From 6974239e6015b6cb84e9625b870835626b1b02fe Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 26 Nov 2012 18:39:59 +0800 Subject: refpolicy: fix policy to allow nfsd works. Signed-off-by: Xin Ouyang --- .../poky-policy-fix-nfsd_t.patch | 69 ++++++++++++++++++++++ .../refpolicy/refpolicy-mls_2.20120725.bb | 2 +- .../refpolicy/refpolicy-standard_2.20120725.bb | 2 +- .../refpolicy/refpolicy_2.20120725.inc | 1 + 4 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch new file mode 100644 index 0000000..bf509bc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-nfsd_t.patch @@ -0,0 +1,69 @@ +Subject: [PATCH] fix policy to allow nfsserver to work fine. + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/rpc.te | 6 +++++- + policy/modules/contrib/rpcbind.te | 5 +++++ + policy/modules/kernel/filesystem.te | 1 + + policy/modules/kernel/kernel.te | 1 + + 4 files changed, 12 insertions(+), 1 deletions(-) + +diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te +index fde39d2..0fc7ddd 100644 +--- a/policy/modules/contrib/rpc.te ++++ b/policy/modules/contrib/rpc.te +@@ -179,7 +179,11 @@ tunable_policy(`nfs_export_all_ro',` + files_read_non_auth_files(nfsd_t) + ') + +-mount_exec(nfsd_t) ++# Should domtrans to mount_t while mounting nfsd_fs_t. ++mount_domtrans(nfsd_t) ++# nfsd_t need to chdir to /var/lib/nfs and read files. ++files_list_var(nfsd_t) ++rpc_read_nfs_state_data(nfsd_t) + + ######################################## + # +diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te +index a63e9ee..55397d9 100644 +--- a/policy/modules/contrib/rpcbind.te ++++ b/policy/modules/contrib/rpcbind.te +@@ -67,3 +67,8 @@ logging_send_syslog_msg(rpcbind_t) + miscfiles_read_localization(rpcbind_t) + + sysnet_dns_name_resolve(rpcbind_t) ++ ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because the are running in different level. So add rules to allow this. ++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index 376bae8..310d992 100644 +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -118,6 +118,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) + + type nfsd_fs_t; + fs_type(nfsd_fs_t) ++files_mountpoint(nfsd_fs_t) + genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) + + type oprofilefs_t; +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index ab9b6cd..15d3814 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -284,6 +284,7 @@ mls_process_read_up(kernel_t) + mls_process_write_down(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb index bfb08be..77b7e0f 100644 --- a/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb +++ b/recipes-security/refpolicy/refpolicy-mls_2.20120725.bb @@ -5,7 +5,7 @@ It allows giving data labels such as \"Top Secret\" and preventing \ such data from leaking to processes or files with lower classification. \ " -PR = "r1" +PR = "r2" POLICY_NAME = "mls" POLICY_TYPE = "mls" diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb index fdd289a..25e94c6 100644 --- a/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb +++ b/recipes-security/refpolicy/refpolicy-standard_2.20120725.bb @@ -3,7 +3,7 @@ DESCRIPTION = "\ This is the reference policy for SELinux built with type enforcement \ only." -PR = "r1" +PR = "r2" POLICY_NAME = "standard" POLICY_TYPE = "standard" diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc index 54a571a..57f2046 100644 --- a/recipes-security/refpolicy/refpolicy_2.20120725.inc +++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc @@ -30,6 +30,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \ # Other policy fixes SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ + file://poky-policy-fix-nfsd_t.patch \ " include refpolicy_common.inc -- cgit v1.2.3-54-g00ecf