refpolicy: allow sysadm to run rpcbind

Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Roy Li <rongqing.li@windriver.com> 2014-04-03 14:05:41 -0400
committer: Joe MacDonald <joe@deserted.net> 2014-04-03 14:46:09 -0400
commit: 4df5a5b1704ada9af6561496177401441614297b (patch)
tree: 5f022134e66a9bbe3c550e373a77e1c261cf3e3c
parent: b8b3c09a63561bc9c970f5f047cfd6fa19161877 (diff)
download: meta-selinux-4df5a5b1704ada9af6561496177401441614297b.tar.gz
2 files changed, 34 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch
new file mode 100644
index 0000000..ec3dbf4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,33 @@
+From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 15 Feb 2014 09:45:00 +0800
+Subject: [PATCH] allow sysadm to run rpcinfo
+Upstream-Status: Pending
+type=AVC msg=audit(1392427946.976:264): avc:  denied  { connectto } for  pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
+type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/roles/sysadm.te |    4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 1767217..5502c6a 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -413,6 +413,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+       rpcbind_stream_connect(sysadm_t)
+')
+
+optional_policy(`
+        vmware_role(sysadm_r, sysadm_t)
+ ')
+ 
+-- 
+1.7.10.4
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 4ea61fc..8c17094 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -45,6 +45,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
            file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
            file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
            file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
+            file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
           "
 # Other policy fixes
author	Roy Li <rongqing.li@windriver.com>	2014-04-03 14:05:41 -0400
committer	Joe MacDonald <joe@deserted.net>	2014-04-03 14:46:09 -0400
commit	4df5a5b1704ada9af6561496177401441614297b (patch)
tree	5f022134e66a9bbe3c550e373a77e1c261cf3e3c
parent	b8b3c09a63561bc9c970f5f047cfd6fa19161877 (diff)
download	meta-selinux-4df5a5b1704ada9af6561496177401441614297b.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch new file mode 100644 index 0000000..ec3dbf4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch
@@ -0,0 +1,33 @@
		1	From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001
		2	From: Roy Li <rongqing.li@windriver.com>
		3	Date: Sat, 15 Feb 2014 09:45:00 +0800
		4	Subject: [PATCH] allow sysadm to run rpcinfo
		5
		6	Upstream-Status: Pending
		7
		8	type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket
		9	type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null)
		10
		11	Signed-off-by: Roy Li <rongqing.li@windriver.com>
		12	---
		13	policy/modules/roles/sysadm.te \| 4 ++++
		14	1 file changed, 4 insertions(+)
		15
		16	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
		17	index 1767217..5502c6a 100644
		18	--- a/policy/modules/roles/sysadm.te
		19	+++ b/policy/modules/roles/sysadm.te
		20	@@ -413,6 +413,10 @@ optional_policy(`
		21	')
		22
		23	optional_policy(`
		24	+ rpcbind_stream_connect(sysadm_t)
		25	+')
		26	+
		27	+optional_policy(`
		28	vmware_role(sysadm_r, sysadm_t)
		29	')
		30
		31	--
		32	1.7.10.4
		33


diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index 4ea61fc..8c17094 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -45,6 +45,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
45	file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \	45	file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
46	file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \	46	file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
47	file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \	47	file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
		48	file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \
48	"	49	"
49		50
50	# Other policy fixes	51	# Other policy fixes