1 files changed, 0 insertions, 253 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
deleted file mode 100644
index f3adc70..0000000
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fix for new SELINUXMNT in /sys
-SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
-add rules to access sysfs.
-Upstream-Status: Inappropriate [only for Poky]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/selinux.if |   26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
--- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
-@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
- interface(`selinux_get_fs_mount',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
-+       # access sysfs
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        # starting in libselinux 2.0.5, init_selinuxmnt() will
-        # attempt to short circuit by checking if SELINUXMNT
-        # (/selinux) is already a selinuxfs
-        allow $1 security_t:filesystem getattr;
- 
-@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
- interface(`selinux_dontaudit_get_fs_mount',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        # starting in libselinux 2.0.5, init_selinuxmnt() will
-        # attempt to short circuit by checking if SELINUXMNT
-        # (/selinux) is already a selinuxfs
-        dontaudit $1 security_t:filesystem getattr;
- 
-@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
- interface(`selinux_mount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem mount;
- ')
- 
- ########################################
- ## <summary>
-@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
- interface(`selinux_remount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem remount;
- ')
- 
- ########################################
- ## <summary>
-@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
- interface(`selinux_unmount_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem unmount;
- ')
- 
- ########################################
- ## <summary>
-@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
- interface(`selinux_getattr_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-+       dev_search_sysfs($1)
-        allow $1 security_t:filesystem getattr;
- 
-        dev_getattr_sysfs($1)
-        dev_search_sysfs($1)
- ')
-@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
- interface(`selinux_dontaudit_getattr_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:filesystem getattr;
- 
-        dev_dontaudit_getattr_sysfs($1)
-        dev_dontaudit_search_sysfs($1)
- ')
-@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
- interface(`selinux_dontaudit_getattr_dir',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir getattr;
- ')
- 
- ########################################
- ## <summary>
-@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
- interface(`selinux_search_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir search_dir_perms;
- ')
- 
- ########################################
-@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
- interface(`selinux_dontaudit_search_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
- interface(`selinux_dontaudit_read_fs',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir search_dir_perms;
-        dontaudit $1 security_t:file read_file_perms;
- ')
- 
- ########################################
-@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
- interface(`selinux_get_enforce_mode',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file read_file_perms;
- ')
- 
-@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
- interface(`selinux_read_policy',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file read_file_perms;
-        allow $1 security_t:security read_policy;
- ')
-@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
- interface(`selinux_set_generic_booleans',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
- 
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
- 
-@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
-                type security_t, secure_mode_policyload_t;
-                attribute boolean_type;
-                bool secure_mode_policyload;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
- 
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-        allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
- interface(`selinux_validate_context',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security check_context;
- ')
-@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
- interface(`selinux_dontaudit_validate_context',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_dontaudit_search_sysfs($1)
-        dontaudit $1 security_t:dir list_dir_perms;
-        dontaudit $1 security_t:file rw_file_perms;
-        dontaudit $1 security_t:security check_context;
- ')
- 
-@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
- interface(`selinux_compute_access_vector',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_av;
- ')
-@@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte
- interface(`selinux_compute_user_contexts',`
-        gen_require(`
-                type security_t;
-        ')
- 
-+       dev_getattr_sysfs_dirs($1)
-        dev_search_sysfs($1)
-        allow $1 security_t:dir list_dir_perms;
-        allow $1 security_t:file rw_file_perms;
-        allow $1 security_t:security compute_user;
- ')

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index f3adc70..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ /dev/null
@@ -1,253 +0,0 @@
1	From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001
2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
3	Date: Thu, 22 Aug 2013 13:37:23 +0800
4	Subject: [PATCH] fix for new SELINUXMNT in /sys
5
6	SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
7	add rules to access sysfs.
8
9	Upstream-Status: Inappropriate [only for Poky]
10
11	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13	---
14	policy/modules/kernel/selinux.if \| 26 ++++++++++++++++++++++++++
15	1 file changed, 26 insertions(+)
16
17	--- a/policy/modules/kernel/selinux.if
18	+++ b/policy/modules/kernel/selinux.if
19	@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',`
20	interface(`selinux_get_fs_mount',`
21	gen_require(`
22	type security_t;
23	')
24
25	+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to
