||
init_get_all_units_status(dhcpc_t)
|
||||
init_search_units(dhcpc_t)
|
||||
+ udev_read_runtime_files(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 7418cd97f2c92579bd4d18cbd9063f811ff9a81e Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 9 Feb 2021 16:42:36 +0800
|
||||
Subject: [PATCH] policy/modules/services/acpi: allow acpid to watch the
|
||||
directories in /dev
|
||||
|
||||
Fixes:
|
||||
acpid: inotify_add_watch() failed: Permission denied (13)
|
||||
|
||||
avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
|
||||
dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/acpi.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
|
||||
index 69f1dab4a..5c22adecd 100644
|
||||
--- a/policy/modules/services/acpi.te
|
||||
+++ b/policy/modules/services/acpi.te
|
||||
@@ -105,6 +105,7 @@ dev_rw_acpi_bios(acpid_t)
|
||||
dev_rw_sysfs(acpid_t)
|
||||
dev_dontaudit_getattr_all_chr_files(acpid_t)
|
||||
dev_dontaudit_getattr_all_blk_files(acpid_t)
|
||||
+dev_watch_dev_dirs(acpid_t)
|
||||
|
||||
files_exec_etc_files(acpid_t)
|
||||
files_read_etc_runtime_files(acpid_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fc77db62ce54a33ee04bfc3e4c68b9cbed7251c6 Mon Sep 17 00:00:00 2001
|
||||
From 84c69d220ffdd039b88a34f9afc127274a985541 Mon Sep 17 00:00:00 2001
|
||||
From: Roy Li <rongqing.li@windriver.com>
|
||||
Date: Sat, 22 Feb 2014 13:35:38 +0800
|
||||
Subject: [PATCH] policy/modules/system/setrans: allow setrans to access
|
||||
|
|
@ -14,18 +14,16 @@ scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
|
|||
tcontext=system_u:system_r:setrans_t:s15:c0.c1023
|
||||
tclass=unix_stream_socket
|
||||
|
||||
3. allow setrans_t use fd at any level
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/setrans.te | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
policy/modules/system/setrans.te | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
|
||||
index 5f020ef78..7f618f212 100644
|
||||
index 25aadfc5f..78bd6e2eb 100644
|
||||
--- a/policy/modules/system/setrans.te
|
||||
+++ b/policy/modules/system/setrans.te
|
||||
@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t)
|
||||
|
|
@ -39,15 +37,6 @@ index 5f020ef78..7f618f212 100644
|
|||
|
||||
ifdef(`enable_mcs',`
|
||||
init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
|
||||
@@ -73,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
|
||||
mls_socket_write_all_levels(setrans_t)
|
||||
mls_process_read_all_levels(setrans_t)
|
||||
mls_socket_read_all_levels(setrans_t)
|
||||
+mls_fd_use_all_levels(setrans_t)
|
||||
+mls_trusted_object(setrans_t)
|
||||
|
||||
selinux_compute_access_vector(setrans_t)
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 7002b4e33b949b474a0ce0b78a7f2e180dbbc9bb Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 9 Feb 2021 17:31:55 +0800
|
||||
Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys
|
||||
|
||||
Fixes:
|
||||
kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
|
||||
|
||||
avc: denied { write } for pid=219 comm="modprobe"
|
||||
scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
|
||||
tclass=key permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/modutils.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index ee249ae04..b8769bc02 100644
|
||||
--- a/policy/modules/system/modutils.te
|
||||
+++ b/policy/modules/system/modutils.te
|
||||
@@ -43,6 +43,8 @@ allow kmod_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow kmod_t self:lockdown confidentiality;
|
||||
|
||||
+allow kmod_t self:key write;
|
||||
+
|
||||
# Read module config and dependency information
|
||||
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 7fd830d6b2c60dcf5b8ee0b2ff94436de63d5b8c Mon Sep 17 00:00:00 2001
|
||||
From 291d3329c280b6b8b70fcc3092ac4d3399936825 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Mon, 29 Jun 2020 10:32:25 +0800
|
||||
Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
|
||||
|
|
@ -11,21 +11,18 @@ Upstream-Status: Inappropriate [embedded specific]
|
|||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/roles/sysadm.te | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
policy/modules/roles/sysadm.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index fc0945fe4..07b9faf30 100644
|
||||
index 129e94229..a4abaefe4 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -83,6 +83,12 @@ ifdef(`init_systemd',`
