diff options
| author | Shrikant Bobade <shrikant_bobade@mentor.com> | 2015-08-03 19:05:05 +0530 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-08-07 17:33:21 -0400 |
| commit | b76d7df5522d9e41fc3e25f07d7f2d55f9e90f56 (patch) | |
| tree | 8d16bccb3552803c57d53605d3e5ca0c53db93f2 | |
| parent | 6a775bb8ed866fac87f2a9b11a8ff11988a40ac6 (diff) | |
| download | meta-selinux-b76d7df5522d9e41fc3e25f07d7f2d55f9e90f56.tar.gz | |
refpolicy git: rebase patches with code base
During forward-port of these patches from refpolicy 20140311,
requires rebase with the refpolicy git repos head master
code base,in order to resolve the patch conflicts.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
5 files changed, 74 insertions, 77 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch index 38c96c4..9c45694 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001 | 1 | From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 |
| 2 | From: Wenzong Fan <wenzong.fan@windriver.com> | 2 | From: Wenzong Fan <wenzong.fan@windriver.com> |
| 3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 | 3 | Date: Mon, 27 Jan 2014 03:54:01 -0500 |
| 4 | Subject: [PATCH] refpolicy: fix real path for fstools | 4 | Subject: [PATCH] refpolicy: fix real path for fstools |
| @@ -7,59 +7,64 @@ Upstream-Status: Inappropriate [configuration] | |||
| 7 | 7 | ||
| 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | 8 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> |
| 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | 9 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> |
| 10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 10 | --- | 11 | --- |
| 11 | policy/modules/system/fstools.fc | 11 +++++++++++ | 12 | policy/modules/system/fstools.fc | 9 +++++++++ |
| 12 | 1 file changed, 11 insertions(+) | 13 | 1 file changed, 9 insertions(+) |
| 13 | 14 | ||
| 15 | diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc | ||
| 16 | index d10368d..f22761a 100644 | ||
| 14 | --- a/policy/modules/system/fstools.fc | 17 | --- a/policy/modules/system/fstools.fc |
| 15 | +++ b/policy/modules/system/fstools.fc | 18 | +++ b/policy/modules/system/fstools.fc |
| 16 | @@ -1,6 +1,8 @@ | 19 | @@ -1,6 +1,8 @@ |
| 17 | /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 20 | /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 18 | /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 21 | /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 19 | +/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 22 | +/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 20 | /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 23 | /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 21 | +/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 24 | +/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 22 | /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 25 | /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 23 | /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 26 | /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 24 | /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 27 | /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 25 | @@ -9,9 +11,11 @@ | 28 | @@ -9,9 +11,12 @@ |
| 26 | /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 29 | /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 27 | /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 30 | /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 28 | /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 31 | /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 29 | +/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 32 | +/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 30 | /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 33 | /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 34 | +/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 31 | /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 35 | /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 32 | /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 36 | /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 33 | +/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 37 | +/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 34 | /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 38 | /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 35 | /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 39 | /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 36 | /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 40 | /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 37 | @@ -24,6 +28,7 @@ | 41 | @@ -24,6 +29,7 @@ |
| 38 | /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 42 | /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 39 | /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 43 | /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 40 | /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 44 | /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 41 | +/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 45 | +/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 42 | /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 46 | /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 43 | /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 47 | /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 44 | /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 48 | /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 45 | @@ -34,6 +39,7 @@ | 49 | @@ -32,8 +38,10 @@ |
| 50 | /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 51 | /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 46 | /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 52 | /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 53 | +/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 47 | /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 54 | /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 48 | /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 55 | /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 49 | +/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 56 | +/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 50 | /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 57 | /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 51 | /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 58 | /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 52 | /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 59 | /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 53 | @@ -50,7 +56,12 @@ | 60 | @@ -45,6 +53,7 @@ |
