refpolicy: add targeted policy type

This SELinux policy would targeted most of service domains for lock down, and users and admins will login in with unconfined_t domain. So they would have the same access to the system as if SELinux was not enabled, when running commands and services which are not targeted. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Wenzong Fan <wenzong.fan@windriver.com> 2014-03-24 21:07:49 -0400
committer: Joe MacDonald <joe@deserted.net> 2014-04-24 14:23:39 -0400
commit: cdb1ef995342b430141d4d052c20acda9ad054be (patch)
tree: 33157feb1f559ba99e3e738fe0441c5766f2959a
parent: 0362287928bc0a58b755488ebd74441c28eeeee2 (diff)
download: meta-selinux-cdb1ef995342b430141d4d052c20acda9ad054be.tar.gz
3 files changed, 276 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
new file mode 100644
index 0000000..44dff5e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH] refpolicy: fix optional issue on sysadm module
+init and locallogin modules have a depend for sysadm module because
+they have called sysadm interfaces(sysadm_shell_domtrans). Since
+sysadm is not a core module, we could make the sysadm_shell_domtrans
+calls optionally by optional_policy.
+So, we could make the minimum policy without sysadm module.
+Upstream-Status: pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/init.te       | 14 ++++++++------
+ policy/modules/system/locallogin.te |  4 +++-
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 4a88fa1..4548a7e 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -188,12 +188,14 @@ ifdef(`distro_redhat',`
+        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ ')
+ 
+-tunable_policy(`init_upstart',`
+-       corecmd_shell_domtrans(init_t, initrc_t)
+-',`
+-       # Run the shell in the sysadm role for single-user mode.
+-       # causes problems with upstart
+-       sysadm_shell_domtrans(init_t)
+# Run the shell in the sysadm role for single-user mode.
+# causes problems with upstart
+optional_policy(`
+       tunable_policy(`init_upstart',`
+               corecmd_shell_domtrans(init_t, initrc_t)
+       ',`
+               sysadm_shell_domtrans(init_t)
+       ')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index f5a5de7..d942f05 100644
+--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
+@@ -239,7 +239,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+ 
+-sysadm_shell_domtrans(sulogin_t)
+optional_policy(`
+       sysadm_shell_domtrans(sulogin_t)
+')
+ 
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
new file mode 100644
index 0000000..e39afca
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -0,0 +1,198 @@
+Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login in and run most
+commands and services on unconfined domains.
+Also add rules for users to run init scripts directly, instead of via
+run_init.
+Upstream-Status: Inappropriate [configuration] 
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ config/appconfig-mcs/seusers        |    4 +-
+ policy/modules/roles/sysadm.te      |    1 +
+ policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++------
+ policy/modules/system/unconfined.te |    7 +++++
+ policy/users                        |   14 +++------
+ 5 files changed, 54 insertions(+), 19 deletions(-)
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index dc5f1e4..4428da8 100644
+--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
+@@ -1,3 +1,3 @@
+ system_u:system_u:s0-mcs_systemhigh
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 85ff145..77d7bdc 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+ 
+ init_exec(sysadm_t)
+init_script_role_transition(sysadm_r)
+ 
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index d26fe81..fa46786 100644
+--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
+@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',`
+ #
+ interface(`init_spec_domtrans_script',`
+        gen_require(`
+-               type initrc_t, initrc_exec_t;
+               type initrc_t;
+               attribute init_script_file_type;
+        ')
+ 
+        files_list_etc($1)
+-       spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+       spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+ 
+        ifdef(`distro_gentoo',`
+                gen_require(`
+@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',`
+        ')
+ 
+        ifdef(`enable_mcs',`
+-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
+        ')
+ 
+        ifdef(`enable_mls',`
+-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+        ')
+ ')
+ 
+@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',`
+ #
+ interface(`init_domtrans_script',`
+        gen_require(`
+-               type initrc_t, initrc_exec_t;
+               type initrc_t;
+               attribute init_script_file_type;
+        ')
+ 
+        files_list_etc($1)
+-       domtrans_pattern($1, initrc_exec_t, initrc_t)
+       domtrans_pattern($1, init_script_file_type, initrc_t)
+ 
+        ifdef(`enable_mcs',`
+-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
+        ')
+ 
+        ifdef(`enable_mls',`
+-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+        ')
+ ')
+ 
+@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',`
+        ')
+        corenet_udp_recvfrom_labeled($1, daemon)
+ ')
+
+########################################
+## <summary>
+##     Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##     <p>
+##     Execute a init script in a specified role
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="source_role">
+##     <summary>
+##     Role to transition from.
