diff options
| author | Philip Tricca <flihp@twobit.us> | 2015-11-08 18:29:55 +0000 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-11-27 09:18:14 -0500 |
| commit | 8864246d33150a88f351f2a07815bd02799de549 (patch) | |
| tree | 5abc9bcde06cde90397612c60f828b0a95c27391 | |
| parent | cfd609806768202a84205382bd5ed78eee161e4e (diff) | |
| download | meta-selinux-8864246d33150a88f351f2a07815bd02799de549.tar.gz | |
refpolicy-git: Refresh poky-policy-fix-new-SELINUXMNT-in-sys.patch.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch | 100 |
1 files changed, 25 insertions, 75 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch index 302a38f..005e28f 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch | |||
| @@ -14,8 +14,10 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 14 | policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++-- | 14 | policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++-- |
| 15 | 1 file changed, 32 insertions(+), 2 deletions(-) | 15 | 1 file changed, 32 insertions(+), 2 deletions(-) |
| 16 | 16 | ||
| 17 | --- a/policy/modules/kernel/selinux.if | 17 | Index: refpolicy/policy/modules/kernel/selinux.if |
| 18 | +++ b/policy/modules/kernel/selinux.if | 18 | =================================================================== |
| 19 | --- refpolicy.orig/policy/modules/kernel/selinux.if | ||
| 20 | +++ refpolicy/policy/modules/kernel/selinux.if | ||
| 19 | @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` | 21 | @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` |
| 20 | type security_t; | 22 | type security_t; |
| 21 | ') | 23 | ') |
| @@ -27,7 +29,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 27 | # starting in libselinux 2.0.5, init_selinuxmnt() will | 29 | # starting in libselinux 2.0.5, init_selinuxmnt() will |
| 28 | # attempt to short circuit by checking if SELINUXMNT | 30 | # attempt to short circuit by checking if SELINUXMNT |
| 29 | # (/selinux) is already a selinuxfs | 31 | # (/selinux) is already a selinuxfs |
| 30 | @@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun | 32 | @@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun |
| 31 | type security_t; | 33 | type security_t; |
| 32 | ') | 34 | ') |
| 33 | 35 | ||
| @@ -35,7 +37,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 35 | # starting in libselinux 2.0.5, init_selinuxmnt() will | 37 | # starting in libselinux 2.0.5, init_selinuxmnt() will |
| 36 | # attempt to short circuit by checking if SELINUXMNT | 38 | # attempt to short circuit by checking if SELINUXMNT |
| 37 | # (/selinux) is already a selinuxfs | 39 | # (/selinux) is already a selinuxfs |
| 38 | @@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` | 40 | @@ -117,6 +122,8 @@ interface(`selinux_mount_fs',` |
| 39 | type security_t; | 41 | type security_t; |
| 40 | ') | 42 | ') |
| 41 | 43 | ||
| @@ -44,7 +46,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 44 | allow $1 security_t:filesystem mount; | 46 | allow $1 security_t:filesystem mount; |
| 45 | ') | 47 | ') |
| 46 | 48 | ||
| 47 | @@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` | 49 | @@ -136,6 +143,8 @@ interface(`selinux_remount_fs',` |
| 48 | type security_t; | 50 | type security_t; |
| 49 | ') | 51 | ') |
| 50 | 52 | ||
| @@ -53,7 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 53 | allow $1 security_t:filesystem remount; | 55 | allow $1 security_t:filesystem remount; |
| 54 | ') | 56 | ') |
| 55 | 57 | ||
| 56 | @@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` | 58 | @@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',` |
| 57 | type security_t; | 59 | type security_t; |
| 58 | ') | 60 | ') |
| 59 | 61 | ||
| @@ -62,24 +64,24 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 62 | allow $1 security_t:filesystem unmount; | 64 | allow $1 security_t:filesystem unmount; |
| 63 | ') | 65 | ') |
| 64 | 66 | ||
| 65 | @@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` | 67 | @@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',` |
| 66 | type security_t; | 68 | type security_t; |
| 67 | ') | 69 | ') |
| 68 | 70 | ||
| 69 | + dev_getattr_sysfs_dirs($1) | 71 | + dev_getattr_sysfs_dirs($1) |
| 70 | + dev_search_sysfs($1) | 72 | + dev_search_sysfs($1) |
| 71 | allow $1 security_t:filesystem getattr; | 73 | allow $1 security_t:filesystem getattr; |
