authorRoy Li <rongqing.li@windriver.com>2014-02-10 11:07:23 +0800
committerJoe MacDonald <joe@deserted.net>2014-02-12 19:45:35 -0500
commit33e54aa891626c10f7cb865cc263b708c060fc85 (patch)
tree8140351fe59b00c26f78b486bb4200c906f4a4ab
parent184d49bb1240dbfbc2bf11d13b431e34e4dcfcb1 (diff)
refpolicy: backport two patches to fix dhclient, hostname and ifconfig
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch59
-rw-r--r--recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch41
-rw-r--r--recipes-security/refpolicy/refpolicy_2.20130424.inc2
3 files changed, 102 insertions, 0 deletions
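--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
@@ -0,0 +1,59 @@
+From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 27 Sep 2013 10:36:14 +0200
+Subject: [PATCH] hostname: do not audit attempts by hostname to read and
+ write dhcpc udp sockets (looks like a leaked fd)
+
+Upstream-Status: backport
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+ policy/modules/system/hostname.te | 1 +
+ policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
+index f6cbda9..380197b 100644
+--- a/policy/modules/system/hostname.te
++++ b/policy/modules/system/hostname.te
+@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
+
+ miscfiles_read_localization(hostname_t)
+
++sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
+ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
+ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 52b548c..2cea692 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to read and
++## write dhcpc udp socket descriptors.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
++ gen_require(`
++ type dhcpc_t;
++ ')
++
++ dontaudit $1 dhcpc_t:udp_socket { read write };
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to use
+ ## the dhcp file descriptors.
+ ## </summary>
+--
+1.7.10.4
+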
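Review bot: `Upstream-Status: backport` on line 7 of this new patch file, and of sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch, uses a lowercase value; the OE convention is `Upstream-Status: Backport`, and since the `From` header already carries the upstream commit id the tag should use the form layer tooling looks for. Separately, the new `sysnet_dontaudit_rw_dhcpc_udp_sockets` interface silences the access rather than granting it, and its summary does not say why: the subject line attributes the udp socket to a descriptor leaked by dhcpc, so a line such as `## The socket reaches the domain through a leaked dhcpc fd; dontaudit, not allow.` would tell a later reader this is a workaround for a leak rather than an intended sharing of the socket.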
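--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
@@ -0,0 +1,41 @@
+From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 27 Sep 2013 11:35:41 +0200
+Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports
+ sysnetwork: do not audit attempts by ifconfig to read, and
+ write dhcpc udp sockets (looks like a leaked fd)
+
+Upstream-Status: backport
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+ policy/modules/system/sysnetwork.te | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index f9dce11..67709b5 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++
++corenet_sendrecv_all_server_packets(dhcpc_t)
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+
+ dev_read_sysfs(dhcpc_t)
+ # for SSP:
+@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t)
+
+ seutil_use_runinit_fds(ifconfig_t)
+
++sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
++
+ userdom_use_user_terminals(ifconfig_t)
+ userdom_use_all_users_fds(ifconfig_t)
+
+--
+1.7.10.4
+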
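Review bot: Replacing `corenet_sendrecv_dhcpc_server_packets(dhcpc_t)` with `corenet_sendrecv_all_server_packets(dhcpc_t)` and adding `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` in the `@@ -111` hunk widens dhcpc_t from the DHCP ports to every server packet type and every unreserved udp port, and neither the patch subject nor the .te says why that breadth is needed. The subject explains the unreserved-port bind (dhclient picks a random high port), but nothing on the page motivates the move to all server packets, so the narrower rule may have been dropped without need; that should be confirmed against the denials that prompted the change before the backport is taken as-is. A comment above the two new lines, e.g. `# dhclient binds a random unreserved udp port; see upstream b1599e01fe3f`, would at least make the scope reviewable. The dhcpc_t block that the first hunk edits continues outside this excerpt.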
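--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -51,6 +51,8 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
  file://poky-policy-fix-seutils-manage-config-files.patch \
  file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
  file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+ file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
+ file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
  "
 
 # Backport from upstream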