refpolicy: Fix specific file contexts for poky

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-09-11 14:09:24 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2012-10-18 11:07:43 +0800
commit: b95c77e3d28d77141eac6e09058ffc9fecedc7ed (patch)
tree: 6f007f8808d8d67f4ccf3d4a08478a30a1c916e3
parent: 493195cbba8f91ecd97aef3a8fbdba1092e766a6 (diff)
download: meta-selinux-b95c77e3d28d77141eac6e09058ffc9fecedc7ed.tar.gz
8 files changed, 245 insertions, 2 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
new file mode 100644
index 0000000..ef7287c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] fc: fix prefix path for rpc*
+rpc* packages have installed files with the /usr prefix in poky, so fix 
+file contexts for them.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.fc     |    4 ++--
+ policy/modules/contrib/rpcbind.fc |    2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
+index 5c70c0c..52db849 100644
+--- a/policy/modules/contrib/rpc.fc
+++ b/policy/modules/contrib/rpc.fc
+@@ -9,8 +9,8 @@
+ #
+ # /sbin
+ #
+-/sbin/rpc\..*          --      gen_context(system_u:object_r:rpcd_exec_t,s0)
+-/sbin/sm-notify                --      gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/rpc\..*      --      gen_context(system_u:object_r:rpcd_exec_t,s0)
+/usr/sbin/sm-notify            --      gen_context(system_u:object_r:rpcd_exec_t,s0)
+ 
+ #
+ # /usr
+diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
+index f5c47d6..3cd9e62 100644
+--- a/policy/modules/contrib/rpcbind.fc
+++ b/policy/modules/contrib/rpcbind.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/rpcbind     --      gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+ 
+-/sbin/rpcbind          --      gen_context(system_u:object_r:rpcbind_exec_t,s0)
+/usr/sbin/rpcbind      --      gen_context(system_u:object_r:rpcbind_exec_t,s0)
+ 
+ /var/lib/rpcbind(/.*)?         gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+ 
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/authlogin.fc |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+ 
+ /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.shadow     --      gen_context(system_u:object_r:login_exec_t,s0)
+/bin/login\.tinylogin  --      gen_context(system_u:object_r:login_exec_t,s0)
+ 
+ /etc/\.pwd\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock       --      gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+ 
+ /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_chkpwd  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_update  --      gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_verify  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
new file mode 100644
index 0000000..80cca67
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+ /etc/hosts\.deny.*     --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*       --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*    --      gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolv\.conf.*        --      gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*                --      gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?               gen_context(system_u:object_r:dhcp_etc_t,s0)
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
new file mode 100644
index 0000000..2eaecdf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
@@ -0,0 +1,31 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+This file is used for Linux distros to define specific pathes 
+mapping to the pathes in file_contexts.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ config/file_contexts.subs_dist |    8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 32b87a4..ebba73d 100644
+--- a/config/file_contexts.subs_dist
+++ b/config/file_contexts.subs_dist
+@@ -5,3 +5,11 @@
+ /usr/lib32 /usr/lib
+ /usr/lib64 /usr/lib
+ /var/run/lock /var/lock
+/etc/init.d /etc/rc.d/init.d
+/var/volatile/log /var/log
+/var/volatile/run /var/run
+/var/volatile/cache /var/cache
+/var/volatile/tmp /var/tmp
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
+/www /var/www
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
new file mode 100644
index 0000000..e647668
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] fix update-alternatives for hostname
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/hostname.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
+++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+ 
+ /bin/hostname          --      gen_context(system_u:object_r:hostname_exec_t,s0)
+/bin/hostname\.net-tools       --      gen_context(system_u:object_r:hostname_exec_t,s0)
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
new file mode 100644
index 0000000..c3c5fe1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,55 @@
+Subject: [PATCH] fix update-alternatives for sysklogd
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
+for syslogd_t to read syslog_conf_t lnk_file is needed.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.fc |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 02f4c97..3cb65f1 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -2,19 +2,23 @@
+ 
+ /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog.conf\.sysklogd     gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?               gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd --   gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+ 
+ /sbin/audispd          --      gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote    --      gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl         --      gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd           --      gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd            --      gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/klogd\.sysklogd  --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/minilogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/rklogd           --      gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/rsyslogd         --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/syslogd\.sysklogd        --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+ /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index b6b0ddf..a3a25c2 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -369,6 +369,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
new file mode 100644
index 0000000..ae06dfa
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix update-alternatives for tinylogin getty
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/getty.fc |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index e1a1848..a0bfd2e 100644
+--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
+@@ -2,6 +2,7 @@
+ /etc/mgetty(/.*)?              gen_context(system_u:object_r:getty_etc_t,s0)
+ 
+ /sbin/.*getty          --      gen_context(system_u:object_r:getty_exec_t,s0)
+/sbin/getty\.tinylogin --      gen_context(system_u:object_r:getty_exec_t,s0)
+ 
+ /var/log/mgetty\.log.* --      gen_context(system_u:object_r:getty_log_t,s0)
+ /var/log/vgetty\.log\..* --    gen_context(system_u:object_r:getty_log_t,s0)
+-- 
+1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
index 06ea436..b588010 100644
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -3,7 +3,16 @@ SRC_URI[md5sum] = "8aaa8a23cc1b7b7045f6f134e879ddb7"
 SRC_URI[sha256sum] = "7cd46ed908a4001368e6509d93e306ec6c9af2bfa6b70db88c9eaaefe257c635"
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-SRC_URI += "file://poky-fc-update-alternatives_sysvinit.patch \
-            "
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+            file://poky-fc-update-alternatives_sysvinit.patch \
+            file://poky-fc-update-alternatives_tinylogin.patch \
+            file://poky-fc-update-alternatives_sysklogd.patch \
+            file://poky-fc-update-alternatives_hostname.patch \
+            file://poky-fc-fix-prefix-path_rpc.patch \
+            file://poky-fc-fix-real-path_resolv.conf.patch \
+            file://poky-fc-fix-real-path_login.patch \
+           "
 include refpolicy_common.inc
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-09-11 14:09:24 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2012-10-18 11:07:43 +0800
commit	b95c77e3d28d77141eac6e09058ffc9fecedc7ed (patch)
tree	6f007f8808d8d67f4ccf3d4a08478a30a1c916e3
parent	493195cbba8f91ecd97aef3a8fbdba1092e766a6 (diff)
download	meta-selinux-b95c77e3d28d77141eac6e09058ffc9fecedc7ed.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch new file mode 100644 index 0000000..ef7287c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
@@ -0,0 +1,43 @@
		1	Subject: [PATCH] fc: fix prefix path for rpc*
		2
		3	rpc* packages have installed files with the /usr prefix in poky, so fix
		4	file contexts for them.
		5
		6	Upstream-Status: Inappropriate [only for Poky]
		7
		8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		9	---
		10	policy/modules/contrib/rpc.fc \| 4 ++--
		11	policy/modules/contrib/rpcbind.fc \| 2 +-
		12	2 files changed, 3 insertions(+), 3 deletions(-)
		13
		14	diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
		15	index 5c70c0c..52db849 100644
		16	--- a/policy/modules/contrib/rpc.fc
		17	+++ b/policy/modules/contrib/rpc.fc
		18	@@ -9,8 +9,8 @@
		19	#
		20	# /sbin
		21	#
		22	-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
		23	-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
		24	+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
		25	+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
		26
		27	#
		28	# /usr
		29	diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
		30	index f5c47d6..3cd9e62 100644
		31	--- a/policy/modules/contrib/rpcbind.fc
		32	+++ b/policy/modules/contrib/rpcbind.fc
		33	@@ -1,6 +1,6 @@
		34	/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
		35
		36	-/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
		37	+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
		38
		39	/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
		40
		41	--
		42	1.7.5.4
		43


