refpolicy git: update refpolicy to git repository

A straight update from refpolicy 2.20140311 to refpolicy git repository for the core policy variants and forward-porting of policy patches as appropriate. This approach is useful for building refpolicy & refpolicy-contrib directly from the git repos, rather than release tarballs. It helps to check the refpolicy based on source commits by just updating the git repo rev. as appropriate in refpolicy_git.inc ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Shrikant Bobade <shrikant_bobade@mentor.com> 2015-08-03 19:04:37 +0530
committer: Joe MacDonald <joe_macdonald@mentor.com> 2015-08-07 17:33:21 -0400
commit: 6a775bb8ed866fac87f2a9b11a8ff11988a40ac6 (patch)
tree: 4373dff0fef6f2ef4b7b8c8a7289d10bfc11d2cf /recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
parent: e59f3b7d04bea0a8897a6458f5f5427a364d3388 (diff)
download: meta-selinux-6a775bb8ed866fac87f2a9b11a8ff11988a40ac6.tar.gz
1 files changed, 58 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
new file mode 100644
index 0000000..e77a730
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,58 @@
+From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] allow nfsd to exec shell commands.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/contrib/rpc.te   |    2 +-
+ policy/modules/kernel/kernel.if |   18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletions(-)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 9566932..5605205 100644
+--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
+@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
+ kernel_dontaudit_getattr_core_if(nfsd_t)
+ kernel_setsched(nfsd_t)
+ kernel_request_load_module(nfsd_t)
+-# kernel_mounton_proc(nfsd_t)
+kernel_mounton_proc(nfsd_t)
+ 
+ corenet_sendrecv_nfs_server_packets(nfsd_t)
+ corenet_tcp_bind_nfs_port(nfsd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 649e458..8a669c5 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+ 
+ ########################################
+ ## <summary>
+##     Mounton a proc filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_mounton_proc',`
+       gen_require(`
+               type proc_t;
+       ')
+
+       allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
+ ##     Get the attributes of the proc filesystem.
+ ## </summary>
+ ## <param name="domain">
+-- 
+1.7.5.4
author	Shrikant Bobade <shrikant_bobade@mentor.com>	2015-08-03 19:04:37 +0530
committer	Joe MacDonald <joe_macdonald@mentor.com>	2015-08-07 17:33:21 -0400
commit	6a775bb8ed866fac87f2a9b11a8ff11988a40ac6 (patch)
tree	4373dff0fef6f2ef4b7b8c8a7289d10bfc11d2cf /recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
parent	e59f3b7d04bea0a8897a6458f5f5427a364d3388 (diff)
download	meta-selinux-6a775bb8ed866fac87f2a9b11a8ff11988a40ac6.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..e77a730 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -0,0 +1,58 @@
	1	From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Thu, 22 Aug 2013 13:37:23 +0800
	4	Subject: [PATCH] allow nfsd to exec shell commands.
	5
	6	Upstream-Status: Inappropriate [only for Poky]
	7
	8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	9	---
	10	policy/modules/contrib/rpc.te \| 2 +-
	11	policy/modules/kernel/kernel.if \| 18 ++++++++++++++++++
	12	2 files changed, 19 insertions(+), 1 deletions(-)
	13
	14	diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
	15	index 9566932..5605205 100644
	16	--- a/policy/modules/contrib/rpc.te
	17	+++ b/policy/modules/contrib/rpc.te
	18	@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t)
	19	kernel_dontaudit_getattr_core_if(nfsd_t)
	20	kernel_setsched(nfsd_t)
	21	kernel_request_load_module(nfsd_t)
	22	-# kernel_mounton_proc(nfsd_t)
	23	+kernel_mounton_proc(nfsd_t)
	24
	25	corenet_sendrecv_nfs_server_packets(nfsd_t)
	26	corenet_tcp_bind_nfs_port(nfsd_t)
	27	diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
	28	index 649e458..8a669c5 100644
	29	--- a/policy/modules/kernel/kernel.if
	30	+++ b/policy/modules/kernel/kernel.if
	31	@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
	32
	33	########################################
	34	## <summary>
	35	+## Mounton a proc filesystem.
	36	+## </summary>
	37	+## <param name="domain">
	38	+## <summary>
	39	+## Domain allowed access.
	40	+## </summary>
	41	+## </param>
	42	+#
	43	+interface(`kernel_mounton_proc',`
	44	+ gen_require(`
	45	+ type proc_t;
	46	+ ')
	47	+
	48	+ allow $1 proc_t:dir mounton;
	49	+')
	50	+
	51	+########################################
	52	+## <summary>
	53	## Get the attributes of the proc filesystem.
	54	## </summary>
	55	## <param name="domain">
	56	--
	57	1.7.5.4
	58