26	+ # access sysfs
27	+ dev_getattr_sysfs_dirs($1)
28	+ dev_search_sysfs($1)
29	# starting in libselinux 2.0.5, init_selinuxmnt() will
30	# attempt to short circuit by checking if SELINUXMNT
31	# (/selinux) is already a selinuxfs
32	allow $1 security_t:filesystem getattr;
33
34	@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',`
35	interface(`selinux_dontaudit_get_fs_mount',`
36	gen_require(`
37	type security_t;
38	')
39
40	+ dev_dontaudit_search_sysfs($1)
41	# starting in libselinux 2.0.5, init_selinuxmnt() will
42	# attempt to short circuit by checking if SELINUXMNT
43	# (/selinux) is already a selinuxfs
44	dontaudit $1 security_t:filesystem getattr;
45
46	@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun
47	interface(`selinux_mount_fs',`
48	gen_require(`
49	type security_t;
50	')
51
52	+ dev_getattr_sysfs_dirs($1)
53	+ dev_search_sysfs($1)
54	allow $1 security_t:filesystem mount;
55	')
56
57	########################################
58	## <summary>
59	@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',`
60	interface(`selinux_remount_fs',`
61	gen_require(`
62	type security_t;
63	')
64
65	+ dev_getattr_sysfs_dirs($1)
66	+ dev_search_sysfs($1)
67	allow $1 security_t:filesystem remount;
68	')
69
70	########################################
71	## <summary>
72	@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',`
73	interface(`selinux_unmount_fs',`
74	gen_require(`
75	type security_t;
76	')
77
78	+ dev_getattr_sysfs_dirs($1)
79	+ dev_search_sysfs($1)
80	allow $1 security_t:filesystem unmount;
81	')
82
83	########################################
84	## <summary>
85	@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',`
86	interface(`selinux_getattr_fs',`
87	gen_require(`
88	type security_t;
89	')
90
91	+ dev_getattr_sysfs_dirs($1)
92	+ dev_search_sysfs($1)
93	allow $1 security_t:filesystem getattr;
94
95	dev_getattr_sysfs($1)
96	dev_search_sysfs($1)
97	')
98	@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',`
99	interface(`selinux_dontaudit_getattr_fs',`
100	gen_require(`
101	type security_t;
102	')
103
104	+ dev_dontaudit_search_sysfs($1)
105	dontaudit $1 security_t:filesystem getattr;
106
107	dev_dontaudit_getattr_sysfs($1)
108	dev_dontaudit_search_sysfs($1)
109	')
110	@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs'
111	interface(`selinux_dontaudit_getattr_dir',`
112	gen_require(`
113	type security_t;
114	')
115
116	+ dev_dontaudit_search_sysfs($1)
117	dontaudit $1 security_t:dir getattr;
118	')
119
120	########################################
121	## <summary>
122	@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir
123	interface(`selinux_search_fs',`
124	gen_require(`
125	type security_t;
126	')
127
128	+ dev_getattr_sysfs_dirs($1)
129	dev_search_sysfs($1)
130	allow $1 security_t:dir search_dir_perms;
131	')
132
133	########################################
134	@@ -251,10 +267,11 @@ interface(`selinux_search_fs',`
135	interface(`selinux_dontaudit_search_fs',`
136	gen_require(`
137	type security_t;
138	')
139
140	+ dev_dontaudit_search_sysfs($1)
141	dontaudit $1 security_t:dir search_dir_perms;
142	')
143
144	########################################
145	## <summary>
146	@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs',
147	interface(`selinux_dontaudit_read_fs',`
148	gen_require(`
149	type security_t;
150	')
151
152	+ dev_dontaudit_search_sysfs($1)
153	dontaudit $1 security_t:dir search_dir_perms;
154	dontaudit $1 security_t:file read_file_perms;
155	')
156
157	########################################
158	@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',`
159	interface(`selinux_get_enforce_mode',`
160	gen_require(`
161	type security_t;
162	')
163
164	+ dev_getattr_sysfs_dirs($1)
165	dev_search_sysfs($1)
166	allow $1 security_t:dir list_dir_perms;
167	allow $1 security_t:file read_file_perms;
168	')
169
170	@@ -359,10 +378,11 @@ interface(`selinux_load_policy',`
171	interface(`selinux_read_policy',`
172	gen_require(`
173	type security_t;
174	')
175
176	+ dev_getattr_sysfs_dirs($1)
177	dev_search_sysfs($1)
178	allow $1 security_t:dir list_dir_perms;
179	allow $1 security_t:file read_file_perms;
180	allow $1 security_t:security read_policy;
181	')
182	@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',`
183	interface(`selinux_set_generic_booleans',`
184	gen_require(`
185	type security_t;
186	')
187
188	+ dev_getattr_sysfs_dirs($1)
189	dev_search_sysfs($1)
190
191	allow $1 security_t:dir list_dir_perms;
192	allow $1 security_t:file rw_file_perms;
193
194	@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',`
195	type security_t, secure_mode_policyload_t;
196	attribute boolean_type;
197	bool secure_mode_policyload;
198	')
199
200	+ dev_getattr_sysfs_dirs($1)
201	dev_search_sysfs($1)
202
203	allow $1 security_t:dir list_dir_perms;
204	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
205	allow $1 secure_mode_policyload_t:file read_file_perms;
206	@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',`
207	interface(`selinux_validate_context',`
208	gen_require(`
209	type security_t;
210	')
211
212	+ dev_getattr_sysfs_dirs($1)
213	dev_search_sysfs($1)
214	allow $1 security_t:dir list_dir_perms;
215	allow $1 security_t:file rw_file_perms;
216	allow $1 security_t:security check_context;
217	')
218	@@ -542,10 +565,11 @@ interface(`selinux_validate_context',`
219	interface(`selinux_dontaudit_validate_context',`
220	gen_require(`
221	type security_t;
222	')
223
224	+ dev_dontaudit_search_sysfs($1)
225	dontaudit $1 security_t:dir list_dir_perms;
226	dontaudit $1 security_t:file rw_file_perms;
227	dontaudit $1 security_t:security check_context;
228	')
229
230	@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co
231	interface(`selinux_compute_access_vector',`
232	gen_require(`
233	type security_t;
234	')
235
236	+ dev_getattr_sysfs_dirs($1)
237	dev_search_sysfs($1)
238	allow $1 security_t:dir list_dir_perms;
239	allow $1 security_t:file rw_file_perms;
240	allow $1 security_t:security compute_av;
241	')
242	@@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte
243	interface(`selinux_compute_user_contexts',`
244	gen_require(`
245	type security_t;
246	')
247
248	+ dev_getattr_sysfs_dirs($1)
249	dev_search_sysfs($1)
250	allow $1 security_t:dir list_dir_perms;
251	allow $1 security_t:file rw_file_perms;
252	allow $1 security_t:security compute_user;
253	')