diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch | 129 |
1 files changed, 0 insertions, 129 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch deleted file mode 100644 index 07ebf58..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-tmp-symlink.patch +++ /dev/null | |||
| @@ -1,129 +0,0 @@ | |||
| 1 | From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
| 4 | Subject: [PATCH] add rules for the symlink of /tmp | ||
| 5 | |||
| 6 | /tmp is a symlink in poky, so we need allow rules for files to read | ||
| 7 | lnk_file while doing search/list/delete/rw.. in /tmp/ directory. | ||
| 8 | |||
| 9 | Upstream-Status: Inappropriate [only for Poky] | ||
| 10 | |||
| 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
| 13 | --- | ||
| 14 | policy/modules/kernel/files.fc | 1 + | ||
| 15 | policy/modules/kernel/files.if | 8 ++++++++ | ||
| 16 | 2 files changed, 9 insertions(+), 0 deletions(-) | ||
| 17 | |||
| 18 | --- a/policy/modules/kernel/files.fc | ||
| 19 | +++ b/policy/modules/kernel/files.fc | ||
| 20 | @@ -191,10 +191,11 @@ ifdef(`distro_debian',` | ||
| 21 | |||
| 22 | # | ||
| 23 | # /tmp | ||
| 24 | # | ||
| 25 | /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | ||
| 26 | +/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) | ||
| 27 | /tmp/.* <<none>> | ||
| 28 | /tmp/\.journal <<none>> | ||
| 29 | |||
| 30 | /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) | ||
| 31 | /tmp/lost\+found/.* <<none>> | ||
| 32 | --- a/policy/modules/kernel/files.if | ||
| 33 | +++ b/policy/modules/kernel/files.if | ||
| 34 | @@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` | ||
| 35 | gen_require(` | ||
| 36 | type tmp_t; | ||
| 37 | ') | ||
| 38 | |||
| 39 | allow $1 tmp_t:dir search_dir_perms; | ||
| 40 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 41 | ') | ||
| 42 | |||
| 43 | ######################################## | ||
| 44 | ## <summary> | ||
| 45 | ## Do not audit attempts to search the tmp directory (/tmp). | ||
| 46 | @@ -4507,10 +4508,11 @@ interface(`files_list_tmp',` | ||
| 47 | gen_require(` | ||
| 48 | type tmp_t; | ||
| 49 | ') | ||
| 50 | |||
| 51 | allow $1 tmp_t:dir list_dir_perms; | ||
| 52 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 53 | ') | ||
| 54 | |||
| 55 | ######################################## | ||
| 56 | ## <summary> | ||
| 57 | ## Do not audit listing of the tmp directory (/tmp). | ||
| 58 | @@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',` | ||
| 59 | gen_require(` | ||
| 60 | type tmp_t; | ||
| 61 | ') | ||
| 62 | |||
| 63 | allow $1 tmp_t:dir del_entry_dir_perms; | ||
| 64 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 65 | ') | ||
| 66 | |||
| 67 | ######################################## | ||
| 68 | ## <summary> | ||
| 69 | ## Read files in the tmp directory (/tmp). | ||
| 70 | @@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files' | ||
| 71 | gen_require(` | ||
| 72 | type tmp_t; | ||
| 73 | ') | ||
| 74 | |||
| 75 | read_files_pattern($1, tmp_t, tmp_t) | ||
| 76 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 77 | ') | ||
| 78 | |||
| 79 | ######################################## | ||
| 80 | ## <summary> | ||
| 81 | ## Manage temporary directories in /tmp. | ||
| 82 | @@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs | ||
| 83 | gen_require(` | ||
| 84 | type tmp_t; | ||
| 85 | ') | ||
| 86 | |||
| 87 | manage_dirs_pattern($1, tmp_t, tmp_t) | ||
| 88 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 89 | ') | ||
| 90 | |||
| 91 | ######################################## | ||
| 92 | ## <summary> | ||
| 93 | ## Manage temporary files and directories in /tmp. | ||
| 94 | @@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file | ||
| 95 | gen_require(` | ||
| 96 | type tmp_t; | ||
| 97 | ') | ||
| 98 | |||
| 99 | manage_files_pattern($1, tmp_t, tmp_t) | ||
| 100 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 101 | ') | ||
| 102 | |||
| 103 | ######################################## | ||
| 104 | ## <summary> | ||
| 105 | ## Read symbolic links in the tmp directory (/tmp). | ||
| 106 | @@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets' | ||
| 107 | gen_require(` | ||
| 108 | type tmp_t; | ||
| 109 | ') | ||
| 110 | |||
| 111 | rw_sock_files_pattern($1, tmp_t, tmp_t) | ||
| 112 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 113 | ') | ||
| 114 | |||
| 115 | ######################################## | ||
| 116 | ## <summary> | ||
| 117 | ## Mount filesystems in the tmp directory (/tmp) | ||
| 118 | @@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',` | ||
| 119 | gen_require(` | ||
| 120 | type tmp_t; | ||
| 121 | ') | ||
| 122 | |||
| 123 | filetrans_pattern($1, tmp_t, $2, $3, $4) | ||
| 124 | + allow $1 tmp_t:lnk_file read_lnk_file_perms; | ||
| 125 | ') | ||
| 126 | |||
| 127 | ######################################## | ||
| 128 | ## <summary> | ||
| 129 | ## Delete the contents of /tmp. | ||