| 54 | 61 | ||
| 55 | /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 62 | /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 56 | /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 63 | /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 57 | +/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 58 | /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 59 | +/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 60 | +/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) | ||
| 61 | +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 64 | +/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 62 | +/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 65 | /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 63 | /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) | 66 | /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) |
| 64 | 67 | ||
| 65 | /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) | 68 | -- |
| 69 | 1.7.9.5 | ||
| 70 | |||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch index e0af6a1..64f497d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch | |||
| @@ -1,41 +1,46 @@ | |||
| 1 | From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 3 | Date: Tue, 9 Jun 2015 21:22:52 +0530 | ||
| 1 | Subject: [PATCH] refpolicy: fix real path for sysnetwork | 4 | Subject: [PATCH] refpolicy: fix real path for sysnetwork |
| 2 | 5 | ||
| 3 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
| 4 | 7 | ||
| 5 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
| 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
| 6 | --- | 10 | --- |
| 7 | policy/modules/system/sysnetwork.fc | 4 ++++ | 11 | policy/modules/system/sysnetwork.fc | 4 ++++ |
| 8 | 1 file changed, 4 insertions(+) | 12 | 1 file changed, 4 insertions(+) |
| 9 | 13 | ||
| 10 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc | 14 | diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
| 11 | index dec8632..2e602e4 100644 | 15 | index fbb935c..a194622 100644 |
| 12 | --- a/policy/modules/system/sysnetwork.fc | 16 | --- a/policy/modules/system/sysnetwork.fc |
| 13 | +++ b/policy/modules/system/sysnetwork.fc | 17 | +++ b/policy/modules/system/sysnetwork.fc |
| 14 | @@ -3,6 +3,7 @@ | 18 | @@ -4,6 +4,7 @@ |
| 15 | # /bin | ||
| 16 | # | 19 | # |
| 20 | /bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
| 17 | /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 21 | /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 18 | +/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 22 | +/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 19 | 23 | ||
| 20 | # | 24 | # |
| 21 | # /dev | 25 | # /dev |
| 22 | @@ -43,13 +44,16 @@ ifdef(`distro_redhat',` | 26 | @@ -43,7 +44,9 @@ ifdef(`distro_redhat',` |
| 23 | /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 27 | /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
| 24 | /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 28 | /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
| 25 | /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 29 | /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 26 | +/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 30 | +/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 27 | /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 31 | /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 28 | +/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 32 | +/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 29 | /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 33 | /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 30 | /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 34 | /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 31 | /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 35 | /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 32 | /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 36 | @@ -51,6 +54,7 @@ ifdef(`distro_redhat',` |
| 37 | /sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | ||
| 33 | /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 38 | /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 34 | /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 39 | /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 35 | +/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 40 | +/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 36 | /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) | 41 | /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) |
| 37 | /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) | 42 | /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) |
| 38 | 43 | ||
| 39 | -- | 44 | -- |
| 40 | 1.7.11.7 | 45 | 1.7.9.5 |
| 41 | 46 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch index 71497fb..9ef61b4 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch | |||
| @@ -1,29 +1,30 @@ | |||
| 1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | 1 | From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001 |
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
| 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 |
| 4 | Subject: [PATCH] fix setfiles_t to read symlinks | 4 | Subject: [PATCH] fix setfiles_t to read symlinks |
| 5 | 5 | ||
| 6 | Upstream-Status: Pending | 6 | Upstream-Status: Pending |
| 7 | 7 | ||
| 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 8 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
| 9 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
| 9 | --- | 10 | --- |
| 10 | policy/modules/system/selinuxutil.te | 3 +++ | 11 | policy/modules/system/selinuxutil.te | 3 +++ |
| 11 | 1 files changed, 3 insertions(+), 0 deletions(-) | 12 | 1 file changed, 3 insertions(+) |
| 12 | 13 | ||
| 13 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te | 14 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te |
| 14 | index ec01d0b..45ed81b 100644 | 15 | index 9058dd8..f998491 100644 |