+##     </summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+       gen_require(`
+               attribute init_script_file_type;
+       ')
+
+       role_transition $1 init_script_file_type system_r;
+')
+
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 0280b32..00b4dcf 100644
+--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t;
+ type unconfined_execmem_exec_t;
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
+role unconfined_r types unconfined_t;
+role system_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+ 
+ ########################################
+ #
+@@ -34,6 +39,8 @@ mcs_killall(unconfined_t)
+ mcs_ptrace_all(unconfined_t)
+ 
+ init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_script_role_transition(unconfined_r)
+ 
+ libs_run_ldconfig(unconfined_t, unconfined_r)
+ 
+diff --git a/policy/users b/policy/users
+index c4ebc7e..f300f22 100644
+--- a/policy/users
+++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # permit any access to such users, then remove this entry.
+ #
+ gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ # Until order dependence is fixed for users:
+-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # The following users correspond to Unix identities.
+@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+ # role should use the staff_r role instead of the user_r role when
+ # not in the sysadm_r.
+ #
+-ifdef(`direct_sysadm_daemon',`
+-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-')
+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-- 
+1.7.1
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
new file mode 100644
index 0000000..2d112b3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
@@ -0,0 +1,18 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy.  Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+include refpolicy_${PV}.inc
+SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+        file://refpolicy-unconfined_u-default-user.patch"
author	Wenzong Fan <wenzong.fan@windriver.com>	2014-03-24 21:07:49 -0400
committer	Joe MacDonald <joe@deserted.net>	2014-04-24 14:23:39 -0400
commit	cdb1ef995342b430141d4d052c20acda9ad054be (patch)
tree	33157feb1f559ba99e3e738fe0441c5766f2959a
parent	0362287928bc0a58b755488ebd74441c28eeeee2 (diff)
download	meta-selinux-cdb1ef995342b430141d4d052c20acda9ad054be.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch new file mode 100644 index 0000000..44dff5e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -0,0 +1,60 @@
	1	Subject: [PATCH] refpolicy: fix optional issue on sysadm module
	2
	3	init and locallogin modules have a depend for sysadm module because
	4	they have called sysadm interfaces(sysadm_shell_domtrans). Since
	5	sysadm is not a core module, we could make the sysadm_shell_domtrans
	6	calls optionally by optional_policy.
	7
	8	So, we could make the minimum policy without sysadm module.
	9
	10	Upstream-Status: pending
	11
	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	13	---
	14	policy/modules/system/init.te \| 14 ++++++++------
	15	policy/modules/system/locallogin.te \| 4 +++-
	16	2 files changed, 11 insertions(+), 7 deletions(-)
	17
	18	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
	19	index 4a88fa1..4548a7e 100644
	20	--- a/policy/modules/system/init.te
	21	+++ b/policy/modules/system/init.te
	22	@@ -188,12 +188,14 @@ ifdef(`distro_redhat',`
	23	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
	24	')
	25
	26	-tunable_policy(`init_upstart',`
	27	- corecmd_shell_domtrans(init_t, initrc_t)
	28	-',`
	29	- # Run the shell in the sysadm role for single-user mode.
	30	- # causes problems with upstart
	31	- sysadm_shell_domtrans(init_t)
	32	+# Run the shell in the sysadm role for single-user mode.