| 72 | ') | ||
| 73 | 74 | ||
| 74 | @@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs' | 75 | dev_getattr_sysfs($1) |
| 76 | @@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs' | ||
| 75 | type security_t; | 77 | type security_t; |
| 76 | ') | 78 | ') |
| 77 | 79 | ||
| 78 | + dev_dontaudit_search_sysfs($1) | 80 | + dev_dontaudit_search_sysfs($1) |
| 79 | dontaudit $1 security_t:filesystem getattr; | 81 | dontaudit $1 security_t:filesystem getattr; |
| 80 | ') | ||
| 81 | 82 | ||
| 82 | @@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir | 83 | dev_dontaudit_getattr_sysfs($1) |
| 84 | @@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir | ||
| 83 | type security_t; | 85 | type security_t; |
| 84 | ') | 86 | ') |
| 85 | 87 | ||
| @@ -87,7 +89,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 87 | dontaudit $1 security_t:dir getattr; | 89 | dontaudit $1 security_t:dir getattr; |
| 88 | ') | 90 | ') |
| 89 | 91 | ||
| 90 | @@ -220,6 +235,7 @@ interface(`selinux_search_fs',` | 92 | @@ -234,6 +249,7 @@ interface(`selinux_search_fs',` |
| 91 | type security_t; | 93 | type security_t; |
| 92 | ') | 94 | ') |
| 93 | 95 | ||
| @@ -95,7 +97,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 95 | dev_search_sysfs($1) | 97 | dev_search_sysfs($1) |
| 96 | allow $1 security_t:dir search_dir_perms; | 98 | allow $1 security_t:dir search_dir_perms; |
| 97 | ') | 99 | ') |
| 98 | @@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs', | 100 | @@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs', |
| 99 | type security_t; | 101 | type security_t; |
| 100 | ') | 102 | ') |
| 101 | 103 | ||
| @@ -103,7 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 103 | dontaudit $1 security_t:dir search_dir_perms; | 105 | dontaudit $1 security_t:dir search_dir_perms; |
| 104 | ') | 106 | ') |
| 105 | 107 | ||
| 106 | @@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` | 108 | @@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',` |
| 107 | type security_t; | 109 | type security_t; |
| 108 | ') | 110 | ') |
| 109 | 111 | ||
| @@ -111,7 +113,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 111 | dontaudit $1 security_t:dir search_dir_perms; | 113 | dontaudit $1 security_t:dir search_dir_perms; |
| 112 | dontaudit $1 security_t:file read_file_perms; | 114 | dontaudit $1 security_t:file read_file_perms; |
| 113 | ') | 115 | ') |
| 114 | @@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',` | 116 | @@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',` |
| 115 | type security_t; | 117 | type security_t; |
| 116 | ') | 118 | ') |
| 117 | 119 | ||
| @@ -119,23 +121,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 119 | dev_search_sysfs($1) | 121 | dev_search_sysfs($1) |
| 120 | allow $1 security_t:dir list_dir_perms; | 122 | allow $1 security_t:dir list_dir_perms; |
| 121 | allow $1 security_t:file read_file_perms; | 123 | allow $1 security_t:file read_file_perms; |
| 122 | @@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',` | 124 | @@ -361,6 +380,7 @@ interface(`selinux_read_policy',` |
| 123 | bool secure_mode_policyload; | ||
| 124 | ') | ||
| 125 | |||
| 126 | + dev_getattr_sysfs_dirs($1) | ||
| 127 | dev_search_sysfs($1) | ||
| 128 | allow $1 security_t:dir list_dir_perms; | ||
| 129 | allow $1 security_t:file rw_file_perms; | ||
| 130 | @@ -345,6 +365,7 @@ interface(`selinux_load_policy',` | ||
| 131 | bool secure_mode_policyload; | ||
| 132 | ') | ||
| 133 | |||
| 134 | + dev_getattr_sysfs_dirs($1) | ||
| 135 | dev_search_sysfs($1) | ||
| 136 | allow $1 security_t:dir list_dir_perms; | ||
| 137 | allow $1 security_t:file rw_file_perms; | ||
| 138 | @@ -375,6 +396,7 @@ interface(`selinux_read_policy',` | ||
| 139 | type security_t; | 125 | type security_t; |
| 140 | ') | 126 | ') |
| 141 | 127 | ||
| @@ -143,35 +129,23 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 143 | dev_search_sysfs($1) | 129 | dev_search_sysfs($1) |
| 144 | allow $1 security_t:dir list_dir_perms; | 130 | allow $1 security_t:dir list_dir_perms; |
| 145 | allow $1 security_t:file read_file_perms; | 131 | allow $1 security_t:file read_file_perms; |
| 146 | @@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans' | 132 | @@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans' |
