From b95c77e3d28d77141eac6e09058ffc9fecedc7ed Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Tue, 11 Sep 2012 14:09:24 +0800
Subject: refpolicy: Fix specific file contexts for poky
Signed-off-by: Xin Ouyang
---
 .../poky-fc-fix-prefix-path_rpc.patch | 43 +++++++++++++++++
 .../poky-fc-fix-real-path_login.patch | 37 +++++++++++++++
 .../poky-fc-fix-real-path_resolv.conf.patch | 24 ++++++++++
 .../refpolicy-2.20120725/poky-fc-subs_dist.patch | 31 ++++++++++++
 .../poky-fc-update-alternatives_hostname.patch | 20 ++++++++
 .../poky-fc-update-alternatives_sysklogd.patch | 55 ++++++++++++++++++++++
 .../poky-fc-update-alternatives_tinylogin.patch | 24 ++++++++++
 .../refpolicy/refpolicy_2.20120725.inc | 13 ++++-
 8 files changed, 245 insertions(+), 2 deletions(-)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
new file mode 100644
index 0000000..ef7287c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-prefix-path_rpc.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] fc: fix prefix path for rpc*
+
+rpc* packages have installed files with the /usr prefix in poky, so fix
+file contexts for them.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/contrib/rpc.fc | 4 ++--
+ policy/modules/contrib/rpcbind.fc | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
+index 5c70c0c..52db849 100644
+--- a/policy/modules/contrib/rpc.fc
++++ b/policy/modules/contrib/rpc.fc
+@@ -9,8 +9,8 @@
+ #
+ # /sbin
+ #
+-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
++/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+ #
+ # /usr
+diff --git a/policy/modules/contrib/rpcbind.fc b/policy/modules/contrib/rpcbind.fc
+index f5c47d6..3cd9e62 100644
+--- a/policy/modules/contrib/rpcbind.fc
++++ b/policy/modules/contrib/rpcbind.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0)
+
+-/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
++/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
+
+ /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
+
+--
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_login.patch
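Review bot: The embedded rpc.fc and rpcbind.fc hunks replace the `/sbin/...` entries instead of adding the `/usr/sbin/...` ones next to them, so on an image where any of these binaries still lands in /sbin (or where the /sbin to /usr/sbin relationship is not covered by file_contexts.subs_dist) the file would fall back to the bin_t default and the daemon would start without the rpcd_t or rpcbind_t transition, i.e. without the confinement these modules provide. A file context for a path that does not exist is harmless, so keeping both is the safer form: leave `/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)` in place and add `/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)` (likewise for sm-notify and rpcbind). The same replace-rather-than-add pattern appears in the authlogin.fc hunk of poky-fc-fix-real-path_login.patch, where losing the `/sbin/unix_chkpwd` label would matter more because PAM's password helper depends on the chkpwd_t transition to reach shadow_t. As a smaller point, the new /usr/sbin lines sit under the `# /sbin` section comment in rpc.fc while a `# /usr` section follows it.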
@@ -0,0 +1,37 @@
+Subject: [PATCH] fix real path for login commands.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/authlogin.fc | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..c8dd17f 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,5 +1,7 @@
+
+ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
++/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
+
+ /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+@@ -9,9 +11,9 @@
+
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
+-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+--
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
new file mode 100644
index 0000000..80cca67
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-fix-real-path_resolv.conf.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix real path for resolv.conf
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 346a7cc..dec8632 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
+ /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+ /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+--
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
new file mode 100644
index 0000000..2eaecdf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-subs_dist.patch
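Review bot: The new `/var/run/resolv\.conf.*` entry carries the `--` regular-file qualifier, so if /etc/resolv.conf on the image is a symlink into /var/run (presumably the reason this path is being labeled), the link itself is matched by neither this entry nor the existing `/etc/resolv\.conf.*` one and keeps the directory default; every domain that resolves names would then have to be allowed to follow an etc_t symlink, which is worth confirming rather than assuming, since the sysklogd patch in this same series had to add an explicit lnk_file rule for the analogous syslog.conf case. The commit message could also state the intended layout (where the real file lives and what points to it) and that, through poky-fc-subs_dist.patch mapping /var/volatile/run to /var/run, this entry is meant to cover /var/volatile/run/resolv.conf as well.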
@@ -0,0 +1,31 @@
+Subject: [PATCH] fix file_contexts.subs_dist for poky
+
+This file is used for Linux distros to define specific pathes
+mapping to the pathes in file_contexts.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ config/file_contexts.subs_dist | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 32b87a4..ebba73d 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -5,3 +5,11 @@
+ /usr/lib32 /usr/lib
+ /usr/lib64 /usr/lib
+ /var/run/lock /var/lock
++/etc/init.d /etc/rc.d/init.d
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
++/www /var/www
+--
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
new file mode 100644
index 0000000..e647668
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_hostname.patch
@@ -0,0 +1,20 @@
+Subject: [PATCH] fix update-alternatives for hostname
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/hostname.fc | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..4003b6d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,3 @@
+
+ /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+1.7.5.4
+
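Review bot: `/var/volatile/run/lock /var/lock` is added below `/var/volatile/run /var/run`, and both prefixes match a path under /var/volatile/run/lock; libselinux applies only one substitution per lookup (it does not re-substitute the result through the existing `/var/run/lock /var/lock` line), so which of the two entries wins decides whether lock files get the /var/lock or the /var/run labels, and I'd verify on the target which order libselinux scans this file rather than assume the longer prefix takes precedence. If the /var/volatile/run entry wins, the /var/volatile/run/lock line is dead and lock files end up under the /var/run rules. A short comment above the block recording the expected precedence, e.g. `# longest-prefix rule must come first/last (see selabel_sub in libselinux)`, would keep the next person from reordering it by accident. The subs_dist hunk is complete within this patch; the hostname hunk that follows it raises no concern.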
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
new file mode 100644
index 0000000..c3c5fe1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_sysklogd.patch
@@ -0,0 +1,55 @@
+Subject: [PATCH] fix update-alternatives for sysklogd
+
+/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule
+for syslogd_t to read syslog_conf_t lnk_file is needed.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/logging.fc | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 02f4c97..3cb65f1 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -2,19 +2,23 @@
+
+ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
++/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+
+ /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index b6b0ddf..a3a25c2 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -369,6 +369,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+ allow syslogd_t syslog_conf_t:file read_file_perms;
++allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+--
+1.7.5.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
new file mode 100644
index 0000000..ae06dfa
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-fc-update-alternatives_tinylogin.patch
@@ -0,0 +1,24 @@
+Subject: [PATCH] fix update-alternatives for tinylogin getty
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index e1a1848..a0bfd2e 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -2,6 +2,7 @@
+ /etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0)
+
+ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++/sbin/getty\.tinylogin -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+ /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+ /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
+--
+1.7.5.4
+
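Review bot: The new TE rule `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` grants the file permission set on a symlink, which is wider than following the link requires (it includes `open`, `lock` and `ioctl`, which a symlink never needs); the refpolicy idiom for this is the narrower set, i.e. `allow syslogd_t syslog_conf_t:lnk_file read_lnk_file_perms;`. The embedded patch's subject and diffstat (`policy/modules/system/logging.fc | 4 ++++`, `1 files changed`) also describe only the fc change, so the logging.te hunk is easy to miss in review; regenerating the header, or stating in the commit message that an access-vector rule is added, would make the TE change visible. On the fc side, `/etc/syslog.conf\.sysklogd` escapes the second dot but not the first, matching the unescaped `/etc/syslog.conf` line it sits next to, so that is consistent with the existing file. The getty.fc hunk that follows raises no concern.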
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
index 06ea436..b588010 100644
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -3,7 +3,16 @@ SRC_URI[md5sum] = "8aaa8a23cc1b7b7045f6f134e879ddb7"
 SRC_URI[sha256sum] = "7cd46ed908a4001368e6509d93e306ec6c9af2bfa6b70db88c9eaaefe257c635"
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-SRC_URI += "file://poky-fc-update-alternatives_sysvinit.patch \
- "
+
+# Fix file contexts for Poky
+SRC_URI += "file://poky-fc-subs_dist.patch \
+ file://poky-fc-update-alternatives_sysvinit.patch \
+ file://poky-fc-update-alternatives_tinylogin.patch \
+ file://poky-fc-update-alternatives_sysklogd.patch \
+ file://poky-fc-update-alternatives_hostname.patch \
+ file://poky-fc-fix-prefix-path_rpc.patch \
+ file://poky-fc-fix-real-path_resolv.conf.patch \
+ file://poky-fc-fix-real-path_login.patch \
+ "
 include refpolicy_common.inc
--
cgit v1.2.3-54-g00ecf