1 files changed, 0 insertions, 121 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
deleted file mode 100644
index b5ca0f8..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:51:32 +0530
-Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
- services allow rules
-systemd allow rules for systemd service file operations: start, stop, restart
-& allow rule for unconfined systemd service.
-without this change we are getting these errors:
-:~# systemctl status selinux-init.service
-Failed to get properties: Access denied
-:~# systemctl stop selinux-init.service
-Failed to stop selinux-init.service: Access denied
-:~# systemctl restart  selinux-init.service
-audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
-system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
-gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
-restart selinux-init.service" scontext=unconfined_u:unconfined_r:
-unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
-Upstream-Status: Pending
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
- policy/modules/system/init.te       |  6 +++++-
- policy/modules/system/libraries.te  |  3 +++
- policy/modules/system/systemd.if    | 40 +++++++++++++++++++++++++++++++++++++
- policy/modules/system/unconfined.te |  6 ++++++
- 4 files changed, 54 insertions(+), 1 deletion(-)
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d710fb0..f9d7114 100644
--- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1114,3 +1114,7 @@ optional_policy(`
- allow kernel_t init_t:process dyntransition;
- allow devpts_t device_t:filesystem associate;
- allow init_t self:capability2 block_suspend;
-+allow init_t self:capability2 audit_read;
-+
-+allow initrc_t init_t:system { start status };
-+allow initrc_t init_var_run_t:service { start status };
-diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 0f5cd56..df98fe9 100644
--- a/policy/modules/system/libraries.te
-+++ b/policy/modules/system/libraries.te
-@@ -144,3 +144,6 @@ optional_policy(`
- optional_policy(`
-        unconfined_domain(ldconfig_t)
- ')
-+
-+# systemd: init domain to start lib domain service
-+systemd_service_lib_function(lib_t)
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 3cd6670..822c03d 100644
--- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
- 
-        allow $1 power_unit_t:service start;
- ')
-+
-+
-+########################################
-+## <summary>
-+## Allow specified domain to start stop reset systemd service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_file_operations',`
-+         gen_require(`
-+               class service { start status stop };
-+         ')
-+
-+       allow $1 lib_t:service { start status stop };
-+
-+')
-+
-+
-+########################################
-+## <summary>
-+## Allow init domain to start lib domain service
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_lib_function',`
-+         gen_require(`
-+               class service start;
-+         ')
-+
-+       allow initrc_t $1:service start;
-+
-+')
-diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 99cab31..87a1b03 100644
--- a/policy/modules/system/unconfined.te
-+++ b/policy/modules/system/unconfined.te
-@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
- optional_policy(`
-        unconfined_dbus_chat(unconfined_execmem_t)
- ')
-+
-+
-+# systemd: specified domain to start stop reset systemd service
-+systemd_service_file_operations(unconfined_t)
-+
-+allow unconfined_t init_t:system reload;
-- 
-1.9.1

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch deleted file mode 100644 index b5ca0f8..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ /dev/null
@@ -1,121 +0,0 @@
1	From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
3	Date: Fri, 26 Aug 2016 17:51:32 +0530
4	Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
5	services allow rules
6
7	systemd allow rules for systemd service file operations: start, stop, restart
8	& allow rule for unconfined systemd service.
9
10	without this change we are getting these errors:
11	:~# systemctl status selinux-init.service
12	Failed to get properties: Access denied
13
14	:~# systemctl stop selinux-init.service
15	Failed to stop selinux-init.service: Access denied
16
17	:~# systemctl restart selinux-init.service
18	audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
19	system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
20	gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
21	restart selinux-init.service" scontext=unconfined_u:unconfined_r:
22	unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
23
24	Upstream-Status: Pending
25
26	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
27	---
28	policy/modules/system/init.te \| 6 +++++-
29	policy/modules/system/libraries.te \| 3 +++
30	policy/modules/system/systemd.if \| 40 +++++++++++++++++++++++++++++++++++++
31	policy/modules/system/unconfined.te \| 6 ++++++
32	4 files changed, 54 insertions(+), 1 deletion(-)
33
34	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
35	index d710fb0..f9d7114 100644
36	--- a/policy/modules/system/init.te
37	+++ b/policy/modules/system/init.te
38	@@ -1114,3 +1114,7 @@ optional_policy(`
39	allow kernel_t init_t:process dyntransition;
40	allow devpts_t device_t:filesystem associate;
41	allow init_t self:capability2 block_suspend;
42	+allow init_t self:capability2 audit_read;
43	+
44	+allow initrc_t init_t:system { start status };
45	+allow initrc_t init_var_run_t:service { start status };
46	diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
47	index 0f5cd56..df98fe9 100644
48	--- a/policy/modules/system/libraries.te
49	+++ b/policy/modules/system/libraries.te
50	@@ -144,3 +144,6 @@ optional_policy(`
51	optional_policy(`
52	unconfined_domain(ldconfig_t)
53	')
54	+
55	+# systemd: init domain to start lib domain service
56	+systemd_service_lib_function(lib_t)
57	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
58	index 3cd6670..822c03d 100644
59	--- a/policy/modules/system/systemd.if
60	+++ b/policy/modules/system/systemd.if
61	@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
62
63	allow $1 power_unit_t:service start;
64	')
65	+
66	+
67	+########################################
68	+## <summary>
69	+## Allow specified domain to start stop reset systemd service
70	+## </summary>
71	+## <param name="domain">
72	+## <summary>
73	+## Domain to not audit.
74	+## </summary>
75	+## </param>
76	+#
77	+interface(`systemd_service_file_operations',`
78	+ gen_require(`
79	+ class service { start status stop };
80	+ ')
81	+
82	+ allow $1 lib_t:service { start status stop };
83	+
84	+')
85	+
86	+
87	+########################################
88	+## <summary>
89	+## Allow init domain to start lib domain service
90	+## </summary>
91	+## <param name="domain">
92	+## <summary>
93	+## Domain to not audit.
94	+## </summary>
95	+## </param>
96	+#
97	+interface(`systemd_service_lib_function',`
98	+ gen_require(`
99	+ class service start;
100	+ ')
101	+
102	+ allow initrc_t $1:service start;
103	+
104	+')
105	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
106	index 99cab31..87a1b03 100644
107	--- a/policy/modules/system/unconfined.te
108	+++ b/policy/modules/system/unconfined.te
109	@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
110	optional_policy(`
111	unconfined_dbus_chat(unconfined_execmem_t)
112	')
113	+
114	+
115	+# systemd: specified domain to start stop reset systemd service
116	+systemd_service_file_operations(unconfined_t)
117	+
118	+allow unconfined_t init_t:system reload;
119	--
120	1.9.1
121