	33	+# causes problems with upstart
	34	+optional_policy(`
	35	+ tunable_policy(`init_upstart',`
	36	+ corecmd_shell_domtrans(init_t, initrc_t)
	37	+ ',`
	38	+ sysadm_shell_domtrans(init_t)
	39	+ ')
	40	')
	41
	42	optional_policy(`
	43	diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
	44	index f5a5de7..d942f05 100644
	45	--- a/policy/modules/system/locallogin.te
	46	+++ b/policy/modules/system/locallogin.te
	47	@@ -239,7 +239,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
	48	userdom_search_user_home_dirs(sulogin_t)
	49	userdom_use_user_ptys(sulogin_t)
	50
	51	-sysadm_shell_domtrans(sulogin_t)
	52	+optional_policy(`
	53	+ sysadm_shell_domtrans(sulogin_t)
	54	+')
	55
	56	# suse and debian do not use pam with sulogin...
	57	ifdef(`distro_suse', `define(`sulogin_no_pam')')
	58	--
	59	1.7.11.7
	60


diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch new file mode 100644 index 0000000..e39afca --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -0,0 +1,198 @@
	1	Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
	2
	3	For targeted policy type, we define unconfined_u as the default selinux
	4	user for root and normal users, so users could login in and run most
	5	commands and services on unconfined domains.
	6
	7	Also add rules for users to run init scripts directly, instead of via
	8	run_init.
	9
	10	Upstream-Status: Inappropriate [configuration]
	11
	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	13	---
	14	config/appconfig-mcs/seusers \| 4 +-
	15	policy/modules/roles/sysadm.te \| 1 +
	16	policy/modules/system/init.if \| 47 +++++++++++++++++++++++++++++------
	17	policy/modules/system/unconfined.te \| 7 +++++
	18	policy/users \| 14 +++------
	19	5 files changed, 54 insertions(+), 19 deletions(-)
	20
	21	diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
	22	index dc5f1e4..4428da8 100644
	23	--- a/config/appconfig-mcs/seusers
	24	+++ b/config/appconfig-mcs/seusers
	25	@@ -1,3 +1,3 @@
	26	system_u:system_u:s0-mcs_systemhigh
	27	-root:root:s0-mcs_systemhigh
	28	-__default__:user_u:s0
	29	+root:unconfined_u:s0-mcs_systemhigh
	30	+__default__:unconfined_u:s0
	31	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
	32	index 85ff145..77d7bdc 100644
	33	--- a/policy/modules/roles/sysadm.te
	34	+++ b/policy/modules/roles/sysadm.te
	35	@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t)
	36	ubac_fd_exempt(sysadm_t)
	37
	38	init_exec(sysadm_t)
	39	+init_script_role_transition(sysadm_r)
	40
	41	# Add/remove user home directories
	42	userdom_manage_user_home_dirs(sysadm_t)
	43	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
	44	index d26fe81..fa46786 100644
	45	--- a/policy/modules/system/init.if
	46	+++ b/policy/modules/system/init.if
	47	@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',`
	48	#
	49	interface(`init_spec_domtrans_script',`
	50	gen_require(`
	51	- type initrc_t, initrc_exec_t;
	52	+ type initrc_t;
	53	+ attribute init_script_file_type;
	54	')
	55
	56	files_list_etc($1)
	57	- spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
	58	+ spec_domtrans_pattern($1, init_script_file_type, initrc_t)
	59
	60	ifdef(`distro_gentoo',`
	61	gen_require(`
	62	@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',`
	63	')
	64
	65	ifdef(`enable_mcs',`
	66	- range_transition $1 initrc_exec_t:process s0;
	67	+ range_transition $1 init_script_file_type:process s0;
	68	')
	69
	70	ifdef(`enable_mls',`
	71	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	72	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	73	')
	74	')
	75
	76	@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',`
	77	#
	78	interface(`init_domtrans_script',`
	79	gen_require(`
	80	- type initrc_t, initrc_exec_t;
	81	+ type initrc_t;
	82	+ attribute init_script_file_type;
	83	')
	84
	85	files_list_etc($1)
	86	- domtrans_pattern($1, initrc_exec_t, initrc_t)
	87	+ domtrans_pattern($1, init_script_file_type, initrc_t)
	88
	89	ifdef(`enable_mcs',`
	90	- range_transition $1 initrc_exec_t:process s0;
	91	+ range_transition $1 init_script_file_type:process s0;
	92	')
	93
	94	ifdef(`enable_mls',`
	95	- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
	96	+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	97	')
	98	')
	99
	100	@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',`
	101	')
	102	corenet_udp_recvfrom_labeled($1, daemon)
	103	')
	104	+
	105	+########################################
	106	+## <summary>
	107	+## Transition to system_r when execute an init script
	108	+## </summary>
	109	+## <desc>
	110	+## <p>
	111	+## Execute a init script in a specified role
	112	+## </p>
	113	+## <p>
	114	+## No interprocess communication (signals, pipes,
	115	+## etc.) is provided by this interface since
	116	+## the domains are not owned by this module.
