From d3902c823895ed3f7fe3f79a455f0e8e4d04c431 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 5 Jan 2022 16:52:02 +0800 Subject: refpolicy: upgrade 20210203+git -> 20210908+git * Update to latest git rev. * Drop obsolete and no-longer-needed patches. * Rebase patches. * Set POLICY_DISTRO from redhat to debian, which reduces the number of local patches needed. * Set max kernel policy version from 31 to 33. Signed-off-by: Yi Zhao 
Signed-off-by: Joe MacDonald --- .../refpolicy/refpolicy-minimum_git.bb | 3 +- .../refpolicy/refpolicy-targeted_git.bb | 1 + ...-volatile-alias-common-var-volatile-paths.patch | 6 +- ...icy-minimum-make-sysadmin-module-optional.patch | 6 +- ...argeted-make-unconfined_u-the-default-sel.patch | 126 +------------- ...-busybox-set-aliases-for-bin-sbin-and-usr.patch | 6 +- ...002-refpolicy-minimum-enable-nscd_use_shm.patch | 35 ---- ...efpolicy-minimum-make-xdg-module-optional.patch | 40 +++++ ...argeted-add-capability2-bpf-and-perfmon-f.patch | 52 ++++++ ...-apply-policy-to-common-yocto-hostname-al.patch | 2 +- ...003-refpolicy-minimum-enable-nscd_use_shm.patch | 35 ++++ ...ply-usr-bin-bash-context-to-bin-bash.bash.patch | 2 +- ...onf-label-resolv.conf-in-var-run-properly.patch | 2 +- ...login-apply-login-context-to-login.shadow.patch | 10 +- .../0007-fc-bind-fix-real-path-for-bind.patch | 32 ---- .../0007-fc-hwclock-add-hwclock-alternatives.patch | 25 +++ ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 23 +++ .../0008-fc-hwclock-add-hwclock-alternatives.patch | 25 --- ...-dmesg-apply-policy-to-dmesg-alternatives.patch | 23 --- ...9-fc-ssh-apply-policy-to-ssh-alternatives.patch | 28 +++ ...0-fc-ssh-apply-policy-to-ssh-alternatives.patch | 28 --- ...rk-apply-policy-to-network-commands-alter.patch | 47 +++++ ...ysnetwork-apply-policy-to-ip-alternatives.patch | 39 ----- ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 29 ++++ ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 +++ ...c-udev-apply-policy-to-udevadm-in-libexec.patch | 29 ---- ...pm-apply-rpm_exec-policy-to-cpio-binaries.patch | 27 --- ...013-fc-su-apply-policy-to-su-alternatives.patch | 27 +++ ...0014-fc-fstools-fix-real-path-for-fstools.patch | 76 +++++++++ ...014-fc-su-apply-policy-to-su-alternatives.patch | 27 --- ...0015-fc-fstools-fix-real-path-for-fstools.patch | 76 --------- ...init-fix-update-alternatives-for-sysvinit.patch | 55 ++++++ ...-brctl-apply-policy-to-brctl-alternatives.patch 
| 24 +++ ...init-fix-update-alternatives-for-sysvinit.patch | 55 ------ ...-brctl-apply-policy-to-brctl-alternatives.patch | 24 --- ...ands-apply-policy-to-nologin-alternatives.patch | 28 +++ ...ands-apply-policy-to-nologin-alternatives.patch | 28 --- ...ogin-apply-policy-to-sulogin-alternatives.patch | 25 +++ ...ogin-apply-policy-to-sulogin-alternatives.patch | 25 --- ...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 +++ ...ros-apply-policy-to-kerberos-alternatives.patch | 50 ++++++ ...-fc-ntp-apply-policy-to-ntpd-alternatives.patch | 27 --- ...ros-apply-policy-to-kerberos-alternatives.patch | 50 ------ ...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 +++++ ...fc-ldap-apply-policy-to-ldap-alternatives.patch | 40 ----- ...ql-apply-policy-to-postgresql-alternative.patch | 37 ++++ ...ql-apply-policy-to-postgresql-alternative.patch | 37 ---- ...creen-apply-policy-to-screen-alternatives.patch | 25 +++ ...creen-apply-policy-to-screen-alternatives.patch | 25 --- ...ge-apply-policy-to-usermanage-alternative.patch | 47 +++++ ...-fc-getty-add-file-context-to-start_getty.patch | 27 +++ ...ge-apply-policy-to-usermanage-alternative.patch | 45 ----- ...-fc-getty-add-file-context-to-start_getty.patch | 27 --- ...-vlock-apply-policy-to-vlock-alternatives.patch | 25 +++ ...text-for-init-scripts-and-systemd-service.patch | 64 +++++++ ...-add-file-context-to-etc-network-if-files.patch | 33 ---- ...-vlock-apply-policy-to-vlock-alternatives.patch | 25 --- ...ts.subs_dist-set-aliase-for-root-director.patch | 30 ++++ ...-fc-cron-apply-policy-to-etc-init.d-crond.patch | 25 --- ...les-system-logging-add-rules-for-the-syml.patch | 104 ++++++++++++ ...snetwork-update-file-context-for-ifconfig.patch | 31 ---- ...les-system-logging-add-rules-for-syslogd-.patch | 34 ++++ ...ts.subs_dist-set-aliase-for-root-director.patch | 30 ---- ...les-kernel-files-add-rules-for-the-symlin.patch | 102 +++++++++++ ...les-system-logging-add-rules-for-the-syml.patch | 104 ------------ 
...les-system-logging-fix-auditd-startup-fai.patch | 41 +++++ ...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 +++++ ...les-system-logging-add-rules-for-syslogd-.patch | 34 ---- ...les-kernel-files-add-rules-for-the-symlin.patch | 102 ----------- ...les-system-modutils-allow-mod_t-to-access.patch | 67 ++++++++ ...les-system-getty-allow-getty_t-to-search-.patch | 32 ++++ ...les-system-logging-fix-auditd-startup-fai.patch | 64 ------- ...les-kernel-terminal-don-t-audit-tty_devic.patch | 38 ----- ...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 45 +++++ ...les-admin-usermanage-allow-useradd-to-rel.patch | 71 ++++++++ ...les-system-modutils-allow-mod_t-to-access.patch | 67 -------- ...les-services-avahi-allow-avahi_t-to-watch.patch | 34 ---- ...les-system-systemd-enable-support-for-sys.patch | 64 +++++++ ...les-system-getty-allow-getty_t-to-search-.patch | 32 ---- ...les-system-systemd-fix-systemd-resolved-s.patch | 60 +++++++ ...les-services-bluetooth-fix-bluetoothd-sta.patch | 88 ---------- ...les-system-systemd-allow-systemd_-_t-to-g.patch | 156 +++++++++++++++++ ...les-roles-sysadm-allow-sysadm-to-run-rpci.patch | 38 ----- ...les-system-logging-fix-syslogd-failures-f.patch | 55 ++++++ ...les-services-rpc-add-capability-dac_read_.patch | 34 ---- ...modules-system-systemd-systemd-user-fixes.patch | 172 +++++++++++++++++++ ...les-services-rpcbind-allow-rpcbind_t-to-c.patch | 63 ------- ...les-system-sysnetwork-support-priviledge-.patch | 132 ++++++++++++++ ...les-services-rngd-fix-security-context-fo.patch | 65 ------- ...les-system-modutils-allow-kmod_t-to-write.patch | 34 ++++ ...les-services-ssh-allow-ssh_keygen_t-to-re.patch | 34 ---- ...les-system-systemd-allow-systemd_logind_t.patch | 43 +++++ ...les-services-ssh-make-respective-init-scr.patch | 33 ---- ...les-system-mount-make-mount_t-domain-MLS-.patch | 35 ++++ ...les-kernel-terminal-allow-loging-to-reset.patch | 31 ---- ...les-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 40 +++++ 
...les-services-rpc-make-nfsd_t-domain-MLS-t.patch | 48 ++++++ ...les-system-selinuxutil-allow-semanage_t-t.patch | 33 ---- ...les-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | 36 ++++ ...les-system-systemd-enable-support-for-sys.patch | 64 ------- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 76 +++++++++ ...les-system-systemd-fix-systemd-resolved-s.patch | 69 -------- ...les-system-init-add-capability2-bpf-and-p.patch | 37 ---- ...les-system-init-make-init_t-MLS-trusted-f.patch | 46 +++++ ...les-system-systemd-allow-systemd_logind_t.patch | 37 ---- ...les-system-systemd-make-systemd-tmpfiles_.patch | 63 +++++++ ...les-system-logging-set-label-devlog_t-to-.patch | 86 ---------- ...les-system-systemd-systemd-make-systemd_-.patch | 91 ++++++++++ ...les-system-logging-add-the-syslogd_t-to-t.patch | 37 ++++ ...dules-system-systemd-support-systemd-user.patch | 189 --------------------- ...les-system-init-make-init_t-MLS-trusted-f.patch | 33 ++++ ...les-system-systemd-allow-systemd-generato.patch | 69 -------- ...les-system-init-all-init_t-to-read-any-le.patch | 40 +++++ ...les-system-systemd-allow-systemd_backligh.patch | 35 ---- ...les-system-logging-allow-auditd_t-to-writ.patch | 39 +++++ ...les-system-logging-fix-systemd-journald-s.patch | 47 ----- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 31 ++++ ...les-services-cron-allow-crond_t-to-search.patch | 34 ---- ...les-services-crontab-allow-sysadm_r-to-ru.patch | 46 ----- ...les-system-setrans-allow-setrans_t-use-fd.patch | 30 ++++ ...les-system-sysnetwork-support-priviledge-.patch | 120 ------------- ...les-system-systemd-make-_systemd_t-MLS-tr.patch | 42 +++++ ...les-services-acpi-allow-acpid-to-watch-th.patch | 35 ---- ...les-system-logging-make-syslogd_runtime_t.patch | 48 ++++++ ...les-system-setrans-allow-setrans-to-acces.patch | 42 ----- ...les-system-modutils-allow-kmod_t-to-write.patch | 35 ---- ...les-roles-sysadm-allow-sysadm_t-to-watch-.patch | 33 ---- 
...les-system-selinux-allow-setfiles_t-to-re.patch | 44 ----- ...les-system-mount-make-mount_t-domain-MLS-.patch | 36 ---- ...les-roles-sysadm-MLS-sysadm-rw-to-clearan.patch | 41 ----- ...les-services-rpc-make-nfsd_t-domain-MLS-t.patch | 63 ------- ...les-admin-dmesg-make-dmesg_t-MLS-trusted-.patch | 36 ---- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 77 --------- ...les-system-init-make-init_t-MLS-trusted-f.patch | 46 ----- ...les-system-systemd-make-systemd-tmpfiles_.patch | 63 ------- ...les-system-logging-add-the-syslogd_t-to-t.patch | 37 ---- ...les-system-init-make-init_t-MLS-trusted-f.patch | 33 ---- ...les-system-init-all-init_t-to-read-any-le.patch | 40 ----- ...les-system-logging-allow-auditd_t-to-writ.patch | 39 ----- ...les-kernel-kernel-make-kernel_t-MLS-trust.patch | 32 ---- ...les-system-systemd-make-systemd-logind-do.patch | 42 ----- ...les-system-systemd-systemd-user-sessions-.patch | 41 ----- ...les-system-systemd-systemd-make-systemd_-.patch | 162 ------------------ ...les-services-ntp-make-nptd_t-MLS-trusted-.patch | 40 ----- ...les-system-setrans-allow-setrans_t-use-fd.patch | 30 ---- ...les-services-acpi-make-acpid_t-domain-MLS.patch | 35 ---- ...les-services-avahi-make-avahi_t-MLS-trust.patch | 29 ---- ...les-services-bluetooth-make-bluetooth_t-d.patch | 36 ---- ...les-system-sysnetwork-make-dhcpc_t-domain.patch | 38 ----- ...les-services-inetd-make-inetd_t-domain-ML.patch | 36 ---- ...les-services-bind-make-named_t-domain-MLS.patch | 38 ----- ...les-services-rpc-make-rpcd_t-MLS-trusted-.patch | 36 ---- ...les-system-systemd-make-_systemd_t-MLS-tr.patch | 42 ----- ...rmanage-update-file-context-for-chfn-chsh.patch | 34 ---- recipes-security/refpolicy/refpolicy_common.inc | 148 +++++++--------- recipes-security/refpolicy/refpolicy_git.inc | 4 +- 156 files changed, 2986 insertions(+), 4194 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch create mode 100644 
recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch create mode 100644 recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch create mode 100644 recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch create mode 100644 recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch create mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch create mode 100644 recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch delete mode 100644 
recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch create mode 100644 recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch create mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch delete mode 100644 
recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch create mode 100644 recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch create mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch create mode 100644 recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch create mode 100644 recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch create mode 100644 recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch create mode 100644 recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch create mode 100644 
recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch create mode 100644 recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch create mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch create mode 100644 recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch create mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch create mode 100644 recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch create mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch create mode 100644 recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch create mode 100644 
recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch create mode 100644 recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch create mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch create mode 100644 recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch create mode 100644 recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch create mode 100644 recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch create mode 100644 recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch create mode 100644 recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch create mode 100644 
recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch create mode 100644 recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch create mode 100644 recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch create mode 100644 recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch create mode 100644 recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch create mode 100644 recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch create mode 100644 recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch create mode 100644 recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch create mode 100644 recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch delete mode 100644 
recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch create mode 100644 recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch create mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch create mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch create mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch create mode 100644 recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch create mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch delete mode 100644 
recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch delete mode 100644 recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch delete mode 100644 
recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb
index c4c9031..2e95b9f 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_git.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb
@@ -13,7 +13,8 @@ domains are unconfined. \
 SRC_URI += " \
 file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \
- file://0002-refpolicy-minimum-enable-nscd_use_shm.patch \
+ file://0002-refpolicy-minimum-make-xdg-module-optional.patch \
+ file://0003-refpolicy-minimum-enable-nscd_use_shm.patch \
 "
 POLICY_NAME = "minimum"
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb
index de81d46..15226db 100644
--- a/recipes-security/refpolicy/refpolicy-targeted_git.bb
+++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb
@@ -14,4 +14,5 @@ include refpolicy_${PV}.inc
 SRC_URI += " \
 file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
+ file://0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch \
 "
diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
index 9f85980..c3a03f3 100644
--- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -1,4 +1,4 @@
-From 8a6052604e4f39ef9cbab62372006bc6f736dbed Mon Sep 17 00:00:00 2001
+From d39f2ddbfcfd6e224a50bf327a7bd0031d74d0c6 Mon Sep 17 00:00:00 2001
 From: Joe MacDonald
 Date: Thu, 28 Mar 2019 16:14:09 -0400
 Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths
@@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao
 1 file changed, 6 insertions(+)
 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
-index 653d25d93..652e1dd35 100644
+index ba22ce7e7..23d4328f7 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -32,3 +32,9 @@
+@@ -33,3 +33,9 @@
 # not for refpolicy intern, but for /var/run using applications,
 # like systemd tmpfiles or systemd socket configurations
 /var/run /run
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch
index d300edd..f607cbb 100644
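Review bot: The capability2 bpf/perfmon grant is now carried only by the targeted flavour via the new `0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch`, while the file list in this commit deletes the previous shared patch `0051-policy-modules-system-init-add-capability2-bpf-and-p.patch`, so the other flavours (presumably built from the same refpolicy_common.inc patch list) silently lose that permission. Narrowing the grant to the targeted policy is the tighter least-privilege outcome if only its unconfined domains need it, but neither the commit message nor this recipe says so, and the receiving domain is not visible here since the patch name is truncated at `-f`. I would add a one-line comment above the new SRC_URI entry, `# bpf/perfmon capability2 grant is targeted-only; other flavours stay confined`, and note the move in the commit message so a later bpf or perf denial on a non-targeted image can be traced back to this change.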
--- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch @@ -1,4 +1,4 @@ -From dc757d6df2314d82029b23b409df8de22a4df45e Mon Sep 17 00:00:00 2001 +From 669293ddf351f231b34979a7d708601ccbd11930 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 5 Apr 2019 11:53:28 -0400 Subject: [PATCH] refpolicy-minimum: make sysadmin module optional @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index aa57a5661..9b03d3767 100644 +index 5a19f0e43..1f4a671dc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -527,13 +527,15 @@ ifdef(`init_systemd',` +@@ -556,13 +556,15 @@ ifdef(`init_systemd',` unconfined_write_keys(init_t) ') ',` diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index 89bc68e..9939b59 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch @@ -1,4 +1,4 @@ -From 7ff6cf3766a672c4f2b7bd0dc5efa296bd6aba51 Mon Sep 17 00:00:00 2001 +From bf7b74e7c38b546e162eb5a3bd4774e3d84d593d Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 20 Apr 2020 11:50:03 +0800 Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux 
@@ -8,9 +8,6 @@ For targeted policy type, we define unconfined_u as the default selinux user for root and normal users, so users could login in and run most commands and services on unconfined domains. -Also add rules for users to run init scripts directly, instead of via -run_init. - Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang @@ -18,13 +15,11 @@ Signed-off-by: Joe MacDonald Signed-off-by: Wenzong Fan Signed-off-by: Yi Zhao --- - config/appconfig-mcs/failsafe_context | 2 +- - config/appconfig-mcs/seusers | 4 +-- - policy/modules/roles/sysadm.te | 1 + - policy/modules/system/init.if | 42 +++++++++++++++++++++++---- - policy/modules/system/unconfined.te | 7 +++++ - policy/users | 6 ++-- - 6 files changed, 50 insertions(+), 12 deletions(-) + config/appconfig-mcs/failsafe_context | 2 +- + config/appconfig-mcs/seusers | 4 ++-- + policy/modules/system/unconfined.te | 5 +++++ + policy/users | 6 +++--- + 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context index 999abd9a3..a50bde775 100644 
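Review bot: The description hunk drops the sentence about letting users run init scripts directly instead of via run_init, and the diffstat hunk drops sysadm.te and init.if while unconfined.te shrinks from 7 to 5 added lines, so the targeted patch no longer adds `init_script_role_transition(sysadm_r)` nor widens `init_spec_domtrans_script` from `initrc_exec_t` to the whole `init_script_file_type` attribute; the commit message only says obsolete patches were dropped, so it is unclear whether upstream 20210908 now provides this or whether sysadm_r on a targeted image intentionally loses the direct init-script path. The narrowing is the safer direction (the removed attribute-wide domtrans let any file labelled with an init_script_file_type type transition into initrc_t), but it is a behaviour change and belongs in the patch description, e.g. `The init-script role/domain transition rules were dropped; with unconfined_u as the default user they are no longer needed`, if that is indeed the reason. The hunk that removes the sysadm.te and init.if changes themselves starts on the next line and runs past this chunk.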
@@ -42,106 +37,8 @@ index ce614b41b..c0903d98b 100644 -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index ce7d77d31..1aff2c31a 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -53,6 +53,7 @@ ubac_fd_exempt(sysadm_t) - - init_exec(sysadm_t) - init_admin(sysadm_t) -+init_script_role_transition(sysadm_r) - - # Add/remove user home directories - userdom_manage_user_home_dirs(sysadm_t) -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 98e94283f..eb6d5b32d 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -1821,11 +1821,12 @@ interface(`init_script_file_entry_type',` - # - interface(`init_spec_domtrans_script',` - gen_require(` -- type initrc_t, initrc_exec_t; -+ type initrc_t; -+ attribute init_script_file_type; - ') - - files_list_etc($1) -- spec_domtrans_pattern($1, initrc_exec_t, initrc_t) -+ spec_domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`distro_gentoo',` - gen_require(` -@@ -1836,11 +1837,11 @@ interface(`init_spec_domtrans_script',` - ') - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - -@@ -1857,17 +1858,18 @@ interface(`init_spec_domtrans_script',` - interface(`init_domtrans_script',` - gen_require(` - type initrc_t, initrc_exec_t; -+ attribute init_script_file_type; - ') - - files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) - - ifdef(`enable_mcs',` -- range_transition $1 initrc_exec_t:process s0; -+ range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` -- range_transition $1 initrc_exec_t:process s0 - 
mls_systemhigh; -+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - -@@ -3532,3 +3534,31 @@ interface(`init_getrlimit',` - - allow $1 init_t:process getrlimit; - ') -+ -+######################################## -+## -+## Transition to system_r when execute an init script -+## -+## -+##

-+## Execute a init script in a specified role -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##
-+## -+## -+## Role to transition from. -+## -+## -+# -+interface(`init_script_role_transition',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ role_transition $1 init_script_file_type system_r; -+') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 385c88695..87adb7e9d 100644 +index 4972094cb..b6d769412 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; @@ -156,15 +53,6 @@ index 385c88695..87adb7e9d 100644 ######################################## # -@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f - ifdef(`direct_sysadm_daemon',` - optional_policy(` - init_run_daemon(unconfined_t, unconfined_r) -+ init_domtrans_script(unconfined_t) -+ init_script_role_transition(unconfined_r) - ') - ',` - ifdef(`distro_gentoo',` diff --git a/policy/users b/policy/users index ca203758c..e737cd9cc 100644 --- a/policy/users diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch index 5907c4d..d2b8139 100644 --- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch @@ -1,4 +1,4 @@ -From 0ee7bc5f28ffae30b1a1f40edd96cfed993db667 Mon Sep 17 00:00:00 2001 +From 974befcafcee1377e122f19a4182f74eea757158 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 20:48:10 -0400 Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 1 file changed, 6 insertions(+) diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 652e1dd35..a38d58e16 100644 +index 23d4328f7..690007f22 100644 
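Review bot: The rebased patch drops `init_domtrans_script(unconfined_t)`, `init_script_role_transition(unconfined_r)` and the whole `init_script_role_transition` interface, and the description sentence about running init scripts directly is removed with them, but neither the patch nor the commit message says what now covers that case. Unless upstream 20210908 or the `POLICY_DISTRO=debian` switch provides an equivalent, an `unconfined_r` user launching an init script under `direct_sysadm_daemon` would no longer get the `system_r` role transition this patch used to add. A line in the patch description such as `The init-script role transition was dropped because <reason>` would make that behaviour change auditable. The `unconfined.te` hunk `@@ -20,6 +20,11 @@` is only partly visible here, so its remaining added lines were not reviewed.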
--- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist -@@ -38,3 +38,9 @@ +@@ -39,3 +39,9 @@ # volatile hierarchy. /var/volatile/log /var/log /var/volatile/tmp /var/tmp diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch deleted file mode 100644 index 5598c70..0000000 --- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d71b79cc9b174181934d588f64baa5637c8e85d1 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 26 Feb 2021 09:13:23 +0800 -Subject: [PATCH] policy/modules/services/nscd: enable nscd_use_shm - -Fixes: -avc: denied { listen } for pid=199 comm="systemd-resolve" -path="/run/systemd/resolve/io.systemd.Resolve" -scontext=system_u:system_r:systemd_resolved_t:s0 -tcontext=system_u:system_r:systemd_resolved_t:s0 -tclass=unix_stream_socket permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/nscd.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te -index ada67edb1..9801fc228 100644 ---- a/policy/modules/services/nscd.te -+++ b/policy/modules/services/nscd.te -@@ -15,7 +15,7 @@ gen_require(` - ## can use nscd shared memory. - ##

- ## --gen_tunable(nscd_use_shm, false) -+gen_tunable(nscd_use_shm, true) - - attribute_role nscd_roles; - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch new file mode 100644 index 0000000..84764e5 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch @@ -0,0 +1,40 @@ +From 1ff0e212ce737bba59d90977a58a15250bc84ea9 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 29 Sep 2021 11:08:49 +0800 +Subject: [PATCH] refpolicy-minimum: make xdg module optional + +The systemd module invokes xdg_config_content and xdg_data_content +interfaces which are from xdg module. Since xdg is not a core module, we +could make it optional in minimum policy. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 8cea6baa1..218834495 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -276,10 +276,14 @@ files_type(systemd_update_run_t) + + type systemd_conf_home_t; + init_unit_file(systemd_conf_home_t) +-xdg_config_content(systemd_conf_home_t) ++optional_policy(` ++ xdg_config_content(systemd_conf_home_t) ++') + + type systemd_data_home_t; +-xdg_data_content(systemd_data_home_t) ++optional_policy(` ++ xdg_data_content(systemd_data_home_t) ++') + + type systemd_user_runtime_notify_t; + userdom_user_runtime_content(systemd_user_runtime_notify_t) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch new file mode 100644 index 0000000..e4c081d 
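Review bot: In the `systemd.te` hunk, once `xdg_data_content(systemd_data_home_t)` is wrapped in `optional_policy`, a minimum build without the xdg module leaves `systemd_data_home_t` as a bare declared type with nothing else applied to it inside the hunk, so unless another line of systemd.te gives it a file attribute, objects labelled with it would be unreachable by any domain (assuming `xdg_data_content` is what supplies `files_type`, which is not visible here). `systemd_conf_home_t` is less affected because it still gets `init_unit_file`. Consider adding `files_type(systemd_data_home_t)` before the optional block, or at least a comment such as `# xdg is not a core module; without it systemd_data_home_t gets no file attribute` so the trade-off is recorded. The patch description could also name the modules.conf entry that drops xdg for the minimum policy, so it is clear when the optional block is actually exercised.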
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
@@ -0,0 +1,52 @@
+From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Wed, 29 Sep 2021 16:43:54 +0800
+Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
+ unconfined_t
+
+Fixes:
+avc: denied { bpf } for pid=433 comm="systemd" capability=39
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+avc: denied { perfmon } for pid=433 comm="systemd" capability=38
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
+subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
+denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0
+hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
+UID="root" GID="root" SAUID="root"
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/unconfined.if | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index a139cfe78..807e959c3 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
+ files_start_etc_service($1)
+ files_stop_etc_service($1)
+
++ ifdef(`init_systemd',`
++ allow $1 self:capability2 { bpf perfmon };
++ allow $1 self:system reload;
++ ')
++
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+--
+2.17.1
+
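Review bot: The new `allow $1 self:capability2 { bpf perfmon };` and `allow $1 self:system reload;` are placed inside `unconfined_domain_noaudit`, so every domain that calls that interface gains CAP_BPF, CAP_PERFMON and unit reload, whereas the denials quoted in the description all come from one subject, `comm="systemd"` in `unconfined_u:unconfined_r:unconfined_t` (presumably a `systemd --user` instance). If only the targeted policy's `unconfined_t` needs this, scoping the lines to that domain in `policy/modules/system/unconfined.te` would leave the shared interface untouched; if the interface really is the intended place, a comment such as `# systemd --user running in an unconfined domain loads BPF programs and reloads units` above the `ifdef` would record why. `Upstream-Status: Inappropriate [embedded specific]` also looks doubtful here, since nothing in the added rules depends on the embedded target, so the change may be a candidate for upstream rather than a carried patch.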
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch index db3f9c3..6596e76 100644 --- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch @@ -1,4 +1,4 @@ -From e0c34d0feb5305b1397f252d698501b641277517 Mon Sep 17 00:00:00 2001 +From 9c6f3c5acc01607a67277f69faa67e34dc98232b Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fc/hostname: apply policy to common yocto hostname diff --git a/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch new file mode 100644 index 0000000..edf9caa --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0003-refpolicy-minimum-enable-nscd_use_shm.patch @@ -0,0 +1,35 @@ +From 5f992b59a74cc6cde8fd20162a11065dc30fd7ab Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 26 Feb 2021 09:13:23 +0800 +Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm + +Fixes: +avc: denied { listen } for pid=199 comm="systemd-resolve" +path="/run/systemd/resolve/io.systemd.Resolve" +scontext=system_u:system_r:systemd_resolved_t:s0 +tcontext=system_u:system_r:systemd_resolved_t:s0 +tclass=unix_stream_socket permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/nscd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te +index ada67edb1..9801fc228 100644 +--- a/policy/modules/services/nscd.te ++++ b/policy/modules/services/nscd.te +@@ -15,7 +15,7 @@ gen_require(` + ## can use nscd shared memory. + ##

+ ## +-gen_tunable(nscd_use_shm, false) ++gen_tunable(nscd_use_shm, true) + + attribute_role nscd_roles; + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index 4a6d5eb..cf333f1 100644 --- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch @@ -1,4 +1,4 @@ -From 8d2c24bc1e2ef8ddf3cf7a08297cfab8a8a92b0d Mon Sep 17 00:00:00 2001 +From bbc8b58fe5fe709dfadbffc86e17ebd2d76a257c Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:37:32 -0400 Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index cb36ac4..078c246 100644 --- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch @@ -1,4 +1,4 @@ -From 85a77289d193bb3335c78f6d51b4ae2b81249952 Mon Sep 17 00:00:00 2001 +From 3cccdec2aaa273ca09100ca957f4968a25f4f3a3 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 4 Apr 2019 10:45:03 -0400 Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch index 30bbe07..b4747f7 100644 --- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch 
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch @@ -1,4 +1,4 @@ -From 253ab75676232be5522fc628b0819d0c48a08c03 Mon Sep 17 00:00:00 2001 +From 9a1e1c7b65cb3f5ab97ce05463ca02a3eaa57d86 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:43:53 -0400 Subject: [PATCH] fc/login: apply login context to login.shadow @@ -12,17 +12,17 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 7fd315706..fa86d6f92 100644 +index 50efcff7b..5cb48882c 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -5,6 +5,7 @@ - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +@@ -6,6 +6,7 @@ + /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0) -- 2.17.1 diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch deleted file mode 100644 index 351b30e..0000000 --- a/recipes-security/refpolicy/refpolicy/0007-fc-bind-fix-real-path-for-bind.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 7e61e5d715451bafd785ec7db01e24e726e31c35 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Thu, 28 Mar 2019 21:58:53 -0400 -Subject: [PATCH] fc/bind: fix real path for bind - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/services/bind.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc -index ce68a0af9..585103eb9 100644 ---- a/policy/modules/services/bind.fc -+++ b/policy/modules/services/bind.fc -@@ -1,8 +1,10 @@ - /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - - /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) - /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) -+/etc/bind/rndc\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) - /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) - /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch new file mode 100644 index 0000000..33f6a10 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch 
@@ -0,0 +1,25 @@
+From 73716015ab28a9474912902e9467f2d2a864ecd0 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 301965892..139485835 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,4 @@
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+ /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100644
index 0000000..5f2ffdf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,23 @@
+From 504e8429500ab0984adfd52bb09a3e993b87f2f1 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 08:26:55 -0400
+Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/dmesg.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index e52fdfcf8..526b92ed2 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1 +1,2 @@
+ /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch deleted file mode 100644 index 75c8e7f..0000000 --- a/recipes-security/refpolicy/refpolicy/0008-fc-hwclock-add-hwclock-alternatives.patch +++ /dev/null @@ -1,25 +0,0 @@ -From c7e69aa036d16a57709684fd2f72959f9a4ac251 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Thu, 28 Mar 2019 21:59:18 -0400 -Subject: [PATCH] fc/hwclock: add hwclock alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/clock.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc -index 301965892..139485835 100644 ---- a/policy/modules/system/clock.fc -+++ b/policy/modules/system/clock.fc -@@ -3,3 +3,4 @@ - /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) - - /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) -+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch deleted file mode 100644 index 3c939de..0000000 --- a/recipes-security/refpolicy/refpolicy/0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 0fe5ae0d1b5f4268b04ba6c6134324385bb630a2 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 08:26:55 -0400 -Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/admin/dmesg.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc -index e52fdfcf8..526b92ed2 100644 ---- a/policy/modules/admin/dmesg.fc -+++ b/policy/modules/admin/dmesg.fc -@@ -1 +1,2 @@ - /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch new file mode 100644 index 0000000..585850b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch 
@@ -0,0 +1,28 @@
+From 8ad451ceff2ba4ea26290a7ba9918406a90bb10f Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 09:20:58 -0400
+Subject: [PATCH] fc/ssh: apply policy to ssh alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/ssh.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 60060c35c..518043a9b 100644
+--- a/policy/modules/services/ssh.fc
++++ b/policy/modules/services/ssh.fc
+@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+ /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+
+ /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+ /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
+ /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
+ /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch
deleted file mode 100644
index 2a89acc..0000000
--- a/recipes-security/refpolicy/refpolicy/0010-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -From e2d9462c5f26dc02f7d547548d8a94bfd79ea88f Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 09:20:58 -0400 -Subject: [PATCH] fc/ssh: apply policy to ssh alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/services/ssh.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 60060c35c..518043a9b 100644 ---- a/policy/modules/services/ssh.fc -+++ b/policy/modules/services/ssh.fc -@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) - /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) - - /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) -+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) - /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) - /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) - /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch new file mode 100644 index 0000000..0621923 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch 
@@ -0,0 +1,47 @@ +From c85fd7d9c45770b31de44bb35521e2251882df10 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Tue, 9 Jun 2015 21:22:52 +0530 +Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/sysnetwork.fc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index c9ec4e5ab..4ca151524 100644 +--- a/policy/modules/system/sysnetwork.fc ++++ b/policy/modules/system/sysnetwork.fc +@@ -44,6 +44,7 @@ ifdef(`distro_redhat',` + /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +@@ -60,13 +61,16 @@ ifdef(`distro_redhat',` + /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/iw 
-- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch deleted file mode 100644 index 9d7d71c..0000000 --- a/recipes-security/refpolicy/refpolicy/0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch +++ /dev/null 
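Review bot: In the `sysnetwork.fc` hunk the `/usr/bin` block only gains `ifconfig\.net-tools`, while the `/usr/sbin` block gains `ifconfig\.net-tools`, `ip\.iproute2` and `mii-tool\.net-tools`, even though `/usr/bin/ip` already appears as context in the same hunk. If the `/usr/bin` entries exist for merged-usr layouts, `/usr/bin/ip\.iproute2` and `/usr/bin/mii-tool\.net-tools` are presumably needed for the same alternatives; otherwise the alternative target keeps the generic `/usr/bin` label and running `ip` through it would not enter `ifconfig_t`. Either add the two lines next to `/usr/bin/ifconfig\.net-tools`, or state in the patch description that the Yocto packages install these tools only under `/sbin`.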
@@ -1,39 +0,0 @@ -From dc3edc3b65dccf57d4cb22eb220498c2a5d9685f Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Tue, 9 Jun 2015 21:22:52 +0530 -Subject: [PATCH] fc/sysnetwork: apply policy to ip alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Shrikant Bobade -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/sysnetwork.fc | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index c9ec4e5ab..c3291962d 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -60,13 +60,16 @@ ifdef(`distro_redhat',` - /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - --- -2.17.1 - 
diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
new file mode 100644
index 0000000..cc3e529
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch
@@ -0,0 +1,29 @@
+From aa2635a54f9c36205ebc469f799a56ece01ac610 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 09:36:08 -0400
+Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/udev.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index 7898ff01c..bc717e60c 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
++/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
++
+ ifdef(`distro_redhat',`
+ /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ ')
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
new file mode 100644
index 0000000..b039f53
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
@@ -0,0 +1,27 @@
+From faf757c732c9a022499b584cea64ce1fcc78e118 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 29 Mar 2019 09:54:07 -0400
+Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/rpm.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
+index aaf530c2b..618b18cec 100644
+--- a/policy/modules/admin/rpm.fc
++++ b/policy/modules/admin/rpm.fc
+@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
+
+ ifdef(`enable_mls',`
+ /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ ')
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 0bb05e3..0000000
--- a/recipes-security/refpolicy/refpolicy/0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9afd44d1300bc858c1569344fc1271e0468edad9 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index c88189fb7..ad4c0bba2 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index 55f0444..0000000
--- a/recipes-security/refpolicy/refpolicy/0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 79e58207060c25d5f2484ed164ab74413d00792a Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/rpm.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index aaf530c2b..618b18cec 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -66,4 +66,6 @@ ifdef(`distro_redhat',`
-
- ifdef(`enable_mls',`
- /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
new file mode 100644
index 0000000..14c7d5b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0013-fc-su-apply-policy-to-su-alternatives.patch
@@ -0,0 +1,27 @@
+From 52853ae9ee13038c5ffae8616858c442d412a2b8 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Thu, 13 Feb 2014 00:33:07 -0500
+Subject: [PATCH] fc/su: apply policy to su alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/su.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 3375c9692..a9868cd58 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -1,3 +1,5 @@
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
new file mode 100644
index 0000000..c2e0ca8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-fstools-fix-real-path-for-fstools.patch
@@ -0,0 +1,76 @@
+From 4f3a637c0385204c0b87806d158e106fb9f88972 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Mon, 27 Jan 2014 03:54:01 -0500
+Subject: [PATCH] fc/fstools: fix real path for fstools
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan
+Signed-off-by: Shrikant Bobade
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/fstools.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index d871294e8..bef711850 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -59,7 +59,9 @@
+ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -73,10 +75,12 @@
+ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm\.hdparm -- 
gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -84,24 +88,30 @@
+ /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff\.util-linux -- 
gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch
deleted file mode 100644
index 8d1c9aa..0000000
--- a/recipes-security/refpolicy/refpolicy/0014-fc-su-apply-policy-to-su-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From a1281be5b894c0c6dc3471a1e6b6c910bab7aa46 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH] fc/su: apply policy to su alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/su.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c9692..a9868cd58 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,5 @@
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch
deleted file mode 100644
index a9fbe33..0000000
--- a/recipes-security/refpolicy/refpolicy/0015-fc-fstools-fix-real-path-for-fstools.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 02f6557320c60d895397650a59c39708c8e63d27 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Mon, 27 Jan 2014 03:54:01 -0500
-Subject: [PATCH] fc/fstools: fix real path for fstools
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Shrikant Bobade
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/system/fstools.fc | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index d871294e8..bef711850 100644
---- a/policy/modules/system/fstools.fc
-+++ b/policy/modules/system/fstools.fc
-@@ -59,7 +59,9 @@
- /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -73,10 +75,12 @@
- /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/hdparm\.hdparm -- 
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -84,24 +88,30 @@
- /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/swapoff\.util-linux -- 
gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
new file mode 100644
index 0000000..b3ab0cc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -0,0 +1,55 @@
+From e1439aa43af6ef15b35eac3cdbf0cea561768362 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Joe MacDonald
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/shutdown.fc | 1 +
+ policy/modules/kernel/corecommands.fc | 2 ++
+ policy/modules/system/init.fc | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index bf51c103f..91ed72be0 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -5,5 +5,6 @@
+ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 9187e50af..0ecabe34e 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
+ /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 63cf195e6..5268bddb2 100644
+--- 
a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
new file mode 100644
index 0000000..b9812b7
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -0,0 +1,24 @@
+From 274066b3397b53d63134aee94a0148d9c7d1886d Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:19:54 +0800
+Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/brctl.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
+index ed472f095..2a852b0fd 100644
+--- a/policy/modules/admin/brctl.fc
++++ b/policy/modules/admin/brctl.fc
+@@ -1,3 +1,4 @@
+ /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+
+ /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch
deleted file mode 100644
index a2e5762..0000000
--- a/recipes-security/refpolicy/refpolicy/0016-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From f7860456e3867e6d9c24a7e07bc9e518f65ec478 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang
-Signed-off-by: Joe MacDonald
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/shutdown.fc | 1 +
- policy/modules/kernel/corecommands.fc | 2 ++
- policy/modules/system/init.fc | 1 +
- 3 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index bf51c103f..91ed72be0 100644
---- a/policy/modules/admin/shutdown.fc
-+++ b/policy/modules/admin/shutdown.fc
-@@ -5,5 +5,6 @@
- /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
-
- /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 9187e50af..0ecabe34e 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -151,6 +151,8 @@ ifdef(`distro_gentoo',`
- /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0)
- /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 63cf195e6..5268bddb2 100644
---- 
a/policy/modules/system/init.fc
-+++ b/policy/modules/system/init.fc
-@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
- /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
-
- /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
-+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
- /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
- /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch
deleted file mode 100644
index 9da5acc..0000000
--- a/recipes-security/refpolicy/refpolicy/0017-fc-brctl-apply-policy-to-brctl-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 3a83de3883d0e287c0b6647e87a93d2cdc48aa10 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:19:54 +0800
-Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/brctl.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
-index ed472f095..2a852b0fd 100644
---- a/policy/modules/admin/brctl.fc
-+++ b/policy/modules/admin/brctl.fc
-@@ -1,3 +1,4 @@
- /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
-
- /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
-+/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
new file mode 100644
index 0000000..e0ddc5e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -0,0 +1,28 @@
+From ab0267f77e38bcda797cfe00ba6fa49ba89e334a Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:21:51 +0800
+Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/kernel/corecommands.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 0ecabe34e..e27e701ef 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -304,6 +304,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch
deleted file mode 100644
index 4c1ac26..0000000
--- a/recipes-security/refpolicy/refpolicy/0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 5219bc4e0b3147455fecb1485e8387573207070c Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:21:51 +0800
-Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/corecommands.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0ecabe34e..e27e701ef 100644
---- a/policy/modules/kernel/corecommands.fc
-+++ b/policy/modules/kernel/corecommands.fc
-@@ -304,6 +304,8 @@ ifdef(`distro_debian',`
- /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
- /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
new file mode 100644
index 0000000..2fe3740
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -0,0 +1,25 @@
+From cfb86acce9fe9da9b88c853c0b22d48d99602fbb Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:43:28 +0800
+Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/locallogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index fc8d58507..59e6e9601 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -2,4 +2,5 @@
+ /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+
+ /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
deleted file mode 100644
index acd2663..0000000
--- a/recipes-security/refpolicy/refpolicy/0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 2b3b5d43040e939e836ea5c9803f0b27641e50a4 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 15 Nov 2019 10:43:28 +0800
-Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/locallogin.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index fc8d58507..59e6e9601 100644
---- a/policy/modules/system/locallogin.fc
-+++ b/policy/modules/system/locallogin.fc
-@@ -2,4 +2,5 @@
- /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-
- /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
-+/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
- /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
new file mode 100644
index 0000000..4b046ce
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -0,0 +1,27 @@
+From e159e70b533b500390337ec666d678c7424afb90 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:45:23 +0800
+Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/ntp.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index cd69ea5d5..49ffe6f68 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -25,6 +25,7 @@
+ /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+
+ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
new file mode 100644
index 0000000..9d2e6fa
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -0,0 +1,50 @@
+From 95797c20fb68558b9f37ded3f1cc9a4ef09717f9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 15 Nov 2019 10:55:05 +0800
+Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/services/kerberos.fc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
+index df21fcc78..ce0166edd 100644
+--- a/policy/modules/services/kerberos.fc
++++ b/policy/modules/services/kerberos.fc
+@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+
+ /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+
+ /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+ /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
+
+ /usr/local/var/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0)
+ /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+ /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+
++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++
+ /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+ /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch
deleted file mode 100644
index c40413a..0000000
--- a/recipes-security/refpolicy/refpolicy/0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@ -From 5308969204d535391cb766ba5aa4b5479f64248c Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:45:23 +0800 -Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ntp.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc -index cd69ea5d5..49ffe6f68 100644 ---- a/policy/modules/services/ntp.fc -+++ b/policy/modules/services/ntp.fc -@@ -25,6 +25,7 @@ - /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - - /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -+/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch deleted file mode 100644 index 8d9ccd8..0000000 --- a/recipes-security/refpolicy/refpolicy/0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 89a54472ea0195ec19c291374e88e55b40107ff8 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 10:55:05 +0800 -Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/kerberos.fc | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index df21fcc78..ce0166edd 100644 ---- a/policy/modules/services/kerberos.fc -+++ b/policy/modules/services/kerberos.fc -@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - - /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) - /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - - /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) - /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - - /usr/local/var/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -+/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ - /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) - /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) - /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch new file mode 100644 index 0000000..e0b7b9e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0021-fc-ldap-apply-policy-to-ldap-alternatives.patch 
@@ -0,0 +1,40 @@ +From 6b43af067ec45bce1b7059fc549e246f53311d3a Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:06:13 +0800 +Subject: [PATCH] fc/ldap: apply policy to ldap alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/ldap.fc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc +index 0a1d08d0f..65b202962 100644 +--- a/policy/modules/services/ldap.fc ++++ b/policy/modules/services/ldap.fc +@@ -1,8 +1,10 @@ + /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) + /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) + + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + + /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +@@ -25,6 +27,9 @@ + /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) + /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) + ++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) ++ + /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0) + /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0) + /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch deleted file mode 100644 index c88dcd9..0000000 --- a/recipes-security/refpolicy/refpolicy/0022-fc-ldap-apply-policy-to-ldap-alternatives.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 1130a43390bf41adb7747d0cc62c85c4320806cb Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:06:13 +0800 -Subject: [PATCH] fc/ldap: apply policy to ldap alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ldap.fc | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index 0a1d08d0f..65b202962 100644 ---- a/policy/modules/services/ldap.fc -+++ b/policy/modules/services/ldap.fc -@@ -1,8 +1,10 @@ - /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) - /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) - /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) - - /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) - - /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - -@@ -25,6 +27,9 @@ - /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) - /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) - -+/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) -+ - /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0) - /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0) - /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch new file mode 100644 index 0000000..4a1a2dc --- /dev/null 
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch @@ -0,0 +1,37 @@ +From 5f664c3a38853129fa1703032822c203dbeaf0a6 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:13:16 +0800 +Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/postgresql.fc | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc +index f31a52cf8..f9bf46870 100644 +--- a/policy/modules/services/postgresql.fc ++++ b/policy/modules/services/postgresql.fc +@@ -27,6 +27,17 @@ + /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) + ++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) ++ + ifdef(`distro_redhat', ` + /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + ') +-- +2.17.1 + 
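Review bot: `pg_resetxlog` and `pg_xlogdump` were renamed `pg_resetwal` and `pg_waldump` in PostgreSQL 10, so on a current image the `/usr/bin/pg_resetxlog` and `/usr/bin/pg_xlogdump` lines match nothing and the tools that replaced them stay `bin_t`; add `/usr/bin/pg_resetwal -- gen_context(system_u:object_r:postgresql_exec_t,s0)` and `/usr/bin/pg_waldump -- gen_context(system_u:object_r:postgresql_exec_t,s0)` alongside the old names (which PostgreSQL version the image ships is not visible here). More generally, `pg_basebackup`, `pg_controldata` and `pg_xlogdump` are client or inspection utilities, unlike the `postgres`/`postmaster` entries the context lines show upstream labeling, and giving them the server's entry-point type `postgresql_exec_t` means any domain with a transition rule on that type runs them with the full server domain; the patch description should either justify that or leave them as `bin_t`.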
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch deleted file mode 100644 index ddd78b0..0000000 --- a/recipes-security/refpolicy/refpolicy/0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 184f1dfe4cbff9c5ff2cbe865d4e7427f100ff59 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:13:16 +0800 -Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/postgresql.fc | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index f31a52cf8..f9bf46870 100644 ---- a/policy/modules/services/postgresql.fc -+++ b/policy/modules/services/postgresql.fc -@@ -27,6 +27,17 @@ - /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) - /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) - -+/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) -+/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) -+ - ifdef(`distro_redhat', ` - /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - ') --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch new file mode 100644 index 0000000..9ae9435 
--- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0023-fc-screen-apply-policy-to-screen-alternatives.patch @@ -0,0 +1,25 @@ +From 2d1634127f8f5c9ec98f866711b8d15b7df815d1 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:15:33 +0800 +Subject: [PATCH] fc/screen: apply policy to screen alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/apps/screen.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc +index e51e01d97..238dc263e 100644 +--- a/policy/modules/apps/screen.fc ++++ b/policy/modules/apps/screen.fc +@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) + /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) + + /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) + /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch deleted file mode 100644 index 7ae54d9..0000000 --- a/recipes-security/refpolicy/refpolicy/0024-fc-screen-apply-policy-to-screen-alternatives.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From e114e09928232dd9eed568a4717dca2094f6e4ad Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:15:33 +0800 -Subject: [PATCH] fc/screen: apply policy to screen alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/apps/screen.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc -index e51e01d97..238dc263e 100644 ---- a/policy/modules/apps/screen.fc -+++ b/policy/modules/apps/screen.fc -@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) - /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) - - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) - /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch new file mode 100644 index 0000000..2dbdcf4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch 
@@ -0,0 +1,47 @@ +From 2323a6ab69c4a74ab127c16e38f14616a289b3d1 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 11:25:34 +0800 +Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/usermanage.fc | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index 620eefc6f..bf1ff09ab 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -4,7 +4,11 @@ ifdef(`distro_debian',` + + /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +@@ -14,6 +18,7 @@ ifdef(`distro_debian',` + /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +@@ -39,6 +44,7 @@ ifdef(`distro_debian',` + /usr/sbin/usermod -- 
gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch new file mode 100644 index 0000000..c0d9cf4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0025-fc-getty-add-file-context-to-start_getty.patch @@ -0,0 +1,27 @@ +From dbd399143d6fbda828cfc9f2546bc730e0da584c Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 15 Nov 2019 16:07:30 +0800 +Subject: [PATCH] fc/getty: add file context to start_getty + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/getty.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index 116ea6421..53ff6137b 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -4,6 +4,7 @@ + /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) + + /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch deleted file mode 100644 index e6fbba0..0000000 --- a/recipes-security/refpolicy/refpolicy/0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch +++ /dev/null 
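Review bot: `vigr` is left without an alternatives variant while `vipw` gets `/usr/sbin/vipw\.shadow`, even though the hunk labels `/usr/sbin/vigr` itself as `admin_passwd_exec_t`; if shadow registers `vigr` through update-alternatives like the other tools in this patch, the real binary `/usr/sbin/vigr.shadow` stays `bin_t`, the transition into `admin_passwd_t` never happens and editing /etc/group through it runs in the caller's domain. Add `/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)` next to the vipw line if that is the case. Which shadow tools are alternatives on this image is not visible in the diff, so this is inferred from the vipw entry.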
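Review bot: The new `/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)` line exists to stop the `/usr/bin/.*getty` regex on the line above it from giving the wrapper script `getty_exec_t`, but neither the nested getty.fc hunk nor the patch description says so, and a reader will take a `bin_t` entry sitting between two getty rules for a mistake. Add a one-line explanation either as a `#` comment in the fc file or in the patch description, e.g. `# start_getty is a wrapper script (presumably sysvinit-inittab's), not a getty; the real getty it execs still transitions`. It is also worth stating that the literal path only beats the regex because refpolicy's fc_sort orders literal entries after regex ones, so nobody "fixes" the ordering later.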
@@ -1,45 +0,0 @@ -From 62a5f9dee28411f1d88a2101e507c15780467b2f Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 11:25:34 +0800 -Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/admin/usermanage.fc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index 620eefc6f..6a051f8a5 100644 ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -4,7 +4,9 @@ ifdef(`distro_debian',` - - /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) -@@ -14,6 +16,7 @@ ifdef(`distro_debian',` - /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) -@@ -39,6 +42,7 @@ ifdef(`distro_debian',` - /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/vipw -- 
gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - - /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch deleted file mode 100644 index d51faa5..0000000 --- a/recipes-security/refpolicy/refpolicy/0026-fc-getty-add-file-context-to-start_getty.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7be59b4d42165f7e12ccb8b2409304a2640eb898 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 15 Nov 2019 16:07:30 +0800 -Subject: [PATCH] fc/getty: add file context to start_getty - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/getty.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc -index 116ea6421..53ff6137b 100644 ---- a/policy/modules/system/getty.fc -+++ b/policy/modules/system/getty.fc -@@ -4,6 +4,7 @@ - /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) - - /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) -+/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) - - /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch new file mode 100644 index 0000000..71521e8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0026-fc-vlock-apply-policy-to-vlock-alternatives.patch 
@@ -0,0 +1,25 @@
+From 0280f05e2c9665f094d7098cd03e11d75908bcdb Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Wed, 18 Dec 2019 15:04:41 +0800
+Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/apps/vlock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
+index f668cde9c..c4bc50984 100644
+--- a/policy/modules/apps/vlock.fc
++++ b/policy/modules/apps/vlock.fc
+@@ -1,4 +1,5 @@
+ /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
++/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ 
+ /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..ca9b644
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@ +From 7f8b07b7af0c3cd8bbec49082b42011ac433df45 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 30 Jun 2020 10:45:57 +0800 +Subject: [PATCH] fc: add fcontext for init scripts and systemd service files + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/cron.fc | 1 + + policy/modules/services/rngd.fc | 1 + + policy/modules/services/rpc.fc | 2 ++ + policy/modules/system/logging.fc | 1 + + 4 files changed, 5 insertions(+) + +diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc +index 827363d88..e8412396d 100644 +--- a/policy/modules/services/cron.fc ++++ b/policy/modules/services/cron.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + + /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc +index 382c067f9..0ecc5acc4 100644 +--- a/policy/modules/services/rngd.fc ++++ b/policy/modules/services/rngd.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + + /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) + +diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc +index 88d2acaf0..d9c0a4aa7 100644 +--- a/policy/modules/services/rpc.fc ++++ b/policy/modules/services/rpc.fc +@@ -1,7 +1,9 @@ + /etc/exports -- gen_context(system_u:object_r:exports_t,s0) + + /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/nfslock -- 
gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + + /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 5681acb51..4ff5f990a 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -24,6 +24,7 @@ + /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) + /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) ++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch b/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch deleted file mode 100644 index e34abe6..0000000 --- a/recipes-security/refpolicy/refpolicy/0027-fc-init-add-file-context-to-etc-network-if-files.patch +++ /dev/null 
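Review bot: `/usr/lib/systemd/system/syslog.*\.service` in the logging.fc hunk is a prefix match, so besides the unit it targets it also captures any unrelated unit whose name starts with `syslog` (a site-local `syslog-forwarder.service`, say) and labels it `syslogd_unit_t`, extending whatever unit-management rights that type carries to it. If the intent is busybox's `syslog.service` and/or syslog-ng's unit, anchor the names, e.g. `/usr/lib/systemd/system/syslog(-ng)?\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)`; which syslog implementation the image uses is not visible here. The patch description says only "init scripts and systemd service files" and should name the packages whose paths are being labeled (cronie's crond, rng-tools, nfs-utils' nfsserver/nfscommon, the syslog provider) so the entries can be retired when those packages change.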
@@ -1,33 +0,0 @@ -From ac335f80d09f9ce4756f2e58944a975a12441fa7 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 19 Nov 2019 14:33:28 +0800 -Subject: [PATCH] fc/init: add file context to /etc/network/if-* files - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/init.fc | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 5268bddb2..a6762bd00 100644 ---- a/policy/modules/system/init.fc -+++ b/policy/modules/system/init.fc -@@ -75,11 +75,12 @@ ifdef(`distro_redhat',` - ifdef(`distro_debian',` - /run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0) - /run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0) -+') -+ - /etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - /etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - /etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - /etc/network/if-post-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) --') - - ifdef(`distro_gentoo', ` - /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch deleted file mode 100644 index d0bd7b4..0000000 --- a/recipes-security/refpolicy/refpolicy/0028-fc-vlock-apply-policy-to-vlock-alternatives.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 1ee2b12fa1585bf765370e3e787081fe01ad990f Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 18 Dec 2019 15:04:41 +0800 -Subject: [PATCH] fc/vlock: apply policy to vlock alternatives - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/apps/vlock.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc -index f668cde9c..c4bc50984 100644 ---- a/policy/modules/apps/vlock.fc -+++ b/policy/modules/apps/vlock.fc -@@ -1,4 +1,5 @@ - /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0) -+/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0) - /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) - - /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch new file mode 100644 index 0000000..dc10350 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0028-file_contexts.subs_dist-set-aliase-for-root-director.patch 
@@ -0,0 +1,30 @@
+From 0bb081084a2d12f9041bfae195481d898b5a0ba1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Sun, 5 Apr 2020 22:03:45 +0800
+Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
+
+The genhomedircon.py will expand /root directory to /home/root.
+Add an aliase for it
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ config/file_contexts.subs_dist | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 690007f22..f80499ebf 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -45,3 +45,7 @@
+ /usr/lib/busybox/bin /usr/bin
+ /usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
++
++# The genhomedircon.py will expand /root home directory to /home/root
++# Add an aliase for it
++/root /home/root
+--
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch b/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
deleted file mode 100644
index be57060..0000000
--- a/recipes-security/refpolicy/refpolicy/0029-fc-cron-apply-policy-to-etc-init.d-crond.patch
+++ /dev/null
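Review bot: The `/root /home/root` substitution is applied by libselinux before the file_contexts regex lookup, so every explicit `/root...` entry anywhere in the policy (upstream's admin-home lines in userdomain.fc, for instance, which are not visible here) is bypassed from now on and root's home is labeled purely by what genhomedircon emits for `/home/root`. That makes the alias a behaviour change rather than a convenience, and the patch description should say which types `/root`, `/root/.ssh` and HOME_DIR-derived paths such as `/root/.k5login` resolve to after the change (a `matchpathcon /root /root/.ssh` run would pin it down) and why the genhomedircon output is preferred over the upstream entries. The subject line and the added comment also misspell "alias" as "aliase", and the patch file name carries the typo too.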
@@ -1,25 +0,0 @@ -From a14d7d6fc54e7cf82d977c4b5c2df961c5eb1fe0 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 30 Jun 2020 10:45:57 +0800 -Subject: [PATCH] fc/cron: apply policy to /etc/init.d/crond - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/cron.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 827363d88..e8412396d 100644 ---- a/policy/modules/services/cron.fc -+++ b/policy/modules/services/cron.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - - /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch new file mode 100644 index 0000000..f8a4cec --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-the-syml.patch 
@@ -0,0 +1,104 @@ +From 9c676fe5ff2a14206f25bf8ed932c305f13dcfdc Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of + /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw... in /var/log/ directory. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 9 +++++++++ + 2 files changed, 10 insertions(+) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 4ff5f990a..dee26a9f4 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` + /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 341763730..30d402c75 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -1086,10 +1086,12 @@ interface(`logging_append_all_inherited_logs',` + interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, logfile, logfile) + ') + +@@ -1127,10 +1129,12 @@ interface(`logging_watch_all_logs',` + interface(`logging_exec_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + 
files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + can_exec($1, logfile) + ') + +@@ -1192,6 +1196,7 @@ interface(`logging_manage_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir manage_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1212,6 +1217,7 @@ interface(`logging_relabel_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir relabel_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1232,6 +1238,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -1333,6 +1340,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1351,6 +1359,7 @@ interface(`logging_watch_generic_logs_dir',` + ') + + allow $1 var_log_t:dir watch; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch b/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch deleted file mode 100644 index 6a659b2..0000000 --- a/recipes-security/refpolicy/refpolicy/0030-fc-sysnetwork-update-file-context-for-ifconfig.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From b3d2611360ddf21a3f8729766a1e4b64117ea710 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 4 Aug 2020 16:48:12 +0800 -Subject: [PATCH] fc/sysnetwork: update file context for ifconfig - -The ifconfig was moved from sbin to bin with oe-core commit: -c9caff40ff61c08e24a84922f8d7c8e9cdf8883e. Update the file context for -it. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/sysnetwork.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index c3291962d..4ca151524 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -44,6 +44,7 @@ ifdef(`distro_redhat',` - /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch new file mode 100644 index 0000000..a06b3f4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-system-logging-add-rules-for-syslogd-.patch 
@@ -0,0 +1,34 @@ +From c9759b1024873819cf594fe7ac3bf06bcf0d959d Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Fri, 29 Mar 2019 10:33:18 -0400 +Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink + of /var/log + +We have added rules for the symlink of /var/log in logging.if, while +syslogd_t uses /var/log but does not use the interfaces in logging.if. So +still need add a individual rule for syslogd_t. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 21e3285a9..abee7df9c 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -411,6 +411,7 @@ files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; ++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; + + # for systemd but can not be conditional + files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch deleted file mode 100644 index f65d1be..0000000 --- a/recipes-security/refpolicy/refpolicy/0031-file_contexts.subs_dist-set-aliase-for-root-director.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 8c733eff8089c24fe6885977d2bdcdfb0c453726 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Sun, 5 Apr 2020 22:03:45 +0800 -Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory - -The genhomedircon.py will expand /root directory to /home/root. -Add an aliase for it - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - config/file_contexts.subs_dist | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index a38d58e16..3e4c5720f 100644 ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -44,3 +44,7 @@ - /usr/lib/busybox/bin /usr/bin - /usr/lib/busybox/sbin /usr/sbin - /usr/lib/busybox/usr /usr -+ -+# The genhomedircon.py will expand /root home directory to /home/root -+# Add an aliase for it -+/root /home/root --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch new file mode 100644 index 0000000..ffa78ac --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch 
@@ -0,0 +1,102 @@ +From fd55f9f292617c7475c62c07ed6c478b4bd9eda5 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of + /tmp + +/tmp is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw.. in /tmp/ directory. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/files.fc | 1 + + policy/modules/kernel/files.if | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index 826722f4e..677ae96c3 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <> + # /tmp + # + /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp -l gen_context(system_u:object_r:tmp_t,s0) + /tmp/.* <> + /tmp/\.journal <> + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 495cbe2f4..b308eefd9 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -4555,6 +4555,7 @@ interface(`files_search_tmp',` + ') + + allow $1 tmp_t:dir search_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4591,6 +4592,7 @@ interface(`files_list_tmp',` + ') + + allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4627,6 +4629,7 @@ interface(`files_delete_tmp_dir_entry',` + ') + + allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4645,6 +4648,7 @@ interface(`files_read_generic_tmp_files',` + ') + + read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + 
######################################## +@@ -4663,6 +4667,7 @@ interface(`files_manage_generic_tmp_dirs',` + ') + + manage_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4699,6 +4704,7 @@ interface(`files_manage_generic_tmp_files',` + ') + + manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4735,6 +4741,7 @@ interface(`files_rw_generic_tmp_sockets',` + ') + + rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -4942,6 +4949,7 @@ interface(`files_tmp_filetrans',` + ') + + filetrans_pattern($1, tmp_t, $2, $3, $4) ++ allow $1 tmp_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch deleted file mode 100644 index a80bf03..0000000 --- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-add-rules-for-the-syml.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 456bb92237aa637f506fcc56b190eb534d745e41 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of - /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw... in /var/log/ directory. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 9 +++++++++ - 2 files changed, 10 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 5681acb51..a4ecd570a 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -52,6 +52,7 @@ ifdef(`distro_suse', ` - /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) - /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 10dee6563..9bb3afdb2 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -1065,10 +1065,12 @@ interface(`logging_append_all_inherited_logs',` - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -1087,10 +1089,12 @@ interface(`logging_read_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - 
files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -1152,6 +1156,7 @@ interface(`logging_manage_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir manage_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1172,6 +1177,7 @@ interface(`logging_relabel_generic_log_dirs',` - - files_search_var($1) - allow $1 var_log_t:dir relabel_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1192,6 +1198,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -1293,6 +1300,7 @@ interface(`logging_manage_generic_logs',` - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -1311,6 +1319,7 @@ interface(`logging_watch_generic_logs_dir',` - ') - - allow $1 var_log_t:dir watch; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch new file mode 100644 index 0000000..3f10d06 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-system-logging-fix-auditd-startup-fai.patch 
@@ -0,0 +1,41 @@
+From a196ae5e13b3f8e0d2e7ff27c8d481c9376b18e9 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
+
+Fixes:
+avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
+ino=12552 scontext=system_u:system_r:auditd_t
+tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index abee7df9c..cc530a2be 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ allow auditd_t var_log_t:dir search_dir_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+@@ -290,6 +291,7 @@ optional_policy(`
+ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch
new file mode 100644
index 0000000..3421a43
--- /dev/null
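Review bot: Compared with the 0035 version of this patch that the same commit deletes, the new 0032 version keeps only the two `var_log_t:lnk_file read_lnk_file_perms` rules and drops `kernel_getattr_proc(auditctl_t)` and the `getattr` rule on `audisp_remote_exec_t`, and the patch description gives no reason for the narrower scope. Presumably those two denials are now handled by upstream 20210908, but that cannot be confirmed from the diff, so the rebase is hard to audit. One sentence in the description, e.g. `The auditctl proc getattr and audisp-remote getattr rules were dropped because upstream now provides them`, would record the decision. The two rules that remain are read-only symlink permissions consistent with the other /var/log symlink patches in this series.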
+++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch @@ -0,0 +1,38 @@ +From bfcb86c9c9ad6a9f10a8556320443d8c96adedc9 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in + term_dontaudit_use_console + +We should also not audit terminal to rw tty_device_t and fds in +term_dontaudit_use_console. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/terminal.if | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 55c18dffb..e8c0735eb 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -335,9 +335,12 @@ interface(`term_use_console',` + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + ++ init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch deleted file mode 100644 index 4e5ee51..0000000 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-rules-for-syslogd-.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 275597cbb54eb8007c07fc06c3d9bd3d3090f7f2 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 29 Mar 2019 10:33:18 -0400 -Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink - of /var/log - -We have added rules for the symlink of /var/log in logging.if, while -syslogd_t uses /var/log but does not use the interfaces in logging.if. So -still need add a individual rule for syslogd_t. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 031e2f40f..673046781 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -404,6 +404,7 @@ files_search_spool(syslogd_t) - - # Allow access for syslog-ng - allow syslogd_t var_log_t:dir { create setattr }; -+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; - - # for systemd but can not be conditional - files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch deleted file mode 100644 index da42fdd..0000000 --- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 491783f2ae026ac969c9f6ef6eea1bd75ac7e2a5 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of - /tmp - -/tmp is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /tmp/ directory. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/files.fc | 1 + - policy/modules/kernel/files.if | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 826722f4e..677ae96c3 100644 ---- a/policy/modules/kernel/files.fc -+++ b/policy/modules/kernel/files.fc -@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <> - # /tmp - # - /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp -l gen_context(system_u:object_r:tmp_t,s0) - /tmp/.* <> - /tmp/\.journal <> - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 34a9cd66d..7fc7e922f 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -4533,6 +4533,7 @@ interface(`files_search_tmp',` - ') - - allow $1 tmp_t:dir search_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4569,6 +4570,7 @@ interface(`files_list_tmp',` - ') - - allow $1 tmp_t:dir list_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4605,6 +4607,7 @@ interface(`files_delete_tmp_dir_entry',` - ') - - allow $1 tmp_t:dir del_entry_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4623,6 +4626,7 @@ interface(`files_read_generic_tmp_files',` - ') - - read_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - 
######################################## -@@ -4641,6 +4645,7 @@ interface(`files_manage_generic_tmp_dirs',` - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4659,6 +4664,7 @@ interface(`files_manage_generic_tmp_files',` - ') - - manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4695,6 +4701,7 @@ interface(`files_rw_generic_tmp_sockets',` - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4902,6 +4909,7 @@ interface(`files_tmp_filetrans',` - ') - - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch new file mode 100644 index 0000000..e7ce388 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch 
@@ -0,0 +1,67 @@
+From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 24 Aug 2020 11:29:09 +0800
+Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
+ confidentiality of class lockdown
+
+The SELinux lockdown implementation was introduced since kernel 5.6 by
+commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
+and udev_t to access confidentiality of class lockdown to mount tracefs.
+
+Fixes:
+kernel: Could not create tracefs 'iwlwifi_data/filter' entry
+kernel: Could not create tracefs 'enable' entry
+kernel: Could not create tracefs 'id' entry
+kernel: Could not create tracefs 'filter' entry
+kernel: Could not create tracefs 'trigger' entry
+kernel: Could not create tracefs 'format' entry
+
+audit[170]: AVC avc: denied { confidentiality } for pid=170
+comm="modprobe" lockdown_reason="use of tracefs"
+scontext=system_u:system_r:kmod_t:s15:c0.c1023
+tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
+permissive=0
+
+audit[190]: AVC avc: denied { confidentiality } for pid=190
+comm="systemd-udevd" lockdown_reason="use of tracefs"
+scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/modutils.te | 2 ++
+ policy/modules/system/udev.te | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index b0a419dc1..5b4f0aca1 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
+ allow kmod_t self:udp_socket create_socket_perms;
+ allow kmod_t self:rawip_socket create_socket_perms;
+ 
++allow kmod_t self:lockdown confidentiality;
++
+ # Read module config and dependency information
+ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
+ read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index c50ff68c1..4c5a690fb 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
+ # for systemd-udevd to rename interfaces
+ allow udev_t self:netlink_route_socket nlmsg_write;
+ 
++allow udev_t self:lockdown confidentiality;
++
+ can_exec(udev_t, udev_exec_t)
+ 
+ allow udev_t udev_helper_exec_t:dir list_dir_perms;
+-- 
+2.17.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
new file mode 100644
index 0000000..0dfe0ee
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-getty-allow-getty_t-to-search-.patch
@@ -0,0 +1,32 @@
+From 175b493e7fe69de274388a7f251e74ec9cd56c41 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 23 Jun 2020 08:39:44 +0800
+Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs
+
+Fixes:
+avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:getty_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/getty.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index e6e76a93b..c704ddb82 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -68,6 +68,7 @@ files_read_etc_runtime_files(getty_t)
+ files_read_etc_files(getty_t)
+ files_search_spool(getty_t)
+ files_dontaudit_search_var_lib(getty_t)
++fs_search_tmpfs(getty_t)
+ 
+ fs_search_auto_mountpoints(getty_t)
+ # for error condition handling
+-- 
+2.17.1
+
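Review bot: `allow kmod_t self:lockdown confidentiality;` (and the matching `udev_t` rule in the udev.te hunk) grants more than the tracefs case quoted in the description: the lockdown object class has only two permissions, so `confidentiality` also covers the other confidentiality-category lockdown reasons such as kcore, debugfs, kprobes, perf and BPF reads for these two domains. That is the finest granularity the class offers, so the rule itself is defensible, but each allow line should record why it exists so it is neither dropped nor widened blindly later, e.g. `# lockdown confidentiality is needed to mount tracefs (kernel >= 5.6)` above each of the two rules. The patch subject and description say `mod_t` while the domain actually changed is `kmod_t`; the description should name kmod_t so it matches the hunk and the quoted AVC.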
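Review bot: In the getty.te hunk `fs_search_tmpfs(getty_t)` is inserted into the `files_*` group, while the only other filesystem-layer call in the same hunk, `fs_search_auto_mountpoints(getty_t)`, sits two lines below after the blank line; moving the new line next to it would keep the interface groups together as the rest of the file does. The interface chosen matches the quoted denial exactly (search on the tmpfs root directory) and grants nothing beyond it.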
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch deleted file mode 100644 index 9856fcd..0000000 --- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-fix-auditd-startup-fai.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 25036d5f5c41e4215d071d9c1eb77760a0eca87c Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures - -Fixes: -avc: denied { getattr } for pid=322 comm="auditd" -path="/sbin/audisp-remote" dev="vda" ino=1115 -scontext=system_u:system_r:auditd_t -tcontext=system_u:object_r:audisp_remote_exec_t tclass=file permissive=0 - -avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda" -ino=12552 scontext=system_u:system_r:auditd_t -tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 - -avc: denied { getattr } for pid=183 comm="auditctl" name="/" -dev="proc" ino=1 scontext=system_u:system_r:auditctl_t -tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 673046781..9b3254f63 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -117,6 +117,7 @@ files_read_etc_files(auditctl_t) - kernel_read_kernel_sysctls(auditctl_t) - kernel_read_proc_symlinks(auditctl_t) - kernel_setsched(auditctl_t) -+kernel_getattr_proc(auditctl_t) - - domain_read_all_domains_state(auditctl_t) - domain_use_interactive_fds(auditctl_t) -@@ -157,10 +158,13 @@ allow auditd_t auditd_etc_t:dir list_dir_perms; - allow auditd_t auditd_etc_t:file read_file_perms; - dontaudit auditd_t auditd_etc_t:file map; - -+allow auditd_t audisp_remote_exec_t:file getattr; -+ - manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t auditd_log_t:dir setattr; - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t var_log_t:dir search_dir_perms; -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - - 
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) - manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) -@@ -284,6 +288,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; - allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; - allow audisp_remote_t var_log_t:dir search_dir_perms; -+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) - manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch deleted file mode 100644 index 855aae6..0000000 --- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 15773d54215587284f937b9a37b08c682949e7ab Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in - term_dontaudit_use_console - -We should also not audit terminal to rw tty_device_t and fds in -term_dontaudit_use_console. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/terminal.if | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 55c18dffb..e8c0735eb 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -335,9 +335,12 @@ interface(`term_use_console',` - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - -+ init_dontaudit_use_fds($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch new file mode 100644 index 0000000..f9aa158 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch 
@@ -0,0 +1,45 @@ +From d1352b688603b16eb6da7a30198d8b7abfc55d1e Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 1 Jul 2020 08:44:07 +0800 +Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create + directory with label rpcbind_runtime_t + +Fixes: +avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind" +scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/services/rpcbind.te | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index 168c28ca3..e1eb7d5fc 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t) + # Local policy + # + +-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; ++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown }; + # net_admin is for SO_SNDBUFFORCE + dontaudit rpcbind_t self:capability net_admin; + allow rpcbind_t self:fifo_file rw_fifo_file_perms; + allow rpcbind_t self:unix_stream_socket { accept listen }; + allow rpcbind_t self:tcp_socket { accept listen }; + ++manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) + manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) + manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) +-files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file }) ++files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir }) + + manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) + manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) +-- +2.17.1 + 
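Review bot: The `chown` capability added in `allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };` is not explained anywhere in the new patch: its subject and the single quoted AVC cover only creating a directory labelled rpcbind_runtime_t, which the added `manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)` and the `dir` class added to `files_runtime_filetrans` already address. A capability grant with no matching denial in the Fixes block is hard to justify or prune later, so either add the AVC that showed `{ chown }` to the description or leave `chown` out until one is observed. If rpcbind turns out to chown its runtime directory to its service user, record that with a comment above the allow line such as `# chown: rpcbind changes ownership of its runtime dir (see AVC in commit message)` rather than leaving the capability unexplained.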
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch new file mode 100644 index 0000000..9465a3e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch 
@@ -0,0 +1,71 @@ +From 07866ad826b299194c1bfd7978e5077dde72a68e Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Mon, 11 Oct 2021 10:10:10 +0800 +Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel + user home files + +Fixes: +avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc" +dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t +tcontext=user_u:object_r:user_home_t tclass=file permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/usermanage.te | 2 ++ + policy/modules/system/userdomain.if | 18 ++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 98646b4b4..50c479498 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t) + + fs_search_auto_mountpoints(useradd_t) + fs_getattr_xattr_fs(useradd_t) ++fs_search_tmpfs(useradd_t) + + mls_file_upgrade(useradd_t) + +@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t) + userdom_manage_user_home_content_dirs(useradd_t) + userdom_manage_user_home_content_files(useradd_t) + userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) ++userdom_relabel_user_home_content_files(useradd_t) + + optional_policy(` + mta_manage_spool(useradd_t) +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 22b3c1bf7..ec625170d 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` + dontaudit $1 user_home_t:file relabel_file_perms; + ') + ++######################################## ++## ++## Relabel user home files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_relabel_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file relabel_file_perms; ++') ++ + ######################################## + ## + ## Read user home subdirectory symbolic links. +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch deleted file mode 100644 index da03017..0000000 --- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-modutils-allow-mod_t-to-access.patch +++ /dev/null 
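Review bot: `fs_search_tmpfs(useradd_t)` in the first usermanage.te hunk is not covered by the patch description, whose only quoted denial is `{ relabelfrom }` on a user_home_t file; the Fixes block should also carry the tmpfs `{ search }` AVC so the rule stays traceable. The new `userdom_relabel_user_home_content_files` interface grants `relabel_file_perms` on `user_home_t:file`, which includes both relabelfrom and relabelto and is therefore wider than the single relabelfrom denial shown; if useradd only changes the SELinux user on files that keep the user_home_t type this is presumably the right set, but say so in the summary, e.g. `## Relabel user home files (relabelfrom and relabelto on user_home_t).` The naming follows the adjacent `userdom_dontaudit_relabel_user_home_content_files`, which keeps the module consistent.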
@@ -1,67 +0,0 @@ -From 1126ee6883d7e107b103a18d255416d542ca50f2 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Mon, 24 Aug 2020 11:29:09 +0800 -Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access - confidentiality of class lockdown - -The SELinux lockdown implementation was introduced since kernel 5.6 by -commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t -and udev_t to access confidentiality of class lockdown to mount tracefs. - -Fixes: -kernel: Could not create tracefs 'iwlwifi_data/filter' entry -kernel: Could not create tracefs 'enable' entry -kernel: Could not create tracefs 'id' entry -kernel: Could not create tracefs 'filter' entry -kernel: Could not create tracefs 'trigger' entry -kernel: Could not create tracefs 'format' entry - -audit[170]: AVC avc: denied { confidentiality } for pid=170 -comm="modprobe" lockdown_reason="use of tracefs" -scontext=system_u:system_r:kmod_t:s15:c0.c1023 -tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown -permissive=0 - -audit[190]: AVC avc: denied { confidentiality } for pid=190 -comm="systemd-udevd" lockdown_reason="use of tracefs" -scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown -permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/modutils.te | 2 ++ - policy/modules/system/udev.te | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index ef5de835e..ee249ae04 100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin; - allow kmod_t self:udp_socket create_socket_perms; - allow kmod_t self:rawip_socket create_socket_perms; - -+allow kmod_t self:lockdown confidentiality; -+ - # Read module config and dependency information - list_dirs_pattern(kmod_t, modules_conf_t, 
modules_conf_t) - read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) -diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 4a2283b6c..daf64482f 100644 ---- a/policy/modules/system/udev.te -+++ b/policy/modules/system/udev.te -@@ -61,6 +61,8 @@ allow udev_t self:rawip_socket create_socket_perms; - # for systemd-udevd to rename interfaces - allow udev_t self:netlink_route_socket nlmsg_write; - -+allow udev_t self:lockdown confidentiality; -+ - can_exec(udev_t, udev_exec_t) - - allow udev_t udev_helper_exec_t:dir list_dir_perms; --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch deleted file mode 100644 index 1b0391d..0000000 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 92571e7c066b3d91634a4c1f55542cb528f5bac4 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 23 Jun 2020 08:19:16 +0800 -Subject: [PATCH] policy/modules/services/avahi: allow avahi_t to watch - /etc/avahi directory - -Fixes: -type=AVC msg=audit(1592813140.176:24): avc: denied { watch } for -pid=360 comm="avahi-daemon" path="/services" dev="vda" ino=173 -scontext=system_u:system_r:avahi_t tcontext=system_u:object_r:etc_t -tclass=dir permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/avahi.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te -index af838d8b0..674cdcb81 100644 ---- a/policy/modules/services/avahi.te -+++ b/policy/modules/services/avahi.te -@@ -76,6 +76,7 @@ domain_use_interactive_fds(avahi_t) - - files_read_etc_runtime_files(avahi_t) - files_read_usr_files(avahi_t) -+files_watch_etc_dirs(avahi_t) - - auth_use_nsswitch(avahi_t) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch new file mode 100644 index 0000000..cc29c7b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-enable-support-for-sys.patch 
@@ -0,0 +1,64 @@ +From 93d4f198bd469a8728f5ce0cc51ff18f8a58b23b Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 4 Feb 2016 06:03:19 -0500 +Subject: [PATCH] policy/modules/system/systemd: enable support for + systemd-tmpfiles to manage all non-security files + +Fixes: +systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied +systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied +systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied + +avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/" +dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 + +avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus" +dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir +permissive=0 + +avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile" +name="log" dev="vda" ino=14129 +scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 + +avc: denied { create } for pid=137 comm="systemd-tmpfile" +name="audit" scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 3d9198342..31d28a0e3 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -10,7 +10,7 @@ policy_module(systemd, 1.12.6) + ## Enable support for systemd-tmpfiles to manage all non-security files. + ##

+ ## +-gen_tunable(systemd_tmpfiles_manage_all, false) ++gen_tunable(systemd_tmpfiles_manage_all, true) + + ## + ##

+@@ -1396,6 +1396,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) + files_relabelto_home(systemd_tmpfiles_t) + files_relabelto_etc_dirs(systemd_tmpfiles_t) + files_setattr_lock_dirs(systemd_tmpfiles_t) ++ ++files_manage_non_auth_files(systemd_tmpfiles_t) ++files_relabel_non_auth_files(systemd_tmpfiles_t) ++ + # for /etc/mtab + files_manage_etc_symlinks(systemd_tmpfiles_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch deleted file mode 100644 index d673d54..0000000 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-getty-allow-getty_t-to-search-.patch +++ /dev/null @@ -1,32 +0,0 @@ -From f23178d9d89bf39895f75867c29bda4dfb27e786 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 23 Jun 2020 08:39:44 +0800 -Subject: [PATCH] policy/modules/system/getty: allow getty_t to search tmpfs - -Fixes: -avc: denied { search } for pid=211 comm="agetty" name="/" dev="tmpfs" -ino=1 scontext=system_u:system_r:getty_t -tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/getty.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index 95b1ec632..0415e1ee7 100644 ---- a/policy/modules/system/getty.te -+++ b/policy/modules/system/getty.te -@@ -66,6 +66,7 @@ dev_read_sysfs(getty_t) - files_read_etc_runtime_files(getty_t) - files_read_etc_files(getty_t) - files_search_spool(getty_t) -+fs_search_tmpfs(getty_t) - - fs_search_auto_mountpoints(getty_t) - # for error condition handling --- -2.17.1 - 
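Review bot: The tunable flip to `gen_tunable(systemd_tmpfiles_manage_all, true)` and the two rules `files_manage_non_auth_files(systemd_tmpfiles_t)` / `files_relabel_non_auth_files(systemd_tmpfiles_t)` added in the second hunk appear to be two fixes for the same problem, and the second one makes the first irrelevant: the new rules sit beside unconditional rules such as `files_relabelto_home(systemd_tmpfiles_t)` rather than inside a `tunable_policy(`systemd_tmpfiles_manage_all', ...)` block, so systemd-tmpfiles would get manage and relabel on every non-security file regardless of the tunable (the enclosing block is not visible in the hunk, so confirm this). Either keep the tunable at the new default and drop the unconditional rules, or, if the unconditional grant is really required, revert the tunable change and state in the description why the tunable was not enough. Since this is the broadest grant in the series, the description should also name the paths from the Fixes block (/var/volatile/log, /var/volatile/tmp, /var/log/audit) that still failed with the tunable enabled, so a later reader can tell which rule fixed what.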
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch new file mode 100644 index 0000000..ea8af31 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch 
@@ -0,0 +1,60 @@ +From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Mon, 25 Jan 2021 14:14:59 +0800 +Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup + failures + +* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link + files +* Allow systemd_resolved_t to send and recevie messages from dhcpc over + dbus + +Fixes: +avc: denied { create } for pid=329 comm="systemd-resolve" +name=".#stub-resolv.conf53cb7f9d1e3aa72b" +scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file +permissive=0 + +avc: denied { send_msg } for msgtype=method_call +interface=org.freedesktop.resolve1.Manager member=RevertLink +dest=org.freedesktop.resolve1 spid=340 tpid=345 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 +tclass=dbus permissive=0 + +avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345 +tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 31d28a0e3..448905ff7 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; + + manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) + manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) ++manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) + manage_sock_files_pattern(systemd_resolved_t, 
systemd_resolved_runtime_t, systemd_resolved_runtime_t) + init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) + +@@ -1236,6 +1237,7 @@ optional_policy(` + dbus_system_bus_client(systemd_resolved_t) + dbus_watch_system_bus_runtime_dirs(systemd_resolved_t) + dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t) ++ sysnet_dbus_chat_dhcpc(systemd_resolved_t) + ') + + ######################################### +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch deleted file mode 100644 index 8532a24..0000000 --- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch +++ /dev/null 
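Review bot: The embedded description misspells "receive" in `* Allow systemd_resolved_t to send and recevie messages from dhcpc over dbus`; fix it before the patch is carried forward. The two rules match the three quoted denials: `manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)` covers the `.#stub-resolv.conf…` lnk_file create, and `sysnet_dbus_chat_dhcpc(systemd_resolved_t)` covers the method_call and method_return pair in both directions. Placing the dhcpc chat call inside the existing `optional_policy(` block with the other dbus rules keeps the dependency on the dbus module optional, which is the right spot for it.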
@@ -1,88 +0,0 @@ -From 21c60a1ed37aef0427dbd49f602896b09b875bca Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 23 Jun 2020 08:54:20 +0800 -Subject: [PATCH] policy/modules/services/bluetooth: fix bluetoothd startup - failures - -* Allow bluetooth_t to create and use bluetooth_socket -* Allow bluetooth_t to create alg_socket -* Allow bluetooth_t to send and receive messages from systemd hostnamed - over dbus - -Fixes: -avc: denied { create } for pid=324 comm="bluetoothd" -scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { bind } for pid=324 comm="bluetoothd" -scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { write } for pid=324 comm="bluetoothd" -scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { getattr } for pid=324 comm="bluetoothd" -path="socket:[11771]" dev="sockfs" ino=11771 -scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { listen } for pid=324 comm="bluetoothd" -scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { read } for pid=324 comm="bluetoothd" path="socket:[11771]" -dev="sockfs" ino=11771 scontext=system_u:system_r:bluetooth_t -tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket -permissive=0 - -avc: denied { create } for pid=268 comm="bluetoothd" -scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket -permissive=0 - -avc: denied { send_msg } for msgtype=method_call -interface=org.freedesktop.DBus.Properties member=GetAll -dest=org.freedesktop.hostname1 spid=266 tpid=312 -scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 
-tcontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023 -tclass=dbus permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/bluetooth.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 69a38543e..b3df695db 100644 ---- a/policy/modules/services/bluetooth.te -+++ b/policy/modules/services/bluetooth.te -@@ -60,6 +60,8 @@ allow bluetooth_t self:socket create_stream_socket_perms; - allow bluetooth_t self:unix_stream_socket { accept connectto listen }; - allow bluetooth_t self:tcp_socket { accept listen }; - allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms; -+allow bluetooth_t self:alg_socket create; - - read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) - -@@ -127,6 +129,9 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) - userdom_dontaudit_use_user_terminals(bluetooth_t) - userdom_dontaudit_search_user_home_dirs(bluetooth_t) - -+init_dbus_send_script(bluetooth_t) -+systemd_dbus_chat_hostnamed(bluetooth_t) -+ - optional_policy(` - dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch new file mode 100644 index 0000000..91588f1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch 
@@ -0,0 +1,156 @@ +From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 28 Sep 2021 10:03:04 +0800 +Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the + attributes of tmpfs and cgroups + +Fixes: +avc: denied { getattr } for pid=245 comm="systemd-network" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t +tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 + +avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t +tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 + +avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t +tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 + +avc: denied { search } for pid=293 comm="systemd-user-ru" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t +tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 448905ff7..847895e63 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t) + + files_search_var_lib(systemd_backlight_t) + ++fs_getattr_tmpfs(systemd_backlight_t) ++fs_search_cgroup_dirs(systemd_backlight_t) ++fs_getattr_cgroup(systemd_backlight_t) ++ + ####################################### + # + # Binfmt local policy +@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t) + fs_list_efivars(systemd_generator_t) + fs_getattr_cgroup(systemd_generator_t) + fs_getattr_xattr_fs(systemd_generator_t) 
++fs_getattr_tmpfs(systemd_generator_t) + + init_create_runtime_files(systemd_generator_t) + init_manage_runtime_dirs(systemd_generator_t) +@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t) + # Allow reading /run/udev/data/+dmi:id + udev_read_runtime_files(systemd_hostnamed_t) + ++fs_getattr_tmpfs(systemd_hostnamed_t) ++fs_search_cgroup_dirs(systemd_hostnamed_t) ++fs_getattr_cgroup(systemd_hostnamed_t) ++ + optional_policy(` + dbus_connect_system_bus(systemd_hostnamed_t) + dbus_system_bus_client(systemd_hostnamed_t) +@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t) + files_mmap_read_kernel_modules(systemd_modules_load_t) + files_read_etc_files(systemd_modules_load_t) + ++fs_getattr_tmpfs(systemd_modules_load_t) ++fs_search_cgroup_dirs(systemd_modules_load_t) ++fs_getattr_cgroup(systemd_modules_load_t) ++ + modutils_read_module_config(systemd_modules_load_t) + modutils_read_module_deps(systemd_modules_load_t) + +@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t) + files_watch_root_dirs(systemd_networkd_t) + files_list_runtime(systemd_networkd_t) + fs_getattr_xattr_fs(systemd_networkd_t) ++fs_getattr_tmpfs(systemd_networkd_t) + fs_getattr_cgroup(systemd_networkd_t) + fs_search_cgroup_dirs(systemd_networkd_t) + fs_read_nsfs_files(systemd_networkd_t) +@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t) + + systemd_log_parse_environment(systemd_rfkill_t) + ++fs_getattr_tmpfs(systemd_rfkill_t) ++fs_search_cgroup_dirs(systemd_rfkill_t) ++fs_getattr_cgroup(systemd_rfkill_t) ++ + ######################################### + # + # Resolved local policy +@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t) + files_watch_root_dirs(systemd_resolved_t) + files_watch_runtime_dirs(systemd_resolved_t) + files_list_runtime(systemd_resolved_t) ++fs_getattr_tmpfs(systemd_resolved_t) ++fs_search_cgroup_dirs(systemd_resolved_t) ++fs_getattr_cgroup(systemd_resolved_t) + + init_dgram_send(systemd_resolved_t) + +@@ -1288,6 
+1309,10 @@ seutil_read_file_contexts(systemd_sessions_t) + + systemd_log_parse_environment(systemd_sessions_t) + ++fs_getattr_tmpfs(systemd_sessions_t) ++fs_search_cgroup_dirs(systemd_sessions_t) ++fs_getattr_cgroup(systemd_sessions_t) ++ + ######################################## + # + # sysctl local policy +@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t) + kernel_dontaudit_getattr_proc(systemd_sysctl_t) + + files_read_etc_files(systemd_sysctl_t) ++fs_getattr_tmpfs(systemd_sysctl_t) ++fs_search_cgroup_dirs(systemd_sysctl_t) ++fs_getattr_cgroup(systemd_sysctl_t) + + systemd_log_parse_environment(systemd_sysctl_t) + +@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t) + fs_getattr_xattr_fs(systemd_tmpfiles_t) + fs_list_tmpfs(systemd_tmpfiles_t) + fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t) ++fs_search_cgroup_dirs(systemd_tmpfiles_t) ++fs_getattr_cgroup(systemd_tmpfiles_t) + + selinux_get_fs_mount(systemd_tmpfiles_t) + selinux_use_status_page(systemd_tmpfiles_t) +@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms; + files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file) + files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file) + ++fs_getattr_tmpfs(systemd_update_done_t) ++fs_search_cgroup_dirs(systemd_update_done_t) ++fs_getattr_cgroup(systemd_update_done_t) ++ + kernel_read_kernel_sysctls(systemd_update_done_t) + + selinux_use_status_page(systemd_update_done_t) +@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t) + fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t) + fs_read_cgroup_files(systemd_user_runtime_dir_t) + fs_getattr_cgroup(systemd_user_runtime_dir_t) ++fs_search_cgroup_dirs(systemd_user_runtime_dir_t) + + kernel_read_kernel_sysctls(systemd_user_runtime_dir_t) + kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t) +-- +2.17.1 + 
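Review bot: The patch grants `fs_getattr_tmpfs`, `fs_search_cgroup_dirs` and/or `fs_getattr_cgroup` to twelve systemd_*_t domains, but the Fixes block quotes denials for only four (systemd_networkd_t, systemd_resolved_t, systemd_sessions_t, systemd_user_runtime_dir_t); the other eight (backlight, generator, hostnamed, modules_load, rfkill, sysctl, tmpfiles, update_done) are extended pre-emptively with no recorded evidence. Either add the observed AVCs for those domains or state in the description that the interfaces are applied to every systemd helper deliberately, so the intent can be told apart from copy-paste. The same three-line block is repeated verbatim in nine hunks; if systemd.te already has an attribute or local interface shared by these helper domains, attaching the three calls there would turn future additions into a one-line change and make the grant easier to audit.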
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch deleted file mode 100644 index bd06065..0000000 --- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e67fe4fa79d59be7bcefd256c1966ea8c034a3d9 Mon Sep 17 00:00:00 2001 -From: Roy Li -Date: Sat, 15 Feb 2014 09:45:00 +0800 -Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to run rpcinfo - -Fixes: -$ rpcinfo -rpcinfo: can't contact rpcbind: RPC: Remote system error - Permission denied - -avc: denied { connectto } for pid=406 comm="rpcinfo" -path="/run/rpcbind.sock" scontext=root:sysadm_r:sysadm_t -tcontext=system_u:system_r:rpcbind_t tclass=unix_stream_socket -permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Roy Li -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/roles/sysadm.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index ddf973693..1642f3b93 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -947,6 +947,7 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_stream_connect(sysadm_t) - rpcbind_admin(sysadm_t, sysadm_r) - ') - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch new file mode 100644 index 0000000..2232d48 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-logging-fix-syslogd-failures-f.patch 
@@ -0,0 +1,55 @@ +From dc2c9c91219311f6c4d985169dff6c5931a465d7 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 4 Feb 2016 02:10:15 -0500 +Subject: [PATCH] policy/modules/system/logging: fix syslogd failures for + systemd + +Fixes: +syslogd[243]: Error opening log file: /var/log/auth.log: Permission denied +syslogd[243]: Error opening log file: /var/log/syslog: Permission denied +syslogd[243]: Error opening log file: /var/log/kern.log: Permission denied +syslogd[243]: Error opening log file: /var/log/mail.log: Permission denied +syslogd[243]: Error opening log file: /var/log/mail.err: Permission denied +syslogd[243]: Error opening log file: /var/log/messages: Permission denied + +avc: denied { search } for pid=243 comm="syslogd" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t +tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 + +avc: denied { write } for pid=162 comm="systemd-journal" +name="syslog" dev="tmpfs" ino=515 scontext=system_u:system_r:syslogd_t +tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index cc530a2be..5b4b5ec5d 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -431,7 +431,7 @@ files_search_var_lib(syslogd_t) + + # manage runtime files + allow syslogd_t syslogd_runtime_t:dir create_dir_perms; +-allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink }; ++allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink write }; + allow syslogd_t syslogd_runtime_t:file map; + manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) + files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) +@@ -495,6 +495,7 @@ 
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) + + fs_getattr_all_fs(syslogd_t) + fs_search_auto_mountpoints(syslogd_t) ++fs_search_tmpfs(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch deleted file mode 100644 index 534c280..0000000 --- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-services-rpc-add-capability-dac_read_.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 7c94b6aa3c679dc201ed5a907f713c0857d8b8ca Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 14 May 2019 15:22:08 +0800 -Subject: [PATCH] policy/modules/services/rpc: add capability dac_read_search - for rpcd_t - -Fixes: -type=AVC msg=audit(1558592079.931:494): avc: denied { dac_read_search } -for pid=585 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t -tcontext=system_u:system_r:rpcd_t tclass=capability permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/rpc.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index c3e37177b..87b6b4561 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -232,7 +232,7 @@ optional_policy(` - # Local policy - # - --allow rpcd_t self:capability { chown dac_override setgid setpcap setuid sys_admin }; -+allow rpcd_t self:capability { chown dac_override dac_read_search setgid setpcap setuid sys_admin }; - allow rpcd_t self:capability2 block_suspend; - allow rpcd_t self:process { getcap setcap }; - allow rpcd_t self:fifo_file rw_fifo_file_perms; --- -2.17.1 - 
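Review bot: The description's Fixes block lists `Error opening log file: /var/log/auth.log: Permission denied` and similar, yet the rules added touch only tmpfs search and `syslogd_runtime_t:sock_file { create setattr unlink write }`; nothing in the hunk mentions var_log_t, so the link between those log-file errors and `fs_search_tmpfs(syslogd_t)` (presumably /var/log resolving onto a tmpfs-backed /var/volatile in this image layout) should be spelled out in the description. The sock_file denial was raised by `comm="systemd-journal"` running as syslogd_t, which is worth a short comment above the changed allow line, e.g. `# journald (running in syslogd_t) writes to the syslog socket file`, so that nobody later narrows the rule assuming only syslogd uses it — confirm the socket path before writing it. The syslogd_t rule group continues outside the hunk.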
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch new file mode 100644 index 0000000..108f62f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch 
@@ -0,0 +1,172 @@ +From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 4 Feb 2021 10:48:54 +0800 +Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes + +Fixes: +systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and +$XDG_RUNTIME_DIR not defined (consider using --machine=@.host +--user to connect to bus of other user) + +avc: denied { connectto } for pid=293 comm="login" +path="/run/systemd/userdb/io.systemd.Multiplexer" +scontext=system_u:system_r:local_login_t +tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket +permissive=0 + +avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn" +dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t +tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file +permissive=0 + +avc: denied { read } for pid=293 comm="login" +name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43 +scontext=system_u:system_r:local_login_t +tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file +permissive=0 + +avc: denied { connectto } for pid=244 comm="systemd-logind" +path="/run/systemd/userdb/io.systemd.Multiplexer" +scontext=system_u:system_r:systemd_logind_t +tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket +permissive=0 + +avc: denied { read } for pid=244 comm="systemd-logind" +name="io.systemd.DropIn" dev="tmpfs" ino=44 +scontext=system_u:system_r:systemd_logind_t +tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file +permissive=0 + +avc: denied { read } for pid=244 comm="systemd-logind" +name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43 +scontext=system_u:system_r:systemd_logind_t +tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file +permissive=0 + +avc: denied { mknod } for pid=297 comm="systemd" capability=27 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 + +avc: denied { setrlimit } for 
pid=297 comm="systemd" +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0 + +avc: denied { bpf } for pid=297 comm="systemd" capability=39 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 + +avc: denied { sys_admin } for pid=297 comm="systemd" capability=21 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 + +avc: denied { perfmon } for pid=297 comm="systemd" capability=38 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 + +avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda" +ino=173 scontext=root:sysadm_r:sysadm_systemd_t +tcontext=system_u:object_r:etc_t tclass=dir permissive=0 + +avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda" +ino=2 scontext=root:sysadm_r:sysadm_systemd_t +tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 + +avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc" +ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t +tcontext=system_u:object_r:proc_net_t tclass=file permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/roles/sysadm.te | 2 ++ + policy/modules/system/init.if | 1 + + policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++- + 3 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 46d3e2f0b..e1933a5bd 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -92,6 +92,8 @@ ifdef(`init_systemd',` + # Allow sysadm to query and set networking settings on the system. 
+ systemd_dbus_chat_networkd(sysadm_t) + fs_read_nsfs_files(sysadm_t) ++ ++ systemd_sysadm_user(sysadm_t) + ') + + tunable_policy(`allow_ptrace',` +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index 0171ee299..8ca29f654 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',` + ') + + allow $1 init_t:unix_stream_socket connectto; ++ allow $1 initrc_t:unix_stream_socket connectto; + ') + + ######################################## +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 38adf050c..5c44d8d8a 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -57,7 +57,7 @@ template(`systemd_role_template',` + allow $1_systemd_t self:process { getsched signal }; + allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms }; ++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure }; + corecmd_shell_domtrans($1_systemd_t, $3) + corecmd_bin_domtrans($1_systemd_t, $3) + +@@ -88,8 +88,11 @@ template(`systemd_role_template',` + + fs_manage_cgroup_files($1_systemd_t) + fs_watch_cgroup_files($1_systemd_t) ++ files_watch_etc_dirs($1_systemd_t) ++ fs_getattr_xattr_fs($1_systemd_t) + + kernel_dontaudit_getattr_proc($1_systemd_t) ++ kernel_read_network_state($1_systemd_t) + + selinux_use_status_page($1_systemd_t) + +@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', ` + init_search_runtime($1) + allow $1 systemd_userdb_runtime_t:dir list_dir_perms; + allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms; ++ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms; + init_unix_stream_socket_connectto($1) + ') + +@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', 
` + allow $1 systemd_machined_t:fd use; + allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; + ') ++ ++######################################### ++##

++## sysadm user for systemd --user ++## ++## ++## ++## Role allowed access. ++## ++## ++# ++interface(`systemd_sysadm_user',` ++ gen_require(` ++ type sysadm_systemd_t; ++ ') ++ ++ allow sysadm_systemd_t self:capability { mknod sys_admin }; ++ allow sysadm_systemd_t self:capability2 { bpf perfmon }; ++ allow sysadm_systemd_t self:process setrlimit; ++ allow $1 sysadm_systemd_t:system reload; ++') +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch deleted file mode 100644 index 408df05..0000000 --- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch +++ /dev/null 
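Review bot: The line `allow $1 initrc_t:unix_stream_socket connectto;` added inside `init_unix_stream_socket_connectto` in init.if widens every existing caller of that interface to initrc_t stream sockets, while the quoted denials only show the userdb multiplexer socket, which is reached through `systemd_stream_connect_userdb`. A narrower fix is to grant the initrc_t connect from `systemd_stream_connect_userdb` itself, next to the new `lnk_file read_lnk_file_perms` rule, via whichever init interface refpolicy already provides for initrc_t sockets, or at least to extend the interface summary so callers know it now covers initrc_t as well as init_t. In the new `systemd_sysadm_user` interface, `sys_admin`, `mknod`, `bpf` and `perfmon` are granted to sysadm_systemd_t with no comment; the denials identify them by capability number only, so a one-line comment above each allow naming the systemd --user operation that needs it would make later audits easier. The documentation block of the new interface appears to have lost its XML tags in this rendering; check that the on-disk file carries the `<summary>` and `<param>` elements refpolicy's doc tooling expects.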
@@ -1,63 +0,0 @@ -From 40101e4da939fcea2eebe3e4800d0de4e551ca26 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 1 Jul 2020 08:44:07 +0800 -Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create - directory with label rpcbind_runtime_t - -* Allow rpcbind_t to create directory with label rpcbind_runtime_t -* Set context for nfsserver and nfscommon - -Fixes: -avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind" -scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/rpc.fc | 2 ++ - policy/modules/services/rpcbind.te | 5 +++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc -index 88d2acaf0..d9c0a4aa7 100644 ---- a/policy/modules/services/rpc.fc -+++ b/policy/modules/services/rpc.fc -@@ -1,7 +1,9 @@ - /etc/exports -- gen_context(system_u:object_r:exports_t,s0) - - /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - - /usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 370c9bce6..8972980fa 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -25,16 +25,17 @@ files_type(rpcbind_var_lib_t) - # Local policy - # - --allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config 
chown }; - # net_admin is for SO_SNDBUFFORCE - dontaudit rpcbind_t self:capability net_admin; - allow rpcbind_t self:fifo_file rw_fifo_file_perms; - allow rpcbind_t self:unix_stream_socket { accept listen }; - allow rpcbind_t self:tcp_socket { accept listen }; - -+manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) - manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) - manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t) --files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file }) -+files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file dir }) - - manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) - manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch new file mode 100644 index 0000000..504e028 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch 
@@ -0,0 +1,132 @@ +From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 24 Sep 2020 14:05:52 +0800 +Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge + separation for dhcpcd + +Fixes: + +avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability +permissive=0 + +avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability +permissive=0 + +avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability +permissive=0 + +avc: denied { setrlimit } for pid=332 comm="dhcpcd" +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process +permissive=0 + +avc: denied { create } for pid=330 comm="dhcpcd" +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tclass=netlink_kobject_uevent_socket permissive=0 + +avc: denied { setopt } for pid=330 comm="dhcpcd" +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tclass=netlink_kobject_uevent_socket permissive=0 + +avc: denied { bind } for pid=330 comm="dhcpcd" +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tclass=netlink_kobject_uevent_socket permissive=0 + +avc: denied { getattr } for pid=330 comm="dhcpcd" +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tclass=netlink_kobject_uevent_socket permissive=0 + +avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs" +ino=15616 
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 + +avc: denied { open } for pid=330 comm="dhcpcd" +path="/run/udev/data/n1" dev="tmpfs" ino=15616 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 + +avc: denied { getattr } for pid=330 comm="dhcpcd" +path="/run/udev/data/n1" dev="tmpfs" ino=15616 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 + +avc: denied { connectto } for pid=1600 comm="dhcpcd" +path="/run/dhcpcd/unpriv.sock" +scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tclass=unix_stream_socket permissive=0 + +avc: denied { kill } for pid=314 comm="dhcpcd" capability=5 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability +permissive=0 + +avc: denied { getattr } for pid=300 comm="dhcpcd" +path="net:[4026532008]" dev="nsfs" ino=4026532008 +scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/sysnetwork.te | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index 4c317cc4c..05a9a52b8 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -58,10 +58,11 @@ ifdef(`distro_debian',` + # DHCP client local policy + # + allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config }; ++allow dhcpc_t self:capability { setgid setuid sys_chroot kill }; + dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config }; + # for access("/etc/bashrc", X_OK) on Red 
Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; ++allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit }; + + allow dhcpc_t self:fifo_file rw_fifo_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; +@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms; + allow dhcpc_t self:packet_socket create_socket_perms; + allow dhcpc_t self:netlink_generic_socket create_socket_perms; + allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; ++allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; + allow dhcpc_t self:rawip_socket create_socket_perms; + allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow dhcpc_t self:unix_stream_socket connectto; + + allow dhcpc_t dhcp_etc_t:dir list_dir_perms; + read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t) + fs_getattr_all_fs(dhcpc_t) + fs_search_auto_mountpoints(dhcpc_t) + fs_search_cgroup_dirs(dhcpc_t) ++fs_read_nsfs_files(dhcpc_t) + + term_dontaudit_use_all_ttys(dhcpc_t) + term_dontaudit_use_all_ptys(dhcpc_t) +@@ -181,6 +185,7 @@ ifdef(`init_systemd',` + init_stream_connect(dhcpc_t) + init_get_all_units_status(dhcpc_t) + init_search_units(dhcpc_t) ++ udev_read_runtime_files(dhcpc_t) + ') + + optional_policy(` +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch deleted file mode 100644 index 7bd1402..0000000 --- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rngd-fix-security-context-fo.patch +++ /dev/null 
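Review bot: The new line `allow dhcpc_t self:capability { setgid setuid sys_chroot kill };` sits directly under the existing `allow dhcpc_t self:capability { ... }` rule in sysnetwork.te; SELinux merges the two, but a reader now has to combine two statements to see the domain's full capability set. Folding the four new capabilities into the existing sorted set, `allow dhcpc_t self:capability { dac_override fsetid kill net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };`, keeps one rule per class as the rest of the file does. Since setuid, setgid and sys_chroot are what the privilege-separated dhcpcd child uses to drop privileges, a comment such as `# dhcpcd privilege separation: chroot and drop to the unprivileged user` above the rule records why a client daemon holds them. `udev_read_runtime_files(dhcpc_t)` is added inside the `ifdef(init_systemd)` block, but the /run/udev/data denials quoted in the message do not obviously depend on systemd; confirm that placement is intended. The Subject line spells `priviledge`; it should read `privilege`.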
@@ -1,65 +0,0 @@ -From 5dbfff582a9c7745f8517adefb27c5f90653f8fa Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Wed, 25 May 2016 03:16:24 -0400 -Subject: [PATCH] policy/modules/services/rngd: fix security context for - rng-tools - -* Fix security context for /etc/init.d/rng-tools -* Allow rngd_t to read sysfs - -Fixes: -avc: denied { read } for pid=355 comm="rngd" name="cpu" dev="sysfs" -ino=36 scontext=system_u:system_r:rngd_t -tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1 - -avc: denied { getsched } for pid=355 comm="rngd" -scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t -tclass=process permissive=1 - -avc: denied { setsched } for pid=355 comm="rngd" -scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t -tclass=process permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/services/rngd.fc | 1 + - policy/modules/services/rngd.te | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc -index 382c067f9..0ecc5acc4 100644 ---- a/policy/modules/services/rngd.fc -+++ b/policy/modules/services/rngd.fc -@@ -1,4 +1,5 @@ - /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) - - /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) - -diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te -index 4540e4ec7..48f08fb48 100644 ---- a/policy/modules/services/rngd.te -+++ b/policy/modules/services/rngd.te -@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t) - # - - allow rngd_t self:capability { ipc_lock sys_admin }; --allow rngd_t self:process signal; -+allow rngd_t self:process { signal getsched setsched }; - allow rngd_t self:fifo_file rw_fifo_file_perms; - allow rngd_t self:unix_stream_socket { accept listen }; 
- -@@ -34,6 +34,7 @@ dev_read_rand(rngd_t) - dev_read_urand(rngd_t) - dev_rw_tpm(rngd_t) - dev_write_rand(rngd_t) -+dev_read_sysfs(rngd_t) - - files_read_etc_files(rngd_t) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch new file mode 100644 index 0000000..2f94974 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch @@ -0,0 +1,34 @@ +From 8343ff97a265836ba1e1e2f4159f888c21e5cabe Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 9 Feb 2021 17:31:55 +0800 +Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys + +Fixes: +kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13) + +avc: denied { write } for pid=219 comm="modprobe" +scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t +tclass=key permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/modutils.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index 5b4f0aca1..008f286a8 100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -42,6 +42,7 @@ allow kmod_t self:udp_socket create_socket_perms; + allow kmod_t self:rawip_socket create_socket_perms; + + allow kmod_t self:lockdown confidentiality; ++allow kmod_t self:key write; + + # Read module config and dependency information + list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch deleted file mode 100644 index 4b7e2b5..0000000 
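Review bot: The new rule `allow kmod_t self:key write;` in modutils.te is added without a comment, although the surrounding file annotates its rule groups (`# Read module config and dependency information`) and the reason here is non-obvious: the commit message ties it to `cfg80211: Problem loading in-kernel X.509 certificate (-13)`. A comment such as `# cfg80211 loads an in-kernel X.509 certificate while modprobe runs; fails with -13 (EACCES) without key write` keeps that context next to the rule. The grant is limited to keys owned by kmod_t itself (`self`), which matches the quoted denial, so no broader keyring access is introduced.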
--- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch +++ /dev/null @@ -1,34 +0,0 @@ -From be61411d6d7d3bb2c700ec24f42661ce9c728df4 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 29 Jan 2021 10:32:00 +0800 -Subject: [PATCH] policy/modules/services/ssh: allow ssh_keygen_t to read - proc_t - -Fixes: -avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems" -dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t -tcontext=system_u:object_r:proc_t tclass=file permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ssh.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 238c45ed8..2bbf50e84 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -330,6 +330,8 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; - -+allow ssh_keygen_t proc_t:file read_file_perms; -+ - allow ssh_keygen_t sshd_key_t:file manage_file_perms; - files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch new file mode 100644 index 0000000..49aa7a6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-system-systemd-allow-systemd_logind_t.patch 
@@ -0,0 +1,43 @@ +From 4e2df7ca542b6c94e74345daaecb33efc82d749a Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Sat, 18 Dec 2021 09:26:43 +0800 +Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read + the process state of all domains + +We encountered the following su runtime error: +$ useradd user1 +$ passwd user1 +New password: +Retype new password: +passwd: password updated successfully +$ su - user1 +Session terminated, terminating shell...Hangup + +Fixes: +avc: denied { use } for pid=344 comm="su" +path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661 +scontext=root:sysadm_r:sysadm_su_t +tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 847895e63..1a83148c1 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -721,6 +721,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) + userdom_relabelto_user_runtime_dirs(systemd_logind_t) + userdom_setattr_user_ttys(systemd_logind_t) + userdom_use_user_ttys(systemd_logind_t) ++domain_read_all_domains_state(systemd_logind_t) + + # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x + # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch deleted file mode 100644 index fd8d527..0000000 --- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-services-ssh-make-respective-init-scr.patch +++ /dev/null 
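Review bot: The rule `domain_read_all_domains_state(systemd_logind_t)` in systemd.te does not match the denial quoted above it: the denied subject is sysadm_su_t using an fd owned by systemd_logind_t (`tclass=fd`), whereas the new rule makes systemd_logind_t the subject and grants it read access to the /proc state of every domain. If the rule cures the `su - user1` hang because logind has to read the calling process's /proc entries before it can set up the session, the commit message should say so, since that mechanism cannot be derived from the quoted AVC; otherwise the fd denial still needs its own rule for sysadm_su_t. This interface is also a wide grant (in refpolicy it covers the per-process /proc files of all domains), so check whether a narrower one such as `domain_getattr_all_domains`, if it satisfies the need, is enough. Placement-wise the line lands after the `userdom_*` calls, while the surrounding block is ordered by module prefix, so a `domain_*` call belongs earlier in the file.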
@@ -1,33 +0,0 @@ -From 20e6395a7e8bce552fb0190dbc57d836d763fc18 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Sun, 28 Jun 2020 16:14:45 +0800 -Subject: [PATCH] policy/modules/services/ssh: make respective init scripts - create pid dirs with proper contexts - -Fix sshd starup failure. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/ssh.te | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2bbf50e84..ad0a1b7ad 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -80,9 +80,7 @@ userdom_user_home_content(ssh_home_t) - type sshd_keytab_t; - files_type(sshd_keytab_t) - --ifdef(`distro_debian',` -- init_daemon_runtime_file(sshd_runtime_t, dir, "sshd") --') -+init_daemon_runtime_file(sshd_runtime_t, dir, "sshd") - - ############################## - # --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch new file mode 100644 index 0000000..4cae8c6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch 
@@ -0,0 +1,35 @@ +From 705008ba8ef960cf2e4813b4b8c5a87b919d545f Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Sat, 15 Feb 2014 04:22:47 -0500 +Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted + for writing to processes up to its clearance + +Fixes: +avc: denied { setsched } for pid=148 comm="mount" +scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process +permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signen-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/mount.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index e39ab41a8..3481f9294 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -116,6 +116,7 @@ fs_dontaudit_write_all_image_files(mount_t) + + mls_file_read_all_levels(mount_t) + mls_file_write_all_levels(mount_t) ++mls_process_write_to_clearance(mount_t) + + selinux_get_enforce_mode(mount_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch deleted file mode 100644 index cafdd61..0000000 --- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch +++ /dev/null 
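Review bot: The denial that justifies `mls_process_write_to_clearance(mount_t)` in mount.te was recorded with `permissive=1`, so the patch gives no evidence that mount actually fails in enforcing mode, and the rule makes mount_t MLS-trusted for writes to every process up to its clearance rather than just the one `setsched` on kernel_t. Before carrying it, confirm the failure reproduces under enforcing mode; if `setsched` on kernel_t is the only need and its type-enforcement rule already exists, a comment above the rule such as `# setsched on kernel_t (s15) from mount_t (s0-s15) is blocked only by the MLS constraint` records why the MLS exception is there. The trailer reads `Signen-off-by: Wenzong Fan`; it should be `Signed-off-by` so tooling that checks DCO trailers recognises it.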
@@ -1,31 +0,0 @@ -From f0249cb5802af7f9113786940d0c49e786f774ae Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Mon, 29 Jun 2020 14:27:02 +0800 -Subject: [PATCH] policy/modules/kernel/terminal: allow loging to reset tty - perms - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/terminal.if | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index e8c0735eb..9ccecfa0d 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -119,9 +119,7 @@ interface(`term_user_tty',` - - # Debian login is from shadow utils and does not allow resetting the perms. - # have to fix this! -- ifdef(`distro_debian',` -- type_change $1 ttynode:chr_file $2; -- ') -+ type_change $1 ttynode:chr_file $2; - - tunable_policy(`console_login',` - # When user logs in from /dev/console, relabel it --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch new file mode 100644 index 0000000..86317b3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch 
@@ -0,0 +1,40 @@ +From ef2b9196f3a51745a3644489d316bda7cd67f72d Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Mon, 28 Jan 2019 14:05:18 +0800 +Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance + +The two new rules make sysadm_t domain MLS trusted for: + - reading from files at all levels. + - writing to processes up to its clearance(s0-s15). + +With default MLS policy, root user would login in as sysadm_t:s0 by +default. Most processes will run in sysadm_t:s0 because no +domtrans/rangetrans rules, as a result, even root could not access +high level files/processes. + +So with the two new rules, root user could work easier in MLS policy. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Yi Zhao +--- + policy/modules/roles/sysadm.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index e1933a5bd..0682ed31a 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -44,6 +44,8 @@ logging_watch_all_logs(sysadm_t) + logging_watch_audit_log(sysadm_t) + + mls_process_read_all_levels(sysadm_t) ++mls_file_read_all_levels(sysadm_t) ++mls_process_write_to_clearance(sysadm_t) + + selinux_read_policy(sysadm_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch new file mode 100644 index 0000000..f659e7e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch 
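Review bot: The two new rules in sysadm.te are asymmetric in a way the description does not explain: `mls_process_write_to_clearance(sysadm_t)` is bounded by the sysadm clearance, but `mls_file_read_all_levels(sysadm_t)` lets sysadm_t read files at every MLS level regardless of its own range, which goes beyond the stated goal of letting root reach "high level files/processes" within s0-s15. If clearance is the intended bound, `mls_file_read_to_clearance(sysadm_t)` matches the process rule and the form the sibling dmesg patch uses; if reading at all levels is really required, the commit message should say why. A comment above the pair stating the clearance assumption (the message says root logs in as sysadm_t:s0 with range s0-s15) would help the next person who audits MLS exceptions.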
@@ -0,0 +1,48 @@ +From 18ad027229a06fdcb833482dff0c2ae637d08e78 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 12:01:53 +0800 +Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted + for reading from files up to its clearance + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/kernel.te | 2 ++ + policy/modules/services/rpcbind.te | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index ca951cb44..a32c59eb1 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t) + mls_process_write_all_levels(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_use_all_levels(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index e1eb7d5fc..da0994749 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t) + + miscfiles_read_localization(rpcbind_t) + ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because the are running in different level. So add rules to allow this. ++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) ++ + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) + ') +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch deleted file mode 100644 index 54dd451..0000000 
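Review bot: The subject says this patch makes nfsd_t MLS-trusted, but no nfsd_t rule appears in the hunk: the changes add `mls_socket_write_all_levels` and `mls_fd_use_all_levels` to kernel_t in kernel.te and `mls_socket_read_all_levels` and `mls_socket_write_all_levels` to rpcbind_t in rpcbind.te. Either the title should describe what is actually changed, or the description should explain the link, presumably that nfsd's kernel threads run as kernel_t so trusting kernel_t is the route to trusting nfsd. Unlike the neighbouring patches no AVC denial is quoted, so a reviewer cannot judge whether the `_all_levels` variants are needed or whether rpcbind_t, a network-facing daemon, would be served by a to-clearance form. The comment `# because the are running in different level.` has a typo; `# because they run at different levels.` reads better.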
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 74f611538d63cdf4157e6b5f4b982cafe0378b9a Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Mon, 29 Jun 2020 14:30:58 +0800 -Subject: [PATCH] policy/modules/system/selinuxutil: allow semanage_t to read - /var/lib - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/selinuxutil.te | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 8f8f42ec7..a505b3987 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -549,10 +549,8 @@ userdom_map_user_home_content_files(semanage_t) - userdom_read_user_tmp_files(semanage_t) - userdom_map_user_tmp_files(semanage_t) - --ifdef(`distro_debian',` -- files_read_var_lib_files(semanage_t) -- files_read_var_lib_symlinks(semanage_t) --') -+files_read_var_lib_files(semanage_t) -+files_read_var_lib_symlinks(semanage_t) - - ifdef(`distro_ubuntu',` - optional_policy(` --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch new file mode 100644 index 0000000..ace056a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch 
@@ -0,0 +1,36 @@ +From b41a910654f5c5fe198b1695df18b6f6a1af7904 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 30 Jun 2020 10:18:20 +0800 +Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading + from files up to its clearance + +Fixes: +avc: denied { read } for pid=255 comm="dmesg" name="kmsg" +dev="devtmpfs" ino=10032 +scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/dmesg.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index f3421fdbb..d87ee5583 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t) + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) + userdom_use_user_terminals(dmesg_t) + ++mls_file_read_to_clearance(dmesg_t) ++ + optional_policy(` + seutil_sigchld_newrole(dmesg_t) + ') +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch deleted file mode 100644 index ae1d71a..0000000 --- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-enable-support-for-sys.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From c2a6ad9b4eee990b79175ec1866cfe20b7c61ef3 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 4 Feb 2016 06:03:19 -0500 -Subject: [PATCH] policy/modules/system/systemd: enable support for - systemd-tmpfiles to manage all non-security files - -Fixes: -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/log": Permission denied -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/volatile/tmp": Permission denied -systemd-tmpfiles[137]: Failed to create directory or subvolume "/var/log/audit": Permission denied - -avc: denied { write } for pid=137 comm="systemd-tmpfile" name="/" -dev="tmpfs" ino=12400 scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 - -avc: denied { read } for pid=137 comm="systemd-tmpfile" name="dbus" -dev="vda" ino=12363 scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=dir -permissive=0 - -avc: denied { relabelfrom } for pid=137 comm="systemd-tmpfile" -name="log" dev="vda" ino=14129 -scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 - -avc: denied { create } for pid=137 comm="systemd-tmpfile" -name="audit" scontext=system_u:system_r:systemd_tmpfiles_t -tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 2e08efd19..7da836136 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -10,7 +10,7 @@ policy_module(systemd, 1.11.1) - ## Enable support for systemd-tmpfiles to manage all non-security files. - ##

- ##
--gen_tunable(systemd_tmpfiles_manage_all, false) -+gen_tunable(systemd_tmpfiles_manage_all, true) - - ## - ##

-@@ -1332,6 +1332,10 @@ files_relabelfrom_home(systemd_tmpfiles_t) - files_relabelto_home(systemd_tmpfiles_t) - files_relabelto_etc_dirs(systemd_tmpfiles_t) - files_setattr_lock_dirs(systemd_tmpfiles_t) -+ -+files_manage_non_auth_files(systemd_tmpfiles_t) -+files_relabel_non_auth_files(systemd_tmpfiles_t) -+ - # for /etc/mtab - files_manage_etc_symlinks(systemd_tmpfiles_t) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch new file mode 100644 index 0000000..8b9f98c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch 
@@ -0,0 +1,76 @@ +From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Fri, 13 Oct 2017 07:20:40 +0000 +Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for + lowering the level of files + +The boot process hangs with the error while using MLS policy: + + [!!!!!!] Failed to mount API filesystems, freezing. + [ 4.085349] systemd[1]: Freezing execution. + +Make kernel_t mls trusted for lowering the level of files to fix below +avc denials and remove the hang issue. + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ + newcontext=system_u:object_r:device_t:s0 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted + + avc: denied { create } for pid=1 comm="systemd" name="shm" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 + systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory + + avc: denied { create } for pid=1 comm="systemd" name="pts" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0 + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:unlabeled_t:s0 \ + newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ + newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ + newcontext=system_u:object_r:cgroup_t:s0 \ + 
taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted + + avc: denied { create } for pid=1 comm="systemd" name="pstore" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0 + +Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/kernel.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index a32c59eb1..1c53754ee 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) + mls_socket_write_all_levels(kernel_t) + mls_fd_use_all_levels(kernel_t) ++# https://bugzilla.redhat.com/show_bug.cgi?id=667370 ++mls_file_downgrade(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch deleted file mode 100644 index a0dc9f2..0000000 --- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch +++ /dev/null 
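Review bot: The comment added above `mls_file_downgrade(kernel_t)` is only the Bugzilla URL, so a reader of kernel.te cannot tell why the kernel domain needs to lower file levels without following the link. The denials in the message show pid 1 (systemd, still in kernel_t) relabelling /dev, /run and /sys/fs/cgroup from the systemhigh level down to s0, which is the actual rationale; suggest `# pid 1 runs as kernel_t while it relabels /dev, /run and /sys/fs/cgroup from systemhigh to s0 (security_validate_transition denials)` above the existing URL line. The `index a32c59eb1..` line presupposes the kernel.te hunk of the rpc patch earlier in the series, so these two patches must stay in order.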
@@ -1,69 +0,0 @@ -From 8e762e1070e98a4235a70536ee6ca81725858a4b Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Mon, 25 Jan 2021 14:14:59 +0800 -Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup - failures - -* Allow systemd_resolved_t to create socket file -* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link - files -* Allow systemd_resolved_t to send and recevie messages from dhcpc over - dbus - -Fixes: -avc: denied { create } for pid=258 comm="systemd-resolve" -name="io.systemd.Resolve" -scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 -tclass=sock_file permissive=0 - -avc: denied { create } for pid=329 comm="systemd-resolve" -name=".#stub-resolv.conf53cb7f9d1e3aa72b" -scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file -permissive=0 - -avc: denied { send_msg } for msgtype=method_call -interface=org.freedesktop.resolve1.Manager member=RevertLink -dest=org.freedesktop.resolve1 spid=340 tpid=345 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 -tclass=dbus permissive=0 - -avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345 -tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus -permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7da836136..0411729ea 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1164,6 +1164,8 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; - - manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, 
systemd_resolved_runtime_t) - manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) -+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) -+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) - init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) - - dev_read_sysfs(systemd_resolved_t) -@@ -1194,6 +1196,8 @@ seutil_read_file_contexts(systemd_resolved_t) - systemd_log_parse_environment(systemd_resolved_t) - systemd_read_networkd_runtime(systemd_resolved_t) - -+sysnet_dbus_chat_dhcpc(systemd_resolved_t) -+ - optional_policy(` - dbus_connect_system_bus(systemd_resolved_t) - dbus_system_bus_client(systemd_resolved_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch deleted file mode 100644 index f7758c5..0000000 --- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 3 Feb 2021 09:47:59 +0800 -Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon - for init_t - -Fixes: -avc: denied { bpf } for pid=1 comm="systemd" capability=39 -scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t -tclass=capability2 permissive=0 -avc: denied { perfmon } for pid=1 comm="systemd" capability=38 -scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t -tclass=capability2 permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/init.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index e82177938..b7d494398 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -134,7 +134,7 @@ ifdef(`enable_mls',` - - # Use capabilities. old rule: - allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; --allow init_t self:capability2 { wake_alarm block_suspend }; -+allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon }; - # is ~sys_module really needed? observed: - # sys_boot - # sys_tty_config --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch new file mode 100644 index 0000000..b4da47d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch 
@@ -0,0 +1,46 @@ +From 7bcc117ea39532427df297299c10ca1d2948a70c Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Fri, 15 Jan 2016 03:47:05 -0500 +Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for + lowering/raising the leve of files + +Fix security_validate_transition issues: + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ + newcontext=system_u:object_r:device_t:s0 \ + taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:var_run_t:s0 \ + newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/init.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 932d1f7b3..36becaa6e 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -219,6 +219,10 @@ mls_process_write_all_levels(init_t) + mls_fd_use_all_levels(init_t) + mls_process_set_level(init_t) + ++# MLS trusted for lowering/raising the level of files ++mls_file_downgrade(init_t) ++mls_file_upgrade(init_t) ++ + # the following one is needed for libselinux:is_selinux_enabled() + # otherwise the call fails and sysvinit tries to load the policy + # again when using the initramfs +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch deleted file mode 100644 index aa49ac7..0000000 --- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-allow-systemd_logind_t.patch +++ /dev/null 
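Review bot: The Subject line has a typo, `leve` for `level`; this text becomes the patch header and shows up in the recipe's patch list, so it is worth fixing before it is carried through more rebases. The added comment `# MLS trusted for lowering/raising the level of files` only restates the interface names; a comment naming the trigger is more useful to the next maintainer, e.g. `# init relabels /dev and /var/run between s0 and systemhigh at boot (security_validate_transition denials)`.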
@@ -1,37 +0,0 @@ -From 5db5b20728dff6c5e75dc07ea4feb6c507661b62 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 8 Jul 2020 13:53:28 +0800 -Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to - watch initrc_runtime_t - -Fixes: -avc: denied { watch } for pid=200 comm="systemd-logind" -path="/run/utmp" dev="tmpfs" ino=12766 -scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0 - -systemd-logind[200]: Failed to create inotify watch on /var/run/utmp, ignoring: Permission denied - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 0411729ea..2d9d7d331 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -651,6 +651,8 @@ init_stop_all_units(systemd_logind_t) - init_start_system(systemd_logind_t) - init_stop_system(systemd_logind_t) - -+allow systemd_logind_t initrc_runtime_t:file watch; -+ - locallogin_read_state(systemd_logind_t) - - seutil_libselinux_linked(systemd_logind_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch new file mode 100644 index 0000000..4b768e0 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch 
@@ -0,0 +1,63 @@ +From d965e6a02854a07c4783cf33e95bf3c7cf9f56f1 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 4 Feb 2016 06:03:19 -0500 +Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain + MLS trusted for raising/lowering the level of files + +Fixes: + avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \ + dev="proc" ino=7987 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + + avc: denied { search } for pid=92 comm="systemd-tmpfile" \ + name="journal" dev="tmpfs" ino=8226 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \ + tclass=dir + + avc: denied { write } for pid=92 comm="systemd-tmpfile" \ + name="kmsg" dev="devtmpfs" ino=7242 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \ + tclass=chr_file + + avc: denied { read } for pid=92 comm="systemd-tmpfile" \ + name="kmod.conf" dev="tmpfs" ino=8660 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:var_run_t:s0 \ + tclass=file + + avc: denied { search } for pid=92 comm="systemd-tmpfile" \ + name="kernel" dev="proc" ino=8731 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 1a83148c1..736107fad 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1483,6 +1483,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) + + systemd_log_parse_environment(systemd_tmpfiles_t) + 
++mls_file_write_all_levels(systemd_tmpfiles_t) ++mls_file_read_all_levels(systemd_tmpfiles_t) ++mls_file_downgrade(systemd_tmpfiles_t) ++mls_file_upgrade(systemd_tmpfiles_t) ++ + userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) + userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch deleted file mode 100644 index a4b387a..0000000 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch +++ /dev/null 
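Review bot: The grant is wider than the Subject describes and than the sibling patches use: besides `mls_file_downgrade`/`mls_file_upgrade`, systemd_tmpfiles_t also gets `mls_file_read_all_levels` and `mls_file_write_all_levels`, while the dmesg and systemd_*_t patches in this same series (0049, 0053) use the narrower `mls_file_read_to_clearance`/`mls_file_write_to_clearance`. The listed denials are all for a process at s0-s15:c0.c1023 touching objects at s15:c0.c1023 or s0, which the to-clearance variants appear to cover; if the all-levels variants are genuinely needed, the commit message should say why. Suggested change: `mls_file_read_to_clearance(systemd_tmpfiles_t)` and `mls_file_write_to_clearance(systemd_tmpfiles_t)` in place of the two all-levels lines, with a comment above naming the kmsg and journal denials they resolve.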
@@ -1,86 +0,0 @@ -From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 14 May 2019 16:02:19 +0800 -Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink - /dev/log - -* Set labe devlog_t to symlink /dev/log -* Allow syslogd_t to manage devlog_t link file - -Fixes: -avc: denied { unlink } for pid=250 comm="rsyslogd" name="log" -dev="devtmpfs" ino=10997 -scontext=system_u:system_r:syslogd_t:s15:c0.c1023 -tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.fc | 2 ++ - policy/modules/system/logging.if | 4 ++++ - policy/modules/system/logging.te | 1 + - 3 files changed, 7 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index a4ecd570a..02f0b6270 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -1,4 +1,5 @@ - /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) -+/dev/log -l gen_context(system_u:object_r:devlog_t,s0) - - /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) -@@ -24,6 +25,7 @@ - /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) - /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) -+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) - /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 9bb3afdb2..7233a108c 100644 ---- 
a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',` - ') - - allow $1 devlog_t:sock_file write_sock_file_perms; -+ allow $1 devlog_t:lnk_file read_lnk_file_perms; - - # systemd journal socket is in /run/systemd/journal/dev-log - init_search_run($1) -@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',` - ') - - allow $1 devlog_t:sock_file relabelto_sock_file_perms; -+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; - ') - - ######################################## -@@ -741,6 +743,8 @@ interface(`logging_create_devlog',` - - allow $1 devlog_t:sock_file manage_sock_file_perms; - dev_filetrans($1, devlog_t, sock_file) -+ allow $1 devlog_t:lnk_file manage_lnk_file_perms; -+ dev_filetrans($1, devlog_t, lnk_file) - init_runtime_filetrans($1, devlog_t, sock_file, "syslog") - ') - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b3254f63..d864cfd3d 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms; - - # Create and bind to /dev/log or /var/run/log. - allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms; - files_runtime_filetrans(syslogd_t, devlog_t, sock_file) - init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch new file mode 100644 index 0000000..60f7dae --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-systemd-systemd-make-systemd_-.patch 
@@ -0,0 +1,91 @@ +From 71986d0c6775408a1c89415dd5d4e7ea03302248 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 18 Jun 2020 09:59:58 +0800 +Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t + MLS trusted for writing/reading from files up to its clearance + +Fixes: +audit: type=1400 audit(1592892455.376:3): avc: denied { write } for +pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +audit: type=1400 audit(1592892455.381:4): avc: denied { write } for +pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb" +dev="devtmpfs" ino=42 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 +tclass=blk_file permissive=0 + +avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg" +dev="devtmpfs" ino=2060 +scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg" +dev="devtmpfs" ino=3081 +scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.te | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 736107fad..8cea6baa1 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -341,6 +341,9 @@ 
fs_getattr_tmpfs(systemd_backlight_t) + fs_search_cgroup_dirs(systemd_backlight_t) + fs_getattr_cgroup(systemd_backlight_t) + ++mls_file_read_to_clearance(systemd_backlight_t) ++mls_file_write_to_clearance(systemd_backlight_t) ++ + ####################################### + # + # Binfmt local policy +@@ -479,6 +482,9 @@ term_use_unallocated_ttys(systemd_generator_t) + + udev_search_runtime(systemd_generator_t) + ++mls_file_read_to_clearance(systemd_generator_t) ++mls_file_write_to_clearance(systemd_generator_t) ++ + ifdef(`distro_gentoo',` + corecmd_shell_entry_type(systemd_generator_t) + ') +@@ -723,6 +729,9 @@ userdom_setattr_user_ttys(systemd_logind_t) + userdom_use_user_ttys(systemd_logind_t) + domain_read_all_domains_state(systemd_logind_t) + ++mls_file_read_to_clearance(systemd_logind_t) ++mls_file_write_to_clearance(systemd_logind_t) ++ + # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x + # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 + # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context +@@ -1204,6 +1213,9 @@ fs_getattr_tmpfs(systemd_rfkill_t) + fs_search_cgroup_dirs(systemd_rfkill_t) + fs_getattr_cgroup(systemd_rfkill_t) + ++mls_file_read_to_clearance(systemd_rfkill_t) ++mls_file_write_to_clearance(systemd_rfkill_t) ++ + ######################################### + # + # Resolved local policy +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch new file mode 100644 index 0000000..75be11d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch 
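Review bot: The `systemd_logind_t` hunk has no matching denial in the commit message, which lists only systemd_generator_t, systemd_rfkill_t and systemd_backlight_t; either add the denial that motivates it or drop that hunk so the patch stays traceable to observed AVCs. Likewise `mls_file_read_to_clearance` is granted to rfkill_t and backlight_t although only write denials on kmsg are shown for them. A one-line comment above each pair would make the intent clear, e.g. `# /dev/kmsg is labelled systemhigh while this domain runs at s0-s15`.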
@@ -0,0 +1,37 @@ +From 511f7fdad45a150f7ea3666eb51463573eabab0a Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted + object + +We add the syslogd_t to trusted object, because other process need +to have the right to connectto/sendto /dev/log. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Roy.Li +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 5b4b5ec5d..e67c25a9e 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -498,6 +498,10 @@ fs_search_auto_mountpoints(syslogd_t) + fs_search_tmpfs(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_file_read_all_levels(syslogd_t) ++mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram ++mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log ++mls_fd_use_all_levels(syslogd_t) + + term_write_console(syslogd_t) + # Allow syslog to a terminal +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch deleted file mode 100644 index f7abefb..0000000 --- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch +++ /dev/null 
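Review bot: Two of the four added rules, `mls_file_read_all_levels(syslogd_t)` and `mls_fd_use_all_levels(syslogd_t)`, are justified neither in the commit message (which explains only the trusted-object change) nor by an inline comment, unlike the neighbouring lines. Each MLS bypass should carry its reason; add a comment above each naming the denial it resolves (as the existing `# Need to be able to sendto dgram` does), or drop them if no denial required them. The existing comment should also read `# Other processes need to be able to connectto/sendto /dev/log`.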
@@ -1,189 +0,0 @@ -From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Thu, 4 Feb 2021 10:48:54 +0800 -Subject: [PATCH] policy/modules/system/systemd: support systemd --user - -Fixes: -$ systemctl status user@0.service -* user@0.service - User Manager for UID 0 - Loaded: loaded (/lib/systemd/system/user@.service; static) - Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago - Docs: man:user@.service(5) - Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE) - Main PID: 1502 (code=exited, status=1/FAILURE) - -Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0... -Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback. -Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied -Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE -Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'. -Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/roles/sysadm.te | 2 + - policy/modules/system/init.if | 1 + - policy/modules/system/logging.te | 5 ++- - policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++- - 4 files changed, 81 insertions(+), 2 deletions(-) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 1642f3b93..1de7e441d 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -81,6 +81,8 @@ ifdef(`init_systemd',` - # Allow sysadm to resolve the username of dynamic users by calling - # LookupDynamicUserByUID on org.freedesktop.systemd1. 
- init_dbus_chat(sysadm_t) -+ -+ systemd_sysadm_user(sysadm_t) - ') - - tunable_policy(`allow_ptrace',` -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index ba533ba1a..98e94283f 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',` - ') - - allow $1 init_t:unix_stream_socket connectto; -+ allow $1 initrc_t:unix_stream_socket connectto; - ') - - ######################################## -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index d864cfd3d..bdd97631c 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -519,7 +519,7 @@ ifdef(`init_systemd',` - # for systemd-journal - allow syslogd_t self:netlink_audit_socket connected_socket_perms; - allow syslogd_t self:capability2 audit_read; -- allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; -+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search }; - allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write }; - - # remove /run/log/journal when switching to permanent storage -@@ -555,6 +555,9 @@ ifdef(`init_systemd',` - systemd_manage_journal_files(syslogd_t) - - udev_read_runtime_files(syslogd_t) -+ -+ userdom_search_user_runtime(syslogd_t) -+ systemd_search_user_runtime(syslogd_t) - ') - - ifdef(`distro_gentoo',` -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 6a66a2d79..152139261 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -30,6 +30,7 @@ template(`systemd_role_template',` - attribute systemd_user_session_type, systemd_log_parse_env_type; - type systemd_user_runtime_t, systemd_user_runtime_notify_t; - type systemd_run_exec_t, systemd_analyze_exec_t; -+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t; - ') - - ################################# -@@ 
-55,10 +56,42 @@ template(`systemd_role_template',` - - allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - -+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; -+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt; -+ allow $1_systemd_t self:process setrlimit; -+ -+ kernel_getattr_proc($1_systemd_t) -+ fs_watch_cgroup_files($1_systemd_t) -+ files_watch_etc_dirs($1_systemd_t) -+ -+ userdom_search_user_home_dirs($1_systemd_t) -+ allow $1_systemd_t $3:dir search_dir_perms; -+ allow $1_systemd_t $3:file read_file_perms; -+ -+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write }; -+ -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; -+ allow 
systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; -+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ - # This domain is per-role because of the below transitions. - # See the systemd --user section of systemd.te for the - # remainder of the rules. -- allow $1_systemd_t $3:process { setsched rlimitinh }; -+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh }; - corecmd_shell_domtrans($1_systemd_t, $3) - corecmd_bin_domtrans($1_systemd_t, $3) - allow $1_systemd_t self:process signal; -@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', ` - init_search_runtime($1) - allow $1 systemd_userdb_runtime_t:dir list_dir_perms; - allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms; -+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms; - init_unix_stream_socket_connectto($1) - ') - -@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', ` - allow $1 systemd_machined_t:fd use; - allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; - ') -+ -+######################################### -+##

-+## sysadm user for systemd --user -+## -+## -+## -+## Role allowed access. -+## -+## -+# -+interface(`systemd_sysadm_user',` -+ gen_require(` -+ type sysadm_systemd_t; -+ ') -+ -+ allow sysadm_systemd_t self:capability { mknod sys_admin }; -+ allow sysadm_systemd_t self:capability2 { bpf perfmon }; -+ allow $1 sysadm_systemd_t:system reload; -+') -+ -+####################################### -+## -+## Search systemd users runtime directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_search_user_runtime',` -+ gen_require(` -+ type systemd_user_runtime_t; -+ ') -+ -+ allow $1 systemd_user_runtime_t:dir search_dir_perms; -+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms; -+') --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch new file mode 100644 index 0000000..5c01ef4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch 
@@ -0,0 +1,33 @@ +From 3f875fae6d9a4538b3e7d33f30dd2a98fc9ea2bd Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 28 May 2019 16:41:37 +0800 +Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for + writing to keys at all levels + +Fixes: +type=AVC msg=audit(1559024138.454:31): avc: denied { link } for +pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 36becaa6e..9c0a98eb7 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -218,6 +218,7 @@ mls_file_write_all_levels(init_t) + mls_process_write_all_levels(init_t) + mls_fd_use_all_levels(init_t) + mls_process_set_level(init_t) ++mls_key_write_all_levels(init_t) + + # MLS trusted for lowering/raising the level of files + mls_file_downgrade(init_t) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch deleted file mode 100644 index 9d4bbf7..0000000 --- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-allow-systemd-generato.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 954a49ec0a4dc64fd9e513abe7a737d956b337ca Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 9 Feb 2021 17:50:24 +0800 -Subject: [PATCH] policy/modules/system/systemd: allow systemd-generators to - get the attributes of tmpfs and cgroup - -* Allow systemd-generators to get the attributes of a tmpfs -* Allow systemd-generators to get the attributes of cgroup filesystems - -Fixes: -systemd[95]: /lib/systemd/system-generators/systemd-fstab-generator failed with exit status 1. - -avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/" -dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=98 comm="systemd-getty-g" name="/" -dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=104 comm="systemd-sysv-ge" name="/" -dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=97 comm="systemd-fstab-g" name="/" -dev="tmpfs" ino=11208 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=102 comm="systemd-run-gen" name="/" -dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=100 comm="systemd-hiberna" name="/" -dev="cgroup" ino=1 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=99 comm="systemd-gpt-aut" name="/" -dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0 - -avc: denied { getattr } for pid=97 
comm="systemd-fstab-g" -path="/var/volatile" dev="vda" ino=37131 -scontext=system_u:system_r:systemd_generator_t -tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 2d9d7d331..c1111198d 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -431,6 +431,9 @@ files_list_usr(systemd_generator_t) - - fs_list_efivars(systemd_generator_t) - fs_getattr_xattr_fs(systemd_generator_t) -+fs_getattr_tmpfs(systemd_generator_t) -+fs_getattr_cgroup(systemd_generator_t) -+kernel_getattr_unlabeled_dirs(systemd_generator_t) - - init_create_runtime_files(systemd_generator_t) - init_manage_runtime_dirs(systemd_generator_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch new file mode 100644 index 0000000..d3ddcd2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-init-all-init_t-to-read-any-le.patch 
@@ -0,0 +1,40 @@ +From a59dae035b7d5063e0f25c4cf40b5b180ad69022 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Wed, 3 Feb 2016 04:16:06 -0500 +Subject: [PATCH] policy/modules/system/init: all init_t to read any level + sockets + +Fixes: + avc: denied { listen } for pid=1 comm="systemd" \ + path="/run/systemd/journal/stdout" \ + scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \ + tclass=unix_stream_socket permissive=1 + + systemd[1]: Failded to listen on Journal Socket + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/init.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 9c0a98eb7..5a19f0e43 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -224,6 +224,9 @@ mls_key_write_all_levels(init_t) + mls_file_downgrade(init_t) + mls_file_upgrade(init_t) + ++# MLS trusted for reading from sockets at any level ++mls_socket_read_all_levels(init_t) ++ + # the following one is needed for libselinux:is_selinux_enabled() + # otherwise the call fails and sysvinit tries to load the policy + # again when using the initramfs +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch deleted file mode 100644 index 1c1b459..0000000 --- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-allow-systemd_backligh.patch +++ /dev/null 
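Review bot: The subject line of the embedded patch reads "all init_t to read any level sockets" where "allow" is evidently meant, and the typo has propagated into the file name `0056-policy-modules-system-init-all-init_t-to-read-any-le.patch`; the quoted log line "Failded to listen on Journal Socket" also looks like a transcription error rather than the actual systemd message. Since the recipe references patches by file name, fixing the subject now (and renaming the file to `0056-policy-modules-system-init-allow-init_t-to-read-any-le.patch`) avoids carrying the typo through future rebases. The rule itself, `mls_socket_read_all_levels(init_t)` with its comment, matches the `listen` denial shown and is fine.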
@@ -1,35 +0,0 @@ -From 8b0bb1e349e2ea021acec1639be0802ac4d7d0c2 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Thu, 4 Feb 2021 15:13:50 +0800 -Subject: [PATCH] policy/modules/system/systemd: allow systemd_backlight_t to - read kernel sysctl - -Fixes: -avc: denied { search } for pid=354 comm="systemd-backlig" name="sys" -dev="proc" ino=4026531854 -scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index c1111198d..7d2ba2796 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -324,6 +324,8 @@ udev_read_runtime_files(systemd_backlight_t) - - files_search_var_lib(systemd_backlight_t) - -+kernel_read_kernel_sysctls(systemd_backlight_t) -+ - ####################################### - # - # Binfmt local policy --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch new file mode 100644 index 0000000..47328be --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch 
@@ -0,0 +1,39 @@ +From 96437ba860d352304246fbe3381030da0665f239 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 25 Feb 2016 04:25:08 -0500 +Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket + at any level + +Allow auditd_t to write init_t:unix_stream_socket at any level. + +Fixes: + avc: denied { write } for pid=748 comm="auditd" \ + path="socket:[17371]" dev="sockfs" ino=17371 \ + scontext=system_u:system_r:auditd_t:s15:c0.c1023 \ + tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=unix_stream_socket permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index e67c25a9e..f8d8b73f0 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -215,6 +215,8 @@ miscfiles_read_localization(auditd_t) + + mls_file_read_all_levels(auditd_t) + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory ++mls_fd_use_all_levels(auditd_t) ++mls_socket_write_all_levels(auditd_t) + + seutil_dontaudit_read_config(auditd_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch deleted file mode 100644 index d283879..0000000 --- a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-fix-systemd-journald-s.patch +++ /dev/null 
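Review bot: `mls_fd_use_all_levels(auditd_t)` is added alongside `mls_socket_write_all_levels(auditd_t)` in the logging.te hunk, but the patch title, body and the single quoted AVC only justify the socket write; nothing says which denial the fd rule fixes. Either drop it or give it the same treatment as the surrounding lines, e.g. `mls_fd_use_all_levels(auditd_t) # <denial this fixes>`, and add the corresponding `avc: denied { use } ...` line under "Fixes:" in the message. Keeping one rule per observed denial is what makes these Inappropriate-status patches auditable when the base policy moves again.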
@@ -1,47 +0,0 @@ -From 5973dc3824b395ce9f6620e3ae432664cc357b66 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 4 Feb 2016 02:10:15 -0500 -Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup - failures - -Fixes: -avc: denied { audit_control } for pid=109 comm="systemd-journal" -capability=30 scontext=system_u:system_r:syslogd_t -tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0 - -avc: denied { search } for pid=233 comm="systemd-journal" name="/" -dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t -tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index bdd97631c..62caa7a56 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -492,6 +492,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) - - fs_getattr_all_fs(syslogd_t) - fs_search_auto_mountpoints(syslogd_t) -+fs_search_tmpfs(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories - -@@ -552,6 +553,8 @@ ifdef(`init_systemd',` - # needed for systemd-initrd case when syslog socket is unlabelled - logging_send_syslog_msg(syslogd_t) - -+ logging_set_loginuid(syslogd_t) -+ - systemd_manage_journal_files(syslogd_t) - - udev_read_runtime_files(syslogd_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch new file mode 100644 index 0000000..ad92c7f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch 
@@ -0,0 +1,31 @@ +From 102255e89863c5a31d0d6c8df67b258d819b9a68 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 31 Oct 2019 17:35:59 +0800 +Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for + writing to keys at all levels. + +Fixes: +systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/kernel.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 1c53754ee..2031576e0 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -360,6 +360,7 @@ mls_socket_write_all_levels(kernel_t) + mls_fd_use_all_levels(kernel_t) + # https://bugzilla.redhat.com/show_bug.cgi?id=667370 + mls_file_downgrade(kernel_t) ++mls_key_write_all_levels(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch b/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch deleted file mode 100644 index b7e7c1d..0000000 --- a/recipes-security/refpolicy/refpolicy/0058-policy-modules-services-cron-allow-crond_t-to-search.patch +++ /dev/null 
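Review bot: The message cites only "Process '/usr/sbin/crda' failed with exit code 254" as motivation, which does not by itself show why `kernel_t` needs to write keys at all levels; the AVC denial (presumably a `key` class denial with a kernel_t scontext) should be quoted under "Fixes:" so the rule can be checked against the denial, as the sibling patches do. In kernel.te the new `mls_key_write_all_levels(kernel_t)` is placed directly under the bugzilla comment that explains `mls_file_downgrade(kernel_t)`, so a reader may take that reference as covering the new rule too; a separate line such as `# MLS trusted for writing to keys at all levels (crda via udev)` above it, or a blank line between the two, would keep the attribution clear.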
@@ -1,34 +0,0 @@ -From e8ff96c9bb98305d1b50fccce67025df3ebbf184 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Thu, 23 May 2019 15:52:17 +0800 -Subject: [PATCH] policy/modules/services/cron: allow crond_t to search - logwatch_cache_t - -Fixes: -avc: denied { search } for pid=234 comm="crond" name="logcheck" -dev="vda" ino=29080 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/cron.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index 2902820b0..36eb33060 100644 ---- a/policy/modules/services/cron.te -+++ b/policy/modules/services/cron.te -@@ -318,6 +318,8 @@ miscfiles_read_localization(crond_t) - - userdom_list_user_home_dirs(crond_t) - -+logwatch_search_cache_dir(crond_t) -+ - tunable_policy(`cron_userdomain_transition',` - dontaudit crond_t cronjob_t:process transition; - dontaudit crond_t cronjob_t:fd use; --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch deleted file mode 100644 index d5e40d0..0000000 --- a/recipes-security/refpolicy/refpolicy/0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 1571e6da8a90bb325a94330dcd130d56bae30b37 Mon Sep 17 00:00:00 2001 -From: Roy Li -Date: Thu, 20 Feb 2014 17:07:05 +0800 -Subject: [PATCH] policy/modules/services/crontab: allow sysadm_r to run - crontab - -This permission has been given if release is not redhat; but we want it -even we define distro_redhat - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Roy Li -Signed-off-by: Yi Zhao ---- - policy/modules/roles/sysadm.te | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 1de7e441d..129e94229 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -1277,6 +1277,10 @@ optional_policy(` - zebra_admin(sysadm_t, sysadm_r) - ') - -+optional_policy(` -+ cron_admin_role(sysadm_r, sysadm_t) -+') -+ - ifndef(`distro_redhat',` - optional_policy(` - auth_role(sysadm_r, sysadm_t) -@@ -1295,10 +1299,6 @@ ifndef(`distro_redhat',` - chromium_role(sysadm_r, sysadm_t) - ') - -- optional_policy(` -- cron_admin_role(sysadm_r, sysadm_t) -- ') -- - optional_policy(` - cryfs_role(sysadm_r, sysadm_t) - ') --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch new file mode 100644 index 0000000..96d0588 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch 
@@ -0,0 +1,30 @@ +From 5fa9e03a3b90f97e573a7724cd9d49b53730d083 Mon Sep 17 00:00:00 2001 +From: Roy Li +Date: Sat, 22 Feb 2014 13:35:38 +0800 +Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any + level + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Roy Li +Signed-off-by: Yi Zhao +--- + policy/modules/system/setrans.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te +index 25aadfc5f..564e2d4d1 100644 +--- a/policy/modules/system/setrans.te ++++ b/policy/modules/system/setrans.te +@@ -73,6 +73,8 @@ mls_net_receive_all_levels(setrans_t) + mls_socket_write_all_levels(setrans_t) + mls_process_read_all_levels(setrans_t) + mls_socket_read_all_levels(setrans_t) ++mls_fd_use_all_levels(setrans_t) ++mls_trusted_object(setrans_t) + + selinux_compute_access_vector(setrans_t) + +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch deleted file mode 100644 index 64cc90e..0000000 --- a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-sysnetwork-support-priviledge-.patch +++ /dev/null 
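Review bot: `mls_trusted_object(setrans_t)` in the setrans.te hunk is not covered by the patch title ("allow setrans_t use fd at any level") and the message contains no "Fixes:" denial for either rule, unlike the neighbouring patches in this series. Making a domain type a trusted object lifts the MLS constraints on every object labelled setrans_t (its process, fds and sockets) for every other domain, which is considerably wider than fd use; the message should state the denial that requires it, or the rule should be moved to its own patch with its own justification. The existing block already grants `mls_socket_read_all_levels`/`mls_socket_write_all_levels` to setrans_t, so it is worth confirming that the trusted-object exemption is still needed on the 20210908 base before carrying it forward.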
@@ -1,120 +0,0 @@ -From ab462f0022c35fde984dbe792ce386f5d507aeeb Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Thu, 24 Sep 2020 14:05:52 +0800 -Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge - separation for dhcpcd - -Fixes: - -avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability -permissive=0 - -avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability -permissive=0 - -avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability -permissive=0 - -avc: denied { setrlimit } for pid=332 comm="dhcpcd" -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process -permissive=0 - -avc: denied { create } for pid=330 comm="dhcpcd" -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tclass=netlink_kobject_uevent_socket permissive=0 - -avc: denied { setopt } for pid=330 comm="dhcpcd" -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tclass=netlink_kobject_uevent_socket permissive=0 - -avc: denied { bind } for pid=330 comm="dhcpcd" -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tclass=netlink_kobject_uevent_socket permissive=0 - -avc: denied { getattr } for pid=330 comm="dhcpcd" -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tclass=netlink_kobject_uevent_socket permissive=0 - -avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs" -ino=15616 
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 - -avc: denied { open } for pid=330 comm="dhcpcd" -path="/run/udev/data/n1" dev="tmpfs" ino=15616 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 - -avc: denied { getattr } for pid=330 comm="dhcpcd" -path="/run/udev/data/n1" dev="tmpfs" ino=15616 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 - -avc: denied { connectto } for pid=1600 comm="dhcpcd" -path="/run/dhcpcd/unpriv.sock" -scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tclass=unix_stream_socket permissive=0 - -avc: denied { kill } for pid=314 comm="dhcpcd" capability=5 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability -permissive=0 - -avc: denied { getattr } for pid=300 comm="dhcpcd" -path="net:[4026532008]" dev="nsfs" ino=4026532008 -scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/sysnetwork.te | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index cb1434180..a9297f976 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -72,6 +72,11 @@ allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; - allow dhcpc_t self:rawip_socket create_socket_perms; - allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto }; - -+allow dhcpc_t self:capability { setgid setuid sys_chroot kill }; -+allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow dhcpc_t self:process setrlimit; -+allow 
dhcpc_t self:unix_stream_socket connectto; -+ - allow dhcpc_t dhcp_etc_t:dir list_dir_perms; - read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) - exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) -@@ -145,6 +150,7 @@ files_manage_var_files(dhcpc_t) - fs_getattr_all_fs(dhcpc_t) - fs_search_auto_mountpoints(dhcpc_t) - fs_search_cgroup_dirs(dhcpc_t) -+fs_read_nsfs_files(dhcpc_t) - - term_dontaudit_use_all_ttys(dhcpc_t) - term_dontaudit_use_all_ptys(dhcpc_t) -@@ -180,6 +186,7 @@ ifdef(`init_systemd',` - init_stream_connect(dhcpc_t) - init_get_all_units_status(dhcpc_t) - init_search_units(dhcpc_t) -+ udev_read_runtime_files(dhcpc_t) - ') - - optional_policy(` --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch new file mode 100644 index 0000000..8bfe607 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch 
@@ -0,0 +1,42 @@ +From fe70aaf9a104b4b0c3439d2767eccb0136951f08 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Mon, 22 Feb 2021 11:28:12 +0800 +Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted + for writing/reading from files at all levels + +Fixes: +avc: denied { search } for pid=1148 comm="systemd" name="journal" +dev="tmpfs" ino=206 +scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir +permissive=0 +avc: denied { write } for pid=1148 comm="systemd" name="kmsg" +dev="devtmpfs" ino=3081 +scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/system/systemd.if | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 5c44d8d8a..5f2038f22 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -171,6 +171,9 @@ template(`systemd_role_template',` + xdg_read_config_files($1_systemd_t) + xdg_read_data_files($1_systemd_t) + ') ++ ++ mls_file_read_all_levels($1_systemd_t) ++ mls_file_write_all_levels($1_systemd_t) + ') + + ###################################### +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch deleted file mode 100644 index 8de3d5f..0000000 --- a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch +++ /dev/null 
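Review bot: The two new rules are inserted into `systemd_role_template`, so `mls_file_read_all_levels($1_systemd_t)` and `mls_file_write_all_levels($1_systemd_t)` apply to the `systemd --user` instance of every role that uses the template, not only to `sysadm_systemd_t`, which is the only domain in the quoted denials; an unprivileged role's user manager would thereby gain read and write across all MLS levels. If the need is sysadm-specific, grant it from the sysadm side instead (for example next to the other sysadm `init_systemd` rules), or explain in the message why every role's user manager must be MLS-trusted for files. The template's body starts and ends outside this hunk. The first denial (search of the `journal` directory labelled syslogd_runtime_t) appears to be addressed separately by the 0061 patch that makes syslogd_runtime_t a trusted object, so only the kmsg write may actually remain once that one is applied; worth re-testing with 0061 in place.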
@@ -1,35 +0,0 @@ -From 7418cd97f2c92579bd4d18cbd9063f811ff9a81e Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 9 Feb 2021 16:42:36 +0800 -Subject: [PATCH] policy/modules/services/acpi: allow acpid to watch the - directories in /dev - -Fixes: -acpid: inotify_add_watch() failed: Permission denied (13) - -avc: denied { watch } for pid=269 comm="acpid" path="/dev/input" -dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/acpi.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te -index 69f1dab4a..5c22adecd 100644 ---- a/policy/modules/services/acpi.te -+++ b/policy/modules/services/acpi.te -@@ -105,6 +105,7 @@ dev_rw_acpi_bios(acpid_t) - dev_rw_sysfs(acpid_t) - dev_dontaudit_getattr_all_chr_files(acpid_t) - dev_dontaudit_getattr_all_blk_files(acpid_t) -+dev_watch_dev_dirs(acpid_t) - - files_exec_etc_files(acpid_t) - files_read_etc_runtime_files(acpid_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch new file mode 100644 index 0000000..7bdc9d6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-logging-make-syslogd_runtime_t.patch 
@@ -0,0 +1,48 @@ +From f8a12b28b70689ab520e7ae94d306afe9dcbb556 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Sat, 18 Dec 2021 17:31:45 +0800 +Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS + trusted. + +Make syslogd_runtime_t MLS trusted to allow all levels to read and write +the object. + +Fixes: +avc: denied { search } for pid=314 comm="useradd" name="journal" +dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir +permissive=0 + +avc: denied { search } for pid=319 comm="passwd" name="journal" +dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir +permissive=0 + +avc: denied { search } for pid=374 comm="rpc.statd" name="journal" +dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir +permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index f8d8b73f0..badf56f16 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -438,6 +438,8 @@ allow syslogd_t syslogd_runtime_t:file map; + manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t) + files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file) + ++mls_trusted_object(syslogd_runtime_t) ++ + kernel_read_crypto_sysctls(syslogd_t) + kernel_read_system_state(syslogd_t) + kernel_read_network_state(syslogd_t) +-- +2.17.1 + diff --git a/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch b/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch deleted file mode 100644 index b692012..0000000 
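Review bot: `mls_trusted_object(syslogd_runtime_t)` at `@@ -438,6 +438,8 @@` exempts every object of that type from both the MLS read and write constraints for all domains, while the three denials only show `{ search }` on the `journal` directory; the patch gives no reason for choosing the object-side exemption over `mls_file_read_to_clearance` on the three subjects (`useradd_t`, `passwd_t`, `rpcd_t`), and a comment above the rule should state it, e.g. `# syslogd_t runs at mls_systemhigh, so /run/systemd/journal is created at s15; every lower-level domain that logs must traverse it`. The third quoted denial names `syslogd_var_run_t` while the rule targets `syslogd_runtime_t`; if that is only the legacy typealias left by the runtime rename the description should use one name consistently, otherwise the rule does not cover it. As this is marked Upstream-Status: Pending, the justification will be needed for the upstream submission anyway.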
--- a/recipes-security/refpolicy/refpolicy/0062-policy-modules-system-setrans-allow-setrans-to-acces.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 84c69d220ffdd039b88a34f9afc127274a985541 Mon Sep 17 00:00:00 2001 -From: Roy Li -Date: Sat, 22 Feb 2014 13:35:38 +0800 -Subject: [PATCH] policy/modules/system/setrans: allow setrans to access - /sys/fs/selinux - -1. mcstransd failed to boot-up since the below permission is denied -statfs("/sys/fs/selinux", 0x7ffff2b80370) = -1 EACCES (Permission denied) - -2. other programs can not connect to /run/setrans/.setrans-unix -avc: denied { connectto } for pid=2055 comm="ls" -path="/run/setrans/.setrans-unix" -scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:setrans_t:s15:c0.c1023 -tclass=unix_stream_socket - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Roy Li -Signed-off-by: Yi Zhao ---- - policy/modules/system/setrans.te | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te -index 25aadfc5f..78bd6e2eb 100644 ---- a/policy/modules/system/setrans.te -+++ b/policy/modules/system/setrans.te -@@ -23,9 +23,7 @@ mls_trusted_object(setrans_runtime_t) - type setrans_unit_t; - init_unit_file(setrans_unit_t) - --ifdef(`distro_debian',` -- init_daemon_runtime_file(setrans_runtime_t, dir, "setrans") --') -+init_daemon_runtime_file(setrans_runtime_t, dir, "setrans") - - ifdef(`enable_mcs',` - init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch b/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch deleted file mode 100644 index b644571..0000000 --- a/recipes-security/refpolicy/refpolicy/0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7002b4e33b949b474a0ce0b78a7f2e180dbbc9bb Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 9 Feb 2021 17:31:55 +0800 -Subject: [PATCH] policy/modules/system/modutils: allow kmod_t to write keys - -Fixes: -kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13) - -avc: denied { write } for pid=219 comm="modprobe" -scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t -tclass=key permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/modutils.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index ee249ae04..b8769bc02 100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -43,6 +43,8 @@ allow kmod_t self:rawip_socket create_socket_perms; - - allow kmod_t self:lockdown confidentiality; - -+allow kmod_t self:key write; -+ - # Read module config and dependency information - list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) - read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch b/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch deleted file mode 100644 index dbd1390..0000000 --- a/recipes-security/refpolicy/refpolicy/0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 291d3329c280b6b8b70fcc3092ac4d3399936825 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Mon, 29 Jun 2020 10:32:25 +0800 -Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime - dirs - -Fixes: -Failed to add a watch for /run/systemd/ask-password: Permission denied - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/roles/sysadm.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 129e94229..a4abaefe4 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -83,6 +83,9 @@ ifdef(`init_systemd',` - init_dbus_chat(sysadm_t) - - systemd_sysadm_user(sysadm_t) -+ -+ systemd_filetrans_passwd_runtime_dirs(sysadm_t) -+ allow sysadm_t systemd_passwd_runtime_t:dir watch; - ') - - tunable_policy(`allow_ptrace',` --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch b/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch deleted file mode 100644 index a824004..0000000 --- a/recipes-security/refpolicy/refpolicy/0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From bc821718f7e9575a67c4667decad937cbe5f8514 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 2 Mar 2021 14:25:03 +0800 -Subject: [PATCH] policy/modules/system/selinux: allow setfiles_t to read - kernel sysctl - -Fixes: -avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap" -dev="proc" ino=1241 -scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 - -avc: denied { open } for pid=171 comm="restorecon" -path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241 -scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 - -avc: denied { getattr } for pid=171 comm="restorecon" name="/" -dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/selinuxutil.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index a505b3987..a26f8db03 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -597,6 +597,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t) - kernel_dontaudit_list_all_proc(setfiles_t) - kernel_dontaudit_list_all_sysctls(setfiles_t) - kernel_getattr_debugfs(setfiles_t) -+kernel_read_kernel_sysctls(setfiles_t) -+kernel_getattr_proc(setfiles_t) - - dev_read_urand(setfiles_t) - dev_relabel_all_dev_nodes(setfiles_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch deleted file mode 100644 index 1d6a3c4..0000000 
--- a/recipes-security/refpolicy/refpolicy/0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0d69354886e0b635dd069876b9d53890a5a9cab1 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Sat, 15 Feb 2014 04:22:47 -0500 -Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted - for writing to processes up to its clearance - -Fixes: -avc: denied { setsched } for pid=148 comm="mount" -scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process -permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signen-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/mount.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index b628c3b2f..f55457bb0 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -116,6 +116,8 @@ fs_dontaudit_write_all_image_files(mount_t) - mls_file_read_all_levels(mount_t) - mls_file_write_all_levels(mount_t) - -+mls_process_write_to_clearance(mount_t) -+ - selinux_get_enforce_mode(mount_t) - - storage_raw_read_fixed_disk(mount_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch deleted file mode 100644 index f441742..0000000 --- a/recipes-security/refpolicy/refpolicy/0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From b83147aa97fe6f51c997256539dff827e3a44edc Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Mon, 28 Jan 2019 14:05:18 +0800 -Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance - -The two new rules make sysadm_t domain MLS trusted for: - - reading from files at all levels. - - writing to processes up to its clearance(s0-s15). - -With default MLS policy, root user would login in as sysadm_t:s0 by -default. Most processes will run in sysadm_t:s0 because no -domtrans/rangetrans rules, as a result, even root could not access -high level files/processes. - -So with the two new rules, root user could work easier in MLS policy. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Yi Zhao ---- - policy/modules/roles/sysadm.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index a4abaefe4..aaae73fc3 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -42,6 +42,9 @@ dev_read_kmsg(sysadm_t) - - mls_process_read_all_levels(sysadm_t) - -+mls_file_read_all_levels(sysadm_t) -+mls_process_write_to_clearance(sysadm_t) -+ - selinux_read_policy(sysadm_t) - - ubac_process_exempt(sysadm_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch deleted file mode 100644 index 4403997..0000000 --- a/recipes-security/refpolicy/refpolicy/0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 7b8290ba52052f90b6221c1b3ccb8f7536f4c41e Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted - for reading from files up to its clearance - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/kernel.te | 2 ++ - policy/modules/services/rpc.te | 2 ++ - policy/modules/services/rpcbind.te | 6 ++++++ - 3 files changed, 10 insertions(+) - -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5ce6e041b..c1557ddb2 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -356,6 +356,8 @@ mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 87b6b4561..9618df04e 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -341,6 +341,8 @@ storage_raw_read_removable_device(nfsd_t) - - miscfiles_read_public_files(nfsd_t) - -+mls_file_read_to_clearance(nfsd_t) -+ - tunable_policy(`allow_nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) - ') -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 8972980fa..5c89a1343 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -73,6 +73,12 @@ logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. 
-+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+mls_file_read_to_clearance(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch deleted file mode 100644 index 02aa5e3..0000000 --- a/recipes-security/refpolicy/refpolicy/0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From bc6872d164d09355ee82dc97c4e3d99a6b6669b3 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 30 Jun 2020 10:18:20 +0800 -Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading - from files up to its clearance - -Fixes: -avc: denied { read } for pid=255 comm="dmesg" name="kmsg" -dev="devtmpfs" ino=10032 -scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file -permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/admin/dmesg.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 0f2835575..9f4f11397 100644 ---- a/policy/modules/admin/dmesg.te -+++ b/policy/modules/admin/dmesg.te -@@ -51,6 +51,8 @@ miscfiles_read_localization(dmesg_t) - userdom_dontaudit_use_unpriv_user_fds(dmesg_t) - userdom_use_user_terminals(dmesg_t) - -+mls_file_read_to_clearance(dmesg_t) -+ - optional_policy(` - seutil_sigchld_newrole(dmesg_t) - ') --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch deleted file mode 100644 index 733fbad..0000000 
--- a/recipes-security/refpolicy/refpolicy/0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From e7b9af24946f5f76e8e6831bfeb444c0153298be Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Fri, 13 Oct 2017 07:20:40 +0000 -Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for - lowering the level of files - -The boot process hangs with the error while using MLS policy: - - [!!!!!!] Failed to mount API filesystems, freezing. - [ 4.085349] systemd[1]: Freezing execution. - -Make kernel_t mls trusted for lowering the level of files to fix below -avc denials and remove the hang issue. - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ - newcontext=system_u:object_r:device_t:s0 \ - taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir - systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted - - avc: denied { create } for pid=1 comm="systemd" name="shm" \ - scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ - tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 - systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory - - avc: denied { create } for pid=1 comm="systemd" name="pts" \ - scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ - tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0 - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:unlabeled_t:s0 \ - newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ - taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ - newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ - taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir - systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ - newcontext=system_u:object_r:cgroup_t:s0 \ - 
taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir - systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted - - avc: denied { create } for pid=1 comm="systemd" name="pstore" \ - scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ - tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0 - -Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/kernel/kernel.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index c1557ddb2..8f67c6ec9 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t) - mls_socket_write_all_levels(kernel_t) - mls_fd_use_all_levels(kernel_t) - -+# https://bugzilla.redhat.com/show_bug.cgi?id=667370 -+mls_file_downgrade(kernel_t) -+ - ifdef(`distro_redhat',` - # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch deleted file mode 100644 index 74d7428..0000000 --- a/recipes-security/refpolicy/refpolicy/0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From ee3e2bbaf3b94902aadebbb085c7e86b8d074e98 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Fri, 15 Jan 2016 03:47:05 -0500 -Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for - lowering/raising the leve of files - -Fix security_validate_transition issues: - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ - newcontext=system_u:object_r:device_t:s0 \ - taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ - tclass=dir - - op=security_validate_transition seresult=denied \ - oldcontext=system_u:object_r:var_run_t:s0 \ - newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \ - taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ - tclass=dir - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/init.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index b7d494398..b6750015e 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -210,6 +210,10 @@ mls_process_write_all_levels(init_t) - mls_fd_use_all_levels(init_t) - mls_process_set_level(init_t) - -+# MLS trusted for lowering/raising the level of files -+mls_file_downgrade(init_t) -+mls_file_upgrade(init_t) -+ - # the following one is needed for libselinux:is_selinux_enabled() - # otherwise the call fails and sysvinit tries to load the policy - # again when using the initramfs --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch deleted file mode 100644 index 2832681..0000000 --- a/recipes-security/refpolicy/refpolicy/0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 8cdcca3702d69ed5f3aa9ce9d769ad483f977094 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 4 Feb 2016 06:03:19 -0500 -Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain - MLS trusted for raising/lowering the level of files - -Fixes: - avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \ - dev="proc" ino=7987 \ - scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ - tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ - tclass=dir - - avc: denied { search } for pid=92 comm="systemd-tmpfile" \ - name="journal" dev="tmpfs" ino=8226 \ - scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ - tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \ - tclass=dir - - avc: denied { write } for pid=92 comm="systemd-tmpfile" \ - name="kmsg" dev="devtmpfs" ino=7242 \ - scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ - tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \ - tclass=chr_file - - avc: denied { read } for pid=92 comm="systemd-tmpfile" \ - name="kmod.conf" dev="tmpfs" ino=8660 \ - scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ - tcontext=system_u:object_r:var_run_t:s0 \ - tclass=file - - avc: denied { search } for pid=92 comm="systemd-tmpfile" \ - name="kernel" dev="proc" ino=8731 \ - scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ - tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7d2ba2796..c50a2ba64 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1396,6 +1396,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) - - systemd_log_parse_environment(systemd_tmpfiles_t) - 
-+mls_file_write_all_levels(systemd_tmpfiles_t) -+mls_file_read_all_levels(systemd_tmpfiles_t) -+mls_file_downgrade(systemd_tmpfiles_t) -+mls_file_upgrade(systemd_tmpfiles_t) -+ - userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) - userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch deleted file mode 100644 index d208752..0000000 --- a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 4e7b0040ff558f2d69c8b9a30e73223acb20f35f Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted - object - -We add the syslogd_t to trusted object, because other process need -to have the right to connectto/sendto /dev/log. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Roy.Li -Signed-off-by: Xin Ouyang -Signed-off-by: Joe MacDonald -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 62caa7a56..e608327fe 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -495,6 +495,10 @@ fs_search_auto_mountpoints(syslogd_t) - fs_search_tmpfs(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories -+mls_file_read_all_levels(syslogd_t) -+mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram -+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log -+mls_fd_use_all_levels(syslogd_t) - - term_write_console(syslogd_t) - # Allow syslog to a terminal --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch deleted file mode 100644 index b7dcaa8..0000000 --- a/recipes-security/refpolicy/refpolicy/0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From bbb405ac6270ef945db21cfddda63d283ee5d8af Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Tue, 28 May 2019 16:41:37 +0800 -Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for - writing to keys at all levels - -Fixes: -type=AVC msg=audit(1559024138.454:31): avc: denied { link } for -pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 -tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/system/init.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index b6750015e..962c675b0 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -209,6 +209,7 @@ mls_file_write_all_levels(init_t) - mls_process_write_all_levels(init_t) - mls_fd_use_all_levels(init_t) - mls_process_set_level(init_t) -+mls_key_write_all_levels(init_t) - - # MLS trusted for lowering/raising the level of files - mls_file_downgrade(init_t) --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch deleted file mode 100644 index de7271f..0000000 --- a/recipes-security/refpolicy/refpolicy/0075-policy-modules-system-init-all-init_t-to-read-any-le.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 2780811e48663df0265676749a4041c077ae6a89 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Wed, 3 Feb 2016 04:16:06 -0500 -Subject: [PATCH] policy/modules/system/init: all init_t to read any level - sockets - -Fixes: - avc: denied { listen } for pid=1 comm="systemd" \ - path="/run/systemd/journal/stdout" \ - scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ - tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \ - tclass=unix_stream_socket permissive=1 - - systemd[1]: Failded to listen on Journal Socket - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/init.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 962c675b0..aa57a5661 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -215,6 +215,9 @@ mls_key_write_all_levels(init_t) - mls_file_downgrade(init_t) - mls_file_upgrade(init_t) - -+# MLS trusted for reading from sockets at any level -+mls_socket_read_all_levels(init_t) -+ - # the following one is needed for libselinux:is_selinux_enabled() - # otherwise the call fails and sysvinit tries to load the policy - # again when using the initramfs --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch deleted file mode 100644 index cd93c08..0000000 --- a/recipes-security/refpolicy/refpolicy/0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From a74584ba424cd5e392db2a64b4ec66ebb307eb4c Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Thu, 25 Feb 2016 04:25:08 -0500 -Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket - at any level - -Allow auditd_t to write init_t:unix_stream_socket at any level. - -Fixes: - avc: denied { write } for pid=748 comm="auditd" \ - path="socket:[17371]" dev="sockfs" ino=17371 \ - scontext=system_u:system_r:auditd_t:s15:c0.c1023 \ - tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ - tclass=unix_stream_socket permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Wenzong Fan -Signed-off-by: Yi Zhao ---- - policy/modules/system/logging.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index e608327fe..bdd5c9dff 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -211,6 +211,8 @@ miscfiles_read_localization(auditd_t) - - mls_file_read_all_levels(auditd_t) - mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory -+mls_fd_use_all_levels(auditd_t) -+mls_socket_write_all_levels(auditd_t) - - seutil_dontaudit_read_config(auditd_t) - --- -2.17.1 - diff --git a/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch deleted file mode 100644 index 6b84403..0000000 --- a/recipes-security/refpolicy/refpolicy/0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 1bcb41c20d666761bb407bf34c9e3391e16449a7 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 31 Oct 2019 17:35:59 +0800
-Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
- writing to keys at all levels.
-
-Fixes:
-systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/kernel/kernel.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8f67c6ec9..fbcf1413f 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -362,6 +362,8 @@ mls_fd_use_all_levels(kernel_t)
- # https://bugzilla.redhat.com/show_bug.cgi?id=667370
- mls_file_downgrade(kernel_t)
- 
-+mls_key_write_all_levels(kernel_t)
-+
- ifdef(`distro_redhat',`
- # Bugzilla 222337
- fs_rw_tmpfs_chr_files(kernel_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
deleted file mode 100644
index 5ac5a19..0000000
--- a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-make-systemd-logind-do.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7021844f20c5d5c885edf87abf8ce3329bcc5836 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Mon, 23 Jan 2017 08:42:44 +0000
-Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
- trusted for reading from files up to its clearance.
-
-Fixes:
-avc: denied { search } for pid=184 comm="systemd-logind"
-name="journal" dev="tmpfs" ino=10949
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=1
-
-avc: denied { watch } for pid=184 comm="systemd-logind"
-path="/run/utmp" dev="tmpfs" ino=12725
-scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c50a2ba64..a7390b1cd 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -693,6 +693,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
- userdom_setattr_user_ttys(systemd_logind_t)
- userdom_use_user_ttys(systemd_logind_t)
- 
-+mls_file_read_to_clearance(systemd_logind_t)
-+
- # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
- # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
- # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch b/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
deleted file mode 100644
index 3ea0085..0000000
--- a/recipes-security/refpolicy/refpolicy/0079-policy-modules-system-systemd-systemd-user-sessions-.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 6e3e1a5f79d6deab2966fc74c64720e90d248f3d Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 18 Jun 2020 09:39:23 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-user-sessions: make
- systemd_sessions_t MLS trusted for reading/writing from files at all levels
-
-Fixes:
-avc: denied { search } for pid=229 comm="systemd-user-se"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { write } for pid=229 comm="systemd-user-se" name="kmsg"
-dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_sessions_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a7390b1cd..f0b0e8b92 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1261,6 +1261,8 @@ seutil_read_file_contexts(systemd_sessions_t)
- 
- systemd_log_parse_environment(systemd_sessions_t)
- 
-+mls_file_read_to_clearance(systemd_sessions_t)
-+mls_file_write_all_levels(systemd_sessions_t)
- 
- #########################################
- #
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
deleted file mode 100644
index cb8e821..0000000
--- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 18 Jun 2020 09:59:58 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
- MLS trusted for writing/reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=219 comm="systemd-network"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=220 comm="systemd-resolve"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=15102
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=142 comm="systemd-modules"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
-pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
-pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
-dev="devtmpfs" ino=42
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
-tclass=blk_file permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam" name="/"
-dev="tmpfs" ino=17310
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-rfkill"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
-dev="devtmpfs" ino=2060
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { search } for pid=354 comm="systemd-backlig"
-name="journal" dev="tmpfs" ino=1183
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.te | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f0b0e8b92..7b2d359b7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
- 
- kernel_read_kernel_sysctls(systemd_backlight_t)
- 
-+mls_file_write_to_clearance(systemd_backlight_t)
-+mls_file_read_to_clearance(systemd_backlight_t)
-+
- #######################################
- #
- # Binfmt local policy
-@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
- 
- term_use_unallocated_ttys(systemd_generator_t)
- 
-+mls_file_write_to_clearance(systemd_generator_t)
-+mls_file_read_to_clearance(systemd_generator_t)
-+
- ifdef(`distro_gentoo',`
- corecmd_shell_entry_type(systemd_generator_t)
- ')
-@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
- 
- systemd_log_parse_environment(systemd_hostnamed_t)
- 
-+mls_file_read_to_clearance(systemd_hostnamed_t)
-+
- optional_policy(`
- dbus_connect_system_bus(systemd_hostnamed_t)
- dbus_system_bus_client(systemd_hostnamed_t)
-@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
- 
- systemd_log_parse_environment(systemd_modules_load_t)
- 
-+mls_file_read_to_clearance(systemd_modules_load_t)
-+
- ########################################
- #
- # networkd local policy
-@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
- 
- systemd_log_parse_environment(systemd_networkd_t)
- 
-+mls_file_read_to_clearance(systemd_networkd_t)
-+
- optional_policy(`
- dbus_system_bus_client(systemd_networkd_t)
- dbus_connect_system_bus(systemd_networkd_t)
-@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
- 
- systemd_log_parse_environment(systemd_rfkill_t)
- 
-+mls_file_write_to_clearance(systemd_rfkill_t)
-+mls_file_read_to_clearance(systemd_rfkill_t)
-+
- #########################################
- #
- # Resolved local policy
-@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
- 
- seutil_read_file_contexts(systemd_resolved_t)
- 
-+mls_file_read_to_clearance(systemd_resolved_t)
-+
- systemd_log_parse_environment(systemd_resolved_t)
- systemd_read_networkd_runtime(systemd_resolved_t)
- 
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
deleted file mode 100644
index 250d89b..0000000
--- a/recipes-security/refpolicy/refpolicy/0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From a105ea8b48c5e9ada567c7f6347f3875df7098a0 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 18 Jun 2020 10:21:04 +0800
-Subject: [PATCH] policy/modules/services/ntp: make nptd_t MLS trusted for
- reading from files at all levels
-
-Fixes:
-avc: denied { search } for pid=193 comm="systemd-timesyn"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { read } for pid=193 comm="systemd-timesyn" name="dbus"
-dev="tmpfs" ino=13971 scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/ntp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index 1626ae87a..c8a1f041b 100644
---- a/policy/modules/services/ntp.te
-+++ b/policy/modules/services/ntp.te
-@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
- userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
- userdom_list_user_home_dirs(ntpd_t)
- 
-+mls_file_read_all_levels(ntpd_t)
-+
- ifdef(`init_systemd',`
- allow ntpd_t self:process setfscreate;
- 
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
deleted file mode 100644
index b67f069..0000000
--- a/recipes-security/refpolicy/refpolicy/0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e6a08769138d68582c72fe28ed7dd51c118654a5 Mon Sep 17 00:00:00 2001
-From: Roy Li
-Date: Sat, 22 Feb 2014 13:35:38 +0800
-Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
- level
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Roy Li
-Signed-off-by: Yi Zhao
----
- policy/modules/system/setrans.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
-index 78bd6e2eb..0dd3a63cd 100644
---- a/policy/modules/system/setrans.te
-+++ b/policy/modules/system/setrans.te
-@@ -71,6 +71,8 @@ mls_net_receive_all_levels(setrans_t)
- mls_socket_write_all_levels(setrans_t)
- mls_process_read_all_levels(setrans_t)
- mls_socket_read_all_levels(setrans_t)
-+mls_fd_use_all_levels(setrans_t)
-+mls_trusted_object(setrans_t)
- 
- selinux_compute_access_vector(setrans_t)
- 
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch b/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
deleted file mode 100644
index cc2d5dd..0000000
--- a/recipes-security/refpolicy/refpolicy/0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 15c99854aa21564a6eb1121f58f55a9626ba6297 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 10 Jul 2020 09:07:00 +0800
-Subject: [PATCH] policy/modules/services/acpi: make acpid_t domain MLS trusted
- for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=265 comm="acpid" name="journal"
-dev="tmpfs" ino=14165 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/acpi.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
-index 5c22adecd..bd442ff8a 100644
---- a/policy/modules/services/acpi.te
-+++ b/policy/modules/services/acpi.te
-@@ -157,6 +157,8 @@ userdom_dontaudit_use_unpriv_user_fds(acpid_t)
- userdom_dontaudit_search_user_home_dirs(acpid_t)
- userdom_dontaudit_search_user_home_content(acpid_t)
- 
-+mls_file_read_to_clearance(acpid_t)
-+
- optional_policy(`
- automount_domtrans(acpid_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
deleted file mode 100644
index 3cfe2c0..0000000
--- a/recipes-security/refpolicy/refpolicy/0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5cd8a1121685c269238c89ea22743441541cf108 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Tue, 23 Jun 2020 08:19:16 +0800
-Subject: [PATCH] policy/modules/services/avahi: make avahi_t MLS trusted for
- reading from files up to its clearance
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/avahi.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index 674cdcb81..8ddd922e5 100644
---- a/policy/modules/services/avahi.te
-+++ b/policy/modules/services/avahi.te
-@@ -95,6 +95,8 @@ sysnet_etc_filetrans_config(avahi_t)
- userdom_dontaudit_use_unpriv_user_fds(avahi_t)
- userdom_dontaudit_search_user_home_dirs(avahi_t)
- 
-+mls_file_read_to_clearance(avahi_t)
-+
- optional_policy(`
- dbus_system_domain(avahi_t, avahi_exec_t)
- 
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch b/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
deleted file mode 100644
index a784657..0000000
--- a/recipes-security/refpolicy/refpolicy/0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 3c74f403cb38410ea7e1de0e61dafa80a60c5ba5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 10 Jul 2020 09:18:12 +0800
-Subject: [PATCH] policy/modules/services/bluetooth: make bluetooth_t domain
- MLS trusted for reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=268 comm="bluetoothd" name="journal"
-dev="tmpfs" ino=14165
-scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/bluetooth.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index b3df695db..931021346 100644
---- a/policy/modules/services/bluetooth.te
-+++ b/policy/modules/services/bluetooth.te
-@@ -132,6 +132,8 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
- init_dbus_send_script(bluetooth_t)
- systemd_dbus_chat_hostnamed(bluetooth_t)
- 
-+mls_file_read_to_clearance(bluetooth_t)
-+
- optional_policy(`
- dbus_system_bus_client(bluetooth_t)
- dbus_connect_system_bus(bluetooth_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch b/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
deleted file mode 100644
index 2ba3100..0000000
--- a/recipes-security/refpolicy/refpolicy/0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 1ab2ca67db9205f484ebce022be9c9a42bacc802 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan
-Date: Thu, 23 Feb 2017 08:18:36 +0000
-Subject: [PATCH] policy/modules/system/sysnetwork: make dhcpc_t domain MLS
- trusted for reading from files up to its clearance
-
-Allow dhcpc_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=218 comm="dhclient" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- policy/modules/system/sysnetwork.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a9297f976..b6fd3f907 100644
---- a/policy/modules/system/sysnetwork.te
-+++ b/policy/modules/system/sysnetwork.te
-@@ -170,6 +170,8 @@ sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
- 
-+mls_file_read_to_clearance(dhcpc_t)
-+
- ifdef(`distro_redhat', `
- files_exec_etc_files(dhcpc_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch b/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
deleted file mode 100644
index abf5cd9..0000000
--- a/recipes-security/refpolicy/refpolicy/0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2a54a7cab41aaddc113ed71d68f82e37661c3487 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 3 Jul 2020 08:57:51 +0800
-Subject: [PATCH] policy/modules/services/inetd: make inetd_t domain MLS
- trusted for reading from files up to its clearance
-
-Allow inetd_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=286 comm="xinetd" name="journal"
-dev="tmpfs" ino=10990 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/inetd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index 1a6ad6e1a..8d1fc0241 100644
---- a/policy/modules/services/inetd.te
-+++ b/policy/modules/services/inetd.te
-@@ -161,6 +161,7 @@ mls_socket_read_to_clearance(inetd_t)
- mls_socket_write_to_clearance(inetd_t)
- mls_net_outbound_all_levels(inetd_t)
- mls_process_set_level(inetd_t)
-+mls_file_read_to_clearance(inetd_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(inetd_t)
- userdom_dontaudit_search_user_home_dirs(inetd_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch b/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
deleted file mode 100644
index 5be48df..0000000
--- a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 3 Jul 2020 09:42:21 +0800
-Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted
- for reading from files up to its clearance
-
-Allow named_t to search /run/systemd/journal
-
-Fixes:
-avc: denied { search } for pid=295 comm="isc-worker0000"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:named_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/bind.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index bf50763bd..be1813cb9 100644
---- a/policy/modules/services/bind.te
-+++ b/policy/modules/services/bind.te
-@@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t)
- userdom_dontaudit_use_unpriv_user_fds(named_t)
- userdom_dontaudit_search_user_home_dirs(named_t)
- 
-+mls_file_read_to_clearance(named_t)
-+
- tunable_policy(`named_tcp_bind_http_port',`
- corenet_sendrecv_http_server_packets(named_t)
- corenet_tcp_bind_http_port(named_t)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
deleted file mode 100644
index 7adaea0..0000000
--- a/recipes-security/refpolicy/refpolicy/0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58cdf21546b973b458a26ea4b3a523275a80aca5 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Thu, 30 May 2019 08:30:06 +0800
-Subject: [PATCH] policy/modules/services/rpc: make rpcd_t MLS trusted for
- reading from files up to its clearance
-
-Fixes:
-type=AVC msg=audit(1559176077.169:242): avc: denied { search } for
-pid=374 comm="rpc.statd" name="journal" dev="tmpfs" ino=9854
-scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rpc.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 9618df04e..84caefbbb 100644
---- a/policy/modules/services/rpc.te
-+++ b/policy/modules/services/rpc.te
-@@ -275,6 +275,8 @@ seutil_dontaudit_search_config(rpcd_t)
- 
- userdom_signal_all_users(rpcd_t)
- 
-+mls_file_read_to_clearance(rpcd_t)
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(rpcd_t)
- ')
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
deleted file mode 100644
index 0a18ca3..0000000
--- a/recipes-security/refpolicy/refpolicy/0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From abb0ef8967130c6a31b45d6dfb0970cf8415fec6 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Mon, 22 Feb 2021 11:28:12 +0800
-Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
- for writing/reading from files at all levels
-
-Fixes:
-avc: denied { search } for pid=1148 comm="systemd" name="journal"
-dev="tmpfs" ino=206
-scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { write } for pid=1148 comm="systemd" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/system/systemd.if | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 152139261..320619289 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -113,6 +113,9 @@ template(`systemd_role_template',`
- 
- seutil_read_file_contexts($1_systemd_t)
- seutil_search_default_contexts($1_systemd_t)
-+
-+ mls_file_read_all_levels($1_systemd_t)
-+ mls_file_write_all_levels($1_systemd_t)
- ')
- 
- ######################################
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch b/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
deleted file mode 100644
index 370bc64..0000000
--- a/recipes-security/refpolicy/refpolicy/0091-fc-usermanage-update-file-context-for-chfn-chsh.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 311d4759340f2af1e1e157d571802e4367e0a46b Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Mon, 2 Aug 2021 09:38:39 +0800
-Subject: [PATCH] fc/usermanage: update file context for chfn/chsh
-
-The util-linux has provided chfn and chsh since oe-core commit
-804c6b5bd3d398d5ea2a45d6bcc23c76e328ea3f. Update the file context for
-them.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/usermanage.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
-index 6a051f8a5..bf1ff09ab 100644
---- a/policy/modules/admin/usermanage.fc
-+++ b/policy/modules/admin/usermanage.fc
-@@ -5,8 +5,10 @@ ifdef(`distro_debian',`
- /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
- /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0)
-+/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0)
- /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
- /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
---
-2.17.1
-
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 3d2eb89..dffc34a 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,5 +1,3 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
 SECTION = "admin"
 LICENSE = "GPLv2"
@@ -24,91 +22,61 @@ SRC_URI += " \
 file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
 file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
 file://0006-fc-login-apply-login-context-to-login.shadow.patch \
- file://0007-fc-bind-fix-real-path-for-bind.patch \
- file://0008-fc-hwclock-add-hwclock-alternatives.patch \
- file://0009-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
- file://0010-fc-ssh-apply-policy-to-ssh-alternatives.patch \
- file://0011-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
- file://0012-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
- file://0013-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
- file://0014-fc-su-apply-policy-to-su-alternatives.patch \
- file://0015-fc-fstools-fix-real-path-for-fstools.patch \
- file://0016-fc-init-fix-update-alternatives-for-sysvinit.patch \
- file://0017-fc-brctl-apply-policy-to-brctl-alternatives.patch \
- file://0018-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
- file://0019-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
- file://0020-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
- file://0021-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
- file://0022-fc-ldap-apply-policy-to-ldap-alternatives.patch \
- file://0023-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
- file://0024-fc-screen-apply-policy-to-screen-alternatives.patch \
- file://0025-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
- file://0026-fc-getty-add-file-context-to-start_getty.patch \
- file://0027-fc-init-add-file-context-to-etc-network-if-files.patch \
- file://0028-fc-vlock-apply-policy-to-vlock-alternatives.patch \
- file://0029-fc-cron-apply-policy-to-etc-init.d-crond.patch \
- file://0030-fc-sysnetwork-update-file-context-for-ifconfig.patch \
- file://0031-file_contexts.subs_dist-set-aliase-for-root-director.patch \
- file://0032-policy-modules-system-logging-add-rules-for-the-syml.patch \
- file://0033-policy-modules-system-logging-add-rules-for-syslogd-.patch \
- file://0034-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
- file://0035-policy-modules-system-logging-fix-auditd-startup-fai.patch \
- file://0036-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0037-policy-modules-system-modutils-allow-mod_t-to-access.patch \
- file://0038-policy-modules-services-avahi-allow-avahi_t-to-watch.patch \
- file://0039-policy-modules-system-getty-allow-getty_t-to-search-.patch \
- file://0040-policy-modules-services-bluetooth-fix-bluetoothd-sta.patch \
- file://0041-policy-modules-roles-sysadm-allow-sysadm-to-run-rpci.patch \
- file://0042-policy-modules-services-rpc-add-capability-dac_read_.patch \
- file://0043-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
- file://0044-policy-modules-services-rngd-fix-security-context-fo.patch \
- file://0045-policy-modules-services-ssh-allow-ssh_keygen_t-to-re.patch \
- file://0046-policy-modules-services-ssh-make-respective-init-scr.patch \
- file://0047-policy-modules-kernel-terminal-allow-loging-to-reset.patch \
- file://0048-policy-modules-system-selinuxutil-allow-semanage_t-t.patch \
- file://0049-policy-modules-system-systemd-enable-support-for-sys.patch \
- file://0050-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
- file://0051-policy-modules-system-init-add-capability2-bpf-and-p.patch \
- file://0052-policy-modules-system-systemd-allow-systemd_logind_t.patch \
- file://0053-policy-modules-system-logging-set-label-devlog_t-to-.patch \
- file://0054-policy-modules-system-systemd-support-systemd-user.patch \
- file://0055-policy-modules-system-systemd-allow-systemd-generato.patch \
- file://0056-policy-modules-system-systemd-allow-systemd_backligh.patch \
- file://0057-policy-modules-system-logging-fix-systemd-journald-s.patch \
- file://0058-policy-modules-services-cron-allow-crond_t-to-search.patch \
- file://0059-policy-modules-services-crontab-allow-sysadm_r-to-ru.patch \
- file://0060-policy-modules-system-sysnetwork-support-priviledge-.patch \
- file://0061-policy-modules-services-acpi-allow-acpid-to-watch-th.patch \
- file://0062-policy-modules-system-setrans-allow-setrans-to-acces.patch \
- file://0063-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
- file://0064-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch \
- file://0065-policy-modules-system-selinux-allow-setfiles_t-to-re.patch \
- file://0066-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
- file://0067-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
- file://0068-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
- file://0069-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
- file://0070-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0071-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0072-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
- file://0073-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
- file://0074-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
- file://0075-policy-modules-system-init-all-init_t-to-read-any-le.patch \
- file://0076-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
- file://0077-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
- file://0078-policy-modules-system-systemd-make-systemd-logind-do.patch \
- file://0079-policy-modules-system-systemd-systemd-user-sessions-.patch \
- file://0080-policy-modules-system-systemd-systemd-make-systemd_-.patch \
- file://0081-policy-modules-services-ntp-make-nptd_t-MLS-trusted-.patch \
- file://0082-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
- file://0083-policy-modules-services-acpi-make-acpid_t-domain-MLS.patch \
- file://0084-policy-modules-services-avahi-make-avahi_t-MLS-trust.patch \
- file://0085-policy-modules-services-bluetooth-make-bluetooth_t-d.patch \
- file://0086-policy-modules-system-sysnetwork-make-dhcpc_t-domain.patch \
- file://0087-policy-modules-services-inetd-make-inetd_t-domain-ML.patch \
- file://0088-policy-modules-services-bind-make-named_t-domain-MLS.patch \
- file://0089-policy-modules-services-rpc-make-rpcd_t-MLS-trusted-.patch \
- file://0090-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
- file://0091-fc-usermanage-update-file-context-for-chfn-chsh.patch \
+ file://0007-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
+ file://0011-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
+ file://0012-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0013-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0014-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0015-fc-init-fix-update-alternatives-for-sysvinit.patch \
+ file://0016-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+ file://0017-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+ file://0018-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+ file://0019-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+ file://0020-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+ file://0021-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+ file://0022-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+ file://0023-fc-screen-apply-policy-to-screen-alternatives.patch \
+ file://0024-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+ file://0025-fc-getty-add-file-context-to-start_getty.patch \
+ file://0026-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+ file://0027-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+ file://0028-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+ file://0029-policy-modules-system-logging-add-rules-for-the-syml.patch \
+ file://0030-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+ file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+ file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+ file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+ file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
+ file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
+ file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
+ file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
+ file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
+ file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \
+ file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \
+ file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
+ file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+ file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
 "
 S = "${WORKDIR}/refpolicy"
@@ -138,8 +106,10 @@ inherit python3native
 PARALLEL_MAKE = ""
+DEFAULT_ENFORCING ??= "enforcing"
+
 POLICY_NAME ?= "${POLICY_TYPE}"
-POLICY_DISTRO ?= "redhat"
+POLICY_DISTRO ?= "debian"
 POLICY_UBAC ?= "n"
 POLICY_UNK_PERMS ?= "allow"
 POLICY_DIRECT_INITRC ?= "y"
@@ -238,7 +208,7 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
 args = \$@
 [end]
-policy-version = 31
+policy-version = 33
 EOF
 # Create policy store and build the policy
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 1d56403..9e78aed 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,8 +1,8 @@
-PV = "2.20210203+git${SRCPV}"
+PV = "2.20210908+git${SRCPV}"
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=master;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "1167739da1882f9c89281095d2595da5ea2d9d6b"
+SRCREV_refpolicy ?= "23a8d103f379361cfe63a9ee064564624e108196"
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"
--
cgit v1.2.3-54-g00ecf
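Review bot: The rebuilt SRC_URI list drops the "make X_t MLS trusted" patches for ntpd, acpid, avahi, bluetooth, dhcpc, inetd, named and rpcd (old 0081 and 0083–0089 on the removed side) and several service fix-ups (old 0038, 0040, 0044–0048, 0053, 0055–0056, 0058–0059, 0061–0062, 0064–0065, 0078–0079) with no renumbered successor on the added side, while the mount/nfsd/dmesg/kernel/init/tmpfiles/systemd/syslogd/auditd/setrans MLS set is kept as new 0046–0060. Dropping MLS overrides is the right direction for least privilege, but each of those patches was written against a concrete denial, and nothing in the hunk records whether refpolicy 20210908 now handles those domains or whether they were simply never exercised, so an MLS image with any of those services enabled may now fail at the first cross-level access. I would keep that reasoning in the recipe rather than only in the commit log, e.g. `# MLS overrides: only the domains listed below are still needed with refpolicy 20210908 (ntpd/acpid/avahi/bluetooth/dhcpc/inetd/named/rpcd dropped in the rebase - re-verify if those services return)`, and boot an MLS image with those services before merging. The `SRC_URI += " \` assignment begins in the hunk header context above the first hunk line and is closed by the `"` context line inside the hunk.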
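Review bot: `POLICY_DISTRO ?= "debian"` changes which distro_* ifdef blocks of refpolicy get compiled, and the remaining local patches now appear to assume that choice: the deleted 0091 patch earlier on this page shows the `/usr/bin/chfn\.shadow` and `/usr/bin/chsh\.shadow` labels living inside the distro_debian block of usermanage.fc, which is presumably the mechanism that lets local fc patches be dropped. Because the assignment is still weak, a distro or BSP that carries `POLICY_DISTRO = "redhat"` (or "gentoo") from the previous default will silently lose those labels and end up with mislabelled alternatives, with no build-time error, since `?=` lets the outer value win. I would state the dependency next to the assignment, e.g. `# The local fc/te patches assume refpolicy's distro_debian blocks (e.g. the *.shadow alternatives in usermanage.fc); other values are untested here.`, and either make it a plain `=` or add a bbwarn in the recipe body when the value is not "debian". These are top-level recipe variables, so no enclosing function is cut by the hunk.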
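Review bot: `policy-version = 33` in the generated semanage.conf fixes the highest kernel policy format the build emits, and the kernel rejects a policydb newer than it understands, so an image whose kernel predates that format will fail to load policy at boot and run with no SELinux at all (or fail to boot under enforcing, depending on the init). If I remember the policydb history correctly, 33 is the compressed filename-transition format that arrived around Linux 5.8, while older LTS kernels such as 5.4 accept at most 31, which is exactly what the previous value matched; nothing in the hunk ties the new value to the kernel the layer builds. The value sits inside a bitbake-expanded heredoc (the neighbouring `path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile` line shows that), so it can be made overridable without changing the default: add `POLICY_KERN_VERSION ?= "33"` next to the other `POLICY_*` variables and write `policy-version = ${POLICY_KERN_VERSION}` here, with a comment `# must not exceed the policy version supported by the target kernel`. The heredoc and the task function around it start and end outside the hunk.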