From b3eee84f453460bc306f72ee393109be65e5b0a9 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 18 Sep 2014 15:39:34 -0400 Subject: refpolicy: update refpolicy to 20140311 release A straight update from refpolicy 2.20130424 to 2.20140311 for the core policy variants and forward-porting of policy patches as appropriate. Now that the updated refpolicy core variants are available, remove the previous recipe. 
Signed-off-by: Joe MacDonald --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 ++++ .../refpolicy-2.20140311/poky-fc-clock.patch | 22 ++ .../poky-fc-corecommands.patch | 24 +++ .../refpolicy-2.20140311/poky-fc-dmesg.patch | 20 ++ .../refpolicy-2.20140311/poky-fc-fix-bind.patch | 30 +++ .../poky-fc-fix-real-path_login.patch | 37 ++++ .../poky-fc-fix-real-path_resolv.conf.patch | 24 +++ .../poky-fc-fix-real-path_shadow.patch | 34 +++ .../poky-fc-fix-real-path_su.patch | 25 +++ .../refpolicy-2.20140311/poky-fc-fstools.patch | 65 ++++++ .../refpolicy-2.20140311/poky-fc-ftpwho-dir.patch | 27 +++ .../refpolicy-2.20140311/poky-fc-iptables.patch | 24 +++ .../refpolicy-2.20140311/poky-fc-mta.patch | 27 +++ .../refpolicy-2.20140311/poky-fc-netutils.patch | 24 +++ .../refpolicy-2.20140311/poky-fc-nscd.patch | 27 +++ .../refpolicy-2.20140311/poky-fc-rpm.patch | 25 +++ .../refpolicy-2.20140311/poky-fc-screen.patch | 27 +++ .../refpolicy-2.20140311/poky-fc-ssh.patch | 24 +++ .../refpolicy-2.20140311/poky-fc-su.patch | 23 +++ .../refpolicy-2.20140311/poky-fc-subs_dist.patch | 29 +++ .../refpolicy-2.20140311/poky-fc-sysnetwork.patch | 41 ++++ .../refpolicy-2.20140311/poky-fc-udevd.patch | 35 ++++ .../poky-fc-update-alternatives_hostname.patch | 23 +++ .../poky-fc-update-alternatives_sysklogd.patch | 59 ++++++ .../poky-fc-update-alternatives_sysvinit.patch | 53 +++++ ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 +++++++++++ ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 +++ .../poky-policy-add-rules-for-tmp-symlink.patch | 99 +++++++++ ...ky-policy-add-rules-for-var-cache-symlink.patch | 34 +++ ...licy-add-rules-for-var-log-symlink-apache.patch | 31 +++ ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++ ...poky-policy-add-rules-for-var-log-symlink.patch | 145 +++++++++++++ ...ky-policy-add-syslogd_t-to-trusted-object.patch | 31 +++ ...-policy-allow-nfsd-to-exec-shell-commands.patch | 58 ++++++ ...-policy-allow-setfiles_t-to-read-symlinks.patch | 29 +++ 
.../poky-policy-allow-sysadm-to-run-rpcinfo.patch | 33 +++ .../poky-policy-don-t-audit-tty_device_t.patch | 35 ++++ .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 37 ++++ .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 229 +++++++++++++++++++++ ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 65 ++++++ ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 +++ ...ky-policy-fix-seutils-manage-config-files.patch | 43 ++++ .../refpolicy/refpolicy-mcs_2.20130424.bb | 13 -- .../refpolicy/refpolicy-mcs_2.20140311.bb | 11 + .../refpolicy/refpolicy-mls_2.20130424.bb | 12 -- .../refpolicy/refpolicy-mls_2.20140311.bb | 10 + .../refpolicy/refpolicy-standard_2.20130424.bb | 10 - .../refpolicy/refpolicy-standard_2.20140311.bb | 8 + .../refpolicy/refpolicy_2.20140311.inc | 59 ++++++ 49 files changed, 1956 insertions(+), 35 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch create mode 
100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch create mode 100644 
recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch delete mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb create mode 100644 recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb delete mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20130424.bb create mode 100644 recipes-security/refpolicy/refpolicy-mls_2.20140311.bb delete mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20130424.bb create mode 100644 recipes-security/refpolicy/refpolicy-standard_2.20140311.bb create mode 100644 recipes-security/refpolicy/refpolicy_2.20140311.inc 
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
new file mode 100644
index 0000000..49da4b6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/ftp-add-ftpd_t-to-mlsfilewrite.patch
@@ -0,0 +1,39 @@
+From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
+From: Roy Li
+Date: Mon, 10 Feb 2014 18:10:12 +0800
+Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
+
+Proftpd will create file under /var/run, but its mls is in high, and
+can not write to lowlevel
+
+Upstream-Status: Pending
+
+type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
+type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
+
+root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
+ allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
+root@localhost:~#
+
+Signed-off-by: Roy Li
+---
+ policy/modules/contrib/ftp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12a31dd 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+ 
++mls_file_write_all_levels(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+-- 
+1.7.10.4
+
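Review bot: `mls_file_write_all_levels(ftpd_t)` hands the network-facing proftpd domain a blanket write-down to every MLS level, which is far wider than the denial it fixes — both AVCs quoted in the message are about creating `proftpd.delay` in `var_run_t` (range `s0-s15:c0.c1023`) from `ftpd_t:s15:c0.c1023`. Since that target range already spans the daemon's level, the narrower `mls_file_write_within_range(ftpd_t)` should clear the denial, or the pid file can be given its own type through a `files_pid_filetrans` in ftpd's local policy so that only that object is exempted; either way a compromised ftpd would not be able to downgrade arbitrary files. The call is also dropped between `type ftpdctl_tmp_t;` and `type sftpd_t;` in the declarations section rather than under the ftpd local policy block where the other ftpd_t rules live, and a one-line comment citing the `/var/run/proftpd.delay` denial would tell the next reader why the exemption exists. The ftp.te module continues outside the hunk.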
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch new file mode 100644 index 0000000..3ff8f55 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-clock.patch @@ -0,0 +1,22 @@ +Subject: [PATCH] refpolicy: fix real path for clock + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/clock.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc +index c5e05ca..a74c40c 100644 +--- a/policy/modules/system/clock.fc ++++ b/policy/modules/system/clock.fc +@@ -2,4 +2,5 @@ + /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) + + /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) ++/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) + +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch new file mode 100644 index 0000000..24b67c3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-corecommands.patch 
@@ -0,0 +1,24 @@ +Subject: [PATCH] refpolicy: fix real path for corecommands + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/corecommands.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index f051c4a..ab624f3 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',` + /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) + /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) + /sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) + + # + # /opt +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch new file mode 100644 index 0000000..db4c4d4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-dmesg.patch @@ -0,0 +1,20 @@ +Subject: [PATCH] refpolicy: fix real path for dmesg + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/admin/dmesg.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc +index d6cc2d9..7f3e5b0 100644 +--- a/policy/modules/admin/dmesg.fc ++++ b/policy/modules/admin/dmesg.fc +@@ -1,2 +1,3 @@ + + /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch new file mode 100644 index 0000000..59ba5bc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-bind.patch 
@@ -0,0 +1,30 @@
+From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 19:09:11 +0800
+Subject: [PATCH] refpolicy: fix real path for bind.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/contrib/bind.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
+index 2b9a3a1..fd45d53 100644
+--- a/policy/modules/contrib/bind.fc
++++ b/policy/modules/contrib/bind.fc
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+ 
+ /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+ /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
++/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+ /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
new file mode 100644
index 0000000..427181e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_login.patch
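Review bot: `/etc/bind/rndc\.conf` is labeled `named_conf_t` directly above `rndc\.key`, which upstream keeps at the more restrictive `dnssec_t`; rndc.conf frequently carries the control-channel secret inline in a `key { secret "..."; }` block when it does not `include` rndc.key, and in that layout the config label exposes the secret to every domain allowed to read named configuration. If the rndc.conf shipped by Poky's bind embeds the secret, label it `dnssec_t` to match `rndc\.key`; if it only includes the key file, the current label is fine and a short comment above the entry saying so would stop the next reader re-asking the question.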
@@ -0,0 +1,37 @@ +Subject: [PATCH] fix real path for login commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/authlogin.fc | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc +index 28ad538..c8dd17f 100644 +--- a/policy/modules/system/authlogin.fc ++++ b/policy/modules/system/authlogin.fc +@@ -1,5 +1,7 @@ + + /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) ++/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) ++/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) + + /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) + /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +@@ -9,9 +11,9 @@ + + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) + /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +-/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +-/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +-/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ifdef(`distro_suse', ` + /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch new file mode 100644 index 0000000..80cca67 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_resolv.conf.patch 
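Review bot: The three `/sbin/unix_*` entries are replaced rather than supplemented, so on any image where PAM still installs the helpers under /sbin, `unix_chkpwd` loses `chkpwd_exec_t` and password checks run in the caller's domain with no transition to `chkpwd_t` (failing closed on shadow_t, but silently breaking login). The other Poky-path patches in this series keep the upstream entry and add the new one beside it — `poky-fc-su.patch` adds `/usr/bin/su` next to `/bin/su` — and the same shape fits here: keep `/sbin/unix_chkpwd`, `/sbin/unix_update` and `/sbin/unix_verify` and add the three `/usr/sbin/` lines. That also turns the hunk into a pure addition, which is easier to carry across future refpolicy rebases.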
@@ -0,0 +1,24 @@ +Subject: [PATCH] fix real path for resolv.conf + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/sysnetwork.fc | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index 346a7cc..dec8632 100644 +--- a/policy/modules/system/sysnetwork.fc ++++ b/policy/modules/system/sysnetwork.fc +@@ -24,6 +24,7 @@ ifdef(`distro_debian',` + /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) + /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) + + /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch new file mode 100644 index 0000000..29ac2c3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_shadow.patch 
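Review bot: A file-context entry for `/var/run/resolv\.conf.*` only takes effect when something relabels the path (setfiles/restorecon); if /var/run is a tmpfs the file is recreated at boot by whichever dhcp client or resolver hook writes it and inherits `var_run_t` from the directory, so the entry alone will not yield `net_conf_t` unless the writing domain also carries a named transition such as `files_pid_filetrans(dhcpc_t, net_conf_t, file, "resolv.conf")` in sysnetwork.te — not visible here, so please confirm one exists. Stylistically the new line is wedged into the /etc block between `resolv\.conf` and `yp\.conf`; sysnetwork.fc is ordered by path, so it belongs with the /var entries. A comment naming the producer of `/var/run/resolv.conf` on this image would make the intent clear either way.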
@@ -0,0 +1,34 @@ +Subject: [PATCH] fix real path for shadow commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/admin/usermanage.fc | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index f82f0ce..841ba9b 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',` + + /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) + /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + + /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch new file mode 100644 index 0000000..b0392ce --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fix-real-path_su.patch 
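Review bot: The `vigr\.shadow` and `vipw\.shadow` entries are placed under `/sbin/` while the base entries they shadow are `/usr/bin/vigr` and `/usr/bin/vipw`, and every other alternatives entry in this patch sits in the same directory as its base path. If shadow on Poky installs these tools into its sbindir (/usr/sbin) rather than /sbin, both binaries stay unlabeled and editing /etc/shadow through vipw would run without the `admin_passwd_exec_t` transition that confines it; please confirm the installed path and, if it is /usr/sbin, use `/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)` and `/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)`, or list both locations as the other patches do.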
@@ -0,0 +1,25 @@
+From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fix real path for su.shadow command
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Wenzong Fan
+---
+ policy/modules/admin/su.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index a563687..0f43827 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -4,3 +4,5 @@
+ 
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
++
++/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
new file mode 100644
index 0000000..38c96c4
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-fstools.patch
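Review bot: `/bin/su.shadow` leaves the dot unescaped, unlike every other alternatives entry in this series (`login\.shadow`, `passwd\.shadow`, `ssh\.openssh`); file-context paths are regular expressions, so this pattern also labels `su-shadow`, `suXshadow` or any other nine-character name as a setuid `su_exec_t` entrypoint. Use `/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)`. Since su.fc is also touched by poky-fc-su.patch in this same update, the two one-line additions could be folded into one patch so the file carries a single Poky delta.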
@@ -0,0 +1,65 @@ +From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Mon, 27 Jan 2014 03:54:01 -0500 +Subject: [PATCH] refpolicy: fix real path for fstools + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald +--- + policy/modules/system/fstools.fc | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/policy/modules/system/fstools.fc ++++ b/policy/modules/system/fstools.fc +@@ -1,6 +1,8 @@ + /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -9,9 +11,11 @@ + /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -24,6 +28,7 @@ + /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkswap -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -34,6 +39,7 @@ + /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -50,7 +56,12 @@ + + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) + + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch new file mode 100644 index 0000000..a7d434f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ftpwho-dir.patch 
@@ -0,0 +1,27 @@ +fix ftpwho install dir + +Upstream-Status: Pending + +ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it + +Signed-off-by: Roy Li +--- + policy/modules/contrib/ftp.fc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc +index ddb75c1..26fec47 100644 +--- a/policy/modules/contrib/ftp.fc ++++ b/policy/modules/contrib/ftp.fc +@@ -9,7 +9,7 @@ + + /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + +-/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) ++/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) + /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +-- +1.7.10.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch new file mode 100644 index 0000000..89b1547 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-iptables.patch 
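Review bot: `/usr/sbin/ftpwho` is removed rather than kept beside the new `/usr/bin/ftpwho`, which makes the patch correct only for images that install it in /usr/bin; with `Upstream-Status: Pending` it is meant to be submitted upstream, where other distributions still ship ftpwho in /usr/sbin, so it should add the line and leave the existing one in place. The two-line form `/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0)` plus the untouched `/usr/sbin/ftpwho` entry is also what the rest of this series does for relocated binaries.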
@@ -0,0 +1,24 @@ +Subject: [PATCH] refpolicy: fix real path for iptables + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/iptables.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc +index 14cffd2..84ac92b 100644 +--- a/policy/modules/system/iptables.fc ++++ b/policy/modules/system/iptables.fc +@@ -13,6 +13,7 @@ + /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) + /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + + /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch new file mode 100644 index 0000000..bbd83ec --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-mta.patch 
@@ -0,0 +1,27 @@ +From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 19:21:55 +0800 +Subject: [PATCH] refpolicy: fix real path for mta + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/mta.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc +index f42896c..0d4bcef 100644 +--- a/policy/modules/contrib/mta.fc ++++ b/policy/modules/contrib/mta.fc +@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch new file mode 100644 index 0000000..b45d03e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-netutils.patch 
@@ -0,0 +1,24 @@ +Subject: [PATCH] refpolicy: fix real path for netutils + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/admin/netutils.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc +index 407078f..f2ed3dc 100644 +--- a/policy/modules/admin/netutils.fc ++++ b/policy/modules/admin/netutils.fc +@@ -3,6 +3,7 @@ + /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + + /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) ++/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) + + /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch new file mode 100644 index 0000000..1db328c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-nscd.patch @@ -0,0 +1,27 @@ +From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 19:25:36 +0800 +Subject: [PATCH] refpolicy: fix real path for nscd + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/nscd.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc +index ba64485..61a6f24 100644 +--- a/policy/modules/contrib/nscd.fc ++++ b/policy/modules/contrib/nscd.fc +@@ -1,6 +1,7 @@ + /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + + /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) ++/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + + /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +-- +1.7.9.5 + 
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
new file mode 100644
index 0000000..7ba3380
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-rpm.patch
@@ -0,0 +1,25 @@
+From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Mon, 27 Jan 2014 01:13:06 -0500
+Subject: [PATCH] refpolicy: fix real path for cpio
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan
+---
+ policy/modules/contrib/rpm.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
+index ebe91fc..539063c 100644
+--- a/policy/modules/contrib/rpm.fc
++++ b/policy/modules/contrib/rpm.fc
+@@ -58,4 +58,5 @@ ifdef(`distro_redhat',`
+ 
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
new file mode 100644
index 0000000..3218194
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-screen.patch
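Review bot: `/bin/cpio.cpio` has an unescaped dot (compare the `\.` used in `login\.shadow` and the other alternatives entries in this series), so the pattern matches more than the intended file; use `/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. Beyond the regex, labeling the general-purpose cpio binary `rpm_exec_t` inside the `enable_mls` block changes its behaviour for every caller on an MLS build: domains that could execute it as `bin_t` but have no rule for `rpm_exec_t` can no longer run cpio at all, and those with an rpm domain transition now enter the highly privileged `rpm_t` when they do — upstream confined that effect to `/usr/sbin/cpio`. If that widening is intended for Poky's MLS image, a one-line comment above the entry explaining why would help the next rebase.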
@@ -0,0 +1,27 @@ +From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 19:27:19 +0800 +Subject: [PATCH] refpolicy: fix real path for screen + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/screen.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc +index e7c2cf7..49ddca2 100644 +--- a/policy/modules/contrib/screen.fc ++++ b/policy/modules/contrib/screen.fc +@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) + HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) + + /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) + /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) + + /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch new file mode 100644 index 0000000..9aeb3a2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-ssh.patch 
@@ -0,0 +1,24 @@ +Subject: [PATCH] refpolicy: fix real path for ssh + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/services/ssh.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc +index 078bcd7..9717428 100644 +--- a/policy/modules/services/ssh.fc ++++ b/policy/modules/services/ssh.fc +@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) + + /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) ++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) + /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) + /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch new file mode 100644 index 0000000..358e4ef --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-su.patch @@ -0,0 +1,23 @@ +Subject: [PATCH] refpolicy: fix real path for su + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/admin/su.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc +index 688abc2..a563687 100644 +--- a/policy/modules/admin/su.fc ++++ b/policy/modules/admin/su.fc +@@ -1,5 +1,6 @@ + + /bin/su -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) + + /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) + /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +-- +1.7.11.7 + 
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch new file mode 100644 index 0000000..cfec7d9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-subs_dist.patch @@ -0,0 +1,29 @@ +Subject: [PATCH] fix file_contexts.subs_dist for poky + +This file is used for Linux distros to define specific pathes +mapping to the pathes in file_contexts. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +--- + config/file_contexts.subs_dist | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/config/file_contexts.subs_dist ++++ b/config/file_contexts.subs_dist +@@ -19,3 +19,13 @@ + /usr/local/lib64 /usr/lib + /usr/local/lib /usr/lib + /var/run/lock /var/lock ++/var/volatile/log /var/log ++/var/volatile/run /var/run ++/var/volatile/cache /var/cache ++/var/volatile/tmp /var/tmp ++/var/volatile/lock /var/lock ++/var/volatile/run/lock /var/lock ++/www /var/www ++/usr/lib/busybox/bin /bin ++/usr/lib/busybox/sbin /sbin ++/usr/lib/busybox/usr /usr diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch new file mode 100644 index 0000000..e0af6a1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-sysnetwork.patch 
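Review bot: The ten new file_contexts.subs_dist lines fall into three unrelated groups (the /var/volatile links, `/www /var/www`, and the three `/usr/lib/busybox/...` applet directories) but the patch description explains none of them, and the busybox group is the security-relevant one since it makes every applet under those directories inherit the labels of the /bin, /sbin and /usr entries. Add a short paragraph to the description per group, and a comment line before the busybox entries is not possible in subs_dist, so the reasoning has to live in the patch description.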
@@ -0,0 +1,41 @@ +Subject: [PATCH] refpolicy: fix real path for sysnetwork + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/sysnetwork.fc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index dec8632..2e602e4 100644 +--- a/policy/modules/system/sysnetwork.fc ++++ b/policy/modules/system/sysnetwork.fc +@@ -3,6 +3,7 @@ + # /bin + # + /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + + # + # /dev +@@ -43,13 +44,16 @@ ifdef(`distro_redhat',` + /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch new file mode 100644 index 0000000..c6c19be --- /dev/null 
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-udevd.patch @@ -0,0 +1,35 @@ +From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Sat, 25 Jan 2014 23:40:05 -0500 +Subject: [PATCH] refpolicy: fix real path for udevd/udevadm + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Wenzong Fan +--- + policy/modules/system/udev.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc +index 40928d8..491bb23 100644 +--- a/policy/modules/system/udev.fc ++++ b/policy/modules/system/udev.fc +@@ -10,6 +10,7 @@ + /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + + /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + + ifdef(`distro_debian',` + /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) +@@ -27,6 +28,7 @@ ifdef(`distro_redhat',` + ') + + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + + /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch new file mode 100644 index 0000000..cedb5b5 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_hostname.patch 
@@ -0,0 +1,23 @@ +From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 3/4] fix update-alternatives for hostname + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/hostname.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc +index 9dfecf7..4003b6d 100644 +--- a/policy/modules/system/hostname.fc ++++ b/policy/modules/system/hostname.fc +@@ -1,2 +1,3 @@ + + /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) ++/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch new file mode 100644 index 0000000..868ee6b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysklogd.patch 
@@ -0,0 +1,59 @@ +From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:39:41 +0800 +Subject: [PATCH 2/4] fix update-alternatives for sysklogd + +/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule +for syslogd_t to read syslog_conf_t lnk_file is needed. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.fc | 4 ++++ + policy/modules/system/logging.te | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index b50c5fe..c005f33 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -2,19 +2,23 @@ + + /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) ++/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) + /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) + + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) + /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) + /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) + /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) + /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) ++/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /sbin/syslogd -- 
gen_context(system_u:object_r:syslogd_exec_t,s0) ++/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + + /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 87e3db2..2914b0b 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms; + allow syslogd_t self:tcp_socket create_stream_socket_perms; + + allow syslogd_t syslog_conf_t:file read_file_perms; ++allow syslogd_t syslog_conf_t:lnk_file read_file_perms; + + # Create and bind to /dev/log or /var/run/log. + allow syslogd_t devlog_t:sock_file manage_sock_file_perms; +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch new file mode 100644 index 0000000..3a617d8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-fc-update-alternatives_sysvinit.patch 
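Review bot: The new logging.te rule `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` applies the regular-file permission set to a symlink, whereas the sibling patches in this series (the syslogd_t and audisp_remote_t /var/log symlink patches) use `read_lnk_file_perms` for lnk_file. `read_file_perms` additionally grants open, lock and ioctl on the link object, which following the link does not need; change the line to `allow syslogd_t syslog_conf_t:lnk_file read_lnk_file_perms;`. Minor: the logging.fc entry `/etc/syslog.conf\.sysklogd` escapes only the second dot, while the adjacent upstream line escapes neither, so either form is accepted but the two should be made consistent.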
@@ -0,0 +1,53 @@ +From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 1/4] fix update-alternatives for sysvinit + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/shutdown.fc | 1 + + policy/modules/kernel/corecommands.fc | 1 + + policy/modules/system/init.fc | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc +index a91f33b..90e51e0 100644 +--- a/policy/modules/contrib/shutdown.fc ++++ b/policy/modules/contrib/shutdown.fc +@@ -3,6 +3,7 @@ + /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index bcfdba7..87502a3 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -10,6 +10,7 @@ + /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) + /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index bc0ffc8..020b9fe 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', ` + # /sbin + # + /sbin/init(ng)? 
-- gen_context(system_u:object_r:init_exec_t,s0) ++/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) + # because nowadays, /sbin/init is often a symlink to /sbin/upstart + /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch new file mode 100644 index 0000000..9a3322f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-bsdpty_device_t.patch 
@@ -0,0 +1,121 @@ +From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/terminal.if | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 771bce1..7519d0e 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',` + interface(`term_dontaudit_getattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file getattr; ++ dontaudit $1 bsdpty_device_t:chr_file getattr; + ') + ######################################## + ## +@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` + interface(`term_ioctl_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir search; + allow $1 devpts_t:chr_file ioctl; ++ allow $1 bsdpty_device_t:chr_file ioctl; + ') + + ######################################## +@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',` + interface(`term_setattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + allow $1 devpts_t:chr_file setattr; ++ allow $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',` + interface(`term_dontaudit_setattr_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file setattr; ++ dontaudit $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` + 
interface(`term_use_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 devpts_t:chr_file { rw_term_perms lock append }; ++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; + ') + + ######################################## +@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',` + interface(`term_dontaudit_use_generic_ptys',` + gen_require(` + type devpts_t; ++ type bsdpty_device_t; + ') + + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ++ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; + ') + + ####################################### +@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',` + interface(`term_setattr_controlling_term',` + gen_require(` + type devtty_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file setattr; ++ allow $1 bsdpty_device_t:chr_file setattr; + ') + + ######################################## +@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',` + interface(`term_use_controlling_term',` + gen_require(` + type devtty_t; ++ type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file { rw_term_perms lock append }; ++ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; + ') + + ####################################### +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch new file mode 100644 index 0000000..aa9734a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-syslogd_t-symlink.patch 
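Review bot: The additions to term_setattr_controlling_term and term_use_controlling_term (`allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append };`) turn a controlling-terminal interface into blanket read/write on every legacy BSD pty node, which is a different thing from the generic-pty interfaces where the same type is also added. domain.te calls `term_use_controlling_term(domain)` for every domain (visible as hunk context in the var-cache symlink patch later in this series), so after this patch any confined domain can read and write any bsdpty_device_t terminal, not just its own, losing the per-session isolation that the devpts_t rules keep. Keep bsdpty_device_t in the term_*_generic_ptys interfaces and drop the two controlling-term hunks, or restrict them to the domains that actually have a BSD pty as controlling terminal. Since Upstream-Status is Pending, the patch description should also state which device nodes bsdpty_device_t covers and why poky still needs them.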
@@ -0,0 +1,30 @@ +Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t + +We have added rules for the symlink of /var/log in logging.if, +while syslogd_t uses /var/log but does not use the +interfaces in logging.if. So still need add a individual rule for +syslogd_t. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 2ad9ea5..70427d8 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; + ++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; ++ + # manage temporary files + manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) + manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch new file mode 100644 index 0000000..210c297 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-tmp-symlink.patch 
@@ -0,0 +1,99 @@ +From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] add rules for the symlink of /tmp + +/tmp is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /tmp/ directory. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/files.fc | 1 + + policy/modules/kernel/files.if | 8 ++++++++ + 2 files changed, 9 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index 8796ca3..a0db748 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -185,6 +185,7 @@ ifdef(`distro_debian',` + # /tmp + # + /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /tmp/.* <> + /tmp/\.journal <> + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index e1e814d..a7384b0 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',` + ') + + allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',` + ') + + allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',` + ') + + allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',` + ') + + read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4307,6 +4311,7 @@ 
interface(`files_manage_generic_tmp_dirs',` + ') + + manage_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',` + ') + + manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',` + ') + + rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',` + ') + + filetrans_pattern($1, tmp_t, $2, $3, $4) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch new file mode 100644 index 0000000..18a92dd --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-cache-symlink.patch 
@@ -0,0 +1,34 @@ +From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 11:20:00 +0800 +Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ + +Except /var/log,/var/run,/var/lock, there still other subdir symlinks in +/var for poky, so we need allow rules for all domains to read these +symlinks. Domains still need their practical allow rules to read the +contents, so this is still a secure relax. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/domain.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index cf04cb5..9ffe6b0 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -104,6 +104,9 @@ term_use_controlling_term(domain) + # list the root directory + files_list_root(domain) + ++# Yocto/oe-core use some var volatile links ++files_read_var_symlinks(domain) ++ + ifdef(`hide_broken_symptoms',` + # This check is in the general socket + # listen code, before protocol-specific +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch new file mode 100644 index 0000000..8bc40c4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-apache.patch 
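Review bot: The comment on the new domain.te call, `# Yocto/oe-core use some var volatile links`, does not record that this grants every domain read access to all symlinks under /var, which the patch description does acknowledge as a relaxation. Suggest `# Yocto/oe-core: /var subdirs are symlinks into /var/volatile, so every domain must be able to follow them; access to the link targets is still governed by each domain's own rules` so the reasoning survives in the policy source.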
@@ -0,0 +1,31 @@ +From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 19:36:44 +0800 +Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 + +We have added rules for the symlink of /var/log in logging.if, +while apache.te uses /var/log but does not use the interfaces in +logging.if. So still need add a individual rule for apache.te. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/apache.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te +index ec8bd13..06f2e95 100644 +--- a/policy/modules/contrib/apache.te ++++ b/policy/modules/contrib/apache.te +@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) + logging_log_filetrans(httpd_t, httpd_log_t, file) + + allow httpd_t httpd_modules_t:dir list_dir_perms; +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch new file mode 100644 index 0000000..cbf0f7d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch 
@@ -0,0 +1,29 @@ +Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t + +We have added rules for the symlink of /var/log in logging.if, +while audisp_remote_t uses /var/log but does not use the +interfaces in logging.if. So still need add a individual rule for +audisp_remote_t. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 8426a49..2ad9ea5 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap }; + allow audisp_remote_t self:process { getcap setcap }; + allow audisp_remote_t self:tcp_socket create_socket_perms; + allow audisp_remote_t var_log_t:dir search_dir_perms; ++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) + manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +-- +1.7.11.7 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch new file mode 100644 index 0000000..b06f3ef --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-rules-for-var-log-symlink.patch 
@@ -0,0 +1,145 @@ +From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 2/6] add rules for the symlink of /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /var/log/ directory. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 14 +++++++++++++- + policy/modules/system/logging.te | 1 + + 3 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index c005f33..9529e40 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -41,6 +41,7 @@ ifdef(`distro_suse', ` + /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) + /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 4e94884..9a6f599 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',` + # + interface(`logging_read_audit_log',` + gen_require(` +- type auditd_log_t; ++ type auditd_log_t, var_log_t; + ') + + files_search_var($1) + read_files_pattern($1, auditd_log_t, auditd_log_t) + allow $1 auditd_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -626,6 +627,7 @@ interface(`logging_search_logs',` + + files_search_var($1) + allow $1 
var_log_t:dir search_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -663,6 +665,7 @@ interface(`logging_list_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir rw_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ####################################### +@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',` + interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, logfile, logfile) + ') + +@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',` + interface(`logging_exec_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + can_exec($1, logfile) + ') + +@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + write_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + rw_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + 
manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 2ab0a49..2795d89 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms; + manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t var_log_t:dir search_dir_perms; ++allow auditd_t var_log_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) + manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch new file mode 100644 index 0000000..92b1592 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-add-syslogd_t-to-trusted-object.patch 
@@ -0,0 +1,31 @@ +From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 1/6] Add the syslogd_t to trusted object + +We add the syslogd_t to trusted object, because other process need +to have the right to connectto/sendto /dev/log. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Roy.Li +Signed-off-by: Xin Ouyang +--- + policy/modules/system/logging.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 2914b0b..2ab0a49 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t) + fs_search_auto_mountpoints(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log + + term_write_console(syslogd_t) + # Allow syslog to a terminal +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..e77a730 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-nfsd-to-exec-shell-commands.patch 
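Review bot: `mls_trusted_object(syslogd_t)` exempts every object labelled syslogd_t — the domain's process and all of its sockets — from MLS constraints, which is broader than the stated goal of letting other domains connectto/sendto /dev/log. If the denials were on the /dev/log socket file, that file's own type is the narrower place to carry the trusted-object attribute; if they were on a syslogd_t socket object, the patch body should quote that AVC so the scope of the exemption can be judged. The inline comment should also name what was denied, e.g. `# Domains at any MLS level must connectto/sendto the syslog socket (see AVC in commit message)`, rather than only restating the rule.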
@@ -0,0 +1,58 @@ +From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] allow nfsd to exec shell commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/contrib/rpc.te | 2 +- + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletions(-) + +diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te +index 9566932..5605205 100644 +--- a/policy/modules/contrib/rpc.te ++++ b/policy/modules/contrib/rpc.te +@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t) + kernel_dontaudit_getattr_core_if(nfsd_t) + kernel_setsched(nfsd_t) + kernel_request_load_module(nfsd_t) +-# kernel_mounton_proc(nfsd_t) ++kernel_mounton_proc(nfsd_t) + + corenet_sendrecv_nfs_server_packets(nfsd_t) + corenet_tcp_bind_nfs_port(nfsd_t) +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 649e458..8a669c5 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',` + + ######################################## + ## ++## Mounton a proc filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ allow $1 proc_t:dir mounton; ++') ++ ++######################################## ++## + ## Get the attributes of the proc filesystem. + ## + ## +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch new file mode 100644 index 0000000..71497fb --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-setfiles_t-to-read-symlinks.patch 
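Review bot: The subject `allow nfsd to exec shell commands.` does not describe the change, which only uncomments `kernel_mounton_proc(nfsd_t)` in rpc.te and adds the `kernel_mounton_proc` interface to kernel.if; anyone auditing what nfsd_t is allowed to do would miss that this grants `proc_t:dir mounton`. Retitle it along the lines of `allow nfsd_t to mount on proc_t` and state in the body why the mounton is needed — presumably for mounting the nfsd filesystem under /proc — instead of implying exec rights. The new interface's doc block appears to have lost its summary and param tags (the `## ` lines are empty); if that is not an extraction artifact, restore `## <summary>` / `## <param name="domain">` so the interface documents like its neighbours in kernel.if.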
@@ -0,0 +1,29 @@ +From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] fix setfiles_t to read symlinks + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/selinuxutil.te | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index ec01d0b..45ed81b 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -553,6 +553,9 @@ files_list_all(setfiles_t) + files_relabel_all_files(setfiles_t) + files_read_usr_symlinks(setfiles_t) + ++# needs to be able to read symlinks to make restorecon on symlink working ++files_read_all_symlinks(setfiles_t) ++ + fs_getattr_xattr_fs(setfiles_t) + fs_list_all(setfiles_t) + fs_search_auto_mountpoints(setfiles_t) +-- +1.7.5.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch new file mode 100644 index 0000000..ec3dbf4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-allow-sysadm-to-run-rpcinfo.patch 
@@ -0,0 +1,33 @@ +From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 +From: Roy Li +Date: Sat, 15 Feb 2014 09:45:00 +0800 +Subject: [PATCH] allow sysadm to run rpcinfo + +Upstream-Status: Pending + +type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket +type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) + +Signed-off-by: Roy Li +--- + policy/modules/roles/sysadm.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 1767217..5502c6a 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -413,6 +413,10 @@ optional_policy(` + ') + + optional_policy(` ++ rpcbind_stream_connect(sysadm_t) ++') ++ ++optional_policy(` + vmware_role(sysadm_r, sysadm_t) + ') + +-- +1.7.10.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch new file mode 100644 index 0000000..82370d8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-don-t-audit-tty_device_t.patch 
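Review bot: The quoted AVC has `scontext=system_u:system_r:rpcbind_t` and `tcontext=system_u:system_r:rpcbind_t`, i.e. rpcinfo was already running in rpcbind_t when the connectto on /run/rpcbind.sock was denied, so `rpcbind_stream_connect(sysadm_t)` does not address the denial as recorded. Either rpcinfo is labelled so that it transitions into rpcbind_t (a file-context question) or rpcbind_t needs the self connectto; the patch body should say which, and if the rule added here was verified against a different AVC, quote that one instead of this one. The `optional_policy` wrapper is the right shape for referencing a contrib module from sysadm.te.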
@@ -0,0 +1,35 @@ +From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. + +We should also not audit terminal to rw tty_device_t and fds in +term_dontaudit_use_console. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +--- + policy/modules/kernel/terminal.if | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 7519d0e..45de1ac 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -299,9 +299,12 @@ interface(`term_use_console',` + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + ++ init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch new file mode 100644 index 0000000..d6c8dbf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-dmesg-to-use-dev-kmsg.patch 
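Review bot: `init_dontaudit_use_fds($1)` is called from `term_dontaudit_use_console` in the kernel layer (policy/modules/kernel/terminal.if), which makes a kernel-layer interface depend on the system-layer init module; refpolicy keeps kernel-layer interfaces free of such upward references, and that is the real reason this can only be a local patch. The fd dontaudit is also unrelated to the tty_device_t change the subject announces and belongs at the callers that actually inherit init's descriptors. If it stays, a comment such as `# Poky: callers of this interface inherit fds from init; silenced here rather than per caller` would make the layering exception explicit.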
@@ -0,0 +1,37 @@ +From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 16:36:09 +0800 +Subject: [PATCH] fix dmesg to use /dev/kmsg as default input + +Signed-off-by: Xin Ouyang +--- + policy/modules/admin/dmesg.if | 1 + + policy/modules/admin/dmesg.te | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if +index e1973c7..739a4bc 100644 +--- a/policy/modules/admin/dmesg.if ++++ b/policy/modules/admin/dmesg.if +@@ -37,4 +37,5 @@ interface(`dmesg_exec',` + + corecmd_search_bin($1) + can_exec($1, dmesg_exec_t) ++ dev_read_kmsg($1) + ') +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index 72bc6d8..c591aea 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t) + + dev_read_sysfs(dmesg_t) + ++dev_read_kmsg(dmesg_t) ++ + fs_search_auto_mountpoints(dmesg_t) + + term_dontaudit_use_console(dmesg_t) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch new file mode 100644 index 0000000..302a38f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-new-SELINUXMNT-in-sys.patch 
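Review bot: `dev_read_kmsg($1)` inside `dmesg_exec` grants every caller of that interface direct read access to the kernel ring buffer, not just the dmesg binary, because `dmesg_exec` runs dmesg in the caller's own domain with no transition. Kernel log contents can include addresses and driver details, so this widens what each calling domain may read; the narrower route is for callers to transition into dmesg_t, where the `dev_read_kmsg(dmesg_t)` added to dmesg.te in this same hunk already covers the access. This patch is also the only one in the set without an `Upstream-Status:` trailer; add one so the carried patches stay uniformly tagged.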
@@ -0,0 +1,229 @@ +From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] fix for new SELINUXMNT in /sys + +SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should +add rules to access sysfs. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +--- + policy/modules/kernel/selinux.if | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +--- a/policy/modules/kernel/selinux.if ++++ b/policy/modules/kernel/selinux.if +@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` + type security_t; + ') + ++ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to ++ # access sysfs ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs +@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs +@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem mount; + ') + +@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem remount; + ') + +@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem unmount; + ') + +@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) ++ dev_search_sysfs($1) + allow $1 security_t:filesystem getattr; + ') + +@@ -183,6 +196,7 
@@ interface(`selinux_dontaudit_getattr_fs' + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:filesystem getattr; + ') + +@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir getattr; + ') + +@@ -220,6 +235,7 @@ interface(`selinux_search_fs',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir search_dir_perms; + ') +@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs', + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + ') + +@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; + ') +@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; +@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -345,6 +365,7 @@ interface(`selinux_load_policy',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -375,6 +396,7 @@ interface(`selinux_read_policy',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; +@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans' + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) +- + allow $1 security_t:dir 
list_dir_perms; + allow $1 security_t:file rw_file_perms; + +@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) +- + allow $1 security_t:dir list_dir_perms; + allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; + allow $1 secure_mode_policyload_t:file read_file_perms; +@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',` + attribute can_setsecparam; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -552,6 +575,7 @@ interface(`selinux_validate_context',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir list_dir_perms; + dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:security check_context; +@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -639,6 +666,7 @@ interface(`selinux_compute_member',` + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file 
rw_file_perms; +@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts + type security_t; + ') + ++ dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch new file mode 100644 index 0000000..f04ebec --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch 
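Review bot: The dontaudit interfaces (`selinux_dontaudit_getattr_fs`, `selinux_dontaudit_getattr_dir`, `selinux_dontaudit_search_fs`, `selinux_dontaudit_read_fs`, `selinux_dontaudit_validate_context`) gain only `dev_dontaudit_search_sysfs($1)`, while the allow variants gain both `dev_getattr_sysfs_dirs($1)` and `dev_search_sysfs($1)`; if libselinux's mount-point probe also stats the sysfs directory, that getattr will still be audited for the dontaudit callers, which defeats the purpose of those interfaces now that SELINUXMNT is under /sys. The explanatory comment `# SELINUXMNT is now /sys/fs/selinux, so we should add rules to access sysfs` appears only in `selinux_get_fs_mount`; since the same pair is repeated in roughly fifteen interfaces, one comment near the top of selinux.if would document the rationale once instead of leaving the other sites unexplained.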
@@ -0,0 +1,65 @@ +From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 12:01:53 +0800 +Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +--- + policy/modules/contrib/rpc.te | 5 +++++ + policy/modules/contrib/rpcbind.te | 5 +++++ + policy/modules/kernel/filesystem.te | 1 + + policy/modules/kernel/kernel.te | 2 ++ + 4 files changed, 13 insertions(+) + +--- a/policy/modules/contrib/rpc.te ++++ b/policy/modules/contrib/rpc.te +@@ -263,6 +263,11 @@ tunable_policy(`nfs_export_all_ro',` + + optional_policy(` + mount_exec(nfsd_t) ++ # Should domtrans to mount_t while mounting nfsd_fs_t. ++ mount_domtrans(nfsd_t) ++ # nfsd_t need to chdir to /var/lib/nfs and read files. ++ files_list_var(nfsd_t) ++ rpc_read_nfs_state_data(nfsd_t) + ') + + ######################################## +--- a/policy/modules/contrib/rpcbind.te ++++ b/policy/modules/contrib/rpcbind.te +@@ -70,6 +70,11 @@ logging_send_syslog_msg(rpcbind_t) + + miscfiles_read_localization(rpcbind_t) + ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because the are running in different level. So add rules to allow this. 
++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) ++ + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) + ') +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:obj + + type nfsd_fs_t; + fs_type(nfsd_fs_t) ++files_mountpoint(nfsd_fs_t) + genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) + + type oprofilefs_t; +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -293,6 +293,8 @@ mls_process_read_up(kernel_t) + mls_process_write_down(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_use_all_levels(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch new file mode 100644 index 0000000..90efbd8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-setfiles-statvfs-get-file-count.patch 
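Review bot: `mls_socket_read_all_levels`/`mls_socket_write_all_levels` on rpcbind_t and `mls_socket_write_all_levels`/`mls_fd_use_all_levels` on kernel_t are MLS constraint overrides that the subject ("fix policy for nfsserver to mount nfsd_fs_t") does not account for, and the body gives no AVC for any of them. Each one lets that domain exchange socket data or descriptors across sensitivity levels system-wide, not only with nfsd_t, so the patch description should record the denial that motivates each override so upstream (status Pending) can judge the scope. The rpcbind.te comment also has a typo: `because the are running in different level` should read `because they are running at different levels`.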
@@ -0,0 +1,31 @@ +From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 14:38:53 +0800 +Subject: [PATCH] fix setfiles statvfs to get file count + +New setfiles will read /proc/mounts and use statvfs in +file_system_count() to get file count of filesystems. + +Upstream-Status: pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/selinuxutil.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 45ed81b..12c3d2e 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t) + # needs to be able to read symlinks to make restorecon on symlink working + files_read_all_symlinks(setfiles_t) + +-fs_getattr_xattr_fs(setfiles_t) ++fs_getattr_all_fs(setfiles_t) + fs_list_all(setfiles_t) + fs_search_auto_mountpoints(setfiles_t) + fs_relabelfrom_noxattr_fs(setfiles_t) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch new file mode 100644 index 0000000..be33bf1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/poky-policy-fix-seutils-manage-config-files.patch 
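Review bot: `fs_getattr_all_fs(setfiles_t)` replaces `fs_getattr_xattr_fs`, so setfiles may now statvfs every filesystem type rather than only xattr-capable ones; that follows from walking /proc/mounts as the body explains, but the reason belongs beside the rule, e.g. `# setfiles statvfs()s every entry in /proc/mounts to count files`. The `Upstream-Status: pending` trailer should be capitalised as `Pending`, as in the other patches of this series, so tooling that matches on the tag value treats it consistently.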
@@ -0,0 +1,43 @@ +From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang +--- + policy/modules/system/selinuxutil.if | 1 + + policy/modules/system/userdomain.if | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index 3822072..db03ca1 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -680,6 +680,7 @@ interface(`seutil_manage_config',` + ') + + files_search_etc($1) ++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) + manage_files_pattern($1, selinux_config_t, selinux_config_t) + read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) + ') +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index b4a691d..20c8bf8 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',` + logging_read_audit_config($1) + + seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) + seutil_run_checkpolicy($1, $2) + seutil_run_loadpolicy($1, $2) + seutil_run_semanage($1, $2) +-- +1.7.9.5 + diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb deleted file mode 100644 index 9288e2a..0000000 --- a/recipes-security/refpolicy/refpolicy-mcs_2.20130424.bb +++ /dev/null 
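Review bot: The four `seutil_manage_*` calls added to `userdom_security_admin_template` let the security-admin role rewrite the module store, file contexts, default contexts and the SELinux config — the inputs to the next policy load — but neither the patch body nor a comment records which denials motivated each one. A comment such as `# semanage/restorecon run from the security admin role rewrite the module store and contexts` beside the new lines, plus the AVCs in the body, would let upstream (status Pending) judge the scope. The `[PATCH 2/2]` prefix refers to a two-patch series of which only this one is carried; drop it in the carried copy.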
@@ -1,13 +0,0 @@ -SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy" -DESCRIPTION = "\ -This is the reference policy for SE Linux built with MCS support. \ -An MCS policy is the same as an MLS policy but with only one sensitivity \ -level. This is useful on systems where a hierarchical policy (MLS) isn't \ -needed (pretty much all systems) but the non-hierarchical categories are. \ -" - -PR = "r99" - -POLICY_TYPE = "mcs" - -include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb new file mode 100644 index 0000000..062727b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mcs_2.20140311.bb @@ -0,0 +1,11 @@ +SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MCS support. \ +An MCS policy is the same as an MLS policy but with only one sensitivity \ +level. This is useful on systems where a hierarchical policy (MLS) isn't \ +needed (pretty much all systems) but the non-hierarchical categories are. \ +" + +POLICY_TYPE = "mcs" + +include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb b/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb deleted file mode 100644 index e586ac2..0000000 --- a/recipes-security/refpolicy/refpolicy-mls_2.20130424.bb +++ /dev/null @@ -1,12 +0,0 @@ -SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy" -DESCRIPTION = "\ -This is the reference policy for SE Linux built with MLS support. \ -It allows giving data labels such as \"Top Secret\" and preventing \ -such data from leaking to processes or files with lower classification. \ -" - -PR = "r99" - -POLICY_TYPE = "mls" - -include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb new file mode 100644 index 0000000..7388232 
--- /dev/null +++ b/recipes-security/refpolicy/refpolicy-mls_2.20140311.bb @@ -0,0 +1,10 @@ +SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SE Linux built with MLS support. \ +It allows giving data labels such as \"Top Secret\" and preventing \ +such data from leaking to processes or files with lower classification. \ +" + +POLICY_TYPE = "mls" + +include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb b/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb deleted file mode 100644 index 98bc26b..0000000 --- a/recipes-security/refpolicy/refpolicy-standard_2.20130424.bb +++ /dev/null @@ -1,10 +0,0 @@ -SUMMARY = "Standard variants of the SELinux policy" -DESCRIPTION = "\ -This is the reference policy for SELinux built with type enforcement \ -only." - -PR = "r99" - -POLICY_TYPE = "standard" - -include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb new file mode 100644 index 0000000..3674fdd --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-standard_2.20140311.bb @@ -0,0 +1,8 @@ +SUMMARY = "Standard variants of the SELinux policy" +DESCRIPTION = "\ +This is the reference policy for SELinux built with type enforcement \ +only." + +POLICY_TYPE = "standard" + +include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc new file mode 100644 index 0000000..8894583 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc 
@@ -0,0 +1,59 @@ +SRC_URI = "https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2;" +SRC_URI[md5sum] = "418f8d2a6ada3a299816153e70970449" +SRC_URI[sha256sum] = "f69437db95548c78a5dec44c236397146b144153149009ea554d2e536e5436f7" + +FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:" + +# Fix file contexts for Poky +SRC_URI += "file://poky-fc-subs_dist.patch \ + file://poky-fc-update-alternatives_sysvinit.patch \ + file://poky-fc-update-alternatives_sysklogd.patch \ + file://poky-fc-update-alternatives_hostname.patch \ + file://poky-fc-fix-real-path_resolv.conf.patch \ + file://poky-fc-fix-real-path_login.patch \ + file://poky-fc-fix-real-path_shadow.patch \ + file://poky-fc-fix-bind.patch \ + file://poky-fc-clock.patch \ + file://poky-fc-corecommands.patch \ + file://poky-fc-dmesg.patch \ + file://poky-fc-fstools.patch \ + file://poky-fc-iptables.patch \ + file://poky-fc-mta.patch \ + file://poky-fc-netutils.patch \ + file://poky-fc-nscd.patch \ + file://poky-fc-screen.patch \ + file://poky-fc-ssh.patch \ + file://poky-fc-su.patch \ + file://poky-fc-sysnetwork.patch \ + file://poky-fc-udevd.patch \ + file://poky-fc-rpm.patch \ + file://poky-fc-ftpwho-dir.patch \ + file://poky-fc-fix-real-path_su.patch \ + " + +# Specific policy for Poky +SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \ + file://poky-policy-add-rules-for-var-log-symlink.patch \ + file://poky-policy-add-rules-for-var-log-symlink-apache.patch \ + file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \ + file://poky-policy-add-rules-for-syslogd_t-symlink.patch \ + file://poky-policy-add-rules-for-var-cache-symlink.patch \ + file://poky-policy-add-rules-for-tmp-symlink.patch \ + file://poky-policy-add-rules-for-bsdpty_device_t.patch \ + file://poky-policy-don-t-audit-tty_device_t.patch \ + file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \ + file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \ + 
file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \ + file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \ + file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \ + " + +# Other policy fixes +SRC_URI += " \ + file://poky-policy-fix-seutils-manage-config-files.patch \ + file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \ + file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ + file://ftp-add-ftpd_t-to-mlsfilewrite.patch \ + " + +include refpolicy_common.inc -- cgit v1.2.3-54-g00ecf From df9d89161644559b328cc5e9712ddca5f79e7421 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 19 Sep 2014 16:09:22 -0400 Subject: refpolicy-targeted: update base refpolicy 20140311 A simple forward-port of refpolicy-targeted to use the 20140311 base refpolicy. Now that the updated refpolicy core variants are available, remove the previous recipe. Signed-off-by: Joe MacDonald --- .../refpolicy-unconfined_u-default-user.patch | 68 ++++++++++------------ .../refpolicy/refpolicy-targeted_2.20130424.bb | 19 ------ .../refpolicy/refpolicy-targeted_2.20140311.bb | 20 +++++++ 3 files changed, 50 insertions(+), 57 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index e39afca..51edcd2 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch @@ -1,4 +1,4 @@ -Subject: [PATCH] refpolicy: make unconfined_u the default selinux user +refpolicy: make unconfined_u the default selinux user For targeted policy type, we define unconfined_u as the default selinux user for root and normal users, so users could login in and run most 
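Review bot: `FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20140311:"` hard-codes the version that the file name already carries as `${PV}`; the targeted recipe in this series uses `${THISDIR}/refpolicy-${PV}:`, so use the same form here so a future version bump does not silently keep pointing at the old patch directory. The `SRC_URI` value also ends in a stray `;` after `.tar.bz2`; the fetcher appears to tolerate an empty parameter, but it should be dropped. Pinning both `md5sum` and `sha256sum` for the upstream tarball is the right thing to keep.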
@@ -10,16 +10,15 @@ run_init. Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- - config/appconfig-mcs/seusers | 4 +- - policy/modules/roles/sysadm.te | 1 + - policy/modules/system/init.if | 47 +++++++++++++++++++++++++++++------ + config/appconfig-mcs/seusers | 4 +-- + policy/modules/roles/sysadm.te | 1 + policy/modules/system/init.if | 47 +++++++++++++++++++++++++++++------- policy/modules/system/unconfined.te | 7 +++++ - policy/users | 14 +++------ - 5 files changed, 54 insertions(+), 19 deletions(-) + policy/users | 16 ++++-------- + 5 files changed, 55 insertions(+), 20 deletions(-) -diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers -index dc5f1e4..4428da8 100644 --- a/config/appconfig-mcs/seusers +++ b/config/appconfig-mcs/seusers @@ -1,3 +1,3 @@ @@ -28,11 +27,9 @@ index dc5f1e4..4428da8 100644 -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 85ff145..77d7bdc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t) +@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) @@ -40,11 +37,9 @@ index 85ff145..77d7bdc 100644 # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..fa46786 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',` +@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type', # interface(`init_spec_domtrans_script',` gen_require(` 
@@ -59,7 +54,7 @@ index d26fe81..fa46786 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',` +@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -73,7 +68,7 @@ index d26fe81..fa46786 100644 ') ') -@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',` +@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -97,7 +92,7 @@ index d26fe81..fa46786 100644 ') ') -@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -130,8 +125,6 @@ index d26fe81..fa46786 100644 + role_transition $1 init_script_file_type system_r; +') + -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 0280b32..00b4dcf 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -20,6 +20,11 @@ type unconfined_execmem_t; @@ -146,17 +139,15 @@ index 0280b32..00b4dcf 100644 ######################################## # -@@ -34,6 +39,8 @@ mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) - - init_run_daemon(unconfined_t, unconfined_r) -+init_domtrans_script(unconfined_t) -+init_script_role_transition(unconfined_r) - - libs_run_ldconfig(unconfined_t, unconfined_r) - -diff --git a/policy/users b/policy/users -index c4ebc7e..f300f22 100644 +@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom + ifdef(`direct_sysadm_daemon',` + optional_policy(` + init_run_daemon(unconfined_t, unconfined_r) ++ init_domtrans_script(unconfined_t) ++ init_script_role_transition(unconfined_r) + ') + ',` + ifdef(`distro_gentoo',` --- a/policy/users +++ b/policy/users @@ -15,7 +15,7 @@ 
@@ -168,7 +159,7 @@ index c4ebc7e..f300f22 100644 # # user_u is a generic user identity for Linux users who have no -@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) @@ -178,12 +169,16 @@ index c4ebc7e..f300f22 100644 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # Until order dependence is fixed for users: --gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ifdef(`direct_sysadm_daemon',` +- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ',` +- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + ') # - # The following users correspond to Unix identities. -@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al +@@ -42,8 +42,4 @@ ifdef(`direct_sysadm_daemon',` # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # @@ -193,6 +188,3 @@ index c4ebc7e..f300f22 100644 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) --- -1.7.1 - diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb deleted file mode 100644 index 1f20caa..0000000 
--- a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "SELinux targeted policy"
-DESCRIPTION = "\
-This is the targeted variant of the SELinux reference policy. Most service \
-domains are locked down. Users and admins will login in with unconfined_t \
-domain, so they have the same access to the system as if SELinux was not \
-enabled. \
-"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
-
-POLICY_NAME = "targeted"
-POLICY_TYPE = "mcs"
-POLICY_MLS_SENS = "0"
-
-PR = "r99"
-include refpolicy_${PV}.inc
-
-SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
- file://refpolicy-unconfined_u-default-user.patch"
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
new file mode 100644
index 0000000..b169604
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20140311.bb
@@ -0,0 +1,20 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the targeted variant of the SELinux reference policy. Most service \
+domains are locked down. Users and admins will login in with unconfined_t \
+domain, so they have the same access to the system as if SELinux was not \
+enabled. \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SRC_URI += " \
+ file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+ file://refpolicy-unconfined_u-default-user.patch \
+ "
-- cgit v1.2.3-54-g00ecf
From 0834a07d0061d3d9a5911424d82962673cb9b017 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Fri, 19 Sep 2014 16:55:06 -0400
Subject: refpolicy-minimum: update base refpolicy 20140311
A simple forward-port of refpolicy-minimum to use the 20140311 base refpolicy.
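Review bot: The DESCRIPTION in the recreated recipe (`@@ -0,0 +1,20 @@`) still carries the wording `Users and admins will login in with unconfined_t`; since the file is being rewritten anyway, `Users and admins will log in with unconfined_t` is the moment to fix it. Apart from that string and the dropped `PR = "r99"`, the new recipe is the deleted one verbatim.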
Signed-off-by: Joe MacDonald
---
 .../refpolicy/refpolicy-minimum_2.20130424.bb | 58 ----------------------
 .../refpolicy/refpolicy-minimum_2.20140311.bb | 29 +++++++++++
 2 files changed, 29 insertions(+), 58 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
deleted file mode 100644
index d9539f3..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
+++ /dev/null
@@ -1,58 +0,0 @@
-PR = "r99"
-
-include refpolicy-targeted_${PV}.bb
-
-SUMMARY = "SELinux minimum policy"
-DESCRIPTION = "\
-This is a minimum reference policy with just core policy modules, and \
-could be used as a base for customizing targeted policy. \
-Pretty much everything runs as initrc_t or unconfined_t so all of the \
-domains are unconfined. \
-"
-
-POLICY_NAME = "minimum"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
-
-CORE_POLICY_MODULES = "unconfined \
- selinuxutil storage sysnetwork \
- application libraries miscfiles logging userdomain \
- init mount modutils getty authlogin locallogin \
- "
-
-# nscd caches libc-issued requests to the name service.
-# Without nscd.pp, commands want to use these caches will be blocked.
-EXTRA_POLICY_MODULES += "nscd"
-
-# pam_mail module enables checking and display of mailbox status upon
-# "login", so "login" process will access to /var/spool/mail.
-EXTRA_POLICY_MODULES += "mta"
-
-POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-
-# re-write the same func from refpolicy_common.inc
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-
- # Prepare to create policy store
- mkdir -p ${D}${sysconfdir}/selinux/
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
- touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
- if ${@base_contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then
- bzip2 base.pp
- cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
- for i in ${POLICY_MODULES_MIN}; do
- bzip2 $i
- cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
- done
- else
- bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
- for i in ${POLICY_MODULES_MIN}; do
- bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
- done
- fi
-}
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
new file mode 100644
index 0000000..429a378
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb
@@ -0,0 +1,29 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+
+CORE_POLICY_MODULES = "unconfined \
+ selinuxutil storage sysnetwork \
+ application libraries miscfiles logging userdomain \
+ init mount modutils getty authlogin locallogin \
+ "
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
-- cgit v1.2.3-54-g00ecf
From 261b8294533cc981ecec54c095f89b4f7821e5ec Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Fri, 19 Sep 2014 17:02:29 -0400
Subject: refpolicy: clean up old policy and patches
Now that the updated refpolicy core variants are available, remove the previous recipe and patches.
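Review bot: The recreated recipe (`@@ -0,0 +1,29 @@`) keeps `POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"` but nothing left in the file reads it, because the `prepare_policy_store` override that iterated over it in the deleted 2.20130424 recipe (copying base.pp and only the listed modules into the policy store) was not carried forward. Unless `refpolicy-targeted_${PV}.bb` or the .inc it pulls in now consumes `POLICY_MODULES_MIN` (not visible here), the minimum variant will ship whatever module set the shared install step produces rather than the restricted list, which is the whole point of this recipe and is not what a "simple forward-port" suggests. If the shared code does consume it, a comment above the assignment such as `# consumed by the shared policy-store install step (confirm in the included .inc)` would make that dependency visible; otherwise an equivalent override is still needed. The carried-over comment `# Without nscd.pp, commands want to use these caches will be blocked.` would also read better as `commands that want to use these caches`.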
Signed-off-by: Joe MacDonald --- .../Allow-ping-to-get-set-capabilities.patch | 32 --- .../Allow-udev-the-block_suspend-capability.patch | 25 --- ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch | 30 --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 39 ---- ...-not-audit-attempts-by-hostname-to-read-a.patch | 59 ------ .../refpolicy-2.20130424/poky-fc-clock.patch | 22 --- .../poky-fc-corecommands.patch | 24 --- .../refpolicy-2.20130424/poky-fc-dmesg.patch | 20 -- .../refpolicy-2.20130424/poky-fc-fix-bind.patch | 30 --- .../poky-fc-fix-real-path_login.patch | 37 ---- .../poky-fc-fix-real-path_resolv.conf.patch | 24 --- .../poky-fc-fix-real-path_shadow.patch | 34 ---- .../poky-fc-fix-real-path_su.patch | 25 --- .../refpolicy-2.20130424/poky-fc-fstools.patch | 70 ------- .../refpolicy-2.20130424/poky-fc-ftpwho-dir.patch | 27 --- .../refpolicy-2.20130424/poky-fc-iptables.patch | 24 --- .../refpolicy-2.20130424/poky-fc-mta.patch | 27 --- .../refpolicy-2.20130424/poky-fc-netutils.patch | 24 --- .../refpolicy-2.20130424/poky-fc-nscd.patch | 27 --- .../refpolicy-2.20130424/poky-fc-rpm.patch | 25 --- .../refpolicy-2.20130424/poky-fc-screen.patch | 27 --- .../refpolicy-2.20130424/poky-fc-ssh.patch | 24 --- .../refpolicy-2.20130424/poky-fc-su.patch | 23 --- .../refpolicy-2.20130424/poky-fc-subs_dist.patch | 34 ---- .../refpolicy-2.20130424/poky-fc-sysnetwork.patch | 41 ---- .../refpolicy-2.20130424/poky-fc-udevd.patch | 35 ---- .../poky-fc-update-alternatives_hostname.patch | 23 --- .../poky-fc-update-alternatives_sysklogd.patch | 59 ------ .../poky-fc-update-alternatives_sysvinit.patch | 53 ----- ...poky-policy-add-rules-for-bsdpty_device_t.patch | 121 ------------ ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 --- .../poky-policy-add-rules-for-tmp-symlink.patch | 99 ---------- ...ky-policy-add-rules-for-var-cache-symlink.patch | 34 ---- ...licy-add-rules-for-var-log-symlink-apache.patch | 31 --- ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 --- 
...poky-policy-add-rules-for-var-log-symlink.patch | 145 -------------- ...ky-policy-add-syslogd_t-to-trusted-object.patch | 31 --- ...-policy-allow-nfsd-to-exec-shell-commands.patch | 58 ------ ...-policy-allow-setfiles_t-to-read-symlinks.patch | 29 --- .../poky-policy-allow-sysadm-to-run-rpcinfo.patch | 33 ---- .../poky-policy-don-t-audit-tty_device_t.patch | 35 ---- .../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 37 ---- .../poky-policy-fix-new-SELINUXMNT-in-sys.patch | 216 --------------------- ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 75 ------- ...olicy-fix-setfiles-statvfs-get-file-count.patch | 31 --- ...ky-policy-fix-seutils-manage-config-files.patch | 43 ---- ...olicy-fix-xconsole_device_t-as-a-dev_node.patch | 27 --- ...dhcpc-binds-socket-to-random-high-udp-por.patch | 41 ---- .../refpolicy/refpolicy_2.20130424.inc | 67 ------- 49 files changed, 2156 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch delete mode 100644 
recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch 
delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch delete mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch 
delete mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.inc
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
deleted file mode 100644
index fced84a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001
-From: Sven Vermeulen
-Date: Wed, 25 Sep 2013 20:27:34 +0200
-Subject: [PATCH] Allow ping to get/set capabilities
-
-When ping is installed with capabilities instead of being marked setuid,
-then the ping_t domain needs to be allowed to getcap/setcap.
-
-Reported-by: Luis Ressel
-Signed-off-by: Sven Vermeulen
-
-Upstream-Status: backport
----
- policy/modules/admin/netutils.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 557da97..cfe036a 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -106,6 +106,8 @@ optional_policy(`
- #
- 
- allow ping_t self:capability { setuid net_raw };
-+# When ping is installed with capabilities instead of setuid
-+allow ping_t self:process { getcap setcap };
- dontaudit ping_t self:capability sys_tty_config;
- allow ping_t self:tcp_socket create_socket_perms;
- allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
---
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
deleted file mode 100644
index 3c6a979..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Allow udev the block_suspend capability
-
-Upstream-Status: backport
-upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8
-
-Signed-off-by: Jackie Huang
----
- policy/modules/system/udev.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 90e4ab3..efe6c02 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
- 
- allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
- dontaudit udev_t self:capability sys_tty_config;
-+allow udev_t self:capability2 block_suspend;
- allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow udev_t self:process { execmem setfscreate };
- allow udev_t self:fd use;
---
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
deleted file mode 100644
index 094d9e5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Upstream-Status: backport
-
-Signed-off-by: Wenzong Fan
-=========================
-From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001
-From: Dominick Grift
-Date: Tue, 24 Sep 2013 15:39:21 +0200
-Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs)
- file systems
-
-Signed-off-by: Dominick Grift
----
- policy/modules/kernel/filesystem.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index ed59e5e..f72cde1 100644
---- a/policy/modules/kernel/filesystem.te
-+++ b/policy/modules/kernel/filesystem.te
-@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
- # tmpfs_t is the type for tmpfs filesystems
- #
- type tmpfs_t;
-+dev_associate(tmpfs_t)
- fs_type(tmpfs_t)
- files_type(tmpfs_t)
- files_mountpoint(tmpfs_t)
---
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
deleted file mode 100644
index 49da4b6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/ftp-add-ftpd_t-to-mlsfilewrite.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001
-From: Roy Li
-Date: Mon, 10 Feb 2014 18:10:12 +0800
-Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels
-
-Proftpd will create file under /var/run, but its mls is in high, and
-can not write to lowlevel
-
-Upstream-Status: Pending
-
-type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir
-type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null)
-
-root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name
- allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
-root@localhost:~#
-
-Signed-off-by: Roy Li
----
- policy/modules/contrib/ftp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
-index 544c512..12a31dd 100644
---- a/policy/modules/contrib/ftp.te
-+++ b/policy/modules/contrib/ftp.te
-@@ -144,6 +144,8 @@ role ftpdctl_roles types ftpdctl_t;
- type ftpdctl_tmp_t;
- files_tmp_file(ftpdctl_tmp_t)
- 
-+mls_file_write_all_levels(ftpd_t)
-+
- type sftpd_t;
- domain_type(sftpd_t)
- role system_r types sftpd_t;
---
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
deleted file mode 100644
index edba56d..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
-From: Dominick Grift
-Date: Fri, 27 Sep 2013 10:36:14 +0200
-Subject: [PATCH] hostname: do not audit attempts by hostname to read and
- write dhcpc udp sockets (looks like a leaked fd)
-
-Upstream-Status: backport
-
-Signed-off-by: Dominick Grift
----
- policy/modules/system/hostname.te | 1 +
- policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..380197b 100644
---- a/policy/modules/system/hostname.te
-+++ b/policy/modules/system/hostname.te
-@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
- 
- miscfiles_read_localization(hostname_t)
- 
-+sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
- sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
- sysnet_read_config(hostname_t)
- sysnet_dns_name_resolve(hostname_t)
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 52b548c..2cea692 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
- 
- ########################################
- ##
-+## Do not audit attempts to read and
-+## write dhcpc udp socket descriptors.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
-+ gen_require(`
-+ type dhcpc_t;
-+ ')
-+
-+ dontaudit $1 dhcpc_t:udp_socket { read write };
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to use
- ## the dhcp file descriptors.
- ##
---
-1.7.10.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
deleted file mode 100644
index 3ff8f55..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-clock.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for clock
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/clock.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index c5e05ca..a74c40c 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,5 @@
- /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0)
- 
- /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
- 
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
deleted file mode 100644
index 24b67c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-corecommands.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for corecommands
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/kernel/corecommands.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index f051c4a..ab624f3 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -153,6 +153,7 @@ ifdef(`distro_gentoo',`
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- 
- #
- # /opt
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
deleted file mode 100644
index db4c4d4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-dmesg.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Subject: [PATCH] refpolicy: fix real path for dmesg
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/admin/dmesg.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index d6cc2d9..7f3e5b0 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1,2 +1,3 @@
- 
- /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-1.7.11.7
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
deleted file mode 100644
index 59ba5bc..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-bind.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 19:09:11 +0800
-Subject: [PATCH] refpolicy: fix real path for bind.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/contrib/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/bind.fc b/policy/modules/contrib/bind.fc
-index 2b9a3a1..fd45d53 100644
---- a/policy/modules/contrib/bind.fc
-+++ b/policy/modules/contrib/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- 
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-1.7.9.5
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
deleted file mode 100644
index 427181e..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_login.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Subject: [PATCH] fix real path for login commands.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/authlogin.fc | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c8dd17f 100644
---- a/policy/modules/system/authlogin.fc
-+++ b/policy/modules/system/authlogin.fc
-@@ -1,5 +1,7 @@
- 
- /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0)
-+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0)
- 
- /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-@@ -9,9 +11,9 @@
- 
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
--/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
--/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
--/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
-+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ifdef(`distro_suse', `
- /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
- ')
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
deleted file mode 100644
index 80cca67..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_resolv.conf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: [PATCH] fix real path for resolv.conf
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang
----
- policy/modules/system/sysnetwork.fc | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..dec8632 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -24,6 +24,7 @@ ifdef(`distro_debian',`
- /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- 
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
---
-1.7.5.4
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
deleted file mode 100644
index 29ac2c3..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_shadow.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -Subject: [PATCH] fix real path for shadow commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/usermanage.fc | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index f82f0ce..841ba9b 100644 ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -4,11 +4,17 @@ ifdef(`distro_gentoo',` - - /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - - /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch deleted file mode 100644 index b0392ce..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fix-real-path_su.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 13 Feb 2014 00:33:07 -0500 -Subject: [PATCH] fix real path for su.shadow command - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Wenzong Fan ---- - policy/modules/admin/su.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index a563687..0f43827 100644 ---- a/policy/modules/admin/su.fc -+++ b/policy/modules/admin/su.fc -@@ -4,3 +4,5 @@ - - /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) - /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) -+ -+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch deleted file mode 100644 index 5343893..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-fstools.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 7fdfd2ef8764ddfaeb43e53a756af83d42d8ac8b Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Mon, 27 Jan 2014 03:54:01 -0500 -Subject: [PATCH] refpolicy: fix real path for fstools - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan ---- - policy/modules/system/fstools.fc | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 7a46b45..a724776 100644 ---- a/policy/modules/system/fstools.fc -+++ b/policy/modules/system/fstools.fc -@@ -1,6 +1,8 @@ - /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -9,9 +11,12 @@ - /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -24,21 +29,28 @@ - 
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - --- -1.7.9.5 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch deleted file mode 100644 index a7d434f..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ftpwho-dir.patch +++ /dev/null @@ -1,27 +0,0 @@ -fix ftpwho install dir - -Upstream-Status: Pending - -ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it - -Signed-off-by: Roy Li ---- - policy/modules/contrib/ftp.fc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/ftp.fc b/policy/modules/contrib/ftp.fc -index ddb75c1..26fec47 100644 ---- a/policy/modules/contrib/ftp.fc -+++ b/policy/modules/contrib/ftp.fc -@@ -9,7 +9,7 @@ - - /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - --/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) -+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch deleted file mode 100644 index 89b1547..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-iptables.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for iptables - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/iptables.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 14cffd2..84ac92b 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -13,6 +13,7 @@ - /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch deleted file mode 100644 index bbd83ec..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-mta.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 19:21:55 +0800 -Subject: [PATCH] refpolicy: fix real path for mta - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/mta.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/mta.fc b/policy/modules/contrib/mta.fc -index f42896c..0d4bcef 100644 ---- a/policy/modules/contrib/mta.fc -+++ b/policy/modules/contrib/mta.fc -@@ -22,6 +22,7 @@ HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch deleted file mode 100644 index b45d03e..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-netutils.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for netutils - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/netutils.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc -index 407078f..f2ed3dc 100644 ---- a/policy/modules/admin/netutils.fc -+++ b/policy/modules/admin/netutils.fc -@@ -3,6 +3,7 @@ - /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - - /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) -+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - - /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch deleted file mode 100644 index 1db328c..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-nscd.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 19:25:36 +0800 -Subject: [PATCH] refpolicy: fix real path for nscd - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/nscd.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/nscd.fc b/policy/modules/contrib/nscd.fc -index ba64485..61a6f24 100644 ---- a/policy/modules/contrib/nscd.fc -+++ b/policy/modules/contrib/nscd.fc -@@ -1,6 +1,7 @@ - /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - - /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) -+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - - /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - --- -1.7.9.5 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch deleted file mode 100644 index 7ba3380..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-rpm.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Mon, 27 Jan 2014 01:13:06 -0500 -Subject: [PATCH] refpolicy: fix real path for cpio - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan ---- - policy/modules/contrib/rpm.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc -index ebe91fc..539063c 100644 ---- a/policy/modules/contrib/rpm.fc -+++ b/policy/modules/contrib/rpm.fc -@@ -58,4 +58,5 @@ ifdef(`distro_redhat',` - - ifdef(`enable_mls',` - /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch deleted file mode 100644 index 3218194..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-screen.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 19:27:19 +0800 -Subject: [PATCH] refpolicy: fix real path for screen - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/screen.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/screen.fc b/policy/modules/contrib/screen.fc -index e7c2cf7..49ddca2 100644 ---- a/policy/modules/contrib/screen.fc -+++ b/policy/modules/contrib/screen.fc -@@ -3,6 +3,7 @@ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) - HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) - - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) - /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) - - /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch deleted file mode 100644 index 9aeb3a2..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-ssh.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for ssh - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/services/ssh.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..9717428 100644 ---- a/policy/modules/services/ssh.fc -+++ b/policy/modules/services/ssh.fc -@@ -6,6 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) - /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) - - /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) -+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) - /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) - /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) - --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch deleted file mode 100644 index 358e4ef..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-su.patch +++ /dev/null @@ -1,23 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for su - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/su.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index 688abc2..a563687 100644 ---- a/policy/modules/admin/su.fc -+++ b/policy/modules/admin/su.fc -@@ -1,5 +1,6 @@ - - /bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) - - /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) - /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) --- -1.7.11.7 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch deleted file mode 100644 index 4058b18..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch +++ /dev/null @@ -1,34 +0,0 @@ -Subject: [PATCH] fix file_contexts.subs_dist for poky - -This file is used for Linux distros to define specific pathes -mapping to the pathes in file_contexts. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - config/file_contexts.subs_dist | 8 ++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) - -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 32b87a4..ebba73d 100644 ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -5,3 +5,14 @@ - /usr/lib32 /usr/lib - /usr/lib64 /usr/lib - /var/run/lock /var/lock -+/etc/init.d /etc/rc.d/init.d -+/var/volatile/log /var/log -+/var/volatile/run /var/run -+/var/volatile/cache /var/cache -+/var/volatile/tmp /var/tmp -+/var/volatile/lock /var/lock -+/var/volatile/run/lock /var/lock -+/www /var/www -+/usr/lib/busybox/bin /bin -+/usr/lib/busybox/sbin /sbin -+/usr/lib/busybox/usr /usr --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch deleted file mode 100644 index e0af6a1..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-sysnetwork.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for sysnetwork - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/sysnetwork.fc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index dec8632..2e602e4 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -3,6 +3,7 @@ - # /bin - # - /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - - # - # /dev -@@ -43,13 +44,16 @@ ifdef(`distro_redhat',` - /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch deleted file mode 100644 index c6c19be..0000000 
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-udevd.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Sat, 25 Jan 2014 23:40:05 -0500 -Subject: [PATCH] refpolicy: fix real path for udevd/udevadm - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan ---- - policy/modules/system/udev.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 40928d8..491bb23 100644 ---- a/policy/modules/system/udev.fc -+++ b/policy/modules/system/udev.fc -@@ -10,6 +10,7 @@ - /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - - /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) -+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - - ifdef(`distro_debian',` - /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) -@@ -27,6 +28,7 @@ ifdef(`distro_redhat',` - ') - - /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - - /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch deleted file mode 100644 index cedb5b5..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_hostname.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 3/4] fix update-alternatives for hostname - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/hostname.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc -index 9dfecf7..4003b6d 100644 ---- a/policy/modules/system/hostname.fc -+++ b/policy/modules/system/hostname.fc -@@ -1,2 +1,3 @@ - - /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch deleted file mode 100644 index 868ee6b..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysklogd.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:39:41 +0800 -Subject: [PATCH 2/4] fix update-alternatives for sysklogd - -/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule -for syslogd_t to read syslog_conf_t lnk_file is needed. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.fc | 4 ++++ - policy/modules/system/logging.te | 1 + - 2 files changed, 5 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..c005f33 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -2,19 +2,23 @@ - - /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) - /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - - /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) - /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) - /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) - /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) - /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/syslogd -- 
gen_context(system_u:object_r:syslogd_exec_t,s0) -+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - - /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 87e3db2..2914b0b 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -371,6 +371,7 @@ allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - - allow syslogd_t syslog_conf_t:file read_file_perms; -+allow syslogd_t syslog_conf_t:lnk_file read_file_perms; - - # Create and bind to /dev/log or /var/run/log. - allow syslogd_t devlog_t:sock_file manage_sock_file_perms; --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch deleted file mode 100644 index 3a617d8..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-update-alternatives_sysvinit.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/4] fix update-alternatives for sysvinit - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/shutdown.fc | 1 + - policy/modules/kernel/corecommands.fc | 1 + - policy/modules/system/init.fc | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/policy/modules/contrib/shutdown.fc b/policy/modules/contrib/shutdown.fc -index a91f33b..90e51e0 100644 ---- a/policy/modules/contrib/shutdown.fc -+++ b/policy/modules/contrib/shutdown.fc -@@ -3,6 +3,7 @@ - /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index bcfdba7..87502a3 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -10,6 +10,7 @@ - /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) - /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) -diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index bc0ffc8..020b9fe 100644 ---- a/policy/modules/system/init.fc -+++ b/policy/modules/system/init.fc -@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', ` - # /sbin - # - /sbin/init(ng)? 
-- gen_context(system_u:object_r:init_exec_t,s0) -+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - # because nowadays, /sbin/init is often a symlink to /sbin/upstart - /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch deleted file mode 100644 index 9a3322f..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-bsdpty_device_t.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/terminal.if | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..7519d0e 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -531,9 +531,11 @@ interface(`term_dontaudit_manage_pty_dirs',` - interface(`term_dontaudit_getattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file getattr; -+ dontaudit $1 bsdpty_device_t:chr_file getattr; - ') - ######################################## - ## -@@ -549,11 +551,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` - interface(`term_ioctl_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 devpts_t:chr_file ioctl; -+ allow $1 bsdpty_device_t:chr_file ioctl; - ') - - ######################################## -@@ -571,9 +575,11 @@ interface(`term_ioctl_generic_ptys',` - interface(`term_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - allow $1 devpts_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -591,9 +597,11 @@ interface(`term_setattr_generic_ptys',` - interface(`term_dontaudit_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file setattr; -+ dontaudit $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -611,11 +619,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` - 
interface(`term_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ######################################## -@@ -633,9 +643,11 @@ interface(`term_use_generic_ptys',` - interface(`term_dontaudit_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; -+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; - ') - - ####################################### -@@ -651,10 +663,12 @@ interface(`term_dontaudit_use_generic_ptys',` - interface(`term_setattr_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -671,10 +685,12 @@ interface(`term_setattr_controlling_term',` - interface(`term_use_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ####################################### --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch deleted file mode 100644 index aa9734a..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t - -We have added rules for the symlink of /var/log in logging.if, -while syslogd_t uses /var/log but does not use the -interfaces in logging.if. So still need add a individual rule for -syslogd_t. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 2ad9ea5..70427d8 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) - # Allow access for syslog-ng - allow syslogd_t var_log_t:dir { create setattr }; - -+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; -+ - # manage temporary files - manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) - manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch deleted file mode 100644 index 210c297..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-tmp-symlink.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] add rules for the symlink of /tmp - -/tmp is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /tmp/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/files.fc | 1 + - policy/modules/kernel/files.if | 8 ++++++++ - 2 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 8796ca3..a0db748 100644 ---- a/policy/modules/kernel/files.fc -+++ b/policy/modules/kernel/files.fc -@@ -185,6 +185,7 @@ ifdef(`distro_debian',` - # /tmp - # - /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /tmp/.* <> - /tmp/\.journal <> - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..a7384b0 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -4199,6 +4199,7 @@ interface(`files_search_tmp',` - ') - - allow $1 tmp_t:dir search_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4235,6 +4236,7 @@ interface(`files_list_tmp',` - ') - - allow $1 tmp_t:dir list_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4271,6 +4273,7 @@ interface(`files_delete_tmp_dir_entry',` - ') - - allow $1 tmp_t:dir del_entry_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4289,6 +4292,7 @@ interface(`files_read_generic_tmp_files',` - ') - - read_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4307,6 +4311,7 @@ 
interface(`files_manage_generic_tmp_dirs',` - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4325,6 +4330,7 @@ interface(`files_manage_generic_tmp_files',` - ') - - manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4361,6 +4367,7 @@ interface(`files_rw_generic_tmp_sockets',` - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4550,6 +4557,7 @@ interface(`files_tmp_filetrans',` - ') - - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch deleted file mode 100644 index 18a92dd..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-cache-symlink.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 23 Aug 2013 11:20:00 +0800 -Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ - -Except /var/log,/var/run,/var/lock, there still other subdir symlinks in -/var for poky, so we need allow rules for all domains to read these -symlinks. Domains still need their practical allow rules to read the -contents, so this is still a secure relax. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/domain.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..9ffe6b0 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -104,6 +104,9 @@ term_use_controlling_term(domain) - # list the root directory - files_list_root(domain) - -+# Yocto/oe-core use some var volatile links -+files_read_var_symlinks(domain) -+ - ifdef(`hide_broken_symptoms',` - # This check is in the general socket - # listen code, before protocol-specific --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch deleted file mode 100644 index 8bc40c4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 19:36:44 +0800 -Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 - -We have added rules for the symlink of /var/log in logging.if, -while apache.te uses /var/log but does not use the interfaces in -logging.if. So still need add a individual rule for apache.te. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/apache.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te -index ec8bd13..06f2e95 100644 ---- a/policy/modules/contrib/apache.te -+++ b/policy/modules/contrib/apache.te -@@ -400,6 +400,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) - logging_log_filetrans(httpd_t, httpd_log_t, file) - - allow httpd_t httpd_modules_t:dir list_dir_perms; --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch deleted file mode 100644 index cbf0f7d..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t - -We have added rules for the symlink of /var/log in logging.if, -while audisp_remote_t uses /var/log but does not use the -interfaces in logging.if. So still need add a individual rule for -audisp_remote_t. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 8426a49..2ad9ea5 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap }; - allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; - allow audisp_remote_t var_log_t:dir search_dir_perms; -+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) - manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) --- -1.7.11.7 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch deleted file mode 100644 index b06f3ef..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 2/6] add rules for the symlink of /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /var/log/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 14 +++++++++++++- - policy/modules/system/logging.te | 1 + - 3 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index c005f33..9529e40 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -41,6 +41,7 @@ ifdef(`distro_suse', ` - /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..9a6f599 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',` - # - interface(`logging_read_audit_log',` - gen_require(` -- type auditd_log_t; -+ type auditd_log_t, var_log_t; - ') - - files_search_var($1) - read_files_pattern($1, auditd_log_t, auditd_log_t) - allow $1 auditd_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -626,6 +627,7 @@ interface(`logging_search_logs',` - - files_search_var($1) - allow $1 
var_log_t:dir search_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -663,6 +665,7 @@ interface(`logging_list_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir rw_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### -@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',` - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - write_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - rw_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',` - - files_search_var($1) - 
manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 2ab0a49..2795d89 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms; - manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t var_log_t:dir search_dir_perms; -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) - manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch deleted file mode 100644 index 92b1592..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-syslogd_t-to-trusted-object.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/6] Add the syslogd_t to trusted object - -We add the syslogd_t to trusted object, because other process need -to have the right to connectto/sendto /dev/log. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Roy.Li -Signed-off-by: Xin Ouyang ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 2914b0b..2ab0a49 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -450,6 +450,7 @@ fs_getattr_all_fs(syslogd_t) - fs_search_auto_mountpoints(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories -+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log - - term_write_console(syslogd_t) - # Allow syslog to a terminal --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index e77a730..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] allow nfsd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.te | 2 +- - policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ - 2 files changed, 19 insertions(+), 1 deletions(-) - -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index 9566932..5605205 100644 ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -203,7 +203,7 @@ kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) - kernel_setsched(nfsd_t) - kernel_request_load_module(nfsd_t) --# kernel_mounton_proc(nfsd_t) -+kernel_mounton_proc(nfsd_t) - - corenet_sendrecv_nfs_server_packets(nfsd_t) - corenet_tcp_bind_nfs_port(nfsd_t) -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..8a669c5 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',` - - ######################################## - ## -+## Mounton a proc filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_mounton_proc',` -+ gen_require(` -+ type proc_t; -+ ') -+ -+ allow $1 proc_t:dir mounton; -+') -+ -+######################################## -+## - ## Get the attributes of the proc filesystem. - ## - ## --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch deleted file mode 100644 index 71497fb..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix setfiles_t to read symlinks - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/selinuxutil.te | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..45ed81b 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -553,6 +553,9 @@ files_list_all(setfiles_t) - files_relabel_all_files(setfiles_t) - files_read_usr_symlinks(setfiles_t) - -+# needs to be able to read symlinks to make restorecon on symlink working -+files_read_all_symlinks(setfiles_t) -+ - fs_getattr_xattr_fs(setfiles_t) - fs_list_all(setfiles_t) - fs_search_auto_mountpoints(setfiles_t) --- -1.7.5.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch deleted file mode 100644 index ec3dbf4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 -From: Roy Li -Date: Sat, 15 Feb 2014 09:45:00 +0800 -Subject: [PATCH] allow sysadm to run rpcinfo - -Upstream-Status: Pending - -type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket -type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) - -Signed-off-by: Roy Li ---- - policy/modules/roles/sysadm.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 1767217..5502c6a 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -413,6 +413,10 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_stream_connect(sysadm_t) -+') -+ -+optional_policy(` - vmware_role(sysadm_r, sysadm_t) - ') - --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch deleted file mode 100644 index 82370d8..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-don-t-audit-tty_device_t.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. - -We should also not audit terminal to rw tty_device_t and fds in -term_dontaudit_use_console. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/terminal.if | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 7519d0e..45de1ac 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -299,9 +299,12 @@ interface(`term_use_console',` - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - -+ init_dontaudit_use_fds($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch deleted file mode 100644 index d6c8dbf..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 23 Aug 2013 16:36:09 +0800 -Subject: [PATCH] fix dmesg to use /dev/kmsg as default input - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/dmesg.if | 1 + - policy/modules/admin/dmesg.te | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if -index e1973c7..739a4bc 100644 ---- a/policy/modules/admin/dmesg.if -+++ b/policy/modules/admin/dmesg.if -@@ -37,4 +37,5 @@ interface(`dmesg_exec',` - - corecmd_search_bin($1) - can_exec($1, dmesg_exec_t) -+ dev_read_kmsg($1) - ') -diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..c591aea 100644 ---- a/policy/modules/admin/dmesg.te -+++ b/policy/modules/admin/dmesg.te -@@ -28,6 +28,8 @@ kernel_read_proc_symlinks(dmesg_t) - - dev_read_sysfs(dmesg_t) - -+dev_read_kmsg(dmesg_t) -+ - fs_search_auto_mountpoints(dmesg_t) - - term_dontaudit_use_console(dmesg_t) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index 557af04..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ /dev/null 
@@ -1,216 +0,0 @@ -From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix for new SELINUXMNT in /sys - -SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should -add rules to access sysfs. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 40 insertions(+) - -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 81440c5..ee4e86b 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` - type security_t; - ') - -+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to -+ # access sysfs -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs -@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem mount; - ') - -@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem remount; - ') - -@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem unmount; - ') - -@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ 
dev_search_sysfs($1) - allow $1 security_t:filesystem getattr; - ') - -@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:filesystem getattr; - ') - -@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir getattr; - ') - -@@ -220,6 +235,8 @@ interface(`selinux_search_fs',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir search_dir_perms; - ') - -@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - ') - -@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - ') -@@ -342,6 +361,8 @@ interface(`selinux_load_policy',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_load_policy; -@@ -371,6 +392,8 @@ interface(`selinux_read_policy',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; -@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - -@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type 
-secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; -@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` - attribute can_setsecparam; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; -@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; -@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; -@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; -@@ -626,6 +660,8 @@ interface(`selinux_compute_member',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; -@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; -@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 
security_t:security compute_user; --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch deleted file mode 100644 index 19e2516..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/contrib/rpc.te | 5 +++++ - policy/modules/contrib/rpcbind.te | 5 +++++ - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 2 ++ - 4 files changed, 13 insertions(+) - -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index 5605205..9e9f468 100644 ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -256,6 +256,11 @@ tunable_policy(`nfs_export_all_ro',` - - optional_policy(` - mount_exec(nfsd_t) -+ # Should domtrans to mount_t while mounting nfsd_fs_t. -+ mount_domtrans(nfsd_t) -+ # nfsd_t need to chdir to /var/lib/nfs and read files. -+ files_list_var(nfsd_t) -+ rpc_read_nfs_state_data(nfsd_t) - ') - - ######################################## -diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te -index 196f168..9c75677 100644 ---- a/policy/modules/contrib/rpcbind.te -+++ b/policy/modules/contrib/rpcbind.te -@@ -71,6 +71,11 @@ miscfiles_read_localization(rpcbind_t) - - sysnet_dns_name_resolve(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. 
-+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - optional_policy(` - nis_use_ypbind(rpcbind_t) - ') -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 1c66416..2b9e7ce 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -119,6 +119,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - - type nfsd_fs_t; - fs_type(nfsd_fs_t) -+files_mountpoint(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - - type oprofilefs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 49fde6e..a731078 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -284,6 +284,8 @@ mls_process_read_up(kernel_t) - mls_process_write_down(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch deleted file mode 100644 index 90efbd8..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 4d2c4c358602b246881210889756f229730505d3 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 23 Aug 2013 14:38:53 +0800 -Subject: [PATCH] fix setfiles statvfs to get file count - -New setfiles will read /proc/mounts and use statvfs in -file_system_count() to get file count of filesystems. - -Upstream-Status: pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/selinuxutil.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 45ed81b..12c3d2e 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -556,7 +556,7 @@ files_read_usr_symlinks(setfiles_t) - # needs to be able to read symlinks to make restorecon on symlink working - files_read_all_symlinks(setfiles_t) - --fs_getattr_xattr_fs(setfiles_t) -+fs_getattr_all_fs(setfiles_t) - fs_list_all(setfiles_t) - fs_search_auto_mountpoints(setfiles_t) - fs_relabelfrom_noxattr_fs(setfiles_t) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch deleted file mode 100644 index be33bf1..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-seutils-manage-config-files.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang ---- - policy/modules/system/selinuxutil.if | 1 + - policy/modules/system/userdomain.if | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..db03ca1 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -680,6 +680,7 @@ interface(`seutil_manage_config',` - ') - - files_search_etc($1) -+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) - ') -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index b4a691d..20c8bf8 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -1277,6 +1277,10 @@ template(`userdom_security_admin_template',` - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) -+ seutil_manage_default_contexts($1) -+ seutil_manage_file_contexts($1) -+ seutil_manage_module_store($1) -+ seutil_manage_config($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch deleted file mode 100644 index aa870f4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-fix-xconsole_device_t-as-a-dev_node.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 843299c135c30b036ed163a10570a1d5efe36ff8 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/2] fix xconsole_device_t as a dev_node. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang ---- - policy/modules/services/xserver.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 4f6d693..b00f004 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te -@@ -151,6 +151,7 @@ userdom_user_tmp_file(xauth_tmp_t) - # this is not actually a device, its a pipe - type xconsole_device_t; - files_type(xconsole_device_t) -+dev_node(xconsole_device_t) - fs_associate_tmpfs(xconsole_device_t) - files_associate_tmp(xconsole_device_t) - --- -1.7.9.5 - diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch deleted file mode 100644 index e95d675..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001 -From: Dominick Grift -Date: Fri, 27 Sep 2013 11:35:41 +0200 -Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports - sysnetwork: do not audit attempts by ifconfig to read, and - write dhcpc udp sockets (looks like a leaked fd) - -Upstream-Status: backport - -Signed-off-by: Dominick Grift ---- - policy/modules/system/sysnetwork.te | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index f9dce11..67709b5 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t) - corenet_udp_bind_dhcpc_port(dhcpc_t) - corenet_tcp_connect_all_ports(dhcpc_t) - corenet_sendrecv_dhcpd_client_packets(dhcpc_t) --corenet_sendrecv_dhcpc_server_packets(dhcpc_t) -+ -+corenet_sendrecv_all_server_packets(dhcpc_t) -+corenet_udp_bind_all_unreserved_ports(dhcpc_t) - - dev_read_sysfs(dhcpc_t) - # for SSP: -@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t) - - seutil_use_runinit_fds(ifconfig_t) - -+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) -+ - userdom_use_user_terminals(ifconfig_t) - userdom_use_all_users_fds(ifconfig_t) - --- -1.7.10.4 - diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc deleted file mode 100644 index 0e7419d..0000000 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ /dev/null 
@@ -1,67 +0,0 @@ -SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;" -SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085" -SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4" - -FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20130424:" - -# Fix file contexts for Poky -SRC_URI += "file://poky-fc-subs_dist.patch \ - file://poky-fc-update-alternatives_sysvinit.patch \ - file://poky-fc-update-alternatives_sysklogd.patch \ - file://poky-fc-update-alternatives_hostname.patch \ - file://poky-fc-fix-real-path_resolv.conf.patch \ - file://poky-fc-fix-real-path_login.patch \ - file://poky-fc-fix-real-path_shadow.patch \ - file://poky-fc-fix-bind.patch \ - file://poky-fc-clock.patch \ - file://poky-fc-corecommands.patch \ - file://poky-fc-dmesg.patch \ - file://poky-fc-fstools.patch \ - file://poky-fc-iptables.patch \ - file://poky-fc-mta.patch \ - file://poky-fc-netutils.patch \ - file://poky-fc-nscd.patch \ - file://poky-fc-screen.patch \ - file://poky-fc-ssh.patch \ - file://poky-fc-su.patch \ - file://poky-fc-sysnetwork.patch \ - file://poky-fc-udevd.patch \ - file://poky-fc-rpm.patch \ - file://poky-fc-ftpwho-dir.patch \ - file://poky-fc-fix-real-path_su.patch \ - " - -# Specific policy for Poky -SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \ - file://poky-policy-add-rules-for-var-log-symlink.patch \ - file://poky-policy-add-rules-for-var-log-symlink-apache.patch \ - file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \ - file://poky-policy-add-rules-for-syslogd_t-symlink.patch \ - file://poky-policy-add-rules-for-var-cache-symlink.patch \ - file://poky-policy-add-rules-for-tmp-symlink.patch \ - file://poky-policy-add-rules-for-bsdpty_device_t.patch \ - file://poky-policy-don-t-audit-tty_device_t.patch \ - file://poky-policy-allow-nfsd-to-exec-shell-commands.patch \ - file://poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch \ - 
file://poky-policy-allow-setfiles_t-to-read-symlinks.patch \ - file://poky-policy-fix-new-SELINUXMNT-in-sys.patch \ - file://poky-policy-allow-sysadm-to-run-rpcinfo.patch \ - " - -# Other policy fixes -SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ - file://poky-policy-fix-seutils-manage-config-files.patch \ - file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \ - file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ - file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \ - file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \ - file://ftp-add-ftpd_t-to-mlsfilewrite.patch \ - " - -# Backport from upstream -SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \ - file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \ - file://Allow-udev-the-block_suspend-capability.patch \ - " - -include refpolicy_common.inc -- cgit v1.2.3-54-g00ecf From b59250d423e9938ae934c201922141886e279188 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 22 Sep 2014 13:49:03 +0800 Subject: refpolicy-minimum: add fixed prepare_policy_store(). Original prepare_policy_store() has a naming bug for compressed_policy, fix that and let prepare_policy_store() back. Signed-off-by: Xin Ouyang --- .../refpolicy/refpolicy-minimum_2.20140311.bb | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb index 429a378..0b286ac 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb 
@@ -27,3 +27,31 @@ EXTRA_POLICY_MODULES += "nscd" EXTRA_POLICY_MODULES += "mta" POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" + +# re-write the same func from refpolicy_common.inc +prepare_policy_store () { + oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install + + # Prepare to create policy store + mkdir -p ${D}${sysconfdir}/selinux/ + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules + mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files + touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local + if ${@base_contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 $i + done + cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + cp ${i}.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` + done + else + bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \ + ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \ + ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp + done + fi +} -- cgit v1.2.3-54-g00ecf From af4937c07eadb13d829c1ef278bed6528a2603a5 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 22 Sep 2014 14:10:47 +0800 Subject: Use compressed_policy by default, and clear distro feature Original refpolicy install compressed policy modules to policy store, but leave datadir ones uncompressed. After, a "compressed_policy" distro feature is added for compressing the datadir ones. This simple mechanism is unworthy for a distro feature, just clear it and use compressed policy modules by default. 
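Review bot: The compressed branch copies `base.pp.bz2` and `${i}.pp.bz2` by bare relative name, but the `.bz2` files it needs were just produced by `bzip2 $i` under `${D}${datadir}/selinux/${POLICY_NAME}`, so the copies resolve against the task's working directory (presumably the build tree after `oe_runmake install`) rather than that directory. Unless the build tree also holds compressed copies, those `cp` calls fail and, since bitbake runs shell tasks under `set -e`, the task aborts; the uncompressed branch is unaffected because it uses absolute paths. Prefix both with the install location: `cp ${D}${datadir}/selinux/${POLICY_NAME}/base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp` and `cp ${D}${datadir}/selinux/${POLICY_NAME}/${i}.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/${i}.pp`. The `basename $i.pp` wrapper is a no-op for the plain module names visible in this file (`nscd`, `mta`) and can go.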
Signed-off-by: Xin Ouyang --- conf/distro/oe-selinux.conf | 2 +- .../refpolicy/refpolicy-minimum_2.20140311.bb | 23 ++++++------------ recipes-security/refpolicy/refpolicy_common.inc | 28 +++++++--------------- 3 files changed, 17 insertions(+), 36 deletions(-) diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf index 5f4af87..6e55a32 100644 --- a/conf/distro/oe-selinux.conf +++ b/conf/distro/oe-selinux.conf @@ -1,4 +1,4 @@ DISTRO = "oe-selinux" DISTROOVERRIDES .= ":selinux" -DISTRO_FEATURES_append = " acl xattr pam selinux compressed_policy" +DISTRO_FEATURES_append = " acl xattr pam selinux" diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb index 0b286ac..b275821 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20140311.bb 
@@ -38,20 +38,11 @@ prepare_policy_store () { mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local - if ${@base_contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do - bzip2 $i - done - cp base.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${POLICY_MODULES_MIN}; do - cp ${i}.pp.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` - done - else - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${POLICY_MODULES_MIN}; do - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp - done - fi + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + done + cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp + for i in ${POLICY_MODULES_MIN}; do + cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` + done } diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index fd205cf..0dc055e 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -13,7 +13,7 @@ S = "${WORKDIR}/refpolicy" FILES_${PN} = " \ ${sysconfdir}/selinux/${POLICY_NAME}/ \ - ${@base_contains('DISTRO_FEATURES', 'compressed_policy', '${datadir}/selinux/${POLICY_NAME}/*.pp.bz2', '${datadir}/selinux/${POLICY_NAME}/*.pp', d)} \ + ${datadir}/selinux/${POLICY_NAME}/*.pp \ " FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/" 
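Review bot: The relative `cp base.pp` and `cp ${i}.pp` survive from the previous version, so the store is still filled from the working directory rather than from `${D}${datadir}/selinux/${POLICY_NAME}`, the only place the loop above has rewritten `*.pp` as bzip2 data. If the working directory is the build tree (likely, after `oe_runmake install`), the store receives the uncompressed build outputs while `${datadir}` ships compressed ones, the opposite of what the commit message describes; if the files are not there at all, the copy fails under `set -e`. The refpolicy_common.inc version of this function copies from the absolute install path, so do the same here: `cp ${D}${datadir}/selinux/${POLICY_NAME}/base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp` and `cp ${D}${datadir}/selinux/${POLICY_NAME}/${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/${i}.pp`.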
@@ -69,24 +69,14 @@ prepare_policy_store () { mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local - if ${@base_contains('DISTRO_FEATURES','compressed_policy','true','false',d)}; then - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do - bzip2 $i - if [ "`basename $i`" != "base.pp" ]; then - cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` - else - cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i` - fi - done - else - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp >\ - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do - if [ "`basename $i`" != "base.pp" ]; then - bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`; - fi - done - fi + for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do + bzip2 -f $i && mv -f $i.bz2 $i + if [ "`basename $i`" != "base.pp" ]; then + cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` + else + cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i` + fi + done } rebuild_policy () { -- cgit v1.2.3-54-g00ecf From e0a92ce7b2da899da8a2e2884eca9fd74aa12763 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Tue, 16 Sep 2014 21:05:00 -0400 Subject: Globally replace 'base_contains' calls with 'bb.utils.contains' Based on oe-core commit: commit 1528e596d4906c33e4be83fcf691cfe76d340ff3 Author: Otavio Salvador Date: Thu Apr 24 15:59:20 2014 -0300 Globally replace 'base_contains' calls with 'bb.utils.contains' The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. 
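Review bot: `bzip2 -f $i && mv -f $i.bz2 $i` hides a compression failure: under the `set -e` that bitbake applies to shell tasks, a non-final command in an `&&` list does not abort, so a failed bzip2 merely skips the `mv` and the following `cp` installs the uncompressed module into the store with no error. Write the two steps as separate statements so the failure surfaces: `bzip2 -f $i` then `mv -f $i.bz2 $i`. A comment above the loop should also record that the `*.pp` files shipped under `${datadir}` are bzip2 streams despite the extension, so anything reading them must sniff the magic rather than trust the name (libsemanage presumably does; worth confirming for any other consumer).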
Signed-off-by: Joe MacDonald --- classes/selinux.bbclass | 2 +- recipes-extended/tar/tar_1.27.1.bbappend | 2 +- recipes-kernel/linux/linux-yocto_3.14.bbappend | 4 ++-- recipes-security/audit/audit_2.3.2.bb | 2 +- recipes-security/selinux/policycoreutils.inc | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/classes/selinux.bbclass b/classes/selinux.bbclass index f9db49c..fb0df27 100644 --- a/classes/selinux.bbclass +++ b/classes/selinux.bbclass @@ -1,5 +1,5 @@ def target_selinux(d, truevar = 'selinux', falsevar = ''): - if not base_contains("DISTRO_FEATURES", "selinux", True, False, d): + if not bb.utils.contains("DISTRO_FEATURES", "selinux", True, False, d): return falsevar pn = d.getVar("PN", True) diff --git a/recipes-extended/tar/tar_1.27.1.bbappend b/recipes-extended/tar/tar_1.27.1.bbappend index 8e45037..a1dc99c 100644 --- a/recipes-extended/tar/tar_1.27.1.bbappend +++ b/recipes-extended/tar/tar_1.27.1.bbappend @@ -5,7 +5,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" inherit with-selinux -PACKAGECONFIG += "${@base_contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}" # configure has no acl enable/disable options! # diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 4118cc0..65c79ef 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend 
@@ -1,8 +1,8 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" # Enable selinux support in the kernel if the feature is enabled -SRC_URI += "${@base_contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}" +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}" # For inconsistent kallsyms data bug on ARM # http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718 -EXTRA_OEMAKE += "${@base_contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}" diff --git a/recipes-security/audit/audit_2.3.2.bb b/recipes-security/audit/audit_2.3.2.bb index 4baf7a0..96b19c8 100644 --- a/recipes-security/audit/audit_2.3.2.bb +++ b/recipes-security/audit/audit_2.3.2.bb @@ -84,7 +84,7 @@ do_install_append() { install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd rm -rf ${D}/etc/rc.d - if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d/ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ fi diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index a4d174c..153b688 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -7,7 +7,7 @@ context." SECTION = "base" LICENSE = "GPLv2+" -SRC_URI += "${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" PAM_SRC_URI = "file://pam.d/newrole \ file://pam.d/run_init \ 
@@ -154,7 +154,7 @@ FILES_${PN}-loadpolicy += "\ " FILES_${PN}-newrole += "\ ${bindir}/newrole \ - ${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \ " FILES_${PN}-python = "\ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \ @@ -164,7 +164,7 @@ FILES_${PN}-python = "\ FILES_${PN}-runinit += "\ ${sbindir}/run_init \ ${sbindir}/open_init_pty \ - ${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ " FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*" FILES_${PN}-sandbox += "\ -- cgit v1.2.3-54-g00ecf From 981b18429013999e405b889bdecd59837ee2d6d3 Mon Sep 17 00:00:00 2001 From: "Roy.Li" Date: Wed, 24 Sep 2014 09:33:48 +0800 Subject: dhcp: remove the unrecognised without-selinux configuration warning dhcp 4.3 has no selinux related configuration options, but it needs the correct initscript when SELinux is enabled, so inherit selinux, not inherit with-selinux Signed-off-by: Roy.Li Signed-off-by: Joe MacDonald --- recipes-connectivity/dhcp/dhcp_4.3.0.bbappend | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-connectivity/dhcp/dhcp_4.3.0.bbappend b/recipes-connectivity/dhcp/dhcp_4.3.0.bbappend index 900c2aa..2d2232c 100644 --- a/recipes-connectivity/dhcp/dhcp_4.3.0.bbappend +++ b/recipes-connectivity/dhcp/dhcp_4.3.0.bbappend @@ -1,3 +1,3 @@ -inherit with-selinux +inherit selinux FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/files:')}" -- cgit v1.2.3-54-g00ecf From 713359e1b8f6794357edc280a826528a3811bcee Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Sun, 28 Sep 2014 22:34:09 -0400 Subject: userspace: update core selinux userspace tools Update to the latest stable release, 20140506. 
Signed-off-by: Joe MacDonald --- recipes-security/selinux/checkpolicy.inc | 2 +- recipes-security/selinux/checkpolicy_2.2.bb | 9 - recipes-security/selinux/checkpolicy_2.3.bb | 7 + recipes-security/selinux/libselinux_2.2.2.bb | 16 - recipes-security/selinux/libselinux_2.3.bb | 14 + recipes-security/selinux/libsemanage_2.2.bb | 19 - recipes-security/selinux/libsemanage_2.3.bb | 17 + recipes-security/selinux/libsepol_2.2.bb | 9 - recipes-security/selinux/libsepol_2.3.bb | 7 + recipes-security/selinux/policycoreutils.inc | 2 +- recipes-security/selinux/policycoreutils_2.2.5.bb | 18 - recipes-security/selinux/policycoreutils_2.3.bb | 16 + recipes-security/selinux/selinux_20131030.inc | 5 - recipes-security/selinux/selinux_20140506.inc | 5 + recipes-security/selinux/selinux_git.inc | 2 +- recipes-security/selinux/sepolgen_1.2.1.bb | 4 +- ...Changes-to-support-named-file_trans-rules.patch | 1511 -------------------- ...rect-invalid-prototype-for-lsetfilecon_ra.patch | 34 + recipes-security/setools/setools_3.3.8.bb | 3 +- 19 files changed, 106 insertions(+), 1594 deletions(-) delete mode 100644 recipes-security/selinux/checkpolicy_2.2.bb create mode 100644 recipes-security/selinux/checkpolicy_2.3.bb delete mode 100644 recipes-security/selinux/libselinux_2.2.2.bb create mode 100644 recipes-security/selinux/libselinux_2.3.bb delete mode 100644 recipes-security/selinux/libsemanage_2.2.bb create mode 100644 recipes-security/selinux/libsemanage_2.3.bb delete mode 100644 recipes-security/selinux/libsepol_2.2.bb create mode 100644 recipes-security/selinux/libsepol_2.3.bb delete mode 100644 recipes-security/selinux/policycoreutils_2.2.5.bb create mode 100644 recipes-security/selinux/policycoreutils_2.3.bb delete mode 100644 recipes-security/selinux/selinux_20131030.inc create mode 100644 recipes-security/selinux/selinux_20140506.inc delete mode 100644 recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch create mode 100644 
recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy.inc index e0c7377..1a21680 100644 --- a/recipes-security/selinux/checkpolicy.inc +++ b/recipes-security/selinux/checkpolicy.inc @@ -11,7 +11,7 @@ LICENSE = "GPLv2+" DEPENDS += "libsepol libselinux bison-native flex-native" -SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch" +#SRC_URI += "file://checkpolicy-Do-not-link-against-libfl.patch" EXTRA_OEMAKE += "PREFIX=${D}" EXTRA_OEMAKE += "LEX='flex'" diff --git a/recipes-security/selinux/checkpolicy_2.2.bb b/recipes-security/selinux/checkpolicy_2.2.bb deleted file mode 100644 index 23d57c1..0000000 --- a/recipes-security/selinux/checkpolicy_2.2.bb +++ /dev/null @@ -1,9 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "d76d5c70cd594fdb15f8d319c6536324" -SRC_URI[sha256sum] = "5d74075379cbaf17135c2a113a3053bd2e7b2a2c54ac04458de652457306c020" diff --git a/recipes-security/selinux/checkpolicy_2.3.bb b/recipes-security/selinux/checkpolicy_2.3.bb new file mode 100644 index 0000000..9f68487 --- /dev/null +++ b/recipes-security/selinux/checkpolicy_2.3.bb @@ -0,0 +1,7 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "920f1a048b6023a22e1bae7b40fd413c" +SRC_URI[sha256sum] = "8072c12121613ba943417bbb6d33224d12373ea19d75c5acd1846a35e0e05b74" diff --git a/recipes-security/selinux/libselinux_2.2.2.bb b/recipes-security/selinux/libselinux_2.2.2.bb deleted file mode 100644 index d6502ad..0000000 --- a/recipes-security/selinux/libselinux_2.2.2.bb +++ /dev/null 
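Review bot: The libfl patch line in checkpolicy.inc is commented out rather than removed, and neither the hunk nor the commit message says why it no longer applies to checkpolicy 2.3; the patch file itself stays in the tree where it will silently bit-rot. Either delete the line together with the patch file, or keep the line and replace the bare `#` with a comment stating the reason it was dropped (e.g. that 2.3 no longer needs it, if that is what was found), so the next update does not have to rediscover it.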
@@ -1,16 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" - -SRC_URI[md5sum] = "c13ea5de171f21fee399abfd4aef9481" -SRC_URI[sha256sum] = "cc8354d67d7bef11fb2a03d23e788c6f4e8510b6760c3778dc7baf6dcfa97539" - -SRC_URI += "\ - file://libselinux-drop-Wno-unused-but-set-variable.patch \ - file://libselinux-make-O_CLOEXEC-optional.patch \ - file://libselinux-make-SOCK_CLOEXEC-optional.patch \ - file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ - " diff --git a/recipes-security/selinux/libselinux_2.3.bb b/recipes-security/selinux/libselinux_2.3.bb new file mode 100644 index 0000000..81e599d --- /dev/null +++ b/recipes-security/selinux/libselinux_2.3.bb @@ -0,0 +1,14 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" + +SRC_URI[md5sum] = "d27e249ad8450e7182203134cf4d85e2" +SRC_URI[sha256sum] = "03fe2baa7ceeea531a64fd321b44ecf09a55f3af5ef66a58a4135944f34e9851" + +SRC_URI += "\ + file://libselinux-drop-Wno-unused-but-set-variable.patch \ + file://libselinux-make-O_CLOEXEC-optional.patch \ + file://libselinux-make-SOCK_CLOEXEC-optional.patch \ + file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ + " diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.2.bb deleted file mode 100644 index 1f00d07..0000000 --- a/recipes-security/selinux/libsemanage_2.2.bb +++ /dev/null 
@@ -1,19 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI[md5sum] = "2bb8f4b728a5667519764297b7725c19" -SRC_URI[sha256sum] = "9b421ce1df10594cb467eef37faeb403d5c6b341a4b7e4b407ac4cb77df95cba" - -SRC_URI += "\ - file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ - file://libsemanage-fix-path-len-limit.patch \ - file://libsemanage-fix-path-nologin.patch \ - file://libsemanage-drop-Wno-unused-but-set-variable.patch \ - file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \ - file://libsemanage-allow-to-disable-audit-support.patch \ - file://libsemanage-disable-expand-check-on-policy-load.patch \ - " diff --git a/recipes-security/selinux/libsemanage_2.3.bb b/recipes-security/selinux/libsemanage_2.3.bb new file mode 100644 index 0000000..5eada94 --- /dev/null +++ b/recipes-security/selinux/libsemanage_2.3.bb @@ -0,0 +1,17 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" + +SRC_URI[md5sum] = "cc313b400637d94e3a549bf77555d8c3" +SRC_URI[sha256sum] = "4c984379a98ee9f05b80ff6e57dd2de886273d7136146456cabdce21ac32ed7f" + +SRC_URI += "\ + file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ + file://libsemanage-fix-path-len-limit.patch \ + file://libsemanage-fix-path-nologin.patch \ + file://libsemanage-drop-Wno-unused-but-set-variable.patch \ + file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \ + file://libsemanage-allow-to-disable-audit-support.patch \ + file://libsemanage-disable-expand-check-on-policy-load.patch \ + " diff --git a/recipes-security/selinux/libsepol_2.2.bb b/recipes-security/selinux/libsepol_2.2.bb deleted file mode 100644 index a0b7df7..0000000 --- a/recipes-security/selinux/libsepol_2.2.bb +++ /dev/null 
@@ -1,9 +0,0 @@ -PR = "r99" - -include selinux_20131030.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI[md5sum] = "2d43599ed29fea9ef41218ec9635ef64" -SRC_URI[sha256sum] = "fbd77459fd03979a9020289b10c89a0af56a52bcd0f7ae0a78455713bb04878b" diff --git a/recipes-security/selinux/libsepol_2.3.bb b/recipes-security/selinux/libsepol_2.3.bb new file mode 100644 index 0000000..0c07d41 --- /dev/null +++ b/recipes-security/selinux/libsepol_2.3.bb @@ -0,0 +1,7 @@ +include selinux_20140506.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" + +SRC_URI[md5sum] = "c6b3dc07bf19ab4f364f21bbecb44beb" +SRC_URI[sha256sum] = "5a4481bfd0fad6fdad1511c786d69de1fc3eddc28154eae1691e1bf4e9e505c3" diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 153b688..44a5861 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -211,7 +211,7 @@ FILES_${PN}-setsebool += "\ FILES_system-config-selinux = " \ ${bindir}/sepolgen \ ${datadir}/system-config-selinux/* \ - ${datadir}/icons/hicolor/24x24/apps/system-config-selinux.png \ + ${datadir}/icons/hicolor/ \ ${datadir}/polkit-1/actions/org.selinux.config.policy \ " diff --git a/recipes-security/selinux/policycoreutils_2.2.5.bb b/recipes-security/selinux/policycoreutils_2.2.5.bb deleted file mode 100644 index 96cf354..0000000 --- a/recipes-security/selinux/policycoreutils_2.2.5.bb +++ /dev/null 
@@ -1,18 +0,0 @@
-PR = "r99"
-
-include selinux_20131030.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "f330a90c566c8b564858d45399ce3dd1"
-SRC_URI[sha256sum] = "3d2c8806742004693c2d4726abbc4f412340ee07bed407976dd8abeda09a4333"
-
-SRC_URI += "\
- file://policycoreutils-fix-sepolicy-install-path.patch \
- file://policycoreutils-make-O_CLOEXEC-optional.patch \
- file://policycoreutils-loadpolicy-symlink.patch \
- file://policycoreutils-semanage-edit-user.patch \
- file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
- file://policycoreutils-fix-TypeError-for-seobject.py.patch \
- "
diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
new file mode 100644
index 0000000..447e6c9
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
@@ -0,0 +1,16 @@
+include selinux_20140506.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "4f5c508e3c3867c8beb343e993d353dd"
+SRC_URI[sha256sum] = "11e8815ac13debb87897d2781381b89ec5c6c746a3d44223a493bc7ace6cc71f"
+
+SRC_URI += "\
+ file://policycoreutils-fix-sepolicy-install-path.patch \
+ file://policycoreutils-make-O_CLOEXEC-optional.patch \
+ file://policycoreutils-loadpolicy-symlink.patch \
+ file://policycoreutils-semanage-edit-user.patch \
+ file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
+ file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+ "
diff --git a/recipes-security/selinux/selinux_20131030.inc b/recipes-security/selinux/selinux_20131030.inc
deleted file mode 100644
index 01cc52f..0000000
--- a/recipes-security/selinux/selinux_20131030.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-SELINUX_RELEASE = "20131030"
-
-SRC_URI = "https://github.com/SELinuxProject/selinux/archive/${BPN}-${PV}.tar.gz"
-
-include selinux_common.inc
diff --git a/recipes-security/selinux/selinux_20140506.inc b/recipes-security/selinux/selinux_20140506.inc
new file mode 100644
index 0000000..01cc52f
--- /dev/null
+++ b/recipes-security/selinux/selinux_20140506.inc
@@ -0,0 +1,5 @@
+SELINUX_RELEASE = "20131030"
+
+SRC_URI = "https://github.com/SELinuxProject/selinux/archive/${BPN}-${PV}.tar.gz"
+
+include selinux_common.inc
diff --git a/recipes-security/selinux/selinux_git.inc b/recipes-security/selinux/selinux_git.inc
index d56f25b..6112d7d 100644
--- a/recipes-security/selinux/selinux_git.inc
+++ b/recipes-security/selinux/selinux_git.inc
@@ -1,6 +1,6 @@
 SRCREV = "edc2e99687b050d5be21a78a66d038aa1fc068d9"
-SRC_URI = "git://oss.tresys.com/git/selinux.git;protocol=http"
+SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
 include selinux_common.inc
diff --git a/recipes-security/selinux/sepolgen_1.2.1.bb b/recipes-security/selinux/sepolgen_1.2.1.bb
index 21dff41..b47ff26 100644
--- a/recipes-security/selinux/sepolgen_1.2.1.bb
+++ b/recipes-security/selinux/sepolgen_1.2.1.bb
@@ -1,6 +1,4 @@
-PR = "r99"
-
-include selinux_20131030.inc
+include selinux_20140506.inc
 include ${BPN}.inc
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch b/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch
deleted file mode 100644
index d44ae21..0000000
--- a/recipes-security/setools/setools/setools-Changes-to-support-named-file_trans-rules.patch
+++ /dev/null
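Review bot: The new selinux_20140506.inc still carries `SELINUX_RELEASE = "20131030"`, and its blob id 01cc52f is the same one the deleted selinux_20131030.inc had, so this file is a rename rather than an update and anything in selinux_common.inc that keys off SELINUX_RELEASE will keep seeing the old release. Presumably the intended first line is `SELINUX_RELEASE = "20140506"`. The tarball fetch itself is unaffected, since SRC_URI is built from ${BPN}-${PV} and every recipe that switched to this include also replaced its md5sum/sha256sum pair, but the stale value is easy to miss once the file name says 20140506.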
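Review bot: The rewritten SRC_URI in selinux_git.inc keeps `protocol=http`, so the clone from the new host still goes over a cleartext transport; GitHub serves the repository over HTTPS, and `SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=https"` is a no-cost change that also matches the https URL the tarball includes on this page already use. The full-length SRCREV on the line above limits the exposure, because a clone whose history was altered in transit would fail to resolve that commit rather than build silently, but the transport should still be authenticated instead of relying on the pin alone.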
@@ -1,1511 +0,0 @@ -From e0f74aa934140ccc6f5a51aa2df6fd19f0c0ee08 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Wed, 7 Mar 2012 11:00:19 +0800 -Subject: [PATCH 5/7] setools: Changes to support named file_trans rules - -Integrated from Fedora: -https://community.dev.fedoraproject.org/packages/setools/sources/patches/ ---- - libapol/include/apol/Makefile.am | 1 + - libapol/include/apol/ftrule-query.h | 198 +++++++++++++++++++ - libapol/include/apol/policy-query.h | 1 + - libapol/src/Makefile.am | 1 + - libapol/src/ftrule-query.c | 363 +++++++++++++++++++++++++++++++++++ - libapol/src/libapol.map | 1 + - libqpol/include/qpol/Makefile.am | 1 + - libqpol/include/qpol/ftrule_query.h | 116 +++++++++++ - libqpol/include/qpol/policy.h | 1 + - libqpol/src/Makefile.am | 1 + - libqpol/src/ftrule_query.c | 277 ++++++++++++++++++++++++++ - libqpol/src/libqpol.map | 1 + - libqpol/src/module_compiler.c | 12 ++ - libqpol/src/policy_define.c | 186 ++++++++++++++++++- - libqpol/src/policy_parse.y | 13 +- - libqpol/src/policy_scan.l | 1 + - secmds/sesearch.c | 101 ++++++++++ - 17 files changed, 1272 insertions(+), 3 deletions(-) - create mode 100644 libapol/include/apol/ftrule-query.h - create mode 100644 libapol/src/ftrule-query.c - create mode 100644 libqpol/include/qpol/ftrule_query.h - create mode 100644 libqpol/src/ftrule_query.c - -diff --git a/libapol/include/apol/Makefile.am b/libapol/include/apol/Makefile.am -index 0883c10..e398ff2 100644 ---- a/libapol/include/apol/Makefile.am -+++ b/libapol/include/apol/Makefile.am -@@ -27,6 +27,7 @@ apol_HEADERS = \ - relabel-analysis.h \ - render.h \ - role-query.h \ -+ ftrule-query.h \ - terule-query.h \ - type-query.h \ - types-relation-analysis.h \ -diff --git a/libapol/include/apol/ftrule-query.h b/libapol/include/apol/ftrule-query.h -new file mode 100644 -index 0000000..119c52f ---- /dev/null -+++ b/libapol/include/apol/ftrule-query.h -@@ -0,0 +1,198 @@ -+/** -+ * @file -+ * -+ * Routines to query filename_transition rules of a 
-+ * policy. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#ifndef APOL_FILENAMERULE_QUERY_H -+#define APOL_FILENAMERULE_QUERY_H -+ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+ -+#include "policy.h" -+#include "vector.h" -+#include -+ -+ typedef struct apol_filename_trans_query apol_filename_trans_query_t; -+ -+ -+/******************** filename_transition queries ********************/ -+ -+/** -+ * Execute a query against all filename_transition rules within the -+ * policy. -+ * -+ * @param p Policy within which to look up filename_transition rules. -+ * @param r Structure containing parameters for query. If this is -+ * NULL then return all filename_transition rules. -+ * @param v Reference to a vector of qpol_filename_trans_t. The vector -+ * will be allocated by this function. The caller must call -+ * apol_vector_destroy() afterwards. This will be set to NULL upon no -+ * results or upon error. -+ * -+ * @return 0 on success (including none found), negative on error. 
-+ */ -+ extern int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * r, apol_vector_t ** v); -+ -+/** -+ * Allocate and return a new filename trans query structure. All fields -+ * are initialized, such that running this blank query results in -+ * returning all filename_transitions within the policy. The caller must -+ * call apol_filename_trans_query_destroy() upon the return value -+ * afterwards. -+ * -+ * @return An initialized filename trans query structure, or NULL upon -+ * error. -+ */ -+ extern apol_filename_trans_query_t *apol_filename_trans_query_create(void); -+ -+/** -+ * Deallocate all memory associated with the referenced filename trans -+ * query, and then set it to NULL. This function does nothing if the -+ * query is already NULL. -+ * -+ * @param r Reference to a filename trans query structure to destroy. -+ */ -+ extern void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r); -+ -+/** -+ * Set a filename_trans query to return rules whose source symbol matches -+ * symbol. Symbol may be a type or attribute; if it is an alias then -+ * the query will convert it to its primary prior to searching. If -+ * is_indirect is non-zero then the search will be done indirectly. -+ * If the symbol is a type, then the query matches rules with one of -+ * the type's attributes. If the symbol is an attribute, then it -+ * matches rule with any of the attribute's types. -+ * -+ * @param p Policy handler, to report errors. -+ * @param t TE rule query to set. -+ * @param symbol Limit query to rules with this symbol as their -+ * source, or NULL to unset this field. -+ * @param is_indirect If non-zero, perform indirect matching. -+ * -+ * @return 0 on success, negative on error. 
-+ */ -+ extern int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol, -+ int is_indirect); -+ -+/** -+ * Set a filename trans query to return rules with a particular target -+ * symbol. Symbol may be a type or attribute; if it is an alias then -+ * the query will convert it to its primary prior to searching. If -+ * is_indirect is non-zero then the search will be done indirectly. -+ * If the symbol is a type, then the query matches rules with one of -+ * the type's attributes. If the symbol is an attribute, then it -+ * matches rule with any of the attribute's types. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param symbol Limit query to rules with this type or attribute as -+ * their target, or NULL to unset this field. -+ * @param is_indirect If non-zero, perform indirect matching. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *symbol, -+ int is_indirect); -+ -+/** -+ * Set a filename trans query to return rules with a particular default -+ * filename. This field is ignored if -+ * apol_filename_trans_query_set_source_any() is set to non-zero. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param filename Limit query to rules with this filename as their default, or -+ * NULL to unset this field. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * r, const char *filename); -+ -+/** -+ * Set at filename_trans query to return rules with this object (non-common) -+ * class. If more than one class are appended to the query, the -+ * rule's class must be one of those appended. (I.e., the rule's -+ * class must be a member of the query's classes.) 
Pass a NULL to -+ * clear all classes. Note that this performs straight string -+ * comparison, ignoring the regex flag. -+ -+ * -+ * @param p Policy handler, to report errors. -+ * @param t TE rule query to set. -+ * @param obj_class Name of object class to add to search set. -+ * -+ * @return 0 on success, negative on error. -+ */ -+ extern int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class); -+ -+/** -+ * Set a filename trans query to treat the source filename as any. That is, -+ * use the same symbol for either source or default of a -+ * filename_transition rule. This flag does nothing if the source filename is -+ * not set. Note that a filename_transition's target is a type, so thus -+ * this flag does not affect its searching. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param is_any Non-zero to use source symbol for source or default -+ * field, 0 to keep source as only source. -+ * -+ * @return Always 0. -+ */ -+ extern int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_any); -+ -+/** -+ * Set a filename trans query to use regular expression searching for -+ * source, target, and default fields. Strings will be treated as -+ * regexes instead of literals. For the target type, matching will -+ * occur against the type name or any of its aliases. -+ * -+ * @param p Policy handler, to report errors. -+ * @param r Role trans query to set. -+ * @param is_regex Non-zero to enable regex searching, 0 to disable. -+ * -+ * @return Always 0. -+ */ -+ extern int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * r, int is_regex); -+ -+/** -+ * Render a filename_transition rule to a string. -+ * -+ * @param policy Policy handler, to report errors. -+ * @param rule The rule to render. 
-+ * -+ * @return A newly malloc()'d string representation of the rule, or NULL on -+ * failure; if the call fails, errno will be set. The caller is responsible -+ * for calling free() on the returned string. -+ */ -+ extern char *apol_filename_trans_render(const apol_policy_t * policy, const qpol_filename_trans_t * rule); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -diff --git a/libapol/include/apol/policy-query.h b/libapol/include/apol/policy-query.h -index 315f70e..665e4cb 100644 ---- a/libapol/include/apol/policy-query.h -+++ b/libapol/include/apol/policy-query.h -@@ -71,6 +71,7 @@ extern "C" - #include "terule-query.h" - #include "condrule-query.h" - #include "rbacrule-query.h" -+#include "ftrule-query.h" - #include "range_trans-query.h" - #include "constraint-query.h" - -diff --git a/libapol/src/Makefile.am b/libapol/src/Makefile.am -index 3fa4f06..baaa4f6 100644 ---- a/libapol/src/Makefile.am -+++ b/libapol/src/Makefile.am -@@ -40,6 +40,7 @@ libapol_a_SOURCES = \ - render.c \ - role-query.c \ - terule-query.c \ -+ ftrule-query.c \ - type-query.c \ - types-relation-analysis.c \ - user-query.c \ -diff --git a/libapol/src/ftrule-query.c b/libapol/src/ftrule-query.c -new file mode 100644 -index 0000000..dc248de ---- /dev/null -+++ b/libapol/src/ftrule-query.c -@@ -0,0 +1,363 @@ -+/** -+ * @file -+ * -+ * Provides a way for setools to make queries about type enforcement -+ * filename_transs within a policy. The caller obtains a query object, fills in -+ * its parameters, and then runs the query; it obtains a vector of -+ * results. Searches are conjunctive -- all fields of the search -+ * query must match for a datum to be added to the results query. -+ * -+ * @author Jeremy A. 
Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include "policy-query-internal.h" -+ -+#include -+#include -+ -+struct apol_filename_trans_query -+{ -+ char *source, *target, *default_type, *name; -+ apol_vector_t *classes; -+ unsigned int flags; -+}; -+ -+ -+/******************** filename_transition queries ********************/ -+ -+int apol_filename_trans_get_by_query(const apol_policy_t * p, const apol_filename_trans_query_t * t, apol_vector_t ** v) -+{ -+ apol_vector_t *source_list = NULL, *target_list = NULL, *class_list = NULL, *default_list = NULL; -+ int retval = -1, source_as_any = 0, is_regex = 0, append_filename_trans; -+ char *bool_name = NULL; -+ *v = NULL; -+ unsigned int flags = 0; -+ qpol_iterator_t *iter = NULL, *type_iter = NULL; -+ -+ if (t != NULL) { -+ flags = t->flags; -+ is_regex = t->flags & APOL_QUERY_REGEX; -+ if (t->source != NULL && -+ (source_list = -+ apol_query_create_candidate_type_list(p, t->source, is_regex, -+ t->flags & APOL_QUERY_SOURCE_INDIRECT, -+ ((t->flags & (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE)) / -+ APOL_QUERY_SOURCE_TYPE))) == NULL) { -+ goto cleanup; -+ } -+ -+ if 
((t->flags & APOL_QUERY_SOURCE_AS_ANY) && t->source != NULL) { -+ default_list = target_list = source_list; -+ source_as_any = 1; -+ } else { -+ if (t->target != NULL && -+ (target_list = -+ apol_query_create_candidate_type_list(p, t->target, is_regex, -+ t->flags & APOL_QUERY_TARGET_INDIRECT, -+ ((t-> -+ flags & (APOL_QUERY_TARGET_TYPE | APOL_QUERY_TARGET_ATTRIBUTE)) -+ / APOL_QUERY_TARGET_TYPE))) == NULL) { -+ goto cleanup; -+ } -+ if (t->default_type != NULL && -+ (default_list = -+ apol_query_create_candidate_type_list(p, t->default_type, is_regex, 0, -+ APOL_QUERY_SYMBOL_IS_TYPE)) == NULL) { -+ goto cleanup; -+ } -+ } -+ if (t->classes != NULL && -+ apol_vector_get_size(t->classes) > 0 && -+ (class_list = apol_query_create_candidate_class_list(p, t->classes)) == NULL) { -+ goto cleanup; -+ } -+ } -+ -+ if (qpol_policy_get_filename_trans_iter(p->p, &iter) < 0) { -+ return -1; -+ } -+ -+ if ((*v = apol_vector_create(NULL)) == NULL) { -+ ERR(p, "%s", strerror(errno)); -+ goto cleanup; -+ } -+ -+ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { -+ qpol_filename_trans_t *filename_trans; -+ if (qpol_iterator_get_item(iter, (void **)&filename_trans) < 0) { -+ goto cleanup; -+ } -+ int match_source = 0, match_target = 0, match_default = 0, match_bool = 0; -+ size_t i; -+ -+ if (source_list == NULL) { -+ match_source = 1; -+ } else { -+ const qpol_type_t *source_type; -+ if (qpol_filename_trans_get_source_type(p->p, filename_trans, &source_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(source_list, source_type, NULL, NULL, &i) == 0) { -+ match_source = 1; -+ } -+ } -+ -+ /* if source did not match, but treating source symbol -+ * as any field, then delay rejecting this filename_trans until -+ * the target and default have been checked */ -+ if (!source_as_any && !match_source) { -+ continue; -+ } -+ -+ if (target_list == NULL || (source_as_any && match_source)) { -+ match_target = 1; -+ } else { -+ const qpol_type_t *target_type; -+ if 
(qpol_filename_trans_get_target_type(p->p, filename_trans, &target_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(target_list, target_type, NULL, NULL, &i) == 0) { -+ match_target = 1; -+ } -+ } -+ -+ if (!source_as_any && !match_target) { -+ continue; -+ } -+ -+ if (default_list == NULL || (source_as_any && match_source) || (source_as_any && match_target)) { -+ match_default = 1; -+ } else { -+ const qpol_type_t *default_type; -+ if (qpol_filename_trans_get_default_type(p->p, filename_trans, &default_type) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(default_list, default_type, NULL, NULL, &i) == 0) { -+ match_default = 1; -+ } -+ } -+ -+ if (!source_as_any && !match_default) { -+ continue; -+ } -+ /* at least one thing must match if source_as_any was given */ -+ if (source_as_any && (!match_source && !match_target && !match_default)) { -+ continue; -+ } -+ -+ if (class_list != NULL) { -+ const qpol_class_t *obj_class; -+ if (qpol_filename_trans_get_object_class(p->p, filename_trans, &obj_class) < 0) { -+ goto cleanup; -+ } -+ if (apol_vector_get_index(class_list, obj_class, NULL, NULL, &i) < 0) { -+ continue; -+ } -+ } -+ -+ if (apol_vector_append(*v, filename_trans)) { -+ ERR(p, "%s", strerror(ENOMEM)); -+ goto cleanup; -+ } -+ } -+ -+ retval = 0; -+ cleanup: -+ if (retval != 0) { -+ apol_vector_destroy(v); -+ } -+ apol_vector_destroy(&source_list); -+ if (!source_as_any) { -+ apol_vector_destroy(&target_list); -+ apol_vector_destroy(&default_list); -+ } -+ apol_vector_destroy(&class_list); -+ return retval; -+} -+ -+apol_filename_trans_query_t *apol_filename_trans_query_create(void) -+{ -+ apol_filename_trans_query_t *t = calloc(1, sizeof(apol_filename_trans_query_t)); -+ if (t != NULL) { -+ t->flags = -+ (APOL_QUERY_SOURCE_TYPE | APOL_QUERY_SOURCE_ATTRIBUTE | APOL_QUERY_TARGET_TYPE | -+ APOL_QUERY_TARGET_ATTRIBUTE); -+ } -+ return t; -+} -+ -+void apol_filename_trans_query_destroy(apol_filename_trans_query_t ** r) -+{ -+ if (r != 
NULL && *r != NULL) { -+ free((*r)->source); -+ free((*r)->target); -+ free((*r)->default_type); -+ free((*r)->name); -+ free(*r); -+ *r = NULL; -+ } -+} -+ -+int apol_filename_trans_query_set_source(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename, int is_indirect) -+{ -+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); -+ return apol_query_set(p, &t->source, NULL, filename); -+} -+ -+int apol_filename_trans_query_set_target(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *type, int is_indirect) -+{ -+ apol_query_set_flag(p, &t->flags, is_indirect, APOL_QUERY_TARGET_INDIRECT); -+ return apol_query_set(p, &t->target, NULL, type); -+} -+ -+int apol_filename_trans_query_set_default(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *symbol) -+{ -+ return apol_query_set(p, &t->default_type, NULL, symbol); -+} -+ -+int apol_filename_trans_query_append_class(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *obj_class) -+{ -+ char *s = NULL; -+ if (obj_class == NULL) { -+ apol_vector_destroy(&t->classes); -+ } else if ((s = strdup(obj_class)) == NULL || (t->classes == NULL && (t->classes = apol_vector_create(free)) == NULL) -+ || apol_vector_append(t->classes, s) < 0) { -+ ERR(p, "%s", strerror(errno)); -+ free(s); -+ return -1; -+ } -+ return 0; -+} -+ -+int apol_filename_trans_query_set_name(const apol_policy_t * p, apol_filename_trans_query_t * t, const char *filename) -+{ -+ return apol_query_set(p, &t->name, NULL, filename); -+} -+ -+int apol_filename_trans_query_set_source_any(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_any) -+{ -+ return apol_query_set_flag(p, &t->flags, is_any, APOL_QUERY_SOURCE_AS_ANY); -+} -+ -+int apol_filename_trans_query_set_regex(const apol_policy_t * p, apol_filename_trans_query_t * t, int is_regex) -+{ -+ return apol_query_set_regex(p, &t->flags, is_regex); -+} -+ -+char *apol_filename_trans_render(const 
apol_policy_t * policy, const qpol_filename_trans_t * filename_trans) -+{ -+ char *tmp = NULL; -+ const char *tmp_name = NULL; -+ const char *filename_trans_type_str; -+ int error = 0; -+ size_t tmp_sz = 0; -+ uint32_t filename_trans_type = 0; -+ const qpol_type_t *type = NULL; -+ const qpol_class_t *obj_class = NULL; -+ -+ if (!policy || !filename_trans) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return NULL; -+ } -+ -+ /* source type */ -+ if (qpol_filename_trans_get_source_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "transition_type %s ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* target type */ -+ if (qpol_filename_trans_get_target_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s : ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* object class */ -+ if (qpol_filename_trans_get_object_class(policy->p, filename_trans, &obj_class)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_class_get_name(policy->p, obj_class, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s ", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ /* default type */ -+ if (qpol_filename_trans_get_default_type(policy->p, filename_trans, &type)) { -+ error = errno; -+ goto err; -+ } -+ if (qpol_type_get_name(policy->p, type, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ if (apol_str_appendf(&tmp, &tmp_sz, "%s", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ if (qpol_filename_trans_get_filename(policy->p, 
filename_trans, &tmp_name)) { -+ error = errno; -+ goto err; -+ } -+ -+ if (apol_str_appendf(&tmp, &tmp_sz, " %s", tmp_name)) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ -+ if (apol_str_appendf(&tmp, &tmp_sz, ";")) { -+ error = errno; -+ ERR(policy, "%s", strerror(error)); -+ goto err; -+ } -+ return tmp; -+ -+ err: -+ free(tmp); -+ errno = error; -+ return NULL; -+} -diff --git a/libapol/src/libapol.map b/libapol/src/libapol.map -index 4894374..7657a2d 100644 ---- a/libapol/src/libapol.map -+++ b/libapol/src/libapol.map -@@ -34,6 +34,7 @@ VERS_4.0{ - apol_protocol_to_str; - apol_qpol_context_render; - apol_range_trans_*; -+ apol_filename_trans_*; - apol_relabel_*; - apol_role_*; - apol_role_allow_*; -diff --git a/libqpol/include/qpol/Makefile.am b/libqpol/include/qpol/Makefile.am -index b55acb7..9b570e1 100644 ---- a/libqpol/include/qpol/Makefile.am -+++ b/libqpol/include/qpol/Makefile.am -@@ -25,6 +25,7 @@ qpol_HEADERS = \ - role_query.h \ - syn_rule_query.h \ - terule_query.h \ -+ ftrule_query.h \ - type_query.h \ - user_query.h \ - util.h -diff --git a/libqpol/include/qpol/ftrule_query.h b/libqpol/include/qpol/ftrule_query.h -new file mode 100644 -index 0000000..1f533a4 ---- /dev/null -+++ b/libqpol/include/qpol/ftrule_query.h -@@ -0,0 +1,116 @@ -+/** -+ * @file -+ * Defines public interface for iterating over FTRULE rules. -+ * -+ * @author Kevin Carr kcarr@tresys.com -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. 
-+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#ifndef QPOL_FTRULERULE_QUERY -+#define QPOL_FTRULERULE_QUERY -+ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+ -+#include -+#include -+ -+ typedef struct qpol_filename_trans qpol_filename_trans_t; -+ -+/** -+ * Get an iterator over all filename transition rules in the policy. -+ * @param policy Policy from which to create the iterator. -+ * @param iter Iterator over items of type qpol_filename_trans_t returned. -+ * The caller is responsible for calling qpol_iterator_destroy() -+ * to free memory used by this iterator. -+ * It is important to note that this iterator is only valid as long as -+ * the policy is unmodifed. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *iter will be NULL. -+ */ -+ extern int qpol_policy_get_filename_trans_iter(const qpol_policy_t * policy, qpol_iterator_t ** iter); -+ -+/** -+ * Get the source type from a filename transition rule. -+ * @param policy The policy from which the rule comes. -+ * @param rule The rule from which to get the source type. -+ * @param source Pointer in which to store the source type. -+ * The caller should not free this pointer. -+ * @return 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *source will be NULL. -+ */ -+ extern int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** source); -+ -+/** -+ * Get the target type from a filename transition rule. 
-+ * @param policy The policy from which the rule comes. -+ * @param rule The rule from which to get the target type. -+ * @param target Pointer in which to store the target type. -+ * The caller should not free this pointer. -+ * @return 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *target will be NULL. -+ */ -+ extern int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** target); -+ -+/** -+ * Get the default type from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the default type. -+ * @param dflt Pointer in which to store the default type. -+ * The caller should not free this pointer. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *dflt will be NULL. -+ */ -+ extern int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_type_t ** dflt); -+ -+/** -+ * Get the object class from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the object class. -+ * @param obj_class Pointer in which to store the object class. -+ * The caller should not free this pointer. -+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *obj_class will be NULL. -+ */ -+ extern int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const qpol_class_t ** obj_class); -+ -+/** -+ * Get the transition filename type from a type rule. -+ * @param policy Policy from which the rule comes. -+ * @param rule The rule from which to get the transition filename. -+ * @param target Pointer in which to store the transition filename. -+ * The caller should not free this pointer. 
-+ * @returm 0 on success and < 0 on failure; if the call fails, -+ * errno will be set and *target will be NULL. -+ */ -+ extern int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, -+ const char ** name); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* QPOL_FTRULERULE_QUERY */ -diff --git a/libqpol/include/qpol/policy.h b/libqpol/include/qpol/policy.h -index ae4ea08..bf85718 100644 ---- a/libqpol/include/qpol/policy.h -+++ b/libqpol/include/qpol/policy.h -@@ -55,6 +55,7 @@ extern "C" - #include - #include - #include -+#include - #include - #include - #include -diff --git a/libqpol/src/Makefile.am b/libqpol/src/Makefile.am -index 34d87a6..0889a61 100644 ---- a/libqpol/src/Makefile.am -+++ b/libqpol/src/Makefile.am -@@ -48,6 +48,7 @@ libqpol_a_SOURCES = \ - syn_rule_internal.h \ - syn_rule_query.c \ - terule_query.c \ -+ ftrule_query.c \ - type_query.c \ - user_query.c \ - util.c \ -diff --git a/libqpol/src/ftrule_query.c b/libqpol/src/ftrule_query.c -new file mode 100644 -index 0000000..d6db848 ---- /dev/null -+++ b/libqpol/src/ftrule_query.c -@@ -0,0 +1,277 @@ -+/** -+ * @file -+ * Defines public interface for iterating over RBAC rules. -+ * -+ * @author Jeremy A. Mowery jmowery@tresys.com -+ * @author Jason Tang jtang@tresys.com -+ * -+ * Copyright (C) 2006-2007 Tresys Technology, LLC -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include -+#include -+#include -+#include -+#include "iterator_internal.h" -+#include "qpol_internal.h" -+#include -+ -+typedef struct filename_trans_state -+{ -+ filename_trans_t *head; -+ filename_trans_t *cur; -+} filename_trans_state_t; -+ -+static int filename_trans_state_end(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ return fts->cur ? 0 : 1; -+} -+ -+static void *filename_trans_state_get_cur(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter)) || filename_trans_state_end(iter)) { -+ errno = EINVAL; -+ return NULL; -+ } -+ -+ return fts->cur; -+} -+ -+static int filename_trans_state_next(qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ if (filename_trans_state_end(iter)) { -+ errno = ERANGE; -+ return STATUS_ERR; -+ } -+ -+ fts->cur = fts->cur->next; -+ -+ return STATUS_SUCCESS; -+} -+ -+static size_t filename_trans_state_size(const qpol_iterator_t * iter) -+{ -+ filename_trans_state_t *fts = NULL; -+ const policydb_t *db = NULL; -+ filename_trans_t *tmp = NULL; -+ size_t count = 0; -+ -+ if (!iter || !(fts = qpol_iterator_state(iter)) || !(db = qpol_iterator_policy(iter))) { -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ for (tmp = fts->head; tmp; tmp = tmp->next) -+ count++; -+ -+ return count; -+} -+ -+int qpol_policy_get_filename_trans_iter(const 
qpol_policy_t * policy, qpol_iterator_t ** iter) -+{ -+ policydb_t *db = NULL; -+ filename_trans_state_t *fts = NULL; -+ int error = 0; -+ -+ if (iter) -+ *iter = NULL; -+ -+ if (!policy || !iter) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ -+ fts = calloc(1, sizeof(filename_trans_state_t)); -+ if (!fts) { -+ /* errno set by calloc */ -+ ERR(policy, "%s", strerror(errno)); -+ return STATUS_ERR; -+ } -+ fts->head = fts->cur = db->filename_trans; -+ -+ if (qpol_iterator_create -+ (policy, (void *)fts, filename_trans_state_get_cur, filename_trans_state_next, filename_trans_state_end, filename_trans_state_size, -+ free, iter)) { -+ error = errno; -+ free(fts); -+ errno = error; -+ return STATUS_ERR; -+ } -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_source_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** source) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (source) { -+ *source = NULL; -+ } -+ -+ if (!policy || !rule || !source) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *source = (qpol_type_t *) db->type_val_to_struct[ft->stype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_target_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** target) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (target) { -+ *target = NULL; -+ } -+ -+ if (!policy || !rule || !target) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *target = (qpol_type_t *) db->type_val_to_struct[ft->ttype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_object_class(const qpol_policy_t * policy, const qpol_filename_trans_t * 
rule, -+ const qpol_class_t ** obj_class) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (obj_class) { -+ *obj_class = NULL; -+ } -+ -+ if (!policy || !rule || !obj_class) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *obj_class = (qpol_class_t *) db->class_val_to_struct[ft->tclass - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_trans_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** output_type) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (output_type) { -+ *output_type = NULL; -+ } -+ -+ if (!policy || !rule || !output_type) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *output_type = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_default_type(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const qpol_type_t ** dflt) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (dflt) { -+ *dflt = NULL; -+ } -+ -+ if (!policy || !rule || !dflt) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *dflt = (qpol_type_t *) db->type_val_to_struct[ft->otype - 1]; -+ -+ return STATUS_SUCCESS; -+} -+ -+int qpol_filename_trans_get_filename(const qpol_policy_t * policy, const qpol_filename_trans_t * rule, const char ** name) -+{ -+ policydb_t *db = NULL; -+ filename_trans_t *ft = NULL; -+ -+ if (name) { -+ *name = NULL; -+ } -+ -+ if (!policy || !rule || !name) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return STATUS_ERR; -+ } -+ -+ db = &policy->p->p; -+ ft = (filename_trans_t *) rule; -+ -+ *name = ft->name; -+ -+ return 
STATUS_SUCCESS; -+} -+ -diff --git a/libqpol/src/libqpol.map b/libqpol/src/libqpol.map -index dd293bc..6973cca 100644 ---- a/libqpol/src/libqpol.map -+++ b/libqpol/src/libqpol.map -@@ -34,6 +34,7 @@ VERS_1.2 { - qpol_policy_reevaluate_conds; - qpol_portcon_*; - qpol_range_trans_*; -+ qpol_filename_trans_*; - qpol_role_*; - qpol_syn_avrule_*; - qpol_syn_terule_*; -diff --git a/libqpol/src/module_compiler.c b/libqpol/src/module_compiler.c -index dc19798..b06e285 100644 ---- a/libqpol/src/module_compiler.c -+++ b/libqpol/src/module_compiler.c -@@ -1247,6 +1247,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) - } - - /* this doesn't actually append, but really prepends it */ -+void append_filename_trans(filename_trans_rule_t * filename_trans_rules) -+{ -+ avrule_decl_t *decl = stack_top->decl; -+ -+ /* filename transitions are not allowed within conditionals */ -+ assert(stack_top->type == 1); -+ -+ filename_trans_rules->next = decl->filename_trans_rules; -+ decl->filename_trans_rules = filename_trans_rules; -+} -+ -+/* this doesn't actually append, but really prepends it */ - void append_range_trans(range_trans_rule_t * range_tr_rules) - { - avrule_decl_t *decl = stack_top->decl; -diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c -index c94f7aa..0f3a45a 100644 ---- a/libqpol/src/policy_define.c -+++ b/libqpol/src/policy_define.c -@@ -2133,7 +2133,7 @@ int define_role_trans(void) - - /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ - #ifdef HAVE_SEPOL_USER_ROLE_MAPPING -- if (role_set_expand(&roles, &e_roles, policydbp, NULL)) -+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) - #else - if (role_set_expand(&roles, &e_roles, policydbp)) - #endif -@@ -2226,6 +2226,190 @@ int define_role_allow(void) - return 0; - } - -+avrule_t *define_cond_filename_trans(void) -+{ -+ yyerror("type transitions with a filename not allowed inside " -+ "conditionals\n"); -+ return COND_ERR; -+} 
-+ -+int define_filename_trans(void) -+{ -+ char *id, *name = NULL; -+ type_set_t stypes, ttypes; -+ ebitmap_t e_stypes, e_ttypes; -+ ebitmap_t e_tclasses; -+ ebitmap_node_t *snode, *tnode, *cnode; -+ filename_trans_t *ft; -+ filename_trans_rule_t *ftr; -+ class_datum_t *cladatum; -+ type_datum_t *typdatum; -+ uint32_t otype; -+ unsigned int c, s, t; -+ int add; -+ -+ if (pass == 1) { -+ /* stype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* ttype */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* tclass */ -+ while ((id = queue_remove(id_queue))) -+ free(id); -+ /* otype */ -+ id = queue_remove(id_queue); -+ free(id); -+ /* name */ -+ id = queue_remove(id_queue); -+ free(id); -+ return 0; -+ } -+ -+ -+ add = 1; -+ type_set_init(&stypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&stypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ add =1; -+ type_set_init(&ttypes); -+ while ((id = queue_remove(id_queue))) { -+ if (set_types(&ttypes, id, &add, 0)) -+ goto bad; -+ } -+ -+ ebitmap_init(&e_tclasses); -+ while ((id = queue_remove(id_queue))) { -+ if (!is_id_in_scope(SYM_CLASSES, id)) { -+ yyerror2("class %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ cladatum = hashtab_search(policydbp->p_classes.table, id); -+ if (!cladatum) { -+ yyerror2("unknown class %s", id); -+ goto bad; -+ } -+ if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { -+ yyerror("Out of memory"); -+ goto bad; -+ } -+ free(id); -+ } -+ -+ id = (char *)queue_remove(id_queue); -+ if (!id) { -+ yyerror("no otype in transition definition?"); -+ goto bad; -+ } -+ if (!is_id_in_scope(SYM_TYPES, id)) { -+ yyerror2("type %s is not within scope", id); -+ free(id); -+ goto bad; -+ } -+ typdatum = hashtab_search(policydbp->p_types.table, id); -+ if (!typdatum) { -+ yyerror2("unknown type %s used in transition definition", id); -+ goto bad; -+ } -+ free(id); -+ otype = typdatum->s.value; -+ -+ name = queue_remove(id_queue); -+ if (!name) { -+ 
yyerror("no pathname specified in filename_trans definition?"); -+ goto bad; -+ } -+ -+ /* We expand the class set into seperate rules. We expand the types -+ * just to make sure there are not duplicates. They will get turned -+ * into seperate rules later */ -+ ebitmap_init(&e_stypes); -+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_init(&e_ttypes); -+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) -+ goto bad; -+ -+ ebitmap_for_each_bit(&e_tclasses, cnode, c) { -+ if (!ebitmap_node_get_bit(cnode, c)) -+ continue; -+ ebitmap_for_each_bit(&e_stypes, snode, s) { -+ if (!ebitmap_node_get_bit(snode, s)) -+ continue; -+ ebitmap_for_each_bit(&e_ttypes, tnode, t) { -+ if (!ebitmap_node_get_bit(tnode, t)) -+ continue; -+ -+ for (ft = policydbp->filename_trans; ft; ft = ft->next) { -+ if (ft->stype == (s + 1) && -+ ft->ttype == (t + 1) && -+ ft->tclass == (c + 1) && -+ !strcmp(ft->name, name)) { -+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", -+ name, -+ policydbp->p_type_val_to_name[s], -+ policydbp->p_type_val_to_name[t], -+ policydbp->p_class_val_to_name[c]); -+ goto bad; -+ } -+ } -+ -+ ft = malloc(sizeof(*ft)); -+ if (!ft) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ memset(ft, 0, sizeof(*ft)); -+ -+ ft->next = policydbp->filename_trans; -+ policydbp->filename_trans = ft; -+ -+ ft->name = strdup(name); -+ if (!ft->name) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ ft->stype = s + 1; -+ ft->ttype = t + 1; -+ ft->tclass = c + 1; -+ ft->otype = otype; -+ } -+ } -+ -+ /* Now add the real rule since we didn't find any duplicates */ -+ ftr = malloc(sizeof(*ftr)); -+ if (!ftr) { -+ yyerror("out of memory"); -+ goto bad; -+ } -+ filename_trans_rule_init(ftr); -+ append_filename_trans(ftr); -+ -+ ftr->name = strdup(name); -+ ftr->stypes = stypes; -+ ftr->ttypes = ttypes; -+ ftr->tclass = c + 1; -+ ftr->otype = otype; -+ } -+ -+ free(name); -+ ebitmap_destroy(&e_stypes); -+ 
ebitmap_destroy(&e_ttypes); -+ ebitmap_destroy(&e_tclasses); -+ -+ return 0; -+ -+bad: -+ free(name); -+ return -1; -+} -+ - static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) - { - constraint_expr_t *h = NULL, *l = NULL, *e, *newe; -diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y -index 84f4114..dc16c6f 100644 ---- a/libqpol/src/policy_parse.y -+++ b/libqpol/src/policy_parse.y -@@ -98,6 +98,7 @@ extern char *qpol_src_inputlim;/* end of data */ - %type require_decl_def - - %token PATH -+%token FILENAME - %token CLONE - %token COMMON - %token CLASS -@@ -360,7 +361,10 @@ cond_rule_def : cond_transition_def - | require_block - { $$ = NULL; } - ; --cond_transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ { $$ = define_cond_filename_trans() ; -+ if ($$ == COND_ERR) return -1;} -+ | TYPE_TRANSITION names names ':' names identifier ';' - { $$ = define_cond_compute_type(AVRULE_TRANSITION) ; - if ($$ == COND_ERR) return -1;} - | TYPE_MEMBER names names ':' names identifier ';' -@@ -395,7 +399,9 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' - { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT); - if ($$ == COND_ERR) return -1; } - ; --transition_def : TYPE_TRANSITION names names ':' names identifier ';' -+transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' -+ {if (define_filename_trans()) return -1; } -+ | TYPE_TRANSITION names names ':' names identifier ';' - {if (define_compute_type(AVRULE_TRANSITION)) return -1;} - | TYPE_MEMBER names names ':' names identifier ';' - {if (define_compute_type(AVRULE_MEMBER)) return -1;} -@@ -752,6 +758,9 @@ identifier : IDENTIFIER - path : PATH - { if (insert_id(yytext,0)) return -1; } - ; -+filename : FILENAME -+ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } -+ ; - number : NUMBER - { $$ = strtoul(yytext,NULL,0); } - 
; -diff --git a/libqpol/src/policy_scan.l b/libqpol/src/policy_scan.l -index 75485f3..30203cd 100644 ---- a/libqpol/src/policy_scan.l -+++ b/libqpol/src/policy_scan.l -@@ -235,6 +235,7 @@ POLICYCAP { return(POLICYCAP); } - permissive | - PERMISSIVE { return(PERMISSIVE); } - "/"({alnum}|[_\.\-/])* { return(PATH); } -+\"({alnum}|[_\.\-])+\" { return(FILENAME); } - {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } - {digit}+|0x{hexval}+ { return(NUMBER); } - {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } -diff --git a/secmds/sesearch.c b/secmds/sesearch.c -index ec0315f..e44b3bc 100644 ---- a/secmds/sesearch.c -+++ b/secmds/sesearch.c -@@ -575,6 +575,95 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt - free(expr); - } - -+static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) -+{ -+ apol_filename_trans_query_t *ftq = NULL; -+ int error = 0; -+ -+ if (!policy || !opt || !v) { -+ ERR(policy, "%s", strerror(EINVAL)); -+ errno = EINVAL; -+ return -1; -+ } -+ -+ if (!opt->type == QPOL_RULE_TYPE_TRANS && !opt->all) { -+ *v = NULL; -+ return 0; /* no search to do */ -+ } -+ -+ ftq = apol_filename_trans_query_create(); -+ if (!ftq) { -+ ERR(policy, "%s", strerror(ENOMEM)); -+ errno = ENOMEM; -+ return -1; -+ } -+ -+ apol_filename_trans_query_set_regex(policy, ftq, opt->useregex); -+ if (opt->src_name) { -+ if (apol_filename_trans_query_set_source(policy, ftq, opt->src_name)) { -+ error = errno; -+ goto err; -+ } -+ } -+ if (opt->tgt_name) { -+ if (apol_filename_trans_query_set_target(policy, ftq, opt->tgt_name, opt->indirect)) { -+ error = errno; -+ goto err; -+ } -+ } -+ -+ if (apol_filename_trans_get_by_query(policy, ftq, v)) { -+ error = errno; -+ goto err; -+ } -+ -+ apol_filename_trans_query_destroy(&ftq); -+ return 0; -+ -+ err: -+ apol_vector_destroy(v); -+ apol_filename_trans_query_destroy(&ftq); -+ ERR(policy, "%s", strerror(error)); -+ errno = error; -+ 
return -1; -+} -+ -+static void print_ft_results(const apol_policy_t * policy, const options_t * opt, const apol_vector_t * v) -+{ -+ qpol_policy_t *q = apol_policy_get_qpol(policy); -+ size_t i, num_rules = 0; -+ const qpol_filename_trans_t *rule = NULL; -+ char *tmp = NULL, *rule_str = NULL, *expr = NULL; -+ char enable_char = ' ', branch_char = ' '; -+ qpol_iterator_t *iter = NULL; -+ const qpol_cond_t *cond = NULL; -+ uint32_t enabled = 0, list = 0; -+ -+ if (!(num_rules = apol_vector_get_size(v))) -+ goto cleanup; -+ -+ fprintf(stdout, "Found %zd named file transition rules:\n", num_rules); -+ -+ for (i = 0; i < num_rules; i++) { -+ enable_char = branch_char = ' '; -+ if (!(rule = apol_vector_get_element(v, i))) -+ goto cleanup; -+ -+ if (!(rule_str = apol_filename_trans_render(policy, rule))) -+ goto cleanup; -+ fprintf(stdout, "%s %s\n", rule_str, expr ? expr : ""); -+ free(rule_str); -+ rule_str = NULL; -+ free(expr); -+ expr = NULL; -+ } -+ -+ cleanup: -+ free(tmp); -+ free(rule_str); -+ free(expr); -+} -+ - static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) - { - apol_role_allow_query_t *raq = NULL; -@@ -1128,6 +1217,18 @@ int main(int argc, char **argv) - print_te_results(policy, &cmd_opts, v); - fprintf(stdout, "\n"); - } -+ -+ if (cmd_opts.all || cmd_opts.type == QPOL_RULE_TYPE_TRANS) { -+ apol_vector_destroy(&v); -+ if (perform_ft_query(policy, &cmd_opts, &v)) { -+ rt = 1; -+ goto cleanup; -+ } -+ -+ print_ft_results(policy, &cmd_opts, v); -+ fprintf(stdout, "\n"); -+ } -+ - apol_vector_destroy(&v); - if (perform_ra_query(policy, &cmd_opts, &v)) { - rt = 1; --- -1.7.5.4 - diff --git a/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch new file mode 100644 index 0000000..c9bacbd --- /dev/null 
+++ b/recipes-security/setools/setools/setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch
@@ -0,0 +1,34 @@
+From 74680dfb3df4c0c5b0e4bcf41717a9ea16fd8680 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Mon, 29 Sep 2014 14:19:48 -0400
+Subject: [PATCH] replcon: correct invalid prototype for lsetfilecon_raw
+
+Port debian patch from:
+
+ git://anonscm.debian.org/selinux/setools.git
+ commit a3ab84b35efd9c42641d53ec2236ad01f7411df7
+
+Upstream-Status: Denied [ the setools3 tree is in stasis and the focus is
+ only on setools4 now ]
+
+Signed-off-by: Joe MacDonald
+---
+ secmds/replcon.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/secmds/replcon.cc b/secmds/replcon.cc
+index 34f7c1a..307c39f 100644
+--- a/secmds/replcon.cc
++++ b/secmds/replcon.cc
+@@ -60,7 +60,7 @@ static struct option const longopts[] = {
+ {NULL, 0, NULL, 0}
+ };
+
+-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
+
+ /**
+ * As that setools must work with older libselinux versions that may
+--
+1.9.1
+
diff --git a/recipes-security/setools/setools_3.3.8.bb b/recipes-security/setools/setools_3.3.8.bb
index 6f3b1dd..050f4ff 100644
--- a/recipes-security/setools/setools_3.3.8.bb
+++ b/recipes-security/setools/setools_3.3.8.bb
@@ -14,7 +14,6 @@ SRC_URI[sha256sum] = "44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e3 SRC_URI += "file://setools-neverallow-rules-all-always-fail.patch" SRC_URI += "file://setools-Fix-sepol-calls-to-work-with-latest-libsepol.patch" -#SRC_URI += "file://setools-Changes-to-support-named-file_trans-rules.patch" SRC_URI += "file://setools-Don-t-check-selinux-policies-if-disabled.patch" SRC_URI += "file://setools-configure-ac.patch"
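Review bot: The `++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));` line still hand-copies libselinux's prototype beside a weak attribute, so it can drift from the library's header again, which the replaced `security_context_t` form suggests has already happened once. A comment on the declaration should record why it is declared locally and what it must track, e.g. `/* Declared weak so setools still loads on libselinux builds without lsetfilecon_raw(); keep the signature in sync with <selinux/selinux.h>. */`. Because a weak undefined reference resolves to a null address when the symbol is absent, every caller must test `lsetfilecon_raw` for NULL before calling it; the context comment below the declaration hints at such a check, but it continues outside the hunk.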
@@ -23,6 +22,8 @@ SRC_URI += "file://setools-cross-ar.patch" SRC_URI += "file://setools-Fix-test-bug-for-unary-operator.patch" SRC_URI += "file://setools-Fix-python-setools-Makefile.am-for-cross.patch" +SRC_URI += "file://setools-replcon-correct-invalid-prototype-for-lsetfilecon_ra.patch" + LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=26035c503c68ae1098177934ac0cc795 \ file://${S}/COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe \ file://${S}/COPYING.LGPL;md5=fbc093901857fcd118f065f900982c24" -- cgit v1.2.3-54-g00ecf