|
||||
# Allow sysadm to resolve the username of dynamic users by calling
|
||||
# LookupDynamicUserByUID on org.freedesktop.systemd1.
|
||||
@@ -83,6 +83,9 @@ ifdef(`init_systemd',`
|
||||
init_dbus_chat(sysadm_t)
|
||||
|
||||
systemd_sysadm_user(sysadm_t)
|
||||
+
|
||||
+ fs_watch_cgroup_files(sysadm_t)
|
||||
+ files_watch_etc_symlinks(sysadm_t)
|
||||
+ mount_watch_runtime_dirs(sysadm_t)
|
||||
+ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
|
||||
+ allow sysadm_t systemd_passwd_runtime_t:dir watch;
|
||||
')
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
From bc821718f7e9575a67c4667decad937cbe5f8514 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 2 Mar 2021 14:25:03 +0800
|
||||
Subject: [PATCH] policy/modules/system/selinux: allow setfiles_t to read
|
||||
kernel sysctl
|
||||
|
||||
Fixes:
|
||||
avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
|
||||
dev="proc" ino=1241
|
||||
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
|
||||
|
||||
avc: denied { open } for pid=171 comm="restorecon"
|
||||
path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
|
||||
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
|
||||
|
||||
avc: denied { getattr } for pid=171 comm="restorecon" name="/"
|
||||
dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/selinuxutil.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index a505b3987..a26f8db03 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -597,6 +597,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
|
||||
kernel_dontaudit_list_all_proc(setfiles_t)
|
||||
kernel_dontaudit_list_all_sysctls(setfiles_t)
|
||||
kernel_getattr_debugfs(setfiles_t)
|
||||
+kernel_read_kernel_sysctls(setfiles_t)
|
||||
+kernel_getattr_proc(setfiles_t)
|
||||
|
||||
dev_read_urand(setfiles_t)
|
||||
dev_relabel_all_dev_nodes(setfiles_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 7789f70ee3506f11b6bc1954469915214bcb9c58 Mon Sep 17 00:00:00 2001
|
||||
From 0d69354886e0b635dd069876b9d53890a5a9cab1 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Sat, 15 Feb 2014 04:22:47 -0500
|
||||
Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
|
||||
|
|
@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
|
||||
index 282eb3ada..5bb4fe631 100644
|
||||
index b628c3b2f..f55457bb0 100644
|
||||
--- a/policy/modules/system/mount.te
|
||||
+++ b/policy/modules/system/mount.te
|
||||
@@ -116,6 +116,8 @@ fs_dontaudit_write_tmpfs_dirs(mount_t)
|
||||
@@ -116,6 +116,8 @@ fs_dontaudit_write_all_image_files(mount_t)
|
||||
mls_file_read_all_levels(mount_t)
|
||||
mls_file_write_all_levels(mount_t)
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 0404c4ad3f92408edcdbf46ac0665bf09d4b2516 Mon Sep 17 00:00:00 2001
|
||||
From b83147aa97fe6f51c997256539dff827e3a44edc Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Mon, 28 Jan 2019 14:05:18 +0800
|
||||
Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance
|
||||
|
|
@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
|
||||
index 07b9faf30..ac5239d83 100644
|
||||
index a4abaefe4..aaae73fc3 100644
|
||||
--- a/policy/modules/roles/sysadm.te
|
||||
+++ b/policy/modules/roles/sysadm.te
|
||||
@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t)
|
||||
|
|
@ -1,8 +1,8 @@
|
|||
From fbf98576f32e33e55f3babeb9db255a459fad711 Mon Sep 17 00:00:00 2001
|
||||
From 7b8290ba52052f90b6221c1b3ccb8f7536f4c41e Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Fri, 23 Aug 2013 12:01:53 +0800
|
||||
Subject: [PATCH] policy/modules/services/rpc: fix policy for nfsserver to
|
||||
mount nfsd_fs_t
|
||||
Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted
|
||||
for reading from files up to its clearance
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
|
|
@ -11,13 +11,12 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/kernel/kernel.te | 2 ++
|
||||
policy/modules/services/rpc.fc | 2 ++
|
||||
policy/modules/services/rpc.te | 2 ++
|
||||
policy/modules/services/rpcbind.te | 6 ++++++
|
||||
4 files changed, 12 insertions(+)
|
||||
3 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index c8218bf8c..44c031a39 100644
|
||||
index 5ce6e041b..c1557ddb2 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t)
|
||||
|
|
@ -29,25 +28,11 @@ index c8218bf8c..44c031a39 100644
|
|||
|
||||
ifdef(`distro_redhat',`
|
||||
# Bugzilla 222337
|
||||
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
|
||||
index 6d3c9b68b..75999a57c 100644
|
||||
--- a/policy/modules/services/rpc.fc
|
||||
+++ b/policy/modules/services/rpc.fc
|
||||
@@ -1,7 +1,9 @@
|
||||
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
|
||||
|
||||
/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
|
||||
index c06ff803f..7c0b37ddc 100644
|
||||
index 87b6b4561..9618df04e 100644
|
||||
--- a/policy/modules/services/rpc.te
|
||||
+++ b/policy/modules/services/rpc.te
|
||||
@@ -250,6 +250,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
@@ -341,6 +341,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
|
|
@ -57,7 +42,7 @@ index c06ff803f..7c0b37ddc 100644
