From 20153c8810cecc31873fbe14bb1695a85b77cef4 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 23 Sep 2013 21:18:04 +0800 Subject: refpolicy*: remove old version recipes and patches. Signed-off-by: Xin Ouyang 
Signed-off-by: Joe MacDonald --- .../refpolicy-2.20120725/poky-fc-cgroup.patch | 26 -- .../refpolicy-2.20120725/poky-fc-clock.patch | 22 - .../poky-fc-corecommands.patch | 24 - .../refpolicy-2.20120725/poky-fc-dmesg.patch | 20 - .../refpolicy-2.20120725/poky-fc-fix-bind.patch | 36 -- .../refpolicy-2.20120725/poky-fc-fix-portmap.patch | 34 -- .../poky-fc-fix-prefix-path_rpc.patch | 43 -- .../poky-fc-fix-real-path_login.patch | 37 -- .../poky-fc-fix-real-path_resolv.conf.patch | 24 - .../poky-fc-fix-real-path_shadow.patch | 34 -- .../refpolicy-2.20120725/poky-fc-fstools.patch | 65 --- .../refpolicy-2.20120725/poky-fc-iptables.patch | 24 - .../refpolicy-2.20120725/poky-fc-mta.patch | 24 - .../refpolicy-2.20120725/poky-fc-netutils.patch | 24 - .../poky-fc-networkmanager.patch | 24 - .../refpolicy-2.20120725/poky-fc-nscd.patch | 24 - .../refpolicy-2.20120725/poky-fc-screen.patch | 24 - .../refpolicy-2.20120725/poky-fc-ssh.patch | 24 - .../refpolicy-2.20120725/poky-fc-su.patch | 23 - .../refpolicy-2.20120725/poky-fc-subs_dist.patch | 31 -- .../refpolicy-2.20120725/poky-fc-sysnetwork.patch | 41 -- .../poky-fc-update-alternatives_hostname.patch | 20 - .../poky-fc-update-alternatives_sysklogd.patch | 55 --- .../poky-fc-update-alternatives_sysvinit.patch | 47 -- .../poky-fc-update-alternatives_tinylogin.patch | 24 - ...poky-policy-add-rules-for-bsdpty_device_t.patch | 118 ----- .../poky-policy-add-rules-for-tmp-symlink.patch | 96 ---- ...ky-policy-add-rules-for-var-cache-symlink.patch | 509 --------------------- ...licy-add-rules-for-var-log-symlink-apache.patch | 28 -- ...poky-policy-add-rules-for-var-log-symlink.patch | 140 ------ ...ky-policy-add-syslogd_t-to-trusted-object.patch | 28 -- ...policy-allow-dbusd-to-exec-shell-commands.patch | 25 - ...ky-policy-allow-dbusd-to-setrlimit-itself.patch | 29 -- .../poky-policy-allow-nfsd-to-bind-nfs-port.patch | 63 --- ...-policy-allow-nfsd-to-exec-shell-commands.patch | 67 --- ...-policy-allow-setfiles_t-to-read-symlinks.patch | 
26 -- .../poky-policy-don-t-audit-tty_device_t.patch | 32 -- .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 213 --------- ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 70 --- ...ky-policy-fix-seutils-manage-config-files.patch | 39 -- ...olicy-fix-xconsole_device_t-as-a-dev_node.patch | 24 - .../refpolicy/refpolicy-mls_2.20120725.bb | 24 - .../refpolicy/refpolicy-standard_2.20120725.bb | 18 - .../refpolicy/refpolicy_2.20120725.inc | 57 --- 44 files changed, 2380 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-cgroup.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-clock.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-corecommands.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-dmesg.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-bind.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-portmap.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_shadow.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fstools.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-iptables.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-mta.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-netutils.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-networkmanager.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-nscd.patch delete mode 100644 
recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-screen.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-ssh.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-su.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-sysnetwork.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysvinit.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink-apache.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-bind-nfs-port.patch delete mode 100644 
recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20120725.bb delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20120725.bb delete mode 100644 recipes-security/refpolicy/refpolicy_2.20120725.inc diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-cgroup.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-cgroup.patch deleted file mode 100644 index e5cfaa1..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-cgroup.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for cgroup - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/cgroup.fc | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/contrib/cgroup.fc b/policy/modules/contrib/cgroup.fc -index b6bb46c..e214727 100644 ---- a/policy/modules/contrib/cgroup.fc -+++ b/policy/modules/contrib/cgroup.fc -@@ -10,6 +10,9 @@ - /sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) - /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) - /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) -+/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -+/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -+/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) - - /var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) - /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-clock.patch deleted file mode 100644 index 3ff8f55..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-clock.patch +++ /dev/null @@ -1,22 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for clock - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/clock.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc -index c5e05ca..a74c40c 100644 ---- a/policy/modules/system/clock.fc -+++ b/policy/modules/system/clock.fc -@@ -2,4 +2,5 @@ - /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) - - /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) -+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) - --- -1.7.11.7 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-corecommands.patch deleted file mode 100644 index 24b67c3..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-corecommands.patch +++ /dev/null @@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for corecommands - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/corecommands.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index f051c4a..ab624f3 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',` - /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) - /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) - /sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - - # - # /opt --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-dmesg.patch deleted file mode 100644 index db4c4d4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-dmesg.patch +++ /dev/null @@ -1,20 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for dmesg - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/dmesg.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc -index d6cc2d9..7f3e5b0 100644 ---- a/policy/modules/admin/dmesg.fc -+++ b/policy/modules/admin/dmesg.fc -@@ -1,2 +1,3 @@ - - /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) --- -1.7.11.7 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-bind.patch deleted file mode 100644 index 95ed172..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-bind.patch +++ /dev/null @@ -1,36 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for bind. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/bind.fc | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc -index 59aa54f..3275671 100644 ---- a/policy/modules/contrib/bind.fc -+++ b/policy/modules/contrib/bind.fc -@@ -1,10 +1,19 @@ - /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - - /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) - /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - -+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -+ - /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) - /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) - /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) --- -1.7.9.5 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-portmap.