From 0cfdbb47aafef9e9af562c9dffebd0aefefe5457 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Wed, 3 May 2017 21:05:44 -0400 Subject: refpolicy: update git recipes The targeted, mls and minimum recipes had fallen far behind the upstream refpolicy repository. Refresh all patches and discard ones that are obviously no longer needed. This should not have any functional change on the policies. 
Signed-off-by: Joe MacDonald --- .../ftp-add-ftpd_t-to-mlsfilewrite.patch | 1 + .../refpolicy/refpolicy-git/poky-fc-clock.patch | 8 +- .../refpolicy/refpolicy-git/poky-fc-dmesg.patch | 8 +- .../refpolicy/refpolicy-git/poky-fc-fix-bind.patch | 1 + .../poky-fc-fix-real-path_login.patch | 34 +++---- .../poky-fc-fix-real-path_resolv.conf.patch | 3 +- .../poky-fc-fix-real-path_shadow.patch | 3 +- .../refpolicy-git/poky-fc-fix-real-path_su.patch | 8 +- .../refpolicy/refpolicy-git/poky-fc-fstools.patch | 105 ++++++++++----------- .../refpolicy-git/poky-fc-ftpwho-dir.patch | 1 + .../refpolicy/refpolicy-git/poky-fc-mta.patch | 3 +- .../refpolicy/refpolicy-git/poky-fc-netutils.patch | 23 ----- .../refpolicy/refpolicy-git/poky-fc-nscd.patch | 1 + .../refpolicy/refpolicy-git/poky-fc-rpm.patch | 3 +- .../refpolicy/refpolicy-git/poky-fc-screen.patch | 16 ++-- .../refpolicy/refpolicy-git/poky-fc-ssh.patch | 1 + .../refpolicy-git/poky-fc-subs_dist.patch | 2 +- .../refpolicy-git/poky-fc-sysnetwork.patch | 50 ++++------ .../refpolicy/refpolicy-git/poky-fc-udevd.patch | 27 +++--- .../poky-fc-update-alternatives_hostname.patch | 9 +- .../poky-fc-update-alternatives_sysklogd.patch | 38 ++++---- .../poky-fc-update-alternatives_sysvinit.patch | 70 +++++++------- ...poky-policy-add-rules-for-bsdpty_device_t.patch | 17 ++-- ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 14 +-- .../poky-policy-add-rules-for-tmp-symlink.patch | 19 ++-- ...ky-policy-add-rules-for-var-cache-symlink.patch | 1 + ...licy-add-rules-for-var-log-symlink-apache.patch | 11 ++- ...rules-for-var-log-symlink-audisp_remote_t.patch | 5 +- ...poky-policy-add-rules-for-var-log-symlink.patch | 75 ++------------- ...ky-policy-add-syslogd_t-to-trusted-object.patch | 3 +- ...-policy-allow-nfsd-to-exec-shell-commands.patch | 58 ++++++++---- ...-policy-allow-setfiles_t-to-read-symlinks.patch | 11 ++- .../poky-policy-allow-sysadm-to-run-rpcinfo.patch | 1 + .../poky-policy-don-t-audit-tty_device_t.patch | 3 +- 
.../poky-policy-fix-dmesg-to-use-dev-kmsg.patch | 16 +--- ...poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch | 36 +++---- ...olicy-fix-setfiles-statvfs-get-file-count.patch | 14 +-- ...ky-policy-fix-seutils-manage-config-files.patch | 3 +- .../refpolicy-update-for_systemd.patch | 10 +- 39 files changed, 318 insertions(+), 394 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch (limited to 'recipes-security/refpolicy/refpolicy-git') diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch index 4830566..85c40a4 100644 --- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch +++ b/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch @@ -17,6 +17,7 @@ root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name root@localhost:~# Signed-off-by: Roy Li +Signed-off-by: Joe MacDonald --- policy/modules/contrib/ftp.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch index b36c209..628e8a3 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch @@ -3,17 +3,15 @@ Subject: [PATCH] refpolicy: fix real path for clock Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/clock.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/system/clock.fc 
+++ b/policy/modules/system/clock.fc -@@ -1,6 +1,7 @@ - +@@ -1,3 +1,4 @@ /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) - /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) -+/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) - ++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch index 6995bb5..689c75b 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch @@ -3,15 +3,13 @@ Subject: [PATCH] refpolicy: fix real path for dmesg Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/admin/dmesg.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/admin/dmesg.fc +++ b/policy/modules/admin/dmesg.fc -@@ -1,4 +1,5 @@ - - /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -+/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) - +@@ -1 +1,2 @@ ++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch index a96b4a7..3218c88 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch @@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for bind. Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/bind.fc | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch index d97d58e..fc54217 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch @@ -3,31 +3,33 @@ Subject: [PATCH] fix real path for login commands. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/authlogin.fc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/policy/modules/system/authlogin.fc 
+++ b/policy/modules/system/authlogin.fc -@@ -1,19 +1,18 @@ - - /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -+/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) -+/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) - - /etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +@@ -3,20 +3,19 @@ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) --/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) --/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) ++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) ++/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) + + /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) + + /usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) + + /usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) + /usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +-/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +-/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +-/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) + /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) 
+ /usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') - - /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch index c1cd74d..cd79f45 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch @@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for resolv.conf Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/sysnetwork.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -23,10 +23,11 @@ ifdef(`distro_debian',` +@@ -17,10 +17,11 @@ ifdef(`distro_debian',` /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch index d74f524..a15a776 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch @@ -3,13 +3,14 @@ Subject: [PATCH] fix real path for shadow commands. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/admin/usermanage.fc | 6 ++++++ 1 file changed, 6 insertions(+) --- a/policy/modules/admin/usermanage.fc 
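Review bot: The refreshed poky-fc-fix-real-path_login.patch still deletes the `/usr/sbin/unix_chkpwd`, `/usr/sbin/unix_update` and `/usr/sbin/unix_verify` specs from authlogin.fc (the three `+-` lines in this hunk), but neither the patch subject "fix real path for login commands" nor its description says why. Dropping those entries removes the chkpwd_exec_t/updpwd_exec_t labels from the PAM helpers, so unless another patch in the series relabels them they would presumably execute in the calling domain instead of transitioning to chkpwd_t, which is a policy change rather than a path fix. Please add a sentence to the patch header that states the rationale, e.g. `Also drop the unix_chkpwd/unix_update/unix_verify specs because <REASON-PLACEHOLDER>.`, or move the removal into a separate patch with its own justification.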
+++ b/policy/modules/admin/usermanage.fc -@@ -6,15 +6,21 @@ ifdef(`distro_debian',` +@@ -2,15 +2,21 @@ ifdef(`distro_debian',` /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch index 23484de..41c32df 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch @@ -6,17 +6,15 @@ Subject: [PATCH] fix real path for su.shadow command Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald --- policy/modules/admin/su.fc | 2 ++ 1 file changed, 2 insertions(+) --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc -@@ -3,5 +3,7 @@ - /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) - +@@ -1,3 +1,4 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -+ -+/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch index 5d3aa76..cf07b23 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch @@ -14,62 +14,57 @@ Signed-off-by: Shrikant Bobade --- a/policy/modules/system/fstools.fc 
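Review bot: `/usr/bin/su.shadow` in the refreshed poky-fc-fix-real-path_su.patch leaves the dot unescaped, while the sibling patches in this series (`hwclock\.util-linux`, `dmesg\.util-linux`, `login\.shadow`) escape it. file_contexts paths are regular expressions, so this spec also matches `/usr/bin/suXshadow` for any single character X; it still labels the intended file, so this is a consistency point rather than a functional one. Suggest `+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)`.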
+++ b/policy/modules/system/fstools.fc -@@ -1,19 +1,23 @@ - /sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/blockdev/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -22,20 +26,22 @@ - /sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mkswap/.util-linux -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -43,10 +49,11 @@ - /sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -4,10 +4,11 @@ /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/blockdev -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -17,14 +18,16 @@ + /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -33,21 +36,24 @@ + /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/parted -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch index b4ba2e2..d58de6a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch @@ -5,6 +5,7 @@ Upstream-Status: Pending ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it Signed-off-by: Roy Li +Signed-off-by: Joe MacDonald --- policy/modules/contrib/ftp.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch index 1a8fbe3..72b559f 100644 
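Review bot: The five util-linux alternatives entries that this refresh rewrites in poky-fc-fstools.patch (`/usr/sbin/blkid/.util-linux`, `fdisk/.util-linux`, `hdparm/.util-linux`, `mkswap/.util-linux`, `swapoff/.util-linux`) use a literal `/` where the sibling patches (`hwclock\.util-linux`, `dmesg\.util-linux`) use an escaped dot. Because file_contexts entries are regexes, `/usr/sbin/blkid/.util-linux` can only match a file inside a directory named `/usr/sbin/blkid/` and never `/usr/sbin/blkid.util-linux`, so those binaries presumably keep the default bin label and do not get fsadm_exec_t (and hence no fsadm_t transition) when run through the alternatives symlink. The old patch carried the same typo (`-+/sbin/blkid/.util-linux`), and the refresh is the natural moment to fix it: `+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0)`, and likewise for fdisk, hdparm, mkswap and swapoff.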
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch @@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for mta Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/mta.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/contrib/mta.fc +++ b/policy/modules/contrib/mta.fc -@@ -20,10 +20,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys +@@ -19,10 +19,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch deleted file mode 100644 index fea90ad..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-netutils.patch +++ /dev/null @@ -1,23 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for netutils - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang ---- - policy/modules/admin/netutils.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/admin/netutils.fc -+++ b/policy/modules/admin/netutils.fc -@@ -1,10 +1,11 @@ - /bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) - /bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - - /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) -+/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - - /usr/bin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) - /usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch index 5fe5062..0adf7c2 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch @@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for nscd Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/nscd.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch index 8680f19..922afa9 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch @@ -6,13 +6,14 @@ Subject: [PATCH] refpolicy: fix real path for cpio Upstream-Status: Inappropriate [configuration] Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald --- policy/modules/contrib/rpm.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/contrib/rpm.fc +++ b/policy/modules/contrib/rpm.fc -@@ -61,6 +61,7 @@ ifdef(`distro_redhat',` +@@ -57,6 +57,7 @@ ifdef(`distro_redhat',` /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch index a7301e9..8ea210e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch @@ -6,20 +6,18 @@ Subject: [PATCH] refpolicy: fix real path for screen Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/screen.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/contrib/screen.fc 
+++ b/policy/modules/contrib/screen.fc -@@ -1,9 +1,10 @@ - HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) - HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) +@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) - /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) + /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) + /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) - /run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) - /run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) + /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) + /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch index 35bbc9e..648b21b 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch @@ -3,6 +3,7 @@ Subject: [PATCH] refpolicy: fix real path for ssh Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch index f82f359..8aec193 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch @@ -13,7 +13,7 @@ Signed-off-by: Joe MacDonald --- a/config/file_contexts.subs_dist 
+++ b/config/file_contexts.subs_dist -@@ -21,5 +21,16 @@ +@@ -26,5 +26,16 @@ # backward compatibility # not for refpolicy intern, but for /var/run using applications, diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch index 7f8f368..0b148b5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch @@ -7,41 +7,31 @@ Upstream-Status: Inappropriate [configuration] Signed-off-by: Xin Ouyang Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald --- policy/modules/system/sysnetwork.fc | 3 +++ 1 file changed, 3 insertions(+) --- a/policy/modules/system/sysnetwork.fc 
+++ b/policy/modules/system/sysnetwork.fc -@@ -2,10 +2,11 @@ - # - # /bin - # - /bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - - # - # /dev - # - ifdef(`distro_debian',` -@@ -43,17 +44,19 @@ ifdef(`distro_redhat',` - /sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +@@ -41,17 +41,20 @@ ifdef(`distro_redhat',` + /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 
++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # - # /usr + # /var diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch index 8e2cb1b..2271a05 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch @@ -6,6 +6,7 @@ Subject: [PATCH] refpolicy: fix real path for udevd/udevadm Upstream-Status: Inappropriate [configuration] Signed-off-by: Wenzong Fan +Signed-off-by: Joe MacDonald --- policy/modules/system/udev.fc | 2 ++ 1 file changed, 2 insertions(+) @@ -17,22 +18,22 @@ 
Signed-off-by: Wenzong Fan /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) -+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ifdef(`distro_debian',` - /bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) + /usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ') -@@ -26,10 +27,11 @@ ifdef(`distro_debian',` - ifdef(`distro_redhat',` - /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) + +@@ -30,10 +31,11 @@ ifdef(`distro_redhat',` + /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ') - /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) -+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + + /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + + /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) - /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) - /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch index 80c40d0..e3edce1 100644 
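Review bot: The refreshed poky-fc-udevd.patch now adds `/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)` unconditionally (the `++` line at the top of this hunk) directly above an `ifdef(`distro_debian',`` block whose context line already carries the identical spec, so a distro_debian build would list the same path twice. Identical duplicates are, as far as I know, only a "multiple same specifications" warning from setfiles rather than an error, and Poky presumably does not build with distro_debian, so this is a tidiness point. Either drop the Debian-conditional copy in the patch or place the new line after the ifdef block so the overlap is visible to the next person refreshing it.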
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch @@ -6,15 +6,14 @@ Subject: [PATCH 3/4] fix update-alternatives for hostname Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/hostname.fc | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc -@@ -1,4 +1,5 @@ - - /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -+/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) - +@@ -1 +1,3 @@ ++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) ++ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch index 03284cd..dfa67a6 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch @@ -9,6 +9,7 @@ for syslogd_t to read syslog_conf_t lnk_file is needed. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/logging.fc | 4 ++++ policy/modules/system/logging.te | 1 + @@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -1,22 +1,26 @@ +@@ -1,12 +1,14 @@ /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -27,25 +28,30 @@ 
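Review bot: The rewritten inner hunk `@@ -1 +1,3 @@` now adds two lines (the `hostname\.net-tools` entry and a blank line), but the diffstat kept as context above it still says `policy/modules/system/hostname.fc | 1 +` and `1 file changed, 1 insertion(+)`; either drop the blank line or regenerate the diffstat so the embedded patch is self-consistent. Placing the alternative before the primary `/usr/bin/hostname` line also departs from the ordering the other .fc hunks in this series use (primary entry first, `\.<alternative>` entry directly after it, e.g. `klogd` then `klogd\.sysklogd`), so `/usr/bin/hostname` followed by `/usr/bin/hostname\.net-tools` would match them.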
Signed-off-by: Xin Ouyang /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) - /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) - /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) - /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) - /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) +@@ -15,14 +17,16 @@ + /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) + /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) + /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) + /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) + /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) ++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/minilogd -- 
gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) + /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + + /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) + /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -386,10 +386,11 @@ allow syslogd_t self:unix_dgram_socket s +@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -56,4 +62,4 @@ Signed-off-by: Xin Ouyang # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) - + init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch index 0c09825..81fe141 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch @@ -6,51 +6,45 @@ Subject: [PATCH 1/4] fix update-alternatives for sysvinit Upstream-Status: Inappropriate [only for Poky] 
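Review bot: In the refreshed logging.fc hunk `/usr/sbin/syslogd\.sysklogd` is inserted between `rsyslogd` and `syslog-ng` rather than directly after `/usr/sbin/syslogd`, while `klogd\.sysklogd` a few lines above does follow its primary entry; moving the line after `/usr/sbin/syslogd` keeps the file sorted and makes the update-alternatives pairing obvious to the next person refreshing the patch. The outer hunk continues into the logging.te part of the embedded patch, where only the hunk header is renumbered.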
Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/shutdown.fc | 1 + policy/modules/kernel/corecommands.fc | 1 + policy/modules/system/init.fc | 1 + 3 files changed, 3 insertions(+) ---- a/policy/modules/contrib/shutdown.fc -+++ b/policy/modules/contrib/shutdown.fc -@@ -1,10 +1,11 @@ - /etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) - - /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) - +Index: refpolicy/policy/modules/contrib/shutdown.fc +=================================================================== +--- refpolicy.orig/policy/modules/contrib/shutdown.fc ++++ refpolicy/policy/modules/contrib/shutdown.fc +@@ -3,5 +3,6 @@ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +Index: refpolicy/policy/modules/kernel/corecommands.fc +=================================================================== +--- refpolicy.orig/policy/modules/kernel/corecommands.fc ++++ refpolicy/policy/modules/kernel/corecommands.fc +@@ -144,6 +144,7 @@ ifdef(`distro_gentoo',` + /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) + /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +Index: refpolicy/policy/modules/system/init.fc 
+=================================================================== +--- refpolicy.orig/policy/modules/system/init.fc ++++ refpolicy/policy/modules/system/init.fc +@@ -39,6 +39,7 @@ ifdef(`distro_gentoo', ` + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -8,10 +8,11 @@ - /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) - /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) - /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - ---- a/policy/modules/system/init.fc -+++ b/policy/modules/system/init.fc -@@ -30,10 +30,11 @@ ifdef(`distro_gentoo', ` - - # - # /sbin - # - /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) -+/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - # because nowadays, /sbin/init is often a symlink to /sbin/upstart - /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) - - ifdef(`distro_gentoo', ` - /sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) 
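Review bot: The refreshed patch switches from the `--- a/policy/...` / `+++ b/policy/...` headers every other patch in this directory uses to quilt-style `Index: refpolicy/...` / `--- refpolicy.orig/...` / `+++ refpolicy/...` headers. Both strip to the same path at `-p1`, so it applies, but mixing the two styles means the series can no longer be refreshed uniformly with one tool; regenerating this one with git-style headers would keep the set consistent.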
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch index fee4068..ad7b5a6 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch @@ -6,13 +6,14 @@ Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. Upstream-Status: Pending Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/kernel/terminal.if | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -585,13 +585,15 @@ interface(`term_getattr_generic_ptys',` +@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',` ## # interface(`term_dontaudit_getattr_generic_ptys',` @@ -28,7 +29,7 @@ Signed-off-by: Xin Ouyang ## ## ioctl of generic pty devices. ## -@@ -603,15 +605,17 @@ interface(`term_dontaudit_getattr_generi +@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi # # cjp: added for ppp interface(`term_ioctl_generic_ptys',` @@ -46,7 +47,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Allow setting the attributes of -@@ -625,13 +629,15 @@ interface(`term_ioctl_generic_ptys',` +@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',` # # dwalsh: added for rhgb interface(`term_setattr_generic_ptys',` @@ -62,7 +63,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Dontaudit setting the attributes of -@@ -645,13 +651,15 @@ interface(`term_setattr_generic_ptys',` +@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',` # # dwalsh: added for rhgb interface(`term_dontaudit_setattr_generic_ptys',` @@ -78,7 +79,7 @@ 
Signed-off-by: Xin Ouyang ######################################## ## ## Read and write the generic pty -@@ -665,15 +673,17 @@ interface(`term_dontaudit_setattr_generi +@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi ## # interface(`term_use_generic_ptys',` @@ -96,7 +97,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Dot not audit attempts to read and -@@ -687,13 +697,15 @@ interface(`term_use_generic_ptys',` +@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',` ## # interface(`term_dontaudit_use_generic_ptys',` @@ -112,7 +113,7 @@ Signed-off-by: Xin Ouyang ####################################### ## ## Set the attributes of the tty device -@@ -705,14 +717,16 @@ interface(`term_dontaudit_use_generic_pt +@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt ## # interface(`term_setattr_controlling_term',` @@ -129,7 +130,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Read and write the controlling -@@ -725,14 +739,16 @@ interface(`term_setattr_controlling_term +@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term ## # interface(`term_use_controlling_term',` diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch index d3aa705..b12ee9d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch @@ -8,22 +8,22 @@ syslogd_t. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/logging.te | 2 ++ 1 file changed, 2 insertions(+) --- a/policy/modules/system/logging.te 
+++ b/policy/modules/system/logging.te -@@ -402,10 +402,12 @@ rw_fifo_files_pattern(syslogd_t, var_log +@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_ + rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; - +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; -+ - # manage temporary files - manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) - manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) - files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) + # for systemd but can not be conditional + files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") + + # manage temporary files diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch index 7a30460..d3c1ee5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch @@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /tmp/ directory. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/kernel/files.fc | 1 + policy/modules/kernel/files.if | 8 ++++++++ @@ -16,7 +17,7 @@ Signed-off-by: Xin Ouyang --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc -@@ -191,10 +191,11 @@ ifdef(`distro_debian',` +@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <> # # /tmp @@ -30,7 +31,7 @@ Signed-off-by: Xin Ouyang /tmp/lost\+found/.* <> --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -4471,10 +4471,11 @@ interface(`files_search_tmp',` +@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` gen_require(` type tmp_t; ') @@ -42,7 +43,7 @@ 
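Review bot: After the rebase the added `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` sits directly under the upstream comment `# Allow access for syslog-ng`, which no longer describes it; a comment of its own, e.g. `# /var/log may be a symlink on Poky; let syslogd follow it`, would stop a later refresh from folding it into the syslog-ng rule. The inner diffstat `policy/modules/system/logging.te | 2 ++` / `2 insertions(+)` kept as context above is now stale, since the new inner hunk header `+406,11` adds a single line.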
Signed-off-by: Xin Ouyang ######################################## ## ## Do not audit attempts to search the tmp directory (/tmp). -@@ -4507,10 +4508,11 @@ interface(`files_list_tmp',` +@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',` gen_require(` type tmp_t; ') @@ -54,7 +55,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Do not audit listing of the tmp directory (/tmp). -@@ -4543,10 +4545,11 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',` gen_require(` type tmp_t; ') @@ -66,7 +67,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Read files in the tmp directory (/tmp). -@@ -4561,10 +4564,11 @@ interface(`files_read_generic_tmp_files' +@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files' gen_require(` type tmp_t; ') @@ -78,7 +79,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Manage temporary directories in /tmp. -@@ -4579,10 +4583,11 @@ interface(`files_manage_generic_tmp_dirs +@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs gen_require(` type tmp_t; ') @@ -90,7 +91,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Manage temporary files and directories in /tmp. -@@ -4597,10 +4602,11 @@ interface(`files_manage_generic_tmp_file +@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file gen_require(` type tmp_t; ') @@ -102,7 +103,7 @@ Signed-off-by: Xin Ouyang ######################################## ## ## Read symbolic links in the tmp directory (/tmp). -@@ -4633,10 +4639,11 @@ interface(`files_rw_generic_tmp_sockets' +@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets' gen_require(` type tmp_t; ') @@ -114,7 +115,7 @@ 
Signed-off-by: Xin Ouyang ######################################## ## ## Mount filesystems in the tmp directory (/tmp) -@@ -4840,10 +4847,11 @@ interface(`files_tmp_filetrans',` +@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',` gen_require(` type tmp_t; ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch index fc6dea0..b828b7a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch @@ -11,6 +11,7 @@ contents, so this is still a secure relax. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/kernel/domain.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch index d907095..fb912b5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch @@ -10,17 +10,18 @@ logging.if. So still need add a individual rule for apache.te. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/apache.te | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/contrib/apache.te 
+++ b/policy/modules/contrib/apache.te -@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di - create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) - create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f + files_lock_filetrans(httpd_t, httpd_lock_t, { file dir }) + + manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) + manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) logging_log_filetrans(httpd_t, httpd_log_t, file) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch index 90c8f36..7c7355f 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch @@ -8,15 +8,16 @@ audisp_remote_t. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/logging.te | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -276,10 +276,11 @@ optional_policy(` +@@ -280,10 +280,11 @@ optional_policy(` - allow audisp_remote_t self:capability { setuid setpcap }; + allow audisp_remote_t self:capability { setpcap setuid }; allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; allow audisp_remote_t var_log_t:dir search_dir_perms; 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index a9ae381..19342f5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch @@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/logging.fc | 1 + policy/modules/system/logging.if | 14 +++++++++++++- @@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -49,10 +49,11 @@ ifdef(`distro_suse', ` +@@ -39,10 +39,11 @@ ifdef(`distro_suse', ` /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -50,43 +51,7 @@ 
Signed-off-by: Xin Ouyang ######################################## ## ## Execute auditctl in the auditctl domain. -@@ -665,10 +666,11 @@ interface(`logging_search_logs',` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir search_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### - ## - ## Do not audit attempts to search the var log directory. -@@ -702,10 +704,11 @@ interface(`logging_list_logs',` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### - ## - ## Read and write the generic log directory (/var/log). -@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs', - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir rw_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ####################################### - ## - ## Search through all log dirs. -@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',` +@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ ## # interface(`logging_read_all_logs',` @@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang ######################################## ## -@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',` +@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` # cjp: not sure why this is needed. This was added # because of logrotate. interface(`logging_exec_all_logs',` @@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang ######################################## ## -@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',` +@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` type var_log_t; ') @@ -132,31 +97,7 @@ 
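Review bot: Nothing in the patch header records why the inner hunks for `logging_search_logs`, `logging_list_logs` and `logging_rw_generic_log_dirs` (and, in the `@@ -132,31 +97,7 @@` hunk below, `logging_write_generic_logs` and `logging_rw_generic_logs`) are dropped; presumably upstream now grants `var_log_t:lnk_file read_lnk_file_perms` in those interfaces itself, which is worth confirming against the current logging.if and noting in the description so a later refresh does not re-add them or, worse, silently lose the access. The inner diffstat `policy/modules/system/logging.if | 14 +++++++++++++-`, kept as context in this file's first hunk, is now stale and should be regenerated.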
Signed-off-by: Xin Ouyang ######################################## ## -@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - write_files_pattern($1, var_log_t, var_log_t) - ') - - ######################################## - ## -@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - rw_files_pattern($1, var_log_t, var_log_t) - ') - - ######################################## - ## -@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs', +@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', type var_log_t; ') @@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang ## All of the rules required to administrate --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir - allow auditd_t auditd_etc_t:file read_file_perms; +@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t auditd_log_t:dir setattr; manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t var_log_t:dir search_dir_perms; +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch index c2cba9a..b755b45 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch @@ -10,13 +10,14 @@ Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Roy.Li 
Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/logging.te | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -475,10 +475,11 @@ files_var_lib_filetrans(syslogd_t, syslo +@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch index 189dc6e..a9a0a55 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch @@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/contrib/rpc.te | 2 +- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ @@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te -@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir +@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang --- a/policy/modules/kernel/kernel.if 
+++ b/policy/modules/kernel/kernel.if -@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',` +@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',` allow $1 proc_t:filesystem unmount; ') ######################################## ## +-## Get the attributes of the proc filesystem. +## Mounton a proc filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`kernel_getattr_proc',` +interface(`kernel_mounton_proc',` -+ gen_require(` -+ type proc_t; -+ ') -+ + gen_require(` + type proc_t; + ') + +- allow $1 proc_t:filesystem getattr; + allow $1 proc_t:dir mounton; -+') -+ -+######################################## -+## - ## Get the attributes of the proc filesystem. + ') + + ######################################## + ## +-## Mount on proc directories. ++## Get the attributes of the proc filesystem. ## ## ## ## Domain allowed access. + ## + ## +-## + # +-interface(`kernel_mounton_proc',` ++interface(`kernel_getattr_proc',` + gen_require(` + type proc_t; + ') + +- allow $1 proc_t:dir mounton; ++ allow $1 proc_t:filesystem getattr; + ') + + ######################################## + ## + ## Do not audit attempts to set the diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch index 766b3df..08e9398 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch @@ -7,13 +7,14 @@ Upstream-Status: Pending Signed-off-by: Xin Ouyang Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald --- policy/modules/system/selinuxutil.te | 3 +++ 1 file changed, 3 insertions(+) --- a/policy/modules/system/selinuxutil.te 
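Review bot: The refreshed kernel.if hunk no longer adds anything: upstream already provides `kernel_mounton_proc` (the removed `## Mount on proc directories.` block), and the new hunk only swaps its position with `kernel_getattr_proc` by rewriting each interface's name, description and allow rule into the other's slot. The resulting policy is identical, so the whole kernel.if part of the embedded patch can be dropped, leaving just the rpc.te change, and the inner diffstat `policy/modules/kernel/kernel.if | 18 ++++++++++++++++` regenerated. If it is kept for some reason, upstream's wording `## Mount on proc directories.` is clearer than the `## Mounton a proc filesystem.` that replaces it.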
+++ b/policy/modules/system/selinuxutil.te -@@ -553,10 +553,13 @@ files_read_etc_files(setfiles_t) +@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t) files_list_all(setfiles_t) files_relabel_all_files(setfiles_t) files_read_usr_symlinks(setfiles_t) @@ -23,7 +24,7 @@ Signed-off-by: Shrikant Bobade +files_read_all_symlinks(setfiles_t) + fs_getattr_all_xattr_fs(setfiles_t) - fs_list_all(setfiles_t) - fs_search_auto_mountpoints(setfiles_t) - fs_relabelfrom_noxattr_fs(setfiles_t) - + fs_getattr_nfs(setfiles_t) + fs_getattr_pstore_dirs(setfiles_t) + fs_getattr_pstorefs(setfiles_t) + fs_getattr_tracefs(setfiles_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch index 8ce2f62..a1fda13 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch @@ -9,6 +9,7 @@ type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=211 type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) Signed-off-by: Roy Li +Signed-off-by: Joe MacDonald --- policy/modules/roles/sysadm.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch index 998bfa0..e3ea75e 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch 
@@ -9,13 +9,14 @@ term_dontaudit_use_console. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/kernel/terminal.if | 3 +++ 1 file changed, 3 insertions(+) --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -297,13 +297,16 @@ interface(`term_use_console',` +@@ -315,13 +315,16 @@ interface(`term_use_console',` ## # interface(`term_dontaudit_use_console',` diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch index 131a9bb..11a6963 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch @@ -4,6 +4,7 @@ Date: Fri, 23 Aug 2013 16:36:09 +0800 Subject: [PATCH] fix dmesg to use /dev/kmsg as default input Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/admin/dmesg.if | 1 + policy/modules/admin/dmesg.te | 2 ++ @@ -19,18 +20,3 @@ Signed-off-by: Xin Ouyang can_exec($1, dmesg_exec_t) + dev_read_kmsg($1) ') ---- a/policy/modules/admin/dmesg.te -+++ b/policy/modules/admin/dmesg.te -@@ -28,10 +28,12 @@ kernel_read_proc_symlinks(dmesg_t) - # for when /usr is not mounted: - kernel_dontaudit_search_unlabeled(dmesg_t) - - dev_read_sysfs(dmesg_t) - -+dev_read_kmsg(dmesg_t) -+ - fs_search_auto_mountpoints(dmesg_t) - - term_dontaudit_use_console(dmesg_t) - - domain_use_interactive_fds(dmesg_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch index 016685c..d0b0073 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch 
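Review bot: With the dmesg.te hunk removed, the inner diffstat kept as context in the first hunk (`policy/modules/admin/dmesg.te | 2 ++`) no longer matches the embedded patch, which now only touches dmesg.if; it should be regenerated so the patch does not misreport its own change. It would also help to note in the description that `dev_read_kmsg(dmesg_t)` is presumably present upstream now, since that is the only reason to drop the hunk and the next refresh will otherwise have to rediscover it.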
@@ -14,9 +14,25 @@ Signed-off-by: Joe MacDonald policy/modules/kernel/kernel.te | 2 ++ 4 files changed, 13 insertions(+) +--- a/policy/modules/contrib/rpcbind.te ++++ b/policy/modules/contrib/rpcbind.te +@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t) + + logging_send_syslog_msg(rpcbind_t) + + miscfiles_read_localization(rpcbind_t) + ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because the are running in different level. So add rules to allow this. ++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) ++ + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) + ') --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te -@@ -275,10 +275,15 @@ tunable_policy(`nfs_export_all_ro',` +@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',` files_read_non_auth_files(nfsd_t) ') @@ -32,22 +48,6 @@ Signed-off-by: Joe MacDonald ######################################## # # GSSD local policy ---- a/policy/modules/contrib/rpcbind.te -+++ b/policy/modules/contrib/rpcbind.te -@@ -71,8 +71,13 @@ auth_use_nsswitch(rpcbind_t) - - logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. -+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) @@ -64,7 +64,7 @@ Signed-off-by: Joe MacDonald genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) --- a/policy/modules/kernel/kernel.te 
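Review bot: The rpcbind.te section moved in the first hunk of poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch re-adds the justification comment with its original typo, `# because the are running in different level.`; since the block is being re-spun, `# because they run at different MLS levels.` would read correctly. The same block grants `mls_socket_read_all_levels(rpcbind_t)` and `mls_socket_write_all_levels(rpcbind_t)`, which open rpcbind_t's sockets to every level, noticeably broader than the single nfsd_t-to-rpcbind_t path the comment describes. A second comment line stating why a range-limited MLS interface was not sufficient here would let a later reviewer judge the grant without re-deriving it. The other two hunks of this file are offset-only refreshes and need nothing.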
+++ b/policy/modules/kernel/kernel.te -@@ -324,10 +324,12 @@ mcs_process_set_categories(kernel_t) +@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) mls_process_read_all_levels(kernel_t) mls_process_write_all_levels(kernel_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch index 950f525..0cd8bf9 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch @@ -10,22 +10,22 @@ Upstream-Status: pending Signed-off-by: Xin Ouyang Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald --- policy/modules/system/selinuxutil.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -556,11 +556,11 @@ files_read_usr_symlinks(setfiles_t) +@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t) files_dontaudit_read_all_symlinks(setfiles_t) # needs to be able to read symlinks to make restorecon on symlink working files_read_all_symlinks(setfiles_t) --fs_getattr_all_xattr_fs(setfiles_t) +fs_getattr_all_fs(setfiles_t) - fs_list_all(setfiles_t) - fs_search_auto_mountpoints(setfiles_t) - fs_relabelfrom_noxattr_fs(setfiles_t) - - mls_file_read_all_levels(setfiles_t) + fs_getattr_all_xattr_fs(setfiles_t) + fs_getattr_nfs(setfiles_t) + fs_getattr_pstore_dirs(setfiles_t) + fs_getattr_pstorefs(setfiles_t) + fs_getattr_tracefs(setfiles_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch index c9a877b..e0f8c1a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch 
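Review bot: The refreshed hunk in poky-policy-fix-setfiles-statvfs-get-file-count.patch now only adds `fs_getattr_all_fs(setfiles_t)` and no longer removes `fs_getattr_all_xattr_fs(setfiles_t)` (old header `-@@ -556,11 +556,11 @@` vs new `+@@ -594,10 +594,11 @@`), yet the embedded diffstat is kept as context and still says ` policy/modules/system/selinuxutil.te | 2 +-` and ` 1 file changed, 1 insertion(+), 1 deletion(-)`. Update those two lines to ` | 1 +` and ` 1 file changed, 1 insertion(+)` so the patch header matches its body. The change from replacing the xattr-only getattr rule to adding a broader one alongside it is presumably harmless if fs_getattr_all_fs is a superset, but the commit message claims no functional change, so a line in the patch description noting the switch would be worth adding.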
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch @@ -6,6 +6,7 @@ Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files Upstream-Status: Pending Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald --- policy/modules/system/selinuxutil.if | 1 + policy/modules/system/userdomain.if | 4 ++++ @@ -27,7 +28,7 @@ Signed-off-by: Xin Ouyang ####################################### --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if -@@ -1327,10 +1327,14 @@ template(`userdom_security_admin_templat +@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat logging_read_audit_log($1) logging_read_generic_logs($1) logging_read_audit_config($1) diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch index 86ff0d2..6eba356 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch @@ -8,21 +8,21 @@ It provide, the systemd support related allow rules Upstream-Status: Pending Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald --- policy/modules/system/init.te | 5 +++++ 1 file changed, 5 insertions(+) --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -1105,5 +1105,10 @@ optional_policy(` - ') - +@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre optional_policy(` - zebra_read_config(initrc_t) + userdom_dontaudit_search_user_home_dirs(systemprocess) + userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) + userdom_dontaudit_write_user_tmp_files(systemprocess) ') + +# systemd related allow rules +allow kernel_t init_t:process dyntransition; +allow devpts_t device_t:filesystem associate; +allow init_t self:capability2 block_suspend; -\ No newline at end of file -- cgit v1.2.3-54-g00ecf
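Review bot: The refreshed hunk in refpolicy-update-for_systemd.patch carries forward three raw AV rules in init.te, `allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;` and `allow init_t self:capability2 block_suspend;`, rather than the interface calls refpolicy modules are expected to use, which is at odds with the patch's Upstream-Status of Pending. If the refreshed refpolicy revision provides an interface for the kernel_t dynamic transition (it appears to in recent trees, e.g. `kernel_dyntrans_to`), prefer it and likewise look for interfaces covering the other two rules, so the patch stays reviewable against upstream. The rebase from the `zebra_read_config(initrc_t)` context to the `systemprocess` block and the dropped `\ No newline at end of file` are fine as refreshes.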