| 15 | --- a/policy/modules/system/selinuxutil.te | 16 | --- a/policy/modules/system/selinuxutil.te |
| 16 | +++ b/policy/modules/system/selinuxutil.te | 17 | +++ b/policy/modules/system/selinuxutil.te |
| 17 | @@ -553,6 +553,9 @@ files_list_all(setfiles_t) | 18 | @@ -552,6 +552,9 @@ files_relabel_all_files(setfiles_t) |
| 18 | files_relabel_all_files(setfiles_t) | ||
| 19 | files_read_usr_symlinks(setfiles_t) | 19 | files_read_usr_symlinks(setfiles_t) |
| 20 | files_dontaudit_read_all_symlinks(setfiles_t) | ||
| 20 | 21 | ||
| 21 | +# needs to be able to read symlinks to make restorecon on symlink working | 22 | +# needs to be able to read symlinks to make restorecon on symlink working |
| 22 | +files_read_all_symlinks(setfiles_t) | 23 | +files_read_all_symlinks(setfiles_t) |
| 23 | + | 24 | + |
| 24 | fs_getattr_xattr_fs(setfiles_t) | 25 | fs_getattr_all_xattr_fs(setfiles_t) |
| 25 | fs_list_all(setfiles_t) | 26 | fs_list_all(setfiles_t) |
| 26 | fs_search_auto_mountpoints(setfiles_t) | 27 | fs_search_auto_mountpoints(setfiles_t) |
| 27 | -- | 28 | -- |
| 28 | 1.7.5.4 | 29 | 1.7.9.5 |
| 29 | 30 | ||
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch index 90efbd8..0b8cc5d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001 | 1 | From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001 |
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> |
| 3 | Date: Fri, 23 Aug 2013 14:38:53 +0800 | 3 | Date: Fri, 23 Aug 2013 14:38:53 +0800 |
| 4 | Subject: [PATCH] fix setfiles statvfs to get file count | 4 | Subject: [PATCH] fix setfiles statvfs to get file count |
| @@ -9,19 +9,20 @@ file_system_count() to get file count of filesystems. | |||
| 9 | Upstream-Status: pending | 9 | Upstream-Status: pending |
| 10 | 10 | ||
| 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
| 12 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | ||
| 12 | --- | 13 | --- |
| 13 | policy/modules/system/selinuxutil.te | 2 +- | 14 | policy/modules/system/selinuxutil.te | 2 +- |
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) | 15 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 15 | 16 | ||
| 16 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te | 17 | diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te |
| 17 | index 45ed81b..12c3d2e 100644 | 18 | index f998491..1a4e565 100644 |
| 18 | --- a/policy/modules/system/selinuxutil.te | 19 | --- a/policy/modules/system/selinuxutil.te |
| 19 | +++ b/policy/modules/system/selinuxutil.te | 20 | +++ b/policy/modules/system/selinuxutil.te |
| 20 | @@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t) | 21 | @@ -555,7 +555,7 @@ files_dontaudit_read_all_symlinks(setfiles_t) |
| 21 | # needs to be able to read symlinks to make restorecon on symlink working | 22 | # needs to be able to read symlinks to make restorecon on symlink working |
| 22 | files_read_all_symlinks(setfiles_t) | 23 | files_read_all_symlinks(setfiles_t) |
| 23 | 24 | ||
| 24 | -fs_getattr_xattr_fs(setfiles_t) | 25 | -fs_getattr_all_xattr_fs(setfiles_t) |
| 25 | +fs_getattr_all_fs(setfiles_t) | 26 | +fs_getattr_all_fs(setfiles_t) |
| 26 | fs_list_all(setfiles_t) | 27 | fs_list_all(setfiles_t) |
| 27 | fs_search_auto_mountpoints(setfiles_t) | 28 | fs_search_auto_mountpoints(setfiles_t) |
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch index 80b420c..9693345 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch | |||
| @@ -1,41 +1,22 @@ | |||
| 1 | refpolicy: update for systemd | 1 | From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 |
| 2 | 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | |
| 3 | It provides the systemd support for refpolicy | 3 | Date: Fri, 12 Jun 2015 19:37:52 +0530 |
| 4 | and related allow rules. | 4 | Subject: [PATCH] refpolicy: update for systemd related allow rules |
| 5 | The restorecon provides systemd init labeled | ||
| 6 | as init_exec_t. | ||
| 7 | 5 | ||
| 8 | Upstream-Status: Pending | 6 | It provide, the systemd support related allow rules |
| 9 | 7 | ||
| 8 | Upstream-Status: Pending | ||
| 10 | 9 | ||
| 11 | Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | 10 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> |
| 11 | --- | ||
| 12 | policy/modules/system/init.te | 5 +++++ | ||
| 13 | 1 file changed, 5 insertions(+) | ||
| 12 | 14 | ||
| 13 | --- a/policy/modules/contrib/shutdown.fc | 15 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 14 | +++ b/policy/modules/contrib/shutdown.fc | 16 | index c8f007d..a9675f6 100644 |
| 15 | @@ -5,6 +5,9 @@ | ||
| 16 | /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 17 | /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 18 | |||
| 19 | +# systemd support | ||
| 20 | +/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 21 | + | ||
| 22 | /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 23 | |||
| 24 | /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) | ||
| 25 | --- a/policy/modules/system/init.fc | ||
| 26 | +++ b/policy/modules/system/init.fc | ||
| 27 | @@ -31,6 +31,8 @@ | ||
| 28 | # | ||
| 29 | /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 30 | /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 31 | +# systemd support | ||
| 32 | +/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 33 | # because nowadays, /sbin/init is often a symlink to /sbin/upstart | ||
| 34 | /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) | ||
| 35 | |||
| 36 | --- a/policy/modules/system/init.te | 17 | --- a/policy/modules/system/init.te |
| 37 | +++ b/policy/modules/system/init.te | 18 | +++ b/policy/modules/system/init.te |
| 38 | @@ -913,3 +913,8 @@ | 19 | @@ -929,3 +929,8 @@ optional_policy(` |
| 39 | optional_policy(` | 20 | optional_policy(` |
| 40 | zebra_read_config(initrc_t) | 21 | zebra_read_config(initrc_t) |
| 41 | ') | 22 | ') |
| @@ -44,3 +25,7 @@ Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> | |||
| 44 | +allow kernel_t init_t:process dyntransition; | 25 | +allow kernel_t init_t:process dyntransition; |
| 45 | +allow devpts_t device_t:filesystem associate; | 26 | +allow devpts_t device_t:filesystem associate; |
| 46 | +allow init_t self:capability2 block_suspend; | 27 | +allow init_t self:capability2 block_suspend; |
| 28 | \ No newline at end of file | ||
| 29 | -- | ||
| 30 | 1.7.9.5 | ||
| 31 | |||