	117	+## </p>
	118	+## </desc>
	119	+## <param name="source_role">
	120	+## <summary>
	121	+## Role to transition from.
	122	+## </summary>
	123	+## </param>
	124	+#
	125	+interface(`init_script_role_transition',`
	126	+ gen_require(`
	127	+ attribute init_script_file_type;
	128	+ ')
	129	+
	130	+ role_transition $1 init_script_file_type system_r;
	131	+')
	132	+
	133	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
	134	index 0280b32..00b4dcf 100644
	135	--- a/policy/modules/system/unconfined.te
	136	+++ b/policy/modules/system/unconfined.te
	137	@@ -20,6 +20,11 @@ type unconfined_execmem_t;
	138	type unconfined_execmem_exec_t;
	139	init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
	140	role unconfined_r types unconfined_execmem_t;
	141	+role unconfined_r types unconfined_t;
	142	+role system_r types unconfined_t;
	143	+role_transition system_r unconfined_exec_t unconfined_r;
	144	+allow system_r unconfined_r;
	145	+allow unconfined_r system_r;
	146
	147	########################################
	148	#
	149	@@ -34,6 +39,8 @@ mcs_killall(unconfined_t)
	150	mcs_ptrace_all(unconfined_t)
	151
	152	init_run_daemon(unconfined_t, unconfined_r)
	153	+init_domtrans_script(unconfined_t)
	154	+init_script_role_transition(unconfined_r)
	155
	156	libs_run_ldconfig(unconfined_t, unconfined_r)
	157
	158	diff --git a/policy/users b/policy/users
	159	index c4ebc7e..f300f22 100644
	160	--- a/policy/users
	161	+++ b/policy/users
	162	@@ -15,7 +15,7 @@
	163	# and a user process should never be assigned the system user
	164	# identity.
	165	#
	166	-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	167	+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
	168
	169	#
	170	# user_u is a generic user identity for Linux users who have no
	171	@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	172	# permit any access to such users, then remove this entry.
	173	#
	174	gen_user(user_u, user, user_r, s0, s0)
	175	-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
	176	-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
	177	+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
	178	+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
	179
	180	# Until order dependence is fixed for users:
	181	-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
	182	+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	183
	184	#
	185	# The following users correspond to Unix identities.
	186	@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
	187	# role should use the staff_r role instead of the user_r role when
	188	# not in the sysadm_r.
	189	#
	190	-ifdef(`direct_sysadm_daemon',`
	191	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	192	-',`
	193	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
	194	-')
	195	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
	196	--
	197	1.7.1
	198


diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb new file mode 100644 index 0000000..2d112b3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
@@ -0,0 +1,18 @@
	1	SUMMARY = "SELinux targeted policy"
	2	DESCRIPTION = "\
	3	This is the targeted variant of the SELinux reference policy. Most service \
	4	domains are locked down. Users and admins will login in with unconfined_t \
	5	domain, so they have the same access to the system as if SELinux was not \
	6	enabled. \
	7	"
	8
	9	FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
	10
	11	POLICY_NAME = "targeted"
	12	POLICY_TYPE = "mcs"
	13	POLICY_MLS_SENS = "0"
	14
	15	include refpolicy_${PV}.inc
	16
	17	SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
	18	file://refpolicy-unconfined_u-default-user.patch"