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-portmap.patch deleted file mode 100644 index 25d449d..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-portmap.patch +++ /dev/null @@ -1,34 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for portmap. - -Fix file contexts for portmap files to match the oe-core install -paths. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/portmap.fc | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/policy/modules/contrib/portmap.fc b/policy/modules/contrib/portmap.fc -index 3cdcd9f..3faf697 100644 ---- a/policy/modules/contrib/portmap.fc -+++ b/policy/modules/contrib/portmap.fc -@@ -5,12 +5,9 @@ ifdef(`distro_debian',` - /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - ', ` --/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) --/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) -+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - ') - - /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) -- --ifdef(`distro_debian',` - /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) --') --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch deleted file mode 100644 index ef7287c..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -Subject: [PATCH] fc: fix prefix path for rpc* - -rpc* packages have installed files with the /usr prefix in poky, so fix -file contexts for them. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.fc | 4 ++-- - policy/modules/contrib/rpcbind.fc | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc -index 5c70c0c..52db849 100644 ---- a/policy/modules/contrib/rpc.fc -+++ b/policy/modules/contrib/rpc.fc -@@ -9,8 +9,8 @@ - # - # /sbin - # --/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) --/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) -+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - - # - # /usr -diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc -index f5c47d6..3cd9e62 100644 ---- a/policy/modules/contrib/rpcbind.fc -+++ b/policy/modules/contrib/rpcbind.fc -@@ -1,6 +1,6 @@ - /etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) - --/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) -+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - - /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch deleted file mode 100644 index 427181e..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -Subject: [PATCH] fix real path for login commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/authlogin.fc | 7 ++++--- - 1 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..c8dd17f 100644 ---- a/policy/modules/system/authlogin.fc -+++ b/policy/modules/system/authlogin.fc -@@ -1,5 +1,7 @@ - - /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) -+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) - - /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) -@@ -9,9 +11,9 @@ - - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) --/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) --/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) -+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_suse', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch deleted file mode 100644 index 80cca67..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] fix real path for resolv.conf - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/sysnetwork.fc | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..dec8632 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -24,6 +24,7 @@ ifdef(`distro_debian',` - /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_shadow.patch deleted file mode 100644 index 29ac2c3..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_shadow.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -Subject: [PATCH] fix real path for shadow commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/usermanage.fc | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index f82f0ce..841ba9b 100644 ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',` - - /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - - /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fstools.patch deleted file mode 100644 index b74f8d3..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fstools.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for fstools - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/fstools.fc | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index a97a096..d996b29 100644 ---- a/policy/modules/system/fstools.fc -+++ b/policy/modules/system/fstools.fc -@@ -1,6 +1,8 @@ - /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -9,9 +11,12 @@ - /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -24,20 +29,26 @@ - /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - 
/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-iptables.patch deleted file mode 100644 index 89b1547..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-iptables.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for iptables - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/iptables.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 14cffd2..84ac92b 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -13,6 +13,7 @@ - /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-mta.patch deleted file mode 100644 index 3b4da9e..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-mta.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for mta - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/mta.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc -index afa18c8..aeea97a 100644 ---- a/policy/modules/contrib/mta.fc -+++ b/policy/modules/contrib/mta.fc -@@ -18,6 +18,7 @@ ifdef(`distro_redhat',` - - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/bin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-netutils.patch deleted file mode 100644 index b45d03e..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-netutils.patch +++ /dev/null @@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for netutils - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/netutils.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..f2ed3dc 100644 ---- a/policy/modules/admin/netutils.fc -+++ b/policy/modules/admin/netutils.fc -@@ -3,6 +3,7 @@ - /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - - /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) -+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - - /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) --- -1.7.11.7 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-networkmanager.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-networkmanager.patch deleted file mode 100644 index 1da6d22..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-networkmanager.patch +++ /dev/null @@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for networkmanager - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/networkmanager.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/networkmanager.fc b/policy/modules/contrib/networkmanager.fc -index 386543b..e0739b5 100644 ---- a/policy/modules/contrib/networkmanager.fc -+++ b/policy/modules/contrib/networkmanager.fc -@@ -5,6 +5,7 @@ - /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - - /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) - /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - - /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-nscd.patch deleted file mode 100644 index c347919..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-nscd.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for nscd
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/contrib/nscd.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc
-index 623b731..9e4b3d0 100644
---- a/policy/modules/contrib/nscd.fc
-+++ b/policy/modules/contrib/nscd.fc
-@@ -1,6 +1,7 @@
- /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
-
- /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-
- /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-screen.patch
deleted file mode 100644