|
|||
miscfiles_manage_public_files(nfsd_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
|
||||
index 4f110773a..3cc85a8d5 100644
|
||||
index 8972980fa..5c89a1343 100644
|
||||
--- a/policy/modules/services/rpcbind.te
|
||||
+++ b/policy/modules/services/rpcbind.te
|
||||
@@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From a51cec2a8d8f47b7a06c59b8af73d96edcc2a993 Mon Sep 17 00:00:00 2001
|
||||
From bc6872d164d09355ee82dc97c4e3d99a6b6669b3 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 30 Jun 2020 10:18:20 +0800
|
||||
Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading
|
||||
|
|
@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
|
||||
index 5bbe71b26..228baecd8 100644
|
||||
index 0f2835575..9f4f11397 100644
|
||||
--- a/policy/modules/admin/dmesg.te
|
||||
+++ b/policy/modules/admin/dmesg.te
|
||||
@@ -51,6 +51,8 @@ miscfiles_read_localization(dmesg_t)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fdc58fd666915aba89cb07fe6e7eb43a7fbec2ec Mon Sep 17 00:00:00 2001
|
||||
From e7b9af24946f5f76e8e6831bfeb444c0153298be Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Fri, 13 Oct 2017 07:20:40 +0000
|
||||
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
|
||||
|
|
@ -59,7 +59,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 44c031a39..4dffaef76 100644
|
||||
index c1557ddb2..8f67c6ec9 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 3aa784896315d269be4f43a281d59ad7671b2d07 Mon Sep 17 00:00:00 2001
|
||||
From ee3e2bbaf3b94902aadebbb085c7e86b8d074e98 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Fri, 15 Jan 2016 03:47:05 -0500
|
||||
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
|
||||
|
|
@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index fe3fcf011..8e85dde72 100644
|
||||
index b7d494398..b6750015e 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -208,6 +208,10 @@ mls_process_write_all_levels(init_t)
|
||||
@@ -210,6 +210,10 @@ mls_process_write_all_levels(init_t)
|
||||
mls_fd_use_all_levels(init_t)
|
||||
mls_process_set_level(init_t)
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fb69dde2c8783e0602dcce3509b69ded9e6331a2 Mon Sep 17 00:00:00 2001
|
||||
From 8cdcca3702d69ed5f3aa9ce9d769ad483f977094 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 4 Feb 2016 06:03:19 -0500
|
||||
Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
|
||||
|
|
@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index fb8d4960f..57f4dc40d 100644
|
||||
index 7d2ba2796..c50a2ba64 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1249,6 +1249,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
|
||||
@@ -1396,6 +1396,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_tmpfiles_t)
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From f5a6c667186850ba8c5057742195c46d9f7ff8cf Mon Sep 17 00:00:00 2001
|
||||
From 4e7b0040ff558f2d69c8b9a30e73223acb20f35f Mon Sep 17 00:00:00 2001
|
||||
From: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
Date: Thu, 22 Aug 2013 13:37:23 +0800
|
||||
Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted
|
||||
|
|
@ -18,11 +18,11 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 1d45a5fa9..eec0560d1 100644
|
||||
index 62caa7a56..e608327fe 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -501,6 +501,10 @@ fs_getattr_all_fs(syslogd_t)
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
@@ -495,6 +495,10 @@ fs_search_auto_mountpoints(syslogd_t)
|
||||
fs_search_tmpfs(syslogd_t)
|
||||
|
||||
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
||||
+mls_file_read_all_levels(syslogd_t)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From b74b8052fd654d6a242bf3d8773a42f376d08fed Mon Sep 17 00:00:00 2001
|
||||
From bbb405ac6270ef945db21cfddda63d283ee5d8af Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Tue, 28 May 2019 16:41:37 +0800
|
||||
Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for
|
||||
|
|
@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 8e85dde72..453ae9b6b 100644
|
||||
index b6750015e..962c675b0 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -207,6 +207,7 @@ mls_file_write_all_levels(init_t)
|
||||
@@ -209,6 +209,7 @@ mls_file_write_all_levels(init_t)
|
||||
mls_process_write_all_levels(init_t)
|
||||
mls_fd_use_all_levels(init_t)
|
||||
mls_process_set_level(init_t)
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 0e29b493136115b9bf397cc59424552c5b354385 Mon Sep 17 00:00:00 2001
|
||||
From 2780811e48663df0265676749a4041c077ae6a89 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Wed, 3 Feb 2016 04:16:06 -0500
|
||||
Subject: [PATCH] policy/modules/system/init: all init_t to read any level
|
||||
|
|
@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 453ae9b6b..feed5af5f 100644
|
||||
index 962c675b0..aa57a5661 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -213,6 +213,9 @@ mls_key_write_all_levels(init_t)
|
||||
@@ -215,6 +215,9 @@ mls_key_write_all_levels(init_t)
|
||||
mls_file_downgrade(init_t)
|
||||
mls_file_upgrade(init_t)