| 147 | type security_t; | 133 | type security_t; |
| 148 | ') | 134 | ') |
| 149 | 135 | ||
| 150 | + dev_getattr_sysfs_dirs($1) | 136 | + dev_getattr_sysfs_dirs($1) |
| 151 | dev_search_sysfs($1) | 137 | dev_search_sysfs($1) |
| 152 | - | ||
| 153 | allow $1 security_t:dir list_dir_perms; | ||
| 154 | allow $1 security_t:file rw_file_perms; | ||
| 155 | 138 | ||
| 156 | @@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',` | 139 | allow $1 security_t:dir list_dir_perms; |
| 140 | @@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',` | ||
| 157 | bool secure_mode_policyload; | 141 | bool secure_mode_policyload; |
| 158 | ') | 142 | ') |
| 159 | 143 | ||
| 160 | + dev_getattr_sysfs_dirs($1) | 144 | + dev_getattr_sysfs_dirs($1) |
| 161 | dev_search_sysfs($1) | 145 | dev_search_sysfs($1) |
| 162 | - | ||
| 163 | allow $1 security_t:dir list_dir_perms; | ||
| 164 | allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; | ||
| 165 | allow $1 secure_mode_policyload_t:file read_file_perms; | ||
| 166 | @@ -528,6 +550,7 @@ interface(`selinux_set_parameters',` | ||
| 167 | attribute can_setsecparam; | ||
| 168 | ') | ||
| 169 | 146 | ||
| 170 | + dev_getattr_sysfs_dirs($1) | ||
| 171 | dev_search_sysfs($1) | ||
| 172 | allow $1 security_t:dir list_dir_perms; | 147 | allow $1 security_t:dir list_dir_perms; |
| 173 | allow $1 security_t:file rw_file_perms; | 148 | @@ -522,6 +544,7 @@ interface(`selinux_validate_context',` |
| 174 | @@ -552,6 +575,7 @@ interface(`selinux_validate_context',` | ||
| 175 | type security_t; | 149 | type security_t; |
| 176 | ') | 150 | ') |
| 177 | 151 | ||
| @@ -179,7 +153,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 179 | dev_search_sysfs($1) | 153 | dev_search_sysfs($1) |
| 180 | allow $1 security_t:dir list_dir_perms; | 154 | allow $1 security_t:dir list_dir_perms; |
| 181 | allow $1 security_t:file rw_file_perms; | 155 | allow $1 security_t:file rw_file_perms; |
| 182 | @@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co | 156 | @@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co |
| 183 | type security_t; | 157 | type security_t; |
| 184 | ') | 158 | ') |
| 185 | 159 | ||
| @@ -187,31 +161,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 187 | dontaudit $1 security_t:dir list_dir_perms; | 161 | dontaudit $1 security_t:dir list_dir_perms; |
| 188 | dontaudit $1 security_t:file rw_file_perms; | 162 | dontaudit $1 security_t:file rw_file_perms; |
| 189 | dontaudit $1 security_t:security check_context; | 163 | dontaudit $1 security_t:security check_context; |
| 190 | @@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector | 164 | @@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector |
| 191 | type security_t; | ||
| 192 | ') | ||
| 193 | |||
| 194 | + dev_getattr_sysfs_dirs($1) | ||
| 195 | dev_search_sysfs($1) | ||
| 196 | allow $1 security_t:dir list_dir_perms; | ||
| 197 | allow $1 security_t:file rw_file_perms; | ||
| 198 | @@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex | ||
| 199 | type security_t; | ||
| 200 | ') | ||
| 201 | |||
| 202 | + dev_getattr_sysfs_dirs($1) | ||
| 203 | dev_search_sysfs($1) | ||
| 204 | allow $1 security_t:dir list_dir_perms; | ||
| 205 | allow $1 security_t:file rw_file_perms; | ||
| 206 | @@ -639,6 +666,7 @@ interface(`selinux_compute_member',` | ||
| 207 | type security_t; | ||
| 208 | ') | ||
| 209 | |||
| 210 | + dev_getattr_sysfs_dirs($1) | ||
| 211 | dev_search_sysfs($1) | ||
| 212 | allow $1 security_t:dir list_dir_perms; | ||
| 213 | allow $1 security_t:file rw_file_perms; | ||
| 214 | @@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte | ||
| 215 | type security_t; | 165 | type security_t; |
| 216 | ') | 166 | ') |
| 217 | 167 | ||
| @@ -219,7 +169,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 219 | dev_search_sysfs($1) | 169 | dev_search_sysfs($1) |
| 220 | allow $1 security_t:dir list_dir_perms; | 170 | allow $1 security_t:dir list_dir_perms; |
| 221 | allow $1 security_t:file rw_file_perms; | 171 | allow $1 security_t:file rw_file_perms; |
| 222 | @@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts | 172 | @@ -660,6 +685,7 @@ interface(`selinux_compute_user_contexts |
| 223 | type security_t; | 173 | type security_t; |
| 224 | ') | 174 | ') |
| 225 | 175 | ||