index ff4a2fd..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-screen.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for screen
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/contrib/screen.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc
-index c8254dd..4a321d1 100644
---- a/policy/modules/contrib/screen.fc
-+++ b/policy/modules/contrib/screen.fc
-@@ -8,6 +8,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
- # /usr
- #
- /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
-
- #
- # /var
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-ssh.patch
deleted file mode 100644
index 9aeb3a2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-ssh.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for ssh
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..9717428 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-su.patch
deleted file mode 100644
index 358e4ef..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-su.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for su
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/admin/su.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 688abc2..a563687 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,5 +1,6 @@
-
- /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
deleted file mode 100644
index 2eaecdf..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Subject: [PATCH] fix file_contexts.subs_dist for poky
-
-This file is used for Linux distros to define specific pathes
-mapping to the pathes in file_contexts.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- config/file_contexts.subs_dist | 8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
-
-diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 32b87a4..ebba73d 100644
---- a/config/file_contexts.subs_dist
-+++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,11 @@
- /usr/lib32 /usr/lib
- /usr/lib64 /usr/lib
- /var/run/lock /var/lock
-+/etc/init.d /etc/rc.d/init.d
-+/var/volatile/log /var/log
-+/var/volatile/run /var/run
-+/var/volatile/cache /var/cache
-+/var/volatile/tmp /var/tmp
-+/var/volatile/lock /var/lock
-+/var/volatile/run/lock /var/lock
-+/www /var/www
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-sysnetwork.patch
deleted file mode 100644
index e0af6a1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-sysnetwork.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for sysnetwork
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/sysnetwork.fc | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index dec8632..2e602e4 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -3,6 +3,7 @@
- # /bin
- #
- /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
- #
- # /dev
-@@ -43,13 +44,16 @@ ifdef(`distro_redhat',`
- /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
- /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
- /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
deleted file mode 100644
index e647668..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] fix update-alternatives for hostname
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/hostname.fc | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
-index 9dfecf7..4003b6d 100644
---- a/policy/modules/system/hostname.fc
-+++ b/policy/modules/system/hostname.fc
-@@ -1,2 +1,3 @@
-
- /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
-+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
deleted file mode 100644
index c3c5fe1..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Subject: [PATCH] fix update-alternatives for sysklogd
-
-/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
-for syslogd_t to read syslog_conf_t lnk_file is needed.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/logging.fc | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..3cb65f1 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -2,19 +2,23 @@
-
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-
- /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
- /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6b0ddf..a3a25c2 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -369,6 +369,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
-+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
-
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysvinit.patch
deleted file mode 100644
index 9e0a71f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysvinit.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Subject: [PATCH] fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [only for Poky]
----
- policy/modules/contrib/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 1 +
- policy/modules/system/init.fc | 1 +
- 3 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc
-index 97671a3..6cad0fd 100644
---- a/policy/modules/contrib/shutdown.fc
-+++ b/policy/modules/contrib/shutdown.fc
-@@ -3,5 +3,6 @@
- /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..f051c4a 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -10,6 +10,7 @@
- /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
- /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index d2e40b8..80150ef 100644
---- a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -32,6 +32,7 @@ ifdef(`distro_gentoo', `
- # /sbin
- #
- /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- # because nowadays, /sbin/init is often a symlink to /sbin/upstart
- /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
deleted file mode 100644
index ae06dfa..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix update-alternatives for tinylogin getty
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/getty.fc | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848..a0bfd2e 100644
---- a/policy/modules/system/getty.fc
-+++ b/policy/modules/system/getty.fc
-@@ -2,6 +2,7 @@
- /etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0)
-
- /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
-+/sbin/getty\.tinylogin -- gen_context(system_u:object_r:getty_exec_t,s0)
-
- /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
- /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch
deleted file mode 100644
index b5d0fa8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-bsdpty_device_t.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-Subject: [PATCH] add rules for bsdpty_device_t to complete pty devices.
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/kernel/terminal.if | 16 ++++++++++++++++
- 1 files changed, 16 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..f9d46cc 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -512,9 +512,11 @@ interface(`term_dontaudit_manage_pty_dirs',`
- interface(`term_dontaudit_getattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file getattr;
-+ dontaudit $1 bsdpty_device_t:chr_file getattr;
- ')
- ########################################
- ##
-@@ -530,11 +532,13 @@ interface(`term_dontaudit_getattr_generic_ptys',`
- interface(`term_ioctl_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir search;
- allow $1 devpts_t:chr_file ioctl;
-+ allow $1 bsdpty_device_t:chr_file ioctl;
- ')
-
- ########################################
-@@ -552,9 +556,11 @@ interface(`term_ioctl_generic_ptys',`
- interface(`term_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- allow $1 devpts_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -572,9 +578,11 @@ interface(`term_setattr_generic_ptys',`
- interface(`term_dontaudit_setattr_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file setattr;
-+ dontaudit $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -592,11 +600,13 @@ interface(`term_dontaudit_setattr_generic_ptys',`
- interface(`term_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir list_dir_perms;
- allow $1 devpts_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- ########################################
-@@ -614,9 +624,11 @@ interface(`term_use_generic_ptys',`
- interface(`term_dontaudit_use_generic_ptys',`
- gen_require(`
- type devpts_t;
-+ type bsdpty_device_t;
- ')
-
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
-+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl };
- ')