|
||||
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From a75847eb2a5a34c18a4fd24383a696d6c077a117 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 18 Jun 2020 09:59:58 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: systemd-networkd: make
|
||||
systemd_networkd_t MLS trusted for reading from files up to its clearance
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=219 comm="systemd-network"
|
||||
name="journal" dev="tmpfs" ino=10956
|
||||
scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
|
||||
permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 6b0f52d15..cfbd9196a 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -795,6 +795,8 @@ sysnet_read_config(systemd_networkd_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_networkd_t)
|
||||
|
||||
+mls_file_read_to_clearance(systemd_networkd_t)
|
||||
+
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(systemd_networkd_t)
|
||||
dbus_connect_system_bus(systemd_networkd_t)
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 71a217de05a084899537462f8b432825b12ab187 Mon Sep 17 00:00:00 2001
|
||||
From a74584ba424cd5e392db2a64b4ec66ebb307eb4c Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Thu, 25 Feb 2016 04:25:08 -0500
|
||||
Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
|
||||
|
|
@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index eec0560d1..c22613c0b 100644
|
||||
index e608327fe..bdd5c9dff 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -210,6 +210,8 @@ miscfiles_read_localization(auditd_t)
|
||||
@@ -211,6 +211,8 @@ miscfiles_read_localization(auditd_t)
|
||||
|
||||
mls_file_read_all_levels(auditd_t)
|
||||
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From fac0583bea8eb74c43cd715cf5029d3243e38f95 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 18 Jun 2020 09:47:25 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: systemd-resolved: make
|
||||
systemd_resolved_t MLS trusted for reading from files up to its clearance
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=220 comm="systemd-resolve"
|
||||
name="journal" dev="tmpfs" ino=10956
|
||||
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
|
||||
permissive=0
|
||||
avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
|
||||
dev="tmpfs" ino=15102
|
||||
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index cfbd9196a..806468109 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1096,6 +1096,8 @@ init_dgram_send(systemd_resolved_t)
|
||||
|
||||
seutil_read_file_contexts(systemd_resolved_t)
|
||||
|
||||
+mls_file_read_to_clearance(systemd_resolved_t)
|
||||
+
|
||||
systemd_log_parse_environment(systemd_resolved_t)
|
||||
systemd_read_networkd_runtime(systemd_resolved_t)
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 8d1a8ffca75ada3dc576a4013644c9e9cdb45947 Mon Sep 17 00:00:00 2001
|
||||
From 1bcb41c20d666761bb407bf34c9e3391e16449a7 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Thu, 31 Oct 2019 17:35:59 +0800
|
||||
Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
|
||||
|
|
@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 4dffaef76..34444a2f9 100644
|
||||
index 8f67c6ec9..fbcf1413f 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -362,6 +362,8 @@ mls_fd_use_all_levels(kernel_t)
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From 569033512340d791a13c1ee2f269788c55fff63c Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Sun, 28 Jun 2020 15:19:44 +0800
|
||||
Subject: [PATCH] policy/modules/system/systemd: make systemd-modules_t domain
|
||||
MLS trusted for reading from files up to its clearance
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=142 comm="systemd-modules"
|
||||
name="journal" dev="tmpfs" ino=10990
|
||||
scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
|
||||
permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 806468109..e82a1e64a 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -739,6 +739,8 @@ modutils_read_module_objects(systemd_modules_load_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_modules_load_t)
|
||||
|
||||
+mls_file_read_to_clearance(systemd_modules_load_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# networkd local policy
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 212156df805a24852a4762737f7040f1c7bb9b9a Mon Sep 17 00:00:00 2001
|
||||
From 7021844f20c5d5c885edf87abf8ce3329bcc5836 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Mon, 23 Jan 2017 08:42:44 +0000
|
||||
Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
|
||||
|
|
@ -25,10 +25,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 57f4dc40d..1449d2808 100644
|
||||
index c50a2ba64..a7390b1cd 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -621,6 +621,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
|
||||
@@ -693,6 +693,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
|
||||
userdom_setattr_user_ttys(systemd_logind_t)
|
||||
userdom_use_user_ttys(systemd_logind_t)
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user