authorXin Ouyang <Xin.Ouyang@windriver.com>2012-09-11 14:15:57 +0800
committerXin Ouyang <Xin.Ouyang@windriver.com>2012-10-18 11:07:43 +0800
commit72e009ce78f2beb5915df0c568d20ed9913f76b3 (patch)
treea7ace3edbf93e4c9973810d07ac619ef64f5cef7
parentb95c77e3d28d77141eac6e09058ffc9fecedc7ed (diff)
downloadmeta-selinux-72e009ce78f2beb5915df0c568d20ed9913f76b3.tar.gz
refpolicy: add poky specific rules for packages.
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch118
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch96
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch88
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch28
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch25
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch29
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch67
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch26
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch32
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch213
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20120725.inc13
11 files changed, 735 insertions, 0 deletions
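--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch
@@ -0,0 +1,118 @@
+Subject: [PATCH] add rules for bsdpty_device_t to complete pty devices.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if | 16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index 01dd2f1..f9d46cc 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -512,9 +512,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
+ interface(`term_dontaudit_getattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file getattr;
++ dontaudit $1 bsdpty_device_t:chr_file getattr;
+ ')
+ ########################################
+ ## <summary>
+@@ -530,11 +532,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
+ interface(`term_ioctl_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir search;
+ allow $1 devpts_t:chr_file ioctl;
++ allow $1 bsdpty_device_t:chr_file ioctl;
+ ')
+
+ ########################################
+@@ -552,9 +556,11 @@ interface(`term_ioctl_generic_ptys',`
+ interface(`term_setattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ allow $1 devpts_t:chr_file setattr;
++ allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -572,9 +578,11 @@ interface(`term_setattr_generic_ptys',`
+ interface(`term_dontaudit_setattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file setattr;
++ dontaudit $1 bsdpty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -592,11 +600,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
+ interface(`term_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir list_dir_perms;
+ allow $1 devpts_t:chr_file { rw_term_perms lock append };
++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+
+ ########################################
+@@ -614,9 +624,11 @@ interface(`term_use_generic_ptys',`
+ interface(`term_dontaudit_use_generic_ptys',`
+ gen_require(`
+ type devpts_t;
++ type bsdpty_device_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
+ ')
+
+ #######################################
+@@ -632,10 +644,12 @@ interface(`term_dontaudit_use_generic_ptys',`
+ interface(`term_setattr_controlling_term',`
+ gen_require(`
+ type devtty_t;
++ type bsdpty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file setattr;
++ allow $1 bsdpty_device_t:chr_file setattr;
+ ')
+
+ ########################################
+@@ -652,10 +666,12 @@ interface(`term_setattr_controlling_term',`
+ interface(`term_use_controlling_term',`
+ gen_require(`
+ type devtty_t;
++ type bsdpty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file { rw_term_perms lock append };
++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
+ ')
+
+ #######################################
+--
+1.7.5.4
+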
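Review bot: The last two hunks add bsdpty_device_t to `term_setattr_controlling_term` and `term_use_controlling_term`, whose existing bodies are scoped to devtty_t (/dev/tty); after this change every caller of the controlling-terminal interfaces also gets setattr or the full rw_term_perms set on every BSD-style pty node, which is broader than the interface names suggest and overlaps what the `_generic_ptys` interfaces above now grant. Nothing in the patch says why Poky needs the legacy BSD pty nodes at all (presumably the /dev/tty[p-z]* devices rather than devpts), and with `Upstream-Status: Pending` an upstream reviewer will ask exactly that. A one-line comment above each added allow rule, e.g. `# Poky: BSD pty nodes are used as controlling terminals (see <commit/bug id>)`, plus a sentence in the description, would make the scope reviewable.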
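--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch
@@ -0,0 +1,96 @@
+Subject: [PATCH] add rules for the symlink of /tmp
+
+/tmp is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 8 ++++++++
+ 2 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index 8796ca3..a0db748 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
+ # /tmp
+ #
+ /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
++/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /tmp/.* <<none>>
+ /tmp/\.journal <<none>>
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index e1e814d..a7384b0 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
+ ')
+
+ allow $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
+ ')
+
+ allow $1 tmp_t:dir del_entry_dir_perms;
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
+ ')
+
+ read_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
+ ')
+
+ manage_dirs_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
+ ')
+
+ manage_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ ')
+
+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
+ ')
+
+ filetrans_pattern($1, tmp_t, $2, $3, $4)
++ allow $1 tmp_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+--
+1.7.5.4
+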
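Review bot: `allow $1 tmp_t:lnk_file read_lnk_file_perms;`, added to eight tmp interfaces, grants reading of every symlink labelled tmp_t — anything a process leaves under /tmp with the default label — not only the /tmp link that the new files.fc entry labels; the var_log_t rule in the following /var/log patch has the same shape. If the intent is a single well-known path, a dedicated type for the link (or at least a sentence in the description acknowledging the broader grant) keeps the change minimal, and the rule in `files_tmp_filetrans` deserves its own comment, e.g. `# Poky: /tmp is a symlink; the link must be readable before the transition dir is reached`. The `Inappropriate [only for Poky]` tag is also debatable, since /tmp as a symlink is common on embedded images and the same rules would help any such distro.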
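--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
@@ -0,0 +1,88 @@
+Subject: [PATCH] add rules for the symlink of /var/log
+
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 7 +++++++
+ 2 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 3cb65f1..2419cd7 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+ /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 321bb13..2be355e 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -626,6 +626,7 @@ interface(`logging_search_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir search_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ #######################################
+@@ -663,6 +664,7 @@ interface(`logging_list_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ #######################################
+@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir rw_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ #######################################
+@@ -843,6 +846,7 @@ interface(`logging_read_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ write_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',`
+
+ files_search_var($1)
+ allow $1 var_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ rw_files_pattern($1, var_log_t, var_log_t)
+ ')
+
+@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',`
+
+ files_search_var($1)
+ manage_files_pattern($1, var_log_t, var_log_t)
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+--
+1.7.5.4
+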
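Review bot: The new `/var/log -l` entry labels only the symlink; the directory it resolves to on Poky must itself carry var_log_t for the lnk_file rules added in logging.if to get a caller past the link, and nothing in this patch (or its description) says where that target is labelled — presumably one of the earlier poky-fc patches, but that is not visible here. A comment beside the fc line, e.g. `# Poky: /var/log is a symlink; its target is labelled var_log_t in <poky fc patch>`, would let a reviewer confirm the pair. Also, in `logging_manage_generic_logs` the lnk_file rule is placed after the manage pattern while the other six hunks put it before the pattern; one ordering would make the rule easier to grep for.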
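--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch
@@ -0,0 +1,28 @@
+Subject: [PATCH] Add the syslogd_t to trusted object
+
+We add the syslogd_t to trusted object, because other process need
+to have the right to connectto/sendto /dev/log.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 0034021..b6b0ddf 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -444,6 +444,7 @@ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log
+
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+--
+1.7.5.4
+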
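Review bot: `mls_trusted_object(syslogd_t)` exempts every object whose type is syslogd_t — the process, its files, and all of its sockets — from the MLS constraints, while the stated need is only that domains at other levels may connectto/sendto the /dev/log socket. The narrower alternative is on the sender side: refpolicy's mls.if provides `mls_socket_write_all_levels` for domains that must write up to a socket, which keeps syslogd_t's other object classes under the normal constraints; if that was tried and found insufficient the commit message should say so. The inline comment should also name what is being relaxed, e.g. `# Poky: exempt syslogd_t sockets from the unix_{stream,dgram}_socket MLS constraint so lower-level domains can reach /dev/log`.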
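--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch
@@ -0,0 +1,25 @@
+Subject: [PATCH] allow dbusd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/dbus.te | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 529944b..bb76257 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -111,6 +111,8 @@ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
+
++corecmd_exec_shell(system_dbusd_t)
++
+ domain_use_interactive_fds(system_dbusd_t)
+ domain_read_all_domains_state(system_dbusd_t)
+
+--
+1.7.5.4
+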
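Review bot: `corecmd_exec_shell(system_dbusd_t)` lets the system bus daemon run a shell inside its own domain, which is a wide grant for a daemon whose activated services are normally given their own domain through `dbus_system_domain`, and the patch records neither a denial nor which activation needs it. A comment above the line naming the trigger, e.g. `# Poky: <service> is activated through a shell wrapper; see AVC <placeholder>`, would let a later reviewer replace the rule with a domain transition for that one service rather than leaving the shell grant in place. Without that rationale the `Inappropriate [only for Poky]` tag cannot be checked either.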
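--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] allow system_dbusd_t to setrlimit itself.
+
+avc: denied { setrlimit } for pid=391 comm="dbus-daemon"
+ scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
+ tcontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tclass=proces
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/dbus.te | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 625cb32..529944b 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -53,7 +53,7 @@ ifdef(`enable_mls',`
+ # cjp: dac_override should probably go in a distro_debian
+ allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+ allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+--
+1.7.5.4
+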
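Review bot: The `Upstream-Status: Inappropriate [only for Poky]` tag does not match the content: the quoted denial is dbus-daemon adjusting its own resource limits, which is not distribution-specific, so `Pending` with an upstream submission looks like the right classification and would let this carry patch be dropped later. The pasted AVC is also truncated (`tclass=proces`); a full line makes the rationale verifiable.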
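--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,67 @@
+Subject: [PATCH] allow nfsd to exec shell commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te | 7 +++++++
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 330d01f..fde39d2 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -120,6 +120,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+ kernel_read_system_state(nfsd_t)
+ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
++kernel_setsched(nfsd_t)
++kernel_request_load_module(nfsd_t)
++kernel_mounton_proc(nfsd_t)
++
++corecmd_exec_shell(nfsd_t)
+
+ corenet_tcp_bind_all_rpc_ports(nfsd_t)
+ corenet_udp_bind_all_rpc_ports(nfsd_t)
+@@ -174,6 +179,8 @@ tunable_policy(`nfs_export_all_ro',`
+ files_read_non_auth_files(nfsd_t)
+ ')
+
++mount_exec(nfsd_t)
++
+ ########################################
+ #
+ # GSSD local policy
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 4bf45cb..25e7b1b 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',`
+
+ ########################################
+ ## <summary>
++## Mounton a proc filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_mounton_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ## Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+--
+1.7.5.4
+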
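Review bot: `mount_exec(nfsd_t)` in the second rpc.te hunk is a bare call into another module: it runs mount inside nfsd_t instead of transitioning to mount_t, so the mount module's own policy is bypassed, and because it is not wrapped in optional_policy the rpc module can fail to build when mount is not part of the policy. The refpolicy convention is optional_policy(`mount_domtrans(nfsd_t)') — the mount_t domain already has the mounton/module-load rights that the first hunk now hands to nfsd_t directly. That first hunk also grants `kernel_setsched`, `kernel_request_load_module` and the new `kernel_mounton_proc` under a title that only mentions shell commands; each should be tied to a denial in the description, module-load requests in particular. The new interface's summary should read `## Mount on directories of the proc filesystem.` rather than "Mounton a proc filesystem".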
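--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch
@@ -0,0 +1,26 @@
+Subject: [PATCH] fix setfiles_t to read symlinks
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.te | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index ec01d0b..45ed81b 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -553,6 +553,9 @@ files_list_all(setfiles_t)
+ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
++
+ fs_getattr_xattr_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+--
+1.7.5.4
+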
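--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch
@@ -0,0 +1,32 @@
+Subject: [PATCH] don't audit tty_device_t in term_dontaudit_use_console.
+
+We should also not audit terminal to rw tty_device_t and fds in
+term_dontaudit_use_console.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/terminal.if | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index f9d46cc..234e0b8 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -299,9 +299,12 @@ interface(`term_use_console',`
+ interface(`term_dontaudit_use_console',`
+ gen_require(`
+ type console_device_t;
++ type tty_device_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+--
+1.7.5.4
+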
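Review bot: `init_dontaudit_use_fds($1)` is called from a kernel-layer interface (kernel/terminal.if), which makes the kernel layer depend on the system-layer init module, and since the call is not inside optional_policy the dependency is a hard one; refpolicy keeps kernel-layer interfaces free of such calls precisely so base policy builds without system modules. The fd dontaudit belongs in the callers of `term_dontaudit_use_console` (or in init.if), and the interface's summary, which sits outside this hunk, still describes the console only. The description should also name which domain produced the tty_device_t denial, because a dontaudit on rw_chr_file_perms for every tty hides events that are otherwise useful when triaging misbehaving daemons.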
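--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -0,0 +1,213 @@
+Subject: [PATCH] fix for new SELINUXMNT in /sys
+
+SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
+add rules to access sysfs.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 40 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
+index 81440c5..b57ec34 100644
+--- a/policy/modules/kernel/selinux.if
++++ b/policy/modules/kernel/selinux.if
+@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
+ type security_t;
+ ')
+
++ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
++ # access sysfs
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:filesystem mount;
+ ')
+
+@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:filesystem remount;
+ ')
+
+@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:filesystem unmount;
+ ')
+
+@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:filesystem getattr;
+ ')
+
+@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:filesystem getattr;
+ ')
+
+@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir getattr;
+ ')
+
+@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ ')
+
+@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir search_dir_perms;
+ dontaudit $1 security_t:file read_file_perms;
+ ')
+@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
+ bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ typeattribute $1 can_load_policy;
+@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file read_file_perms;
+ allow $1 security_t:security read_policy;
+@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+
+@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
+ bool secure_mode_policyload;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+ allow $1 secure_mode_policyload_t:file read_file_perms;
+@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
+ attribute can_setsecparam;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security setsecparam;
+@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
+ type security_t;
+ ')
+
++ dev_dontaudit_search_sysfs($1)
+ dontaudit $1 security_t:dir list_dir_perms;
+ dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:security check_context;
+@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_av;
+@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_create;
+@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_member;
+@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_relabel;
+@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
+ type security_t;
+ ')
+
++ dev_getattr_sysfs_dirs($1)
++ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:security compute_user;
+--
+1.7.5.4
+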
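Review bot: The `dev_getattr_sysfs_dirs($1)` / `dev_search_sysfs($1)` pair is pasted verbatim into fourteen interfaces and `dev_dontaudit_search_sysfs($1)` into six, with the explanatory comment present only in `selinux_get_fs_mount`; one small internal interface wrapping the pair would keep the "selinuxfs now lives under /sys" knowledge in a single place and make a later removal a one-line change. It is worth stating in that comment that `dev_search_sysfs` grants search on every sysfs_t directory, i.e. all of /sys rather than just /sys/fs, because sysfs_t is one type — acceptable, but every caller of even the read-only `selinux_*` interfaces now gains it. The context comment `# (/selinux) is already a selinuxfs` is left stale next to the new rules and should mention /sys/fs/selinux as well.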
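--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -15,4 +15,17 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
  file://poky-fc-fix-real-path_login.patch \
 "
 
+# Specific policy for Poky
+SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
+ file://poky-policy-add-rules-for-var-log-symlink.patch \
+ file://poky-policy-add-rules-for-tmp-symlink.patch \
+ file://poky-policy-add-rules-for-bsdpty_device_t.patch \
+ file://poky-policy-don-t-audit-tty_device_t.patch \
+ file://poky-policy-allow-dbusd-to-setrlimit-itself.patch \
+ file://poky-policy-allow-dbusd-to-exec-shell-commands.patch \
+ file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
+ file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
+ file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+ "
+
 include refpolicy_common.inc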
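Review bot: The order of this SRC_URI list is load-bearing and nothing records it: the bsdpty_device_t patch takes terminal.if from index 01dd2f1 to f9d46cc and the tty_device_t patch expects f9d46cc, and likewise the dbusd setrlimit patch (625cb32..529944b) must precede the dbusd exec-shell patch (529944b..bb76257). A comment above the list, e.g. `# NOTE: order matters - the terminal.if and dbus.te patches chain on each other's index`, would keep a later reorder from producing fuzz or rejects. Since two of these patches are marked Upstream-Status: Pending and the rest Inappropriate, the comment could also separate the two groups so the Pending ones are easy to drop once merged upstream.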