refpolicy: fix policy to allow nfsd works.

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-11-26 18:39:59 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-11-27 09:50:18 +0800
commit: 6974239e6015b6cb84e9625b870835626b1b02fe (patch)
tree: 2e479ec24f9c7d2a8b5ecf959fde88590f4a166a
parent: 4da31aaf7a76777b3f1d0e6bb029a89f42189150 (diff)
download: meta-selinux-6974239e6015b6cb84e9625b870835626b1b02fe.tar.gz
4 files changed, 72 insertions, 2 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch
new file mode 100644
index 0000000..bf509bc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch
@@ -0,0 +1,69 @@
+Subject: [PATCH] fix policy to allow nfsserver to work fine.
+Upstream-Status: Pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te       |    6 +++++-
+ policy/modules/contrib/rpcbind.te   |    5 +++++
+ policy/modules/kernel/filesystem.te |    1 +
+ policy/modules/kernel/kernel.te     |    1 +
+ 4 files changed, 12 insertions(+), 1 deletions(-)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index fde39d2..0fc7ddd 100644
+--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
+@@ -179,7 +179,11 @@ tunable_policy(`nfs_export_all_ro',`
+        files_read_non_auth_files(nfsd_t)
+ ')
+ 
+-mount_exec(nfsd_t)
+# Should domtrans to mount_t while mounting nfsd_fs_t.
+mount_domtrans(nfsd_t)
+# nfsd_t need to chdir to /var/lib/nfs and read files.
+files_list_var(nfsd_t)
+rpc_read_nfs_state_data(nfsd_t)
+ 
+ ########################################
+ #
+diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
+index a63e9ee..55397d9 100644
+--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
+@@ -67,3 +67,8 @@ logging_send_syslog_msg(rpcbind_t)
+ miscfiles_read_localization(rpcbind_t)
+ 
+ sysnet_dns_name_resolve(rpcbind_t)
+
+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
+# because the are running in different level. So add rules to allow this.
+mls_socket_read_all_levels(rpcbind_t)
+mls_socket_write_all_levels(rpcbind_t)
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index 376bae8..310d992 100644
+--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
+@@ -118,6 +118,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+ 
+ type nfsd_fs_t;
+ fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
+ genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+ 
+ type oprofilefs_t;
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index ab9b6cd..15d3814 100644
+--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
+@@ -284,6 +284,7 @@ mls_process_read_up(kernel_t)
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+        # Bugzilla 222337
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
index bfb08be..77b7e0f 100644
--- a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
+++ b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
@@ -5,7 +5,7 @@ It allows giving data labels such as \"Top Secret\" and preventing \
 such data from leaking to processes or files with lower classification. \
 "
-PR = "r1"
+PR = "r2"
 POLICY_NAME = "mls"
 POLICY_TYPE = "mls"
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
index fdd289a..25e94c6 100644
--- a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
+++ b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "\
 This is the reference policy for SELinux built with type enforcement \
 only."
-PR = "r1"
+PR = "r2"
 POLICY_NAME = "standard"
 POLICY_TYPE = "standard"
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
index 54a571a..57f2046 100644
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -30,6 +30,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
 # Other policy fixes 
 SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+            file://poky-policy-fix-nfsd_t.patch \
           "
 include refpolicy_common.inc
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-11-26 18:39:59 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-11-27 09:50:18 +0800
commit	6974239e6015b6cb84e9625b870835626b1b02fe (patch)
tree	2e479ec24f9c7d2a8b5ecf959fde88590f4a166a
parent	4da31aaf7a76777b3f1d0e6bb029a89f42189150 (diff)
download	meta-selinux-6974239e6015b6cb84e9625b870835626b1b02fe.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch new file mode 100644 index 0000000..bf509bc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch
@@ -0,0 +1,69 @@
		1	Subject: [PATCH] fix policy to allow nfsserver to work fine.
		2
		3	Upstream-Status: Pending
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/contrib/rpc.te \| 6 +++++-
		8	policy/modules/contrib/rpcbind.te \| 5 +++++
		9	policy/modules/kernel/filesystem.te \| 1 +
		10	policy/modules/kernel/kernel.te \| 1 +
		11	4 files changed, 12 insertions(+), 1 deletions(-)
		12
		13	diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
		14	index fde39d2..0fc7ddd 100644
		15	--- a/policy/modules/contrib/rpc.te
		16	+++ b/policy/modules/contrib/rpc.te
		17	@@ -179,7 +179,11 @@ tunable_policy(`nfs_export_all_ro',`
		18	files_read_non_auth_files(nfsd_t)
		19	')
		20
		21	-mount_exec(nfsd_t)
		22	+# Should domtrans to mount_t while mounting nfsd_fs_t.
		23	+mount_domtrans(nfsd_t)
		24	+# nfsd_t need to chdir to /var/lib/nfs and read files.
		25	+files_list_var(nfsd_t)
		26	+rpc_read_nfs_state_data(nfsd_t)
		27
		28	########################################
		29	#
		30	diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
		31	index a63e9ee..55397d9 100644
		32	--- a/policy/modules/contrib/rpcbind.te
		33	+++ b/policy/modules/contrib/rpcbind.te
		34	@@ -67,3 +67,8 @@ logging_send_syslog_msg(rpcbind_t)
		35	miscfiles_read_localization(rpcbind_t)
		36
		37	sysnet_dns_name_resolve(rpcbind_t)
		38	+
		39	+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
		40	+# because the are running in different level. So add rules to allow this.
		41	+mls_socket_read_all_levels(rpcbind_t)
		42	+mls_socket_write_all_levels(rpcbind_t)
		43	diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
		44	index 376bae8..310d992 100644
		45	--- a/policy/modules/kernel/filesystem.te
		46	+++ b/policy/modules/kernel/filesystem.te
		47	@@ -118,6 +118,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
		48
		49	type nfsd_fs_t;
		50	fs_type(nfsd_fs_t)
		51	+files_mountpoint(nfsd_fs_t)
		52	genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
		53
		54	type oprofilefs_t;
		55	diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
		56	index ab9b6cd..15d3814 100644
		57	--- a/policy/modules/kernel/kernel.te
		58	+++ b/policy/modules/kernel/kernel.te
		59	@@ -284,6 +284,7 @@ mls_process_read_up(kernel_t)
		60	mls_process_write_down(kernel_t)
		61	mls_file_write_all_levels(kernel_t)
		62	mls_file_read_all_levels(kernel_t)
		63	+mls_socket_write_all_levels(kernel_t)
		64
		65	ifdef(`distro_redhat',`
		66	# Bugzilla 222337
		67	--
		68	1.7.5.4
		69


diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb index bfb08be..77b7e0f 100644 --- a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb +++ b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
@@ -5,7 +5,7 @@ It allows giving data labels such as \"Top Secret\" and preventing \
5	such data from leaking to processes or files with lower classification. \	5	such data from leaking to processes or files with lower classification. \
6	"	6	"
7		7
8	PR = "r1"	8	PR = "r2"
9		9
10	POLICY_NAME = "mls"	10	POLICY_NAME = "mls"
11	POLICY_TYPE = "mls"	11	POLICY_TYPE = "mls"


diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb index fdd289a..25e94c6 100644 --- a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb +++ b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "\
3	This is the reference policy for SELinux built with type enforcement \	3	This is the reference policy for SELinux built with type enforcement \
4	only."	4	only."
5		5
6	PR = "r1"	6	PR = "r2"
7		7
8	POLICY_NAME = "standard"	8	POLICY_NAME = "standard"
9	POLICY_TYPE = "standard"	9	POLICY_TYPE = "standard"


diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc index 54a571a..57f2046 100644 --- a/recipes-security/refpolicy/refpolicy_2.20120725.inc +++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -30,6 +30,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
30		30
31	# Other policy fixes	31	# Other policy fixes
32	SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \	32	SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
		33	file://poky-policy-fix-nfsd_t.patch \
33	"	34	"
34		35
35	include refpolicy_common.inc	36	include refpolicy_common.inc