-
- #######################################
-@@ -632,10 +644,12 @@ interface(`term_dontaudit_use_generic_ptys',`
- interface(`term_setattr_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file setattr;
-+ allow $1 bsdpty_device_t:chr_file setattr;
- ')
-
- ########################################
-@@ -652,10 +666,12 @@ interface(`term_setattr_controlling_term',`
- interface(`term_use_controlling_term',`
- gen_require(`
- type devtty_t;
-+ type bsdpty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- allow $1 devtty_t:chr_file { rw_term_perms lock append };
-+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };
- ')
-
- #######################################
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch
deleted file mode 100644
index 45de2df..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-tmp-symlink.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /tmp
-
-/tmp is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /tmp/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/kernel/files.fc | 1 +
- policy/modules/kernel/files.if | 8 ++++++++
- 2 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..a0db748 100644
---- a/policy/modules/kernel/files.fc
-+++ b/policy/modules/kernel/files.fc
-@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
- # /tmp
- #
- /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
- /tmp/.* <>
- /tmp/\.journal <>
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..a7384b0 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',`
- ')
-
- allow $1 tmp_t:dir search_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',`
- ')
-
- allow $1 tmp_t:dir list_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',`
- ')
-
- allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',`
- ')
-
- read_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4307,6 +4311,7 @@ interface(`files_manage_generic_tmp_dirs',`
- ')
-
- manage_dirs_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',`
- ')
-
- manage_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',`
- ')
-
- rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',`
- ')
-
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ allow $1 tmp_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch
deleted file mode 100644
index 243cc7b..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-cache-symlink.patch
+++ /dev/null
@@ -1,509 +0,0 @@
-Subject: [PATCH] add rules for the symlink of /var/cache
-
-/var/cache is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/cache/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/contrib/abrt.te | 2 ++
- policy/modules/contrib/afs.te | 1 +
- policy/modules/contrib/apache.if | 5 +++++
- policy/modules/contrib/apache.te | 1 +
- policy/modules/contrib/apt.if | 2 ++
- policy/modules/contrib/apt.te | 1 +
- policy/modules/contrib/bind.if | 2 ++
- policy/modules/contrib/bind.te | 1 +
- policy/modules/contrib/logwatch.if | 2 ++
- policy/modules/contrib/logwatch.te | 1 +
- policy/modules/contrib/podsleuth.te | 1 +
- policy/modules/contrib/portage.te | 1 +
- policy/modules/contrib/rpm.if | 4 ++++
- policy/modules/contrib/rpm.te | 1 +
- policy/modules/contrib/squid.if | 2 ++
- policy/modules/contrib/squid.te | 1 +
- policy/modules/contrib/virt.if | 2 ++
- policy/modules/contrib/virt.te | 2 ++
- policy/modules/services/xserver.if | 6 ++++++
- policy/modules/system/authlogin.if | 10 ++++++++++
- policy/modules/system/miscfiles.if | 8 ++++++++
- 21 files changed, 56 insertions(+)
-
-diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
-index 30861ec..10c941a 100644
---- a/policy/modules/contrib/abrt.te
-+++ b/policy/modules/contrib/abrt.te
-@@ -73,6 +73,7 @@ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
- # abrt var/cache files
- manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-+allow abrt_t var_t:lnk_file read_lnk_file_perms;
- manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
- files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
- files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
-@@ -193,6 +194,7 @@ read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
-
- files_search_spool(abrt_helper_t)
- manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
-+allow abrt_helper_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
- manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
- files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
-diff --git a/policy/modules/contrib/afs.te b/policy/modules/contrib/afs.te
-index a496fde..a739e1d 100644
---- a/policy/modules/contrib/afs.te
-+++ b/policy/modules/contrib/afs.te
-@@ -78,6 +78,7 @@ allow afs_t self:unix_stream_socket create_stream_socket_perms;
-
- manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
- manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
-+allow afs_t var_t:lnk_file read_lnk_file_perms;
- files_var_filetrans(afs_t, afs_cache_t, { file dir })
-
- kernel_rw_afs_state(afs_t)
-diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
-index 6480167..1b3c593 100644
---- a/policy/modules/contrib/apache.if
-+++ b/policy/modules/contrib/apache.if
-@@ -485,9 +485,11 @@ interface(`apache_manage_all_content',`
- interface(`apache_setattr_cache_dirs',`
- gen_require(`
- type httpd_cache_t;
-+ type var_t;
- ')
-
- allow $1 httpd_cache_t:dir setattr;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -504,9 +506,11 @@ interface(`apache_setattr_cache_dirs',`
- interface(`apache_list_cache',`
- gen_require(`
- type httpd_cache_t;
-+ type var_t;
- ')
-
- list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -777,6 +781,7 @@ interface(`apache_list_modules',`
- interface(`apache_exec_modules',`
- gen_require(`
- type httpd_modules_t;
-+ type var_t;
- ')
-
- allow $1 httpd_modules_t:dir list_dir_perms;
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index 0833afb..1115d37 100644
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -291,6 +291,7 @@ allow httpd_t self:udp_socket create_socket_perms;
-
- # Allow httpd_t to put files in /var/cache/httpd etc
- manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-+allow httpd_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
- manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-
-diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
-index e696b80..c6cc149 100644
---- a/policy/modules/contrib/apt.if
-+++ b/policy/modules/contrib/apt.if
-@@ -152,10 +152,12 @@ interface(`apt_use_ptys',`
- interface(`apt_read_cache',`
- gen_require(`
- type apt_var_cache_t;
-+ type var_t;
- ')
-
- files_search_var($1)
- allow $1 apt_var_cache_t:dir list_dir_perms;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- dontaudit $1 apt_var_cache_t:dir write;
- allow $1 apt_var_cache_t:file read_file_perms;
- ')
-diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
-index 8555315..8bfd892 100644
---- a/policy/modules/contrib/apt.te
-+++ b/policy/modules/contrib/apt.te
-@@ -78,6 +78,7 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
- # Access /var/cache/apt files
- manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
- files_var_filetrans(apt_t, apt_var_cache_t, dir)
-+allow apt_t var_t:lnk_file read_lnk_file_perms;
-
- # Access /var/lib/apt files
- manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
-diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
-index 44a1e3d..9b93562 100644
---- a/policy/modules/contrib/bind.if
-+++ b/policy/modules/contrib/bind.if
-@@ -221,12 +221,14 @@ interface(`bind_manage_config_dirs',`
- interface(`bind_search_cache',`
- gen_require(`
- type named_conf_t, named_cache_t, named_zone_t;
-+ type var_t;
- ')
-
- files_search_var($1)
- allow $1 named_conf_t:dir search_dir_perms;
- allow $1 named_zone_t:dir search_dir_perms;
- allow $1 named_cache_t:dir search_dir_perms;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
-index 0968cb4..15c605c 100644
---- a/policy/modules/contrib/bind.te
-+++ b/policy/modules/contrib/bind.te
-@@ -79,6 +79,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
- # write cache for secondary zones
- manage_files_pattern(named_t, named_cache_t, named_cache_t)
- manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
-+allow named_t var_t:lnk_file read_lnk_file_perms;
-
- can_exec(named_t, named_exec_t)
-
-diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if
-index d878e75..1484c1e 100644
---- a/policy/modules/contrib/logwatch.if
-+++ b/policy/modules/contrib/logwatch.if
-@@ -32,7 +32,9 @@ interface(`logwatch_read_tmp_files',`
- interface(`logwatch_search_cache_dir',`
- gen_require(`
- type logwatch_cache_t;
-+ type var_t;
- ')
-
- allow $1 logwatch_cache_t:dir search_dir_perms;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- ')
-diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
-index 75ce30f..31bff65 100644
---- a/policy/modules/contrib/logwatch.te
-+++ b/policy/modules/contrib/logwatch.te
-@@ -30,6 +30,7 @@ allow logwatch_t self:fifo_file rw_file_perms;
- allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-
- manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
-+allow logwatch_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
-
- allow logwatch_t logwatch_lock_t:file manage_file_perms;
-diff --git a/policy/modules/contrib/podsleuth.te b/policy/modules/contrib/podsleuth.te
-index 4cffb07..32ab27e 100644
---- a/policy/modules/contrib/podsleuth.te
-+++ b/policy/modules/contrib/podsleuth.te
-@@ -33,6 +33,7 @@ allow podsleuth_t self:tcp_socket create_stream_socket_perms;
- allow podsleuth_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
-+allow podsleuth_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
- files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
-
-diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
-index 630f16f..f4e43be 100644
---- a/policy/modules/contrib/portage.te
-+++ b/policy/modules/contrib/portage.te
-@@ -339,5 +339,6 @@ portage_compile_domain(portage_sandbox_t)
- ifdef(`hide_broken_symptoms',`
- # leaked descriptors
- dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
-+ allow portage_sandbox_t var_t:lnk_file read_lnk_file_perms;
- dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
- ')
-diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
-index 951d8f6..f4c6825 100644
---- a/policy/modules/contrib/rpm.if
-+++ b/policy/modules/contrib/rpm.if
-@@ -408,10 +408,12 @@ interface(`rpm_read_script_tmp_files',`
- interface(`rpm_read_cache',`
- gen_require(`
- type rpm_var_cache_t;
-+ type var_t;
- ')
-
- files_search_var($1)
- allow $1 rpm_var_cache_t:dir list_dir_perms;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
- read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
- ')
-@@ -429,10 +431,12 @@ interface(`rpm_read_cache',`
- interface(`rpm_manage_cache',`
- gen_require(`
- type rpm_var_cache_t;
-+ type var_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
- manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
- ')
-diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
-index 60149a5..f3f0640 100644
---- a/policy/modules/contrib/rpm.te
-+++ b/policy/modules/contrib/rpm.te
-@@ -98,6 +98,7 @@ fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }
- can_exec(rpm_t, rpm_tmpfs_t)
-
- manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
-+allow rpm_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
- files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
-
-diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
-index d2496bd..28f8e2e 100644
---- a/policy/modules/contrib/squid.if
-+++ b/policy/modules/contrib/squid.if
-@@ -88,9 +88,11 @@ interface(`squid_rw_stream_sockets',`
- interface(`squid_dontaudit_search_cache',`
- gen_require(`
- type squid_cache_t;
-+ type var_t;
- ')
-
- dontaudit $1 squid_cache_t:dir search_dir_perms;
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
-index c38de7a..01e1222 100644
---- a/policy/modules/contrib/squid.te
-+++ b/policy/modules/contrib/squid.te
-@@ -67,6 +67,7 @@ allow squid_t self:udp_socket create_socket_perms;
-
- # Grant permissions to create, access, and delete cache files.
- manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
-+allow squid_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
- manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
-
-diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
-index 6f0736b..2fcd979 100644
---- a/policy/modules/contrib/virt.if
-+++ b/policy/modules/contrib/virt.if
-@@ -438,10 +438,12 @@ interface(`virt_read_images',`
- interface(`virt_manage_svirt_cache',`
- gen_require(`
- type svirt_cache_t;
-+ type var_t;
- ')
-
- files_search_var($1)
- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
- ')
-diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
-index 947bbc6..659abcc 100644
---- a/policy/modules/contrib/virt.te
-+++ b/policy/modules/contrib/virt.te
-@@ -108,6 +108,7 @@ ifdef(`enable_mls',`
- allow svirt_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
-+allow svirt_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
- files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
-
-@@ -186,6 +187,7 @@ allow virtd_t self:tun_socket create_socket_perms;
- allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-+allow virtd_t var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-
- manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
-diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..ffef982 100644
---- a/policy/modules/services/xserver.if
-+++ b/policy/modules/services/xserver.if
-@@ -22,6 +22,7 @@ interface(`xserver_restricted_role',`
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
- type iceauth_t, iceauth_exec_t, iceauth_home_t;
- type xauth_t, xauth_exec_t, xauth_home_t;
-+ type var_t;
- ')
-
- role $1 types { xserver_t xauth_t iceauth_t };
-@@ -41,6 +42,7 @@ interface(`xserver_restricted_role',`
- allow $2 user_fonts_config_t:file read_file_perms;
-
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-+ allow $2 var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-
- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -134,6 +136,7 @@ interface(`xserver_role',`
- gen_require(`
- type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-+ type var_t;
- ')
-
- xserver_restricted_role($1, $2)
-@@ -154,6 +157,7 @@ interface(`xserver_role',`
- relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-
- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-+ allow $2 var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
-@@ -512,6 +516,7 @@ template(`xserver_user_x_domain_template',`
- interface(`xserver_use_user_fonts',`
- gen_require(`
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-+ type var_t;
- ')
-
- # Read per user fonts
-@@ -520,6 +525,7 @@ interface(`xserver_use_user_fonts',`
-
- # Manipulate the global font cache
- manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-
- # Read per user font config
-diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..00a209d 100644
---- a/policy/modules/system/authlogin.if
-+++ b/policy/modules/system/authlogin.if
-@@ -95,6 +95,7 @@ interface(`auth_use_pam',` - interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t, auth_cache_t; -+ type var_t; - ') - - domain_type($1) -@@ -116,6 +117,7 @@ interface(`auth_login_pgm_domain',` - manage_files_pattern($1, var_auth_t, var_auth_t) - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -+ allow $1 var_t:lnk_file read_lnk_file_perms; - manage_files_pattern($1, auth_cache_t, auth_cache_t) - manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) - files_var_filetrans($1, auth_cache_t, dir) -@@ -279,9 +281,11 @@ interface(`auth_ranged_domtrans_login_program',` - interface(`auth_search_cache',` - gen_require(` - type auth_cache_t; -+ type var_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; -+ allow $1 var_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -333,9 +337,11 @@ interface(`auth_rw_cache',` - interface(`auth_manage_cache',` - gen_require(` - type auth_cache_t; -+ type var_t; - ') - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -+ allow $1 var_t:lnk_file read_lnk_file_perms; - manage_files_pattern($1, auth_cache_t, auth_cache_t) - ') - -@@ -352,9 +358,11 @@ interface(`auth_manage_cache',` - interface(`auth_var_filetrans_cache',` - gen_require(` - type auth_cache_t; -+ type var_t; - ') - - files_var_filetrans($1, auth_cache_t, { file dir } ) -+ allow $1 var_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -371,9 +379,11 @@ interface(`auth_domtrans_chk_passwd',` - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - type auth_cache_t; -+ type var_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; -+ allow $1 var_t:lnk_file read_lnk_file_perms; - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..e2eaee6 100644 ---- a/policy/modules/system/miscfiles.if -+++ b/policy/modules/system/miscfiles.if 
