From 776da889b550ac9e5be414a8cc10fd86b1923264 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Mon, 8 Apr 2019 13:50:40 -0400 Subject: refpolicy: update to 2.20190201 and git HEAD policies Additionally, the README has fallen out of date, update it to reflect the current reality of layer dependencies. Signed-off-by: Joe MacDonald --- ...icy-minimum-make-sysadmin-module-optional.patch | 67 ++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch (limited to 'recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch') diff --git a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch new file mode 100644 index 0000000..09a16fb --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch @@ -0,0 +1,67 @@ +From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Fri, 5 Apr 2019 11:53:28 -0400 +Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional + +init and locallogin modules have a depend for sysadm module because +they have called sysadm interfaces(sysadm_shell_domtrans). Since +sysadm is not a core module, we could make the sysadm_shell_domtrans +calls optionally by optional_policy. + +So, we could make the minimum policy without sysadm module. + +Upstream-Status: pending + +Signed-off-by: Xin Ouyang +Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald +--- + policy/modules/system/init.te | 16 +++++++++------- + policy/modules/system/locallogin.te | 4 +++- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 2e6b57a6..d8696580 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -448,13 +448,15 @@ ifdef(`init_systemd',` + modutils_domtrans(init_t) + ') + ',` +- tunable_policy(`init_upstart',` +- corecmd_shell_domtrans(init_t, initrc_t) +- ',` +- # Run the shell in the sysadm role for single-user mode. +- # causes problems with upstart +- ifndef(`distro_debian',` +- sysadm_shell_domtrans(init_t) ++ optional_policy(` ++ tunable_policy(`init_upstart',` ++ corecmd_shell_domtrans(init_t, initrc_t) ++ ',` ++ # Run the shell in the sysadm role for single-user mode. ++ # causes problems with upstart ++ ifndef(`distro_debian',` ++ sysadm_shell_domtrans(init_t) ++ ') + ') + ') + ') +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index a56f3d1f..4c679ff3 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) + userdom_search_user_home_dirs(sulogin_t) + userdom_use_user_ptys(sulogin_t) + +-sysadm_shell_domtrans(sulogin_t) ++optional_policy(` ++ sysadm_shell_domtrans(sulogin_t) ++') + + # by default, sulogin does not use pam... + # sulogin_pam might need to be defined otherwise +-- +2.19.1 + -- cgit v1.2.3-54-g00ecf