refpolicy: two patches for nfs-kernel-server
Some rules for nfsd to bind to the NFS ports are still missing, so add a patch to fix this. oe-core changed nfsd to use portmap, so also fix the file contexts for portmap. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
parent
7ff7d24aad
commit
e5b9f49048
@ -0,0 +1,34 @@
|
|||
Subject: [PATCH] refpolicy: fix real path for portmap.
|
||||
|
||||
Fix file contexts for portmap files to match the oe-core install
|
||||
paths.
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
---
|
||||
policy/modules/contrib/portmap.fc | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc
|
||||
index 3cdcd9f..3faf697 100644
|
||||
--- a/policy/modules/contrib/portmap.fc
|
||||
+++ b/policy/modules/contrib/portmap.fc
|
||||
@@ -5,12 +5,9 @@ ifdef(`distro_debian',`
|
||||
/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
', `
|
||||
-/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
-/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
||||
')
|
||||
|
||||
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
|
||||
-
|
||||
-ifdef(`distro_debian',`
|
||||
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
|
||||
-')
|
||||
--
|
||||
1.7.9.5
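Review bot: After this patch the non-Debian branch of the `ifdef(`distro_debian',` block in portmap.fc carries exactly the same two /sbin entries as the Debian branch, so the conditional no longer distinguishes anything and could be collapsed into two unconditional lines. Removing the /usr/sbin entries outright also means a pmap_dump or pmap_set installed under /usr/sbin (for example on a merged-/usr layout) would fall back to the default executable label and lose the portmap_helper_exec_t entrypoint, so keeping `/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)` and `/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)` alongside the /sbin ones is the safer labelling. The patch also drops the distro_debian guard around /var/run/portmap_mapping, making that label unconditional; the patch description should mention that change since it is not covered by "fix real path".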
|
||||
|
||||
@ -0,0 +1,63 @@
|
|||
Subject: [PATCH] refpolicy: allow nfsd to bind nfs port
|
||||
|
||||
NFS server need bind to tcp/udp 2049,20048-20049 port, but no
|
||||
these rules in default refpolicy. So add the allow rules.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
|
||||
---
|
||||
policy/modules/contrib/rpc.te | 2 ++
|
||||
policy/modules/kernel/corenetwork.te | 10 ++++++++++
|
||||
policy/modules/kernel/corenetwork.te.in | 1 +
|
||||
3 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
|
||||
index 0fc7ddd..03783ae 100644
|
||||
--- a/policy/modules/contrib/rpc.te
|
||||
+++ b/policy/modules/contrib/rpc.te
|
||||
@@ -128,6 +128,8 @@ corecmd_exec_shell(nfsd_t)
|
||||
|
||||
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
||||
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
||||
+corenet_tcp_bind_nfs_port(nfsd_t)
|
||||
+corenet_udp_bind_nfs_port(nfsd_t)
|
||||
|
||||
dev_dontaudit_getattr_all_blk_files(nfsd_t)
|
||||
dev_dontaudit_getattr_all_chr_files(nfsd_t)
|
||||
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
|
||||
index a5276af..8fca50e 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te
|
||||
+++ b/policy/modules/kernel/corenetwork.te
|
||||
@@ -849,6 +849,16 @@ portcon tcp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
|
||||
portcon udp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
|
||||
|
||||
|
||||
+type nfs_port_t, port_type, defined_port_type;
|
||||
+type nfs_client_packet_t, packet_type, client_packet_type;
|
||||
+type nfs_server_packet_t, packet_type, server_packet_type;
|
||||
+typeattribute nfs_port_t unreserved_port_type;
|
||||
+portcon tcp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
|
||||
+portcon udp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
|
||||
+portcon tcp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
|
||||
+portcon udp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
|
||||
+
|
||||
+
|
||||
type nmbd_port_t, port_type, defined_port_type;
|
||||
type nmbd_client_packet_t, packet_type, client_packet_type;
|
||||
type nmbd_server_packet_t, packet_type, server_packet_type;
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index fe2ee5e..fca0bc3 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -164,6 +164,7 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||
network_port(nessus, tcp,1241,s0)
|
||||
network_port(netport, tcp,3129,s0, udp,3129,s0)
|
||||
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
|
||||
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
|
||||
network_port(ntp, udp,123,s0)
|
||||
--
|
||||
1.7.11.7
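Review bot: The nfs_port_t type, its packet types and the portcon statements are written by hand into corenetwork.te (the `+type nfs_port_t, port_type, defined_port_type;` block) and at the same time declared through `network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)` in corenetwork.te.in; if the build regenerates corenetwork.te from the .te.in as refpolicy normally does, the hand-written hunk is redundant and the two copies can drift (the `typeattribute nfs_port_t unreserved_port_type;` line and the port ranges must match what the macro emits). Consider dropping the corenetwork.te hunk, or stating in the patch description why both files are patched. The new `corenet_tcp_bind_nfs_port(nfsd_t)` and `corenet_udp_bind_nfs_port(nfsd_t)` calls in rpc.te rely on the interfaces that the network_port macro generates, so the .te.in change is the one they actually depend on. A short note in the description on why 20048-20049 is labelled nfs_port_t together with 2049 would help, since the message only says these ports are needed and does not say which nfsd-side service binds them.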
|
||||
|
||||
@ -1,4 +1,4 @@
|
|||
Subject: [PATCH] fix policy to allow nfsserver to work fine.
|
||||
Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
@ -56,11 +56,12 @@ diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
|||
index ab9b6cd..15d3814 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -284,6 +284,7 @@ mls_process_read_up(kernel_t)
|
||||
@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
mls_file_write_all_levels(kernel_t)
|
||||
mls_file_read_all_levels(kernel_t)
|
||||
+mls_socket_write_all_levels(kernel_t)
|
||||
+mls_fd_use_all_levels(kernel_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# Bugzilla 222337
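Review bot: The `+mls_fd_use_all_levels(kernel_t)` rule, which the nested hunk header change from `+284,7` to `+284,8` suggests is the line this commit adds, is not explained anywhere in the patch: the renamed Subject talks about mounting nfsd_fs_t, while this grants kernel_t an MLS override attribute for file descriptor use. MLS override attributes on kernel_t are a broad grant, so the patch description should record the AVC denial that motivated it and why a narrower rule was not possible, e.g. a sentence like `mls_fd_use_all_levels(kernel_t) is needed because <observed denial; fill in>`. The enclosing patch body continues outside this hunk.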
|
||||
@ -15,6 +15,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
|
|||
file://poky-fc-fix-real-path_login.patch \
|
||||
file://poky-fc-fix-real-path_shadow.patch \
|
||||
file://poky-fc-fix-bind.patch \
|
||||
file://poky-fc-fix-portmap.patch \
|
||||
"
|
||||
|
||||
# Specific policy for Poky
|
||||
@ -27,6 +28,8 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
|
|||
file://poky-policy-allow-dbusd-to-setrlimit-itself.patch \
|
||||
file://poky-policy-allow-dbusd-to-exec-shell-commands.patch \
|
||||
file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
|
||||
file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
|
||||
file://poky-policy-allow-nfsd-to-bind-nfs-port.patch \
|
||||
file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
|
||||
file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
|
||||
"
|
||||
@ -34,7 +37,6 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
|
|||
# Other policy fixes
|
||||
SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
|
||||
file://poky-policy-fix-seutils-manage-config-files.patch \
|
||||
file://poky-policy-fix-nfsd_t.patch \
|
||||
"
|
||||
|
||||
include refpolicy_common.inc
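Review bot: The new `file://poky-policy-allow-nfsd-to-bind-nfs-port.patch` entry has an implicit ordering dependency: its rpc.te hunk is anchored on the context line `corecmd_exec_shell(nfsd_t)`, which appears to be introduced by `poky-policy-allow-nfsd-to-exec-shell-commands.patch` listed just above it, so it will only apply cleanly while that patch stays ahead of it in SRC_URI. A short comment on the list, e.g. `# allow-nfsd-to-bind-nfs-port depends on allow-nfsd-to-exec-shell-commands (rpc.te context)`, would protect against a future reorder.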
|
||||
@ -1,4 +1,4 @@
|
|||
PRINC = "2"
|
||||
PRINC = "3"
|
||||
|
||||
SECTION = "base"
|
||||
LICENSE = "GPLv2"
|
||||