-@@ -183,6 +183,7 @@ interface(`miscfiles_manage_cert_files',` - interface(`miscfiles_read_fonts',` - gen_require(` - type fonts_t, fonts_cache_t; -+ type var_t; - ') - - # cjp: fonts can be in either of these dirs -@@ -194,6 +195,7 @@ interface(`miscfiles_read_fonts',` - read_lnk_files_pattern($1, fonts_t, fonts_t) - - allow $1 fonts_cache_t:dir list_dir_perms; -+ allow $1 var_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, fonts_cache_t, fonts_cache_t) - read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - ') -@@ -295,9 +297,11 @@ interface(`miscfiles_manage_fonts',` - interface(`miscfiles_setattr_fonts_cache_dirs',` - gen_require(` - type fonts_cache_t; -+ type var_t; - ') - - allow $1 fonts_cache_t:dir setattr; -+ allow $1 var_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -314,9 +318,11 @@ interface(`miscfiles_setattr_fonts_cache_dirs',` - interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` - gen_require(` - type fonts_cache_t; -+ type var_t; - ') - - dontaudit $1 fonts_cache_t:dir setattr; -+ allow $1 var_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -333,11 +339,13 @@ interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` - interface(`miscfiles_manage_fonts_cache',` - gen_require(` - type fonts_cache_t; -+ type var_t; - ') - - files_search_var($1) - - manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) -+ allow $1 var_t:lnk_file read_lnk_file_perms; - manage_files_pattern($1, fonts_cache_t, fonts_cache_t) - manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - ') --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink-apache.patch deleted file mode 100644 index 91492c4..0000000 
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - apache2 - -We have added rules for the symlink of /var/log in logging.if, -while apache.te uses /var/log but does not use the interfaces in -logging.if. So still need add a individual rule for apache.te. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/apache.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te -index 1115d37..4c6316d 100644 ---- a/policy/modules/contrib/apache.te -+++ b/policy/modules/contrib/apache.te -@@ -310,6 +310,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) - # cjp: need to refine create interfaces to - # cut this back to add_name only - logging_log_filetrans(httpd_t, httpd_log_t, file) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch deleted file mode 100644 index a2f3c5d..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /var/log/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 14 +++++++++++++- - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 3cb65f1..2419cd7 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -41,6 +41,7 @@ ifdef(`distro_suse', ` - /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..4812d46 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',` - # - interface(`logging_read_audit_log',` - gen_require(` -- type auditd_log_t; -+ type auditd_log_t, var_log_t; - ') - - files_search_var($1) - read_files_pattern($1, auditd_log_t, auditd_log_t) - allow $1 auditd_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -626,6 +627,7 @@ interface(`logging_search_logs',` - - files_search_var($1) - allow $1 var_log_t:dir search_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -663,6 +665,7 @@ 
interface(`logging_list_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir rw_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',` - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - write_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - rw_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',` - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -diff 
--git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index a3a25c2..a45c68e 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms; - manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t var_log_t:dir search_dir_perms; -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) - manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) --- -1.7.9.5 diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch deleted file mode 100644 index 9b5db54..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-syslogd_t-to-trusted-object.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] Add the syslogd_t to trusted object - -We add the syslogd_t to trusted object, because other process need -to have the right to connectto/sendto /dev/log. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Roy.Li -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.te | 1 + - 1 files changed, 1 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 0034021..b6b0ddf 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -444,6 +444,7 @@ fs_getattr_all_fs(syslogd_t) - fs_search_auto_mountpoints(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories -+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log - - term_write_console(syslogd_t) - # Allow syslog to a terminal --- -1.7.5.4 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch deleted file mode 100644 index 6207e40..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-exec-shell-commands.patch +++ /dev/null @@ -1,25 +0,0 @@ -Subject: [PATCH] allow dbusd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/dbus.te | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index 529944b..bb76257 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -111,6 +111,8 @@ corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) - -+corecmd_exec_shell(system_dbusd_t) -+ - domain_use_interactive_fds(system_dbusd_t) - domain_read_all_domains_state(system_dbusd_t) - --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch deleted file mode 100644 index 6eded62..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-dbusd-to-setrlimit-itself.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Subject: [PATCH] allow system_dbusd_t to setrlimit itself. - -avc: denied { setrlimit } for pid=391 comm="dbus-daemon" - scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 - tcontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tclass=proces - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/dbus.te | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index 625cb32..529944b 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -53,7 +53,7 @@ ifdef(`enable_mls',` - # cjp: dac_override should probably go in a distro_debian - allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; -+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-bind-nfs-port.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-bind-nfs-port.patch deleted file mode 100644 index e643b10..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-bind-nfs-port.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -Subject: [PATCH] refpolicy: allow nfsd to bind nfs port - -NFS server need bind to tcp/udp 2049,20048-20049 port, but no -these rules in default refpolicy. So add the allow rules. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.te | 2 ++ - policy/modules/kernel/corenetwork.te | 10 ++++++++++ - policy/modules/kernel/corenetwork.te.in | 1 + - 3 files changed, 13 insertions(+) - -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index 0fc7ddd..03783ae 100644 ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -128,6 +128,8 @@ corecmd_exec_shell(nfsd_t) - - corenet_tcp_bind_all_rpc_ports(nfsd_t) - corenet_udp_bind_all_rpc_ports(nfsd_t) -+corenet_tcp_bind_nfs_port(nfsd_t) -+corenet_udp_bind_nfs_port(nfsd_t) - - dev_dontaudit_getattr_all_blk_files(nfsd_t) - dev_dontaudit_getattr_all_chr_files(nfsd_t) -diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te -index a5276af..8fca50e 100644 ---- a/policy/modules/kernel/corenetwork.te -+++ b/policy/modules/kernel/corenetwork.te -@@ -849,6 +849,16 @@ portcon tcp 5405 gen_context(system_u:object_r:netsupport_port_t,s0) - portcon udp 5405 gen_context(system_u:object_r:netsupport_port_t,s0) - - -+type nfs_port_t, port_type, defined_port_type; -+type nfs_client_packet_t, packet_type, client_packet_type; -+type nfs_server_packet_t, packet_type, server_packet_type; -+typeattribute nfs_port_t unreserved_port_type; -+portcon tcp 2049 gen_context(system_u:object_r:nfs_port_t,s0) -+portcon udp 2049 gen_context(system_u:object_r:nfs_port_t,s0) -+portcon tcp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0) -+portcon udp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0) -+ -+ - type nmbd_port_t, port_type, defined_port_type; - type nmbd_client_packet_t, packet_type, client_packet_type; - type nmbd_server_packet_t, packet_type, server_packet_type; -diff --git 