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch new file mode 100644 index 0000000..427181e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
@@ -0,0 +1,37 @@
		1	Subject: [PATCH] fix real path for login commands.
		2
		3	Upstream-Status: Inappropriate [only for Poky]
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/system/authlogin.fc \| 7 ++++---
		8	1 files changed, 4 insertions(+), 3 deletions(-)
		9
		10	diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
		11	index 28ad538..c8dd17f 100644
		12	--- a/policy/modules/system/authlogin.fc
		13	+++ b/policy/modules/system/authlogin.fc
		14	@@ -1,5 +1,7 @@
		15
		16	/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
		17	+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
		18	+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
		19
		20	/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
		21	/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
		22	@@ -9,9 +11,9 @@
		23
		24	/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
		25	/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
		26	-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
		27	-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
		28	-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
		29	+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
		30	+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
		31	+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
		32	ifdef(`distro_suse', `
		33	/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
		34	')
		35	--
		36	1.7.5.4
		37


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch new file mode 100644 index 0000000..80cca67 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
		1	Subject: [PATCH] fix real path for resolv.conf
		2
		3	Upstream-Status: Inappropriate [only for Poky]
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/system/sysnetwork.fc \| 1 +
		8	1 files changed, 1 insertions(+), 0 deletions(-)
		9
		10	diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
		11	index 346a7cc..dec8632 100644
		12	--- a/policy/modules/system/sysnetwork.fc
		13	+++ b/policy/modules/system/sysnetwork.fc
		14	@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
		15	/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
		16	/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
		17	/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
		18	+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
		19	/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
		20
		21	/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
		22	--
		23	1.7.5.4
		24


