From 449804470ff7ed712c7ab4c6352fca3af0d4e244 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Thu, 4 May 2017 14:23:12 -0400
Subject: refpolicy-git: clean up fallout from stable uprev
Signed-off-by: Joe MacDonald
---
.../refpolicy/refpolicy-git/poky-fc-clock.patch | 4 ++-
.../poky-fc-fix-real-path_login.patch | 22 ++++---------
.../poky-fc-fix-real-path_shadow.patch | 32 ++++++++++++++-----
.../refpolicy/refpolicy-git/poky-fc-fstools.patch | 8 ++---
.../refpolicy-git/poky-fc-ftpwho-dir.patch | 2 +-
.../refpolicy/refpolicy-git/poky-fc-mta.patch | 2 +-
.../refpolicy/refpolicy-git/poky-fc-rpm.patch | 2 +-
.../refpolicy/refpolicy-git/poky-fc-ssh.patch | 2 +-
.../refpolicy-git/poky-fc-sysnetwork.patch | 2 +-
.../refpolicy/refpolicy-git/poky-fc-udevd.patch | 14 +--------
.../poky-fc-update-alternatives_sysklogd.patch | 10 +++---
.../poky-fc-update-alternatives_sysvinit.patch | 36 ++++++++++++----------
...poky-policy-add-rules-for-var-log-symlink.patch | 2 +-
...olicy-fix-optional-issue-on-sysadm-module.patch | 33 ++++++++------------
...efpolicy-remove-duplicate-type_transition.patch | 2 +-
.../refpolicy-unconfined_u-default-user.patch | 30 +++++++++---------
recipes-security/refpolicy/refpolicy_git.inc | 2 --
17 files changed, 98 insertions(+), 107 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
index 628e8a3..946dcc2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch
@@ -10,8 +10,10 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/clock.fc 
+++ b/policy/modules/system/clock.fc -@@ -1,3 +1,4 @@ +@@ -1,5 +1,6 @@ /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) + /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + +/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch index fc54217..49f4960 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch @@ -10,7 +10,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -3,20 +3,19 @@ +@@ -3,10 +3,12 @@ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -18,18 +18,8 @@ 
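Review bot: Only `/usr/sbin/hwclock\.util-linux` receives hwclock_exec_t, while the refreshed context shows upstream now also labels `/usr/bin/hwclock`; if the alternatives target on this distro ever lands under /usr/bin instead, the real binary falls back to bin_t and hwclock runs in the caller's domain rather than hwclock_t. A parallel `/usr/bin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)` line would keep the two prefixes in step. Leaving the update-alternatives symlink itself unlabeled is fine because the exec transition keys on the resolved target, but that reasoning deserves one sentence in the patch header so the next rebase does not "fix" it.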
Signed-off-by: Joe MacDonald /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) - - /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) - - /usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) - - /usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) --/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) --/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) - /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ifdef(`distro_suse', ` - /usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') + /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) + /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) + /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/bin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) + /usr/bin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch index a15a776..b441257 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch @@ -10,7 +10,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/admin/usermanage.fc 
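Review bot: `login\.tinylogin` is still given login_exec_t even though the surrounding lines were rewritten for the rebase; if tinylogin is no longer a provider of the login alternative on this distro the entry is dead weight, and if busybox provides it instead, the alternative resolves to the busybox binary, which cannot carry login_exec_t per applet, so no transition to login_t happens there at all. That limitation should be stated in the patch header, e.g. `# busybox-provided login does not transition to login_t; only shadow's login.shadow does`. Keeping the /usr/sbin/unix_chkpwd, unix_update and unix_verify lines (the previous version of this patch deleted them) is correct, since those helpers must still transition to chkpwd_t/updpwd_t.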
+++ b/policy/modules/admin/usermanage.fc -@@ -2,15 +2,21 @@ ifdef(`distro_debian',` +@@ -2,20 +2,24 @@ ifdef(`distro_debian',` /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) ') @@ -19,16 +19,32 @@ 
Signed-off-by: Joe MacDonald +/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/bin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/bin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/bin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/bin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/bin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) +@@ -36,10 +40,12 @@ ifdef(`distro_debian',` + /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) + 
/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch index cf07b23..d887e96 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch @@ -14,8 +14,8 @@ Signed-off-by: Shrikant Bobade --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc -@@ -4,10 +4,11 @@ - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -55,10 +55,11 @@ + /usr/bin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -26,7 +26,7 @@ 
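Review bot: The `.shadow` names are added for chfn, chsh, passwd, vigr and vipw only; if the shadow recipe's alternatives group at this version also contains newgrp or other privileged helpers, their real binaries keep the default label and execute without the domain transition these lines exist to guarantee. Please cross-check the recipe's ALTERNATIVE list and add the matching `/usr/bin/<name>\.shadow -- gen_context(...)` entries in the same patch. Moving vigr/vipw from `/sbin/` to `/usr/sbin/` matches the upstream context shown here and is the right fix for the stale path.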
Signed-off-by: Shrikant Bobade /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -17,14 +18,16 @@ +@@ -68,14 +69,16 @@ /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -43,7 +43,7 @@ Signed-off-by: Shrikant Bobade /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -33,21 +36,24 @@ +@@ -84,21 +87,24 @@ /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch index d58de6a..5ed7eae 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch @@ -12,7 +12,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/contrib/ftp.fc +++ b/policy/modules/contrib/ftp.fc -@@ -10,11 +10,11 @@ +@@ -15,11 +15,11 @@ /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch index 72b559f..b3e2846 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch @@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald 
--- a/policy/modules/contrib/mta.fc +++ b/policy/modules/contrib/mta.fc -@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys +@@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch index 922afa9..3cd766d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch @@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/contrib/rpm.fc +++ b/policy/modules/contrib/rpm.fc -@@ -57,6 +57,7 @@ ifdef(`distro_redhat',` +@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch index 648b21b..f01e5aa 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch @@ -19,6 +19,6 @@ Signed-off-by: Joe MacDonald +/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) - /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch index 0b148b5..88c8c45 100644 
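Review bot: Only the `ssh` client alternative gets a `\.openssh` label; the refreshed context now carries `/usr/bin/sshd -- sshd_exec_t`, and if sshd (or scp) is alternatives-managed on this distro as well, the daemon's real binary stays at the default label and init starts it without the transition into sshd_t, which removes the confinement the label exists for. If that is the case, `/usr/bin/sshd\.openssh -- gen_context(system_u:object_r:sshd_exec_t,s0)` belongs in this same patch. Dropping the `/usr/lib/ssh/ssh-keysign` context line is only a rebase artefact and needs no action.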
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch @@ -14,7 +14,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -41,17 +41,20 @@ ifdef(`distro_redhat',` +@@ -54,17 +54,20 @@ ifdef(`distro_redhat',` /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch index 2271a05..f53b551 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch @@ -13,19 +13,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc -@@ -8,10 +8,11 @@ - - /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) - /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - - /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - - ifdef(`distro_debian',` - /usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - ') - -@@ -30,10 +31,11 @@ ifdef(`distro_redhat',` +@@ -32,10 +32,11 @@ ifdef(`distro_redhat',` /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch index dfa67a6..77f7fad 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch @@ -28,11 +28,11 @@ 
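Review bot: The inner hunk that labeled `/usr/bin/udevadm` outside the `distro_debian` guard is dropped, but nothing in the refreshed patch shows upstream now labeling it unconditionally; if udev.fc still only lists it inside the Debian ifdef, non-Debian builds lose udev_exec_t and udevadm runs in the invoking domain rather than udev_t. Please confirm against udev.fc at the new upstream revision and, if needed, keep the `+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)` line. A one-line justification in the patch header (e.g. `udevadm is labeled unconditionally upstream since <commit>`) would stop this from being re-litigated on the next uprev.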
Signed-off-by: Joe MacDonald /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) - /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) -@@ -15,14 +17,16 @@ + /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) + /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) + /usr/bin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) + /usr/bin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) +@@ -27,14 +29,16 @@ /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch index 81fe141..3f6a5c8 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch @@ -13,34 +13,36 @@ 
Signed-off-by: Joe MacDonald policy/modules/system/init.fc | 1 + 3 files changed, 3 insertions(+) -Index: refpolicy/policy/modules/contrib/shutdown.fc -=================================================================== ---- refpolicy.orig/policy/modules/contrib/shutdown.fc -+++ refpolicy/policy/modules/contrib/shutdown.fc -@@ -3,5 +3,6 @@ +--- a/policy/modules/contrib/shutdown.fc ++++ b/policy/modules/contrib/shutdown.fc +@@ -3,7 +3,8 @@ + /usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -Index: refpolicy/policy/modules/kernel/corecommands.fc -=================================================================== ---- refpolicy.orig/policy/modules/kernel/corecommands.fc -+++ refpolicy/policy/modules/kernel/corecommands.fc -@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',` +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -144,10 +144,11 @@ ifdef(`distro_gentoo',` + /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) +/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) + /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) -Index: 
refpolicy/policy/modules/system/init.fc -=================================================================== ---- refpolicy.orig/policy/modules/system/init.fc -+++ refpolicy/policy/modules/system/init.fc -@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', ` + /usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -40,10 +40,11 @@ ifdef(`distro_gentoo', ` + + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) @@ -48,3 +50,5 @@ Index: refpolicy/policy/modules/system/init.fc /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + ifdef(`distro_gentoo', ` + /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index 19342f5..75a5fa2 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch @@ -18,7 +18,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -39,10 +39,11 @@ ifdef(`distro_suse', ` +@@ -51,10 +51,11 @@ ifdef(`distro_suse', ` /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index 3a8a95e..b33e84b 100644 
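Review bot: `shutdown\.sysvinit` and `mountpoint\.sysvinit` are covered, but the init.fc addition in this hunk is not visible in the diff and the sysvinit alternatives group normally also provides sulogin, halt, reboot, poweroff and init; of these sulogin is the one that matters for security, because it has its own domain (sulogin_t, see the locallogin.te hunk further down) and an unlabeled `sulogin\.sysvinit` would hand single-user mode a root shell with no transition out of the parent domain. Please verify which names are alternatives-managed at this sysvinit version and add the matching `\.sysvinit` entries, sulogin first. The refreshed context also lists `/usr/bin/shutdown`, so a `/usr/bin/shutdown\.sysvinit` twin is worth considering for usrmerge layouts.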
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch @@ -19,10 +19,10 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -300,16 +300,18 @@ ifdef(`init_systemd',` +@@ -344,17 +344,19 @@ ifdef(`init_systemd',` optional_policy(` - modutils_domtrans_insmod(init_t) + modutils_domtrans(init_t) ') ',` - tunable_policy(`init_upstart',` @@ -30,32 +30,25 @@ Signed-off-by: Joe MacDonald - ',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart -- sysadm_shell_domtrans(init_t) +- ifndef(`distro_debian',` +- sysadm_shell_domtrans(init_t) + optional_policy(` + tunable_policy(`init_upstart',` + corecmd_shell_domtrans(init_t, initrc_t) + ',` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart -+ sysadm_shell_domtrans(init_t) -+ ') ++ ifndef(`distro_debian',` ++ sysadm_shell_domtrans(init_t) ++ ') + ') ') ') ifdef(`distro_debian',` - fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") -@@ -1109,6 +1111,6 @@ optional_policy(` - ') - - # systemd related allow rules - allow kernel_t init_t:process dyntransition; - allow devpts_t device_t:filesystem associate; --allow init_t self:capability2 block_suspend; -\ No newline at end of file -+allow init_t self:capability2 block_suspend; --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -244,11 +244,13 @@ seutil_read_default_contexts(sulogin_t) +@@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) @@ -66,7 +59,7 @@ 
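Review bot: Wrapping the single-user transition in `optional_policy` means that when the sysadm module is absent (the targeted build this patch lives under) `sysadm_shell_domtrans(init_t)` silently drops out and the rescue shell is exec'd with no transition, i.e. it keeps running as init_t; that is presumably the intended fallback, but it is recorded nowhere. A comment inside the new block, e.g. `# without the sysadm module the single-user shell stays in init_t`, would make the privilege implication explicit. Preserving upstream's `ifndef(\`distro_debian\`` guard inside the optional block is correct, but the nested `')` closers are easy to misplace in m4, so one build with distro_debian defined is worth running.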
Signed-off-by: Joe MacDonald + sysadm_shell_domtrans(sulogin_t) +') - # suse and debian do not use pam with sulogin... - ifdef(`distro_suse', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') - + # by default, sulogin does not use pam... + # sulogin_pam might need to be defined otherwise + ifdef(`sulogin_pam', ` + selinux_get_fs_mount(sulogin_t) diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch index 1dc9911..17a8199 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-remove-duplicate-type_transition.patch @@ -25,7 +25,7 @@ Signed-off-by: Joe MacDonald --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -1268,16 +1268,16 @@ interface(`init_spec_domtrans_script',` +@@ -1430,16 +1430,16 @@ interface(`init_spec_domtrans_script',` ## ## # diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index f28ab74..29d3e2d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch @@ -30,21 +30,21 @@ Signed-off-by: Wenzong Fan + --- a/policy/modules/roles/sysadm.te 
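Review bot: The same optional fallback applies to `sysadm_shell_domtrans(sulogin_t)`: without the sysadm module, sulogin spawns the root shell in sulogin_t itself, and nothing in this hunk says whether sulogin_t is meant to carry a full interactive root session. A short comment after the block, e.g. `# no sysadm module: the root shell from sulogin stays in sulogin_t`, records the intent for whoever next audits the targeted policy. The rebased context now reads `ifdef(\`sulogin_pam\`` instead of the old suse/debian `sulogin_no_pam` defines, so any description of the PAM path in the patch header should be re-checked against the new upstream wording.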
+++ b/policy/modules/roles/sysadm.te -@@ -41,10 +41,11 @@ init_reload(sysadm_t) - init_reboot_system(sysadm_t) - init_shutdown_system(sysadm_t) - init_start_generic_units(sysadm_t) - init_stop_generic_units(sysadm_t) - init_reload_generic_units(sysadm_t) +@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t) + ubac_file_exempt(sysadm_t) + ubac_fd_exempt(sysadm_t) + + init_exec(sysadm_t) + init_admin(sysadm_t) +init_script_role_transition(sysadm_r) + selinux_read_policy(sysadm_t) + # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) - userdom_home_filetrans_user_home_dir(sysadm_t) - --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -1232,30 +1232,31 @@ interface(`init_script_file_entry_type', +@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type', ## ## # @@ -80,7 +80,7 @@ Signed-off-by: Wenzong Fan ######################################## ## -@@ -1267,22 +1268,23 @@ interface(`init_spec_domtrans_script',` +@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',` ## ## # @@ -108,11 +108,11 @@ Signed-off-by: Wenzong Fan ######################################## ## -@@ -2502,5 +2504,34 @@ interface(`init_reload_all_units',` - class service reload; - ') - - allow $1 systemdunit:service reload; +@@ -2972,5 +2974,34 @@ interface(`init_admin',` + init_stop_all_units($1) + init_stop_generic_units($1) + init_stop_system($1) + init_telinit($1) ') + +######################################## diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index b320e4d..21e3a4c 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc 
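Review bot: `init_script_role_transition(sysadm_r)` now sits directly below the new upstream `init_admin(sysadm_t)` call, and the interface it uses is defined by the lines this patch appends after `init_admin` in init.if, none of which are visible here; a role transition into system_r is a privilege boundary, so this rebase cannot confirm whether `init_admin` already supplies an equivalent role_transition (making the new call a duplicate) or whether the appended interface still matches the renumbered `init_spec_domtrans_script` it also edits. Please cite in the patch header the upstream commit that introduced `init_admin` and state explicitly that it does not cover the role transition. The `@@ -1394`, `@@ -1429` and `@@ -2972` offset changes are otherwise pure rebase noise.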
@@ -20,13 +20,11 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-dmesg.patch \ file://poky-fc-fstools.patch \ file://poky-fc-mta.patch \ - file://poky-fc-nscd.patch \ file://poky-fc-screen.patch \ file://poky-fc-ssh.patch \ file://poky-fc-sysnetwork.patch \ file://poky-fc-udevd.patch \ file://poky-fc-rpm.patch \ - file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ file://refpolicy-update-for_systemd.patch \ " -- cgit v1.2.3-54-g00ecf
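Review bot: `poky-fc-ftpwho-dir.patch` is removed from SRC_URI here, yet the same commit refreshes that file's hunk offsets above, and `poky-fc-nscd.patch` is dropped from SRC_URI without being deleted (the diffstat lists no removed files); either the removals are accidental or both patch files are now dead and should be deleted in the same change so the tree does not carry un-applied policy patches. If the drop is intentional because upstream now labels the nscd and ftpwho paths, say so in the commit message, because silently losing a file-context patch changes which domain those services run in. Minimal fix: keep `file://poky-fc-ftpwho-dir.patch \` in the list, or `git rm` both patch files alongside this hunk.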