a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..fca0bc3 100644 ---- a/policy/modules/kernel/corenetwork.te.in -+++ b/policy/modules/kernel/corenetwork.te.in -@@ -164,6 +164,7 @@ network_port(mysqlmanagerd, tcp,2273,s0) - network_port(nessus, tcp,1241,s0) - network_port(netport, tcp,3129,s0, udp,3129,s0) - network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) -+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) - network_port(nmbd, udp,137,s0, udp,138,s0) - network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) - network_port(ntp, udp,123,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index f1fcc4c..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -Subject: [PATCH] allow nfsd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.te | 7 +++++++ - policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ - 2 files changed, 25 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index 330d01f..fde39d2 100644 ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -120,6 +120,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - kernel_read_system_state(nfsd_t) - kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) -+kernel_setsched(nfsd_t) -+kernel_request_load_module(nfsd_t) -+kernel_mounton_proc(nfsd_t) -+ -+corecmd_exec_shell(nfsd_t) - - corenet_tcp_bind_all_rpc_ports(nfsd_t) - corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -174,6 +179,8 @@ tunable_policy(`nfs_export_all_ro',` - files_read_non_auth_files(nfsd_t) - ') - -+mount_exec(nfsd_t) -+ - ######################################## - # - # GSSD local policy -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..25e7b1b 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',` - - ######################################## - ## -+## Mounton a proc filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_mounton_proc',` -+ gen_require(` -+ type proc_t; -+ ') -+ -+ allow $1 proc_t:dir mounton; -+') -+ -+######################################## -+## - ## Get the attributes of the proc filesystem. - ## - ## --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch deleted file mode 100644 index 15dc506..0000000 
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ /dev/null @@ -1,26 +0,0 @@ -Subject: [PATCH] fix setfiles_t to read symlinks - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/selinuxutil.te | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..45ed81b 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -553,6 +553,9 @@ files_list_all(setfiles_t) - files_relabel_all_files(setfiles_t) - files_read_usr_symlinks(setfiles_t) - -+# needs to be able to read symlinks to make restorecon on symlink working -+files_read_all_symlinks(setfiles_t) -+ - fs_getattr_xattr_fs(setfiles_t) - fs_list_all(setfiles_t) - fs_search_auto_mountpoints(setfiles_t) --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch deleted file mode 100644 index d7e407b..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-don-t-audit-tty_device_t.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -Subject: [PATCH] don't audit tty_device_t in term_dontaudit_use_console. - -We should also not audit terminal to rw tty_device_t and fds in -term_dontaudit_use_console. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/terminal.if | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f9d46cc..234e0b8 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -299,9 +299,12 @@ interface(`term_use_console',` - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - -+ init_dontaudit_use_fds($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index fa0a274..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ /dev/null 
@@ -1,213 +0,0 @@ -Subject: [PATCH] fix for new SELINUXMNT in /sys - -SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should -add rules to access sysfs. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ - 1 files changed, 40 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 81440c5..b57ec34 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` - type security_t; - ') - -+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to -+ # access sysfs -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem mount; - ') - -@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem remount; - ') - -@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem unmount; - ') - -@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem getattr; - ') - -@@ -183,6 +196,7 @@ 
interface(`selinux_dontaudit_getattr_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:filesystem getattr; - ') - -@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir getattr; - ') - -@@ -220,6 +235,8 @@ interface(`selinux_search_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir search_dir_perms; - ') - -@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - ') - -@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - ') -@@ -342,6 +361,8 @@ interface(`selinux_load_policy',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_load_policy; -@@ -371,6 +392,8 @@ interface(`selinux_read_policy',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; -@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - -@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; 
-@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` - attribute can_setsecparam; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; -@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; -@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; -@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; -@@ -626,6 +660,8 @@ interface(`selinux_compute_member',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; -@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; -@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; --- -1.7.5.4 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch deleted file mode 100644 index 42ee31e..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.te | 6 +++++- - policy/modules/contrib/rpcbind.te | 5 +++++ - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 1 + - 4 files changed, 12 insertions(+), 1 deletions(-) - -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index fde39d2..0fc7ddd 100644 ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -179,7 +179,11 @@ tunable_policy(`nfs_export_all_ro',` - files_read_non_auth_files(nfsd_t) - ') - --mount_exec(nfsd_t) -+# Should domtrans to mount_t while mounting nfsd_fs_t. -+mount_domtrans(nfsd_t) -+# nfsd_t need to chdir to /var/lib/nfs and read files. -+files_list_var(nfsd_t) -+rpc_read_nfs_state_data(nfsd_t) - - ######################################## - # -diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te -index a63e9ee..55397d9 100644 ---- a/policy/modules/contrib/rpcbind.te -+++ b/policy/modules/contrib/rpcbind.te -@@ -67,3 +67,8 @@ logging_send_syslog_msg(rpcbind_t) - miscfiles_read_localization(rpcbind_t) - - sysnet_dns_name_resolve(rpcbind_t) -+ -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. 