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch new file mode 100644 index 0000000..2eaecdf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
@@ -0,0 +1,31 @@
		1	Subject: [PATCH] fix file_contexts.subs_dist for poky
		2
		3	This file is used for Linux distros to define specific pathes
		4	mapping to the pathes in file_contexts.
		5
		6	Upstream-Status: Inappropriate [only for Poky]
		7
		8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		9	---
		10	config/file_contexts.subs_dist \| 8 ++++++++
		11	1 files changed, 8 insertions(+), 0 deletions(-)
		12
		13	diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
		14	index 32b87a4..ebba73d 100644
		15	--- a/config/file_contexts.subs_dist
		16	+++ b/config/file_contexts.subs_dist
		17	@@ -5,3 +5,11 @@
		18	/usr/lib32 /usr/lib
		19	/usr/lib64 /usr/lib
		20	/var/run/lock /var/lock
		21	+/etc/init.d /etc/rc.d/init.d
		22	+/var/volatile/log /var/log
		23	+/var/volatile/run /var/run
		24	+/var/volatile/cache /var/cache
		25	+/var/volatile/tmp /var/tmp
		26	+/var/volatile/lock /var/lock
		27	+/var/volatile/run/lock /var/lock
		28	+/www /var/www
		29	--
		30	1.7.5.4
		31


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch new file mode 100644 index 0000000..e647668 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,20 @@
		1	Subject: [PATCH] fix update-alternatives for hostname
		2
		3	Upstream-Status: Inappropriate [only for Poky]
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/system/hostname.fc \| 1 +
		8	1 files changed, 1 insertions(+), 0 deletions(-)
		9
		10	diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
		11	index 9dfecf7..4003b6d 100644
		12	--- a/policy/modules/system/hostname.fc
		13	+++ b/policy/modules/system/hostname.fc
		14	@@ -1,2 +1,3 @@
		15
		16	/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
		17	+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
		18	--
		19	1.7.5.4
		20


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch new file mode 100644 index 0000000..c3c5fe1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,55 @@
		1	Subject: [PATCH] fix update-alternatives for sysklogd
		2
		3	/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
		4	for syslogd_t to read syslog_conf_t lnk_file is needed.
		5
		6	Upstream-Status: Inappropriate [only for Poky]
		7
		8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		9	---
		10	policy/modules/system/logging.fc \| 4 ++++
		11	1 files changed, 4 insertions(+), 0 deletions(-)
		12
		13	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
		14	index 02f4c97..3cb65f1 100644
		15	--- a/policy/modules/system/logging.fc
		16	+++ b/policy/modules/system/logging.fc
		17	@@ -2,19 +2,23 @@
		18
		19	/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
		20	/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
		21	+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
		22	/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
		23	/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
		24	/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
		25	+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
		26
		27	/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
		28	/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
		29	/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
		30	/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
		31	/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
		32	+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
		33	/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
		34	/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
		35	/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
		36	/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
		37	+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
		38	/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
		39
		40	/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
		41	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		42	index b6b0ddf..a3a25c2 100644
		43	--- a/policy/modules/system/logging.te
		44	+++ b/policy/modules/system/logging.te
		45	@@ -369,6 +369,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
		46	allow syslogd_t self:tcp_socket create_stream_socket_perms;
		47
		48	allow syslogd_t syslog_conf_t:file read_file_perms;
		49	+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
		50
		51	# Create and bind to /dev/log or /var/run/log.
		52	allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
		53	--
		54	1.7.5.4
		55


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch new file mode 100644 index 0000000..ae06dfa --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
@@ -0,0 +1,24 @@
		1	Subject: [PATCH] fix update-alternatives for tinylogin getty
		2
		3	Upstream-Status: Inappropriate [only for Poky]
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/system/getty.fc \| 1 +
		8	1 files changed, 1 insertions(+), 0 deletions(-)
		9
		10	diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
		11	index e1a1848..a0bfd2e 100644
		12	--- a/policy/modules/system/getty.fc
		13	+++ b/policy/modules/system/getty.fc
		14	@@ -2,6 +2,7 @@
		15	/etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0)
		16
		17	/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
		18	+/sbin/getty\.tinylogin -- gen_context(system_u:object_r:getty_exec_t,s0)
		19
		20	/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
		21	/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
		22	--
		23	1.7.5.4
		24


diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc index 06ea436..b588010 100644 --- a/recipes-security/refpolicy/refpolicy_2.20120725.inc +++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -3,7 +3,16 @@ SRC_URI[md5sum] = "8aaa8a23cc1b7b7045f6f134e879ddb7"
3	SRC_URI[sha256sum] = "7cd46ed908a4001368e6509d93e306ec6c9af2bfa6b70db88c9eaaefe257c635"	3	SRC_URI[sha256sum] = "7cd46ed908a4001368e6509d93e306ec6c9af2bfa6b70db88c9eaaefe257c635"
4		4
5	FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"	5	FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
6	SRC_URI += "file://poky-fc-update-alternatives_sysvinit.patch \	6
7	"	7	# Fix file contexts for Poky
		8	SRC_URI += "file://poky-fc-subs_dist.patch \
		9	file://poky-fc-update-alternatives_sysvinit.patch \
		10	file://poky-fc-update-alternatives_tinylogin.patch \
		11	file://poky-fc-update-alternatives_sysklogd.patch \
		12	file://poky-fc-update-alternatives_hostname.patch \
		13	file://poky-fc-fix-prefix-path_rpc.patch \
		14	file://poky-fc-fix-real-path_resolv.conf.patch \
		15	file://poky-fc-fix-real-path_login.patch \
		16	"
8		17
9	include refpolicy_common.inc	18	include refpolicy_common.inc