-+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 376bae8..310d992 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -118,6 +118,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - - type nfsd_fs_t; - fs_type(nfsd_fs_t) -+files_mountpoint(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - - type oprofilefs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index ab9b6cd..15d3814 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t) - mls_process_write_down(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch deleted file mode 100644 index bd76004..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-Subject: [PATCH] refpolicy: fix selinux utils to manage config files
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/selinuxutil.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..db03ca1 100644
---- a/policy/modules/system/selinuxutil.if
-+++ b/policy/modules/system/selinuxutil.if
-@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
- ')
- 
- files_search_etc($1)
-+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
- manage_files_pattern($1, selinux_config_t, selinux_config_t)
- read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
- ')
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..6b6a5b3 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1235,6 +1235,10 @@ template(`userdom_security_admin_template',`
- logging_read_audit_config($1)
- 
- seutil_manage_bin_policy($1)
-+ seutil_manage_default_contexts($1)
-+ seutil_manage_file_contexts($1)
-+ seutil_manage_module_store($1)
-+ seutil_manage_config($1)
- seutil_run_checkpolicy($1, $2)
- seutil_run_loadpolicy($1, $2)
- seutil_run_semanage($1, $2)
---
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
deleted file mode 100644
index 87ac790..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix xconsole_device_t as a dev_node.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/services/xserver.te | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..5bb97e9 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
-@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t)
- # this is not actually a device, its a pipe
- type xconsole_device_t;
- files_type(xconsole_device_t)
-+dev_node(xconsole_device_t)
- fs_associate_tmpfs(xconsole_device_t)
- files_associate_tmp(xconsole_device_t)
- 
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
deleted file mode 100644
index 4d75322..0000000
--- a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb
+++ /dev/null
@@ -1,24 +0,0 @@
-SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MLS support. \
-It allows giving data labels such as \"Top Secret\" and preventing \
-such data from leaking to processes or files with lower classification. \
-"
-
-PR = "r3"
-
-POLICY_NAME = "mls"
-POLICY_TYPE = "mls"
-POLICY_DISTRO = "redhat"
-POLICY_UBAC = "n"
-POLICY_UNK_PERMS = "allow"
-POLICY_DIRECT_INITRC = "n"
-POLICY_MONOLITHIC = "n"
-POLICY_CUSTOM_BUILDOPT = ""
-POLICY_QUIET = "y"
-
-POLICY_MLS_SENS = "16"
-POLICY_MLS_CATS = "1024"
-POLICY_MCS_CATS = "1024"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
deleted file mode 100644
index 1f3030a..0000000
--- a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Standard variants of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SELinux built with type enforcement \
-only."
-
-PR = "r3"
-
-POLICY_NAME = "standard"
-POLICY_TYPE = "standard"
-POLICY_DISTRO = "redhat"
-POLICY_UBAC = "n"
-POLICY_UNK_PERMS = "allow"
-POLICY_DIRECT_INITRC = "n"
-POLICY_MONOLITHIC = "n"
-POLICY_CUSTOM_BUILDOPT = ""
-POLICY_QUIET = "y"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
deleted file mode 100644
index 5d1868d..0000000
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ /dev/null
@@ -1,57 +0,0 @@
-SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
-SRC_URI[md5sum] = "8aaa8a23cc1b7b7045f6f134e879ddb7"
-SRC_URI[sha256sum] = "7cd46ed908a4001368e6509d93e306ec6c9af2bfa6b70db88c9eaaefe257c635"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-# Fix file contexts for Poky
-SRC_URI += "file://poky-fc-subs_dist.patch \
- file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_tinylogin.patch \
- file://poky-fc-update-alternatives_sysklogd.patch \
- file://poky-fc-update-alternatives_hostname.patch \
- file://poky-fc-fix-prefix-path_rpc.patch \
- file://poky-fc-fix-real-path_resolv.conf.patch \
- file://poky-fc-fix-real-path_login.patch \
- file://poky-fc-fix-real-path_shadow.patch \
- file://poky-fc-fix-bind.patch \
- file://poky-fc-fix-portmap.patch \
- file://poky-fc-cgroup.patch \
- file://poky-fc-clock.patch \
- file://poky-fc-corecommands.patch \
- file://poky-fc-dmesg.patch \
- file://poky-fc-fstools.patch \
- file://poky-fc-iptables.patch \
- file://poky-fc-mta.patch \
- file://poky-fc-netutils.patch \
- file://poky-fc-networkmanager.patch \
- file://poky-fc-nscd.patch \
- file://poky-fc-screen.patch \
- file://poky-fc-ssh.patch \
- file://poky-fc-su.patch \
- file://poky-fc-sysnetwork.patch \
- "
-
-# Specific policy for Poky
-SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
- file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
- file://poky-policy-add-rules-for-var-cache-symlink.patch \
- file://poky-policy-add-rules-for-tmp-symlink.patch \
- file://poky-policy-add-rules-for-bsdpty_device_t.patch \
- file://poky-policy-don-t-audit-tty_device_t.patch \
- file://poky-policy-allow-dbusd-to-setrlimit-itself.patch \
- file://poky-policy-allow-dbusd-to-exec-shell-commands.patch \
- file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \
- file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \
- file://poky-policy-allow-nfsd-to-bind-nfs-port.patch \
- file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \
- file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \
- "
-
-# Other policy fixes
-SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
- file://poky-policy-fix-seutils-manage-config-files.patch \
- "
-
-include refpolicy_common.inc
-- 
cgit v1.2.3-54-g00ecf