313 files changed, 3499 insertions, 8001 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c01df45 --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +*.pyc +*.pyo +/*.patch +*.swp +*.orig +*.rej +*~ diff --git a/MAINTAINERS b/MAINTAINERS index ec7fddd..016f325 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1,7 +1,14 @@ This file contains a list of maintainers for the meta-selinux layer. Please submit any patches against meta-selinux to the Yocto Project mailing -list (yocto@yoctoproject.org). +list (yocto-patches@lists.yoctoproject.org). + +git send-email -1 --to yocto-patches@lists.yoctoproject.org --subject-prefix=meta-selinux][PATCH + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto-patches@lists.yoctoproject.org +$ git config format.subjectPrefix meta-selinux][PATCH You may also contact the maintainers directly. @@ -19,17 +26,12 @@ Please keep this list in alphabetical order. Maintainers List (try to look for most precise areas first) COMMON -M: Joe MacDonald <joe_macdonald@mentor.com> -F: conf -F: classes -F: recipes-* - -M: Philip Tricca <flihp@twobit.us> +M: Joe MacDonald <joe.macdonald@siemens.com> F: conf F: classes F: recipes-* COMMON -M: Mark Hatle <mark.hatle@windriver.com> +M: Yi Zhao <yi.zhao@windriver.com> F: conf F: recipes-* @@ -38,7 +38,7 @@ layer should not change the system behavior. In order to use the components in this layer you must add the 'selinux' to the DISTRO_FEATURES. In addition to selinux, you should be sure that acl, xattr and pam are also present. -e.g. DISTRO_FEATURES_append = " acl xattr pam selinux" +e.g. DISTRO_FEATURES:append = " acl xattr pam selinux" You must also specify a preferred provider for the virtual/refpolicy. The included policies with this layer are simply reference policies and will need 
@@ -69,12 +69,20 @@ By default selinux enabled images coming up with "sysvinit" as init manager, we can use "systemd" as an init manager using below changes to local.conf * enable systemd as init manager changes to local.conf -DISTRO_FEATURES_remove = " sysvinit" -DISTRO_FEATURES_append = " systemd" +DISTRO_FEATURES:remove = " sysvinit" +DISTRO_FEATURES:append = " systemd" VIRTUAL-RUNTIME_init_manager = "systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED = "" +Enable labeling on first boot +---------------------------- +By default, the system will label selinux contexts during build. To enable +labeling on first boot. Set FIRST_BOOT_RELABEL to 1 in local.conf: + +FIRST_BOOT_RELABEL = "1" + + Starting up the system ---------------------- Most likely the reference policy selected will not just work "out of the box". diff --git a/SELinux-FAQ b/SELinux-FAQ index b6a0df9..2ae6649 100644 --- a/SELinux-FAQ +++ b/SELinux-FAQ @@ -47,7 +47,6 @@ controls could be added to an operating system. To enable SELinux features, this layers has done these works: * new DISTRO_FEATURES "selinux" defined - * new DISTRO "poky-selinux" defined, with DISTRO_FEATURES += "pam selinux" * config file for Linux kernel to enable SELinux * recipes for SELinux userland libraries and tools * package group (packagegroup-core-selinux) for SELinux userland packages @@ -67,7 +66,7 @@ After init Poky build environment, please follow these steps: 1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file. - 2. Set DISTRO="poky-selinux" or add DISTRO_FEATURES_append=" pam selinux" + 2. Add DISTRO_FEATURES:append=" acl xattr pam selinux" in BUILDDIR/conf/local.conf file. 3. Build the default selinux image. @@ -81,7 +80,7 @@ the following steps: 1. Add meta-selinux path to BUILDDIR/conf/bblayers.conf file - 2. Add DISTRO_FEATURES_append=" pam selinux" in BUILDDIR/conf/local.conf + 2. Add DISTRO_FEATURES:append=" pam selinux" in BUILDDIR/conf/local.conf file. 3. Add packagegroup-core-selinux to your custom image. 
@@ -94,7 +93,6 @@ the following steps: $ bitbake core-image-custom - ============================================================================== 3 - Using SELinux @@ -109,7 +107,7 @@ Alternatively, you can add "selinux=0" to your kernel boot parameters. It is not recommended but useful on some testing situations. For example, when you are using qemu targets, - $ runqemu qemumips core-image-selinux ext3 nographic bootparams="selinux=0" + $ runqemu qemumips core-image-selinux nographic bootparams="selinux=0" The initial filesystem relabel step requires considerable memory and can result in unexpected, sometimes impossible to reproduce, failures if an OOM condition diff --git a/classes/enable-audit.bbclass b/classes/enable-audit.bbclass index 4538b0b..17bcc8e 100644 --- a/classes/enable-audit.bbclass +++ b/classes/enable-audit.bbclass @@ -1,4 +1,4 @@ # There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled. inherit selinux -PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}" +PACKAGECONFIG:append = " ${@target_selinux(d, 'audit')}" diff --git a/classes/enable-selinux.bbclass b/classes/enable-selinux.bbclass index de2a124..3dc61d6 100644 --- a/classes/enable-selinux.bbclass +++ b/classes/enable-selinux.bbclass @@ -1,4 +1,3 @@ inherit selinux -PACKAGECONFIG_append = " ${@target_selinux(d)}" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux," +PACKAGECONFIG:append = " ${@target_selinux(d, 'selinux')}" diff --git a/classes/meson-selinux.bbclass b/classes/meson-selinux.bbclass deleted file mode 100644 index 77a763a..0000000 --- a/classes/meson-selinux.bbclass +++ /dev/null @@ -1,4 +0,0 @@ -inherit selinux - -PACKAGECONFIG_append = " ${@target_selinux(d)}" -PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux," diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass index 7f157d3..b4f9321 100644 --- a/classes/selinux-image.bbclass +++ b/classes/selinux-image.bbclass 
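Review bot: Removing `PACKAGECONFIG[selinux]` from classes/enable-selinux.bbclass moves the definition of the selinux option to each inheriting recipe, and the class does not say so; a recipe that inherits enable-selinux without its own `PACKAGECONFIG[selinux]` line gets a `selinux` entry in PACKAGECONFIG that maps to no configure flag and no libselinux dependency, so the package builds without SELinux support while appearing to request it (unless BitBake rejects the unknown flag, which I have not confirmed). openssh_selinux.inc in this commit supplies its own flag, but the bbappends switched from with-selinux/meson-selinux to enable-selinux (iproute2, coreutils, glib-2.0) now rely on the upstream recipe defining it. I would add a comment above the append: `# The inheriting recipe must define PACKAGECONFIG[selinux]; this class only turns the option on when the selinux distro feature is set.`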
@@ -1,15 +1,29 @@ -selinux_set_labels () { - POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config) - if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS} - then - echo WARNING: Unable to set filesystem context, setfiles / restorecon must be run on the live image. - touch ${IMAGE_ROOTFS}/.autorelabel - exit 0 +selinux_set_labels() { + if [ -f ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config ]; then + POL_TYPE=$(sed -n -e "s&^SELINUXTYPE[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]\+\)&\1&p" ${IMAGE_ROOTFS}/${sysconfdir}/selinux/config) + if ! setfiles -m -r ${IMAGE_ROOTFS} ${IMAGE_ROOTFS}/${sysconfdir}/selinux/${POL_TYPE}/contexts/files/file_contexts ${IMAGE_ROOTFS} + then + bbwarn "Failed to set security contexts. Restoring security contexts will run on first boot." + echo "# first boot relabelling" > ${IMAGE_ROOTFS}/.autorelabel + fi fi } -DEPENDS += "policycoreutils-native" +# The selinux_set_labels function should run as late as possible. Append +# it to IMAGE_PREPROCESS_COMMAND in RecipePreFinalise event handler, +# this ensures it is the last function in IMAGE_PREPROCESS_COMMAND. +python selinux_setlabels_handler() { + if not d or 'selinux' not in d.getVar('DISTRO_FEATURES').split(): + return -IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;" + if d.getVar('FIRST_BOOT_RELABEL') == '1': + return + + d.appendVar('IMAGE_PREPROCESS_COMMAND', ' selinux_set_labels; ') + d.appendVarFlag('do_image', 'depends', ' policycoreutils-native:do_populate_sysroot') +} + +addhandler selinux_setlabels_handler +selinux_setlabels_handler[eventmask] = "bb.event.RecipePreFinalise" inherit core-image diff --git a/classes/selinux.bbclass b/classes/selinux.bbclass index fb0df27..13256d5 100644 --- a/classes/selinux.bbclass +++ b/classes/selinux.bbclass 
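Review bot: `d.getVar('DISTRO_FEATURES').split()` in selinux_setlabels_handler raises AttributeError when DISTRO_FEATURES is unset, because getVar returns None; the guard should read `if not d or 'selinux' not in (d.getVar('DISTRO_FEATURES') or '').split():` (or use bb.utils.contains as selinux.bbclass does). The early return on `FIRST_BOOT_RELABEL == '1'` skips setfiles, but nothing in this hunk creates `.autorelabel` for that case, so unless another part of the commit does, the image ships unlabelled with no first-boot trigger — a comment stating where the first-boot relabel is triggered would settle it. The comment above the handler says appending in RecipePreFinalise "ensures it is the last function" in IMAGE_PREPROCESS_COMMAND; that only holds if no other handler on the same event appends after it, so I would soften it to "runs as late as we can arrange". In selinux_set_labels, an /etc/selinux/config without SELINUXTYPE leaves POL_TYPE empty and the file_contexts path bogus, which is caught only indirectly by the setfiles failure; `bbwarn`-ing the empty POL_TYPE explicitly would make that failure mode readable in the build log.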
@@ -2,8 +2,8 @@ def target_selinux(d, truevar = 'selinux', falsevar = ''): if not bb.utils.contains("DISTRO_FEATURES", "selinux", True, False, d): return falsevar - pn = d.getVar("PN", True) - type = pn.replace(d.getVar("BPN", True), "") + pn = d.getVar("PN") + type = pn.replace(d.getVar("BPN"), "") if type in ("-native", "nativesdk-", "-cross", "-crosssdk"): return falsevar diff --git a/classes/with-audit.bbclass b/classes/with-audit.bbclass deleted file mode 100644 index 0c15312..0000000 --- a/classes/with-audit.bbclass +++ /dev/null @@ -1,5 +0,0 @@ -# There is still no audit DISTRO_FEATURE, so enable audit when selinux feature enabled. -inherit selinux - -PACKAGECONFIG_append = " ${@target_selinux(d, 'audit')}" -PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit," diff --git a/classes/with-selinux.bbclass b/classes/with-selinux.bbclass deleted file mode 100644 index 7873d9b..0000000 --- a/classes/with-selinux.bbclass +++ /dev/null @@ -1,4 +0,0 @@ -inherit selinux - -PACKAGECONFIG_append = " ${@target_selinux(d)}" -PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux," diff --git a/conf/layer.conf b/conf/layer.conf index 9dd34b1..4e04e5c 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -5,10 +5,9 @@ BBPATH .= ":${LAYERDIR}" BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ ${LAYERDIR}/recipes-*/*/*.bbappend" -# Let us add layer-specific bbappends which are only applied when that -# layer is included in our configuration -BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \ - for layer in BBFILE_COLLECTIONS.split())}" +BBFILES_DYNAMIC += "networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \ + networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \ + " BBFILE_COLLECTIONS += "selinux" BBFILE_PATTERN_selinux = "^${LAYERDIR}/" 
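Review bot: The local `type` in target_selinux shadows the Python builtin; since both lines are being rewritten anyway, rename it, e.g. `suffix = pn.replace(d.getVar("BPN"), "")` and `if suffix in ("-native", "nativesdk-", "-cross", "-crosssdk"):`. The `def` line and the function's final return lie outside the hunk.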
@@ -18,9 +17,11 @@ BBFILE_PRIORITY_selinux = "5" # cause compatibility issues with other layers LAYERVERSION_selinux = "1" -LAYERSERIES_COMPAT_selinux = "thud warrior" +LAYERSERIES_COMPAT_selinux = "scarthgap" LAYERDEPENDS_selinux = " \ core \ meta-python \ " + +PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted" diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian index 43fb348..43fb348 100644 --- a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian +++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend index 7719d3b..7719d3b 100644 --- a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend +++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend diff --git a/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc new file mode 100644 index 0000000..8802adb --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc @@ -0,0 +1 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend b/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend deleted file mode 100644 index b01ad25..0000000 --- a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} 
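Review bot: `PREFERRED_PROVIDER_virtual/refpolicy ??= "refpolicy-targeted"` gives the layer a default provider, but the README context kept earlier in this diff ("You must also specify a preferred provider for the virtual/refpolicy") still describes it as mandatory; the README should say the default is refpolicy-targeted and may be overridden in local.conf or the distro. A one-line comment above the assignment, `# Weak default; a distro or local.conf setting takes precedence`, would make the choice of `??=` explicit for the next reader.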
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc deleted file mode 100644 index 81fe7b7..0000000 --- a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc +++ /dev/null @@ -1 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" diff --git a/recipes-connectivity/bind/bind_selinux.inc b/recipes-connectivity/bind/bind_selinux.inc index 1dfef8a..948a377 100644 --- a/recipes-connectivity/bind/bind_selinux.inc +++ b/recipes-connectivity/bind/bind_selinux.inc @@ -1,11 +1,4 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI += "file://volatiles.04_bind" - -do_install_append() { - install -d ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.04_bind ${D}${sysconfdir}/default/volatiles/volatiles.04_bind - +do_install:append() { sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a\ [ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key' ${D}${sysconfdir}/init.d/bind } diff --git a/recipes-connectivity/bind/files/volatiles.04_bind b/recipes-connectivity/bind/files/volatiles.04_bind deleted file mode 100644 index c6a8151..0000000 --- a/recipes-connectivity/bind/files/volatiles.04_bind +++ /dev/null @@ -1,4 +0,0 @@ -# <type> <owner> <group> <mode> <path> <linksource> -d root root 0755 /var/run/named none -d root root 0755 /var/run/bind/run none -d root root 0755 /var/cache/bind none diff --git a/recipes-connectivity/dhcp/dhcp_selinux.inc b/recipes-connectivity/dhcp/dhcp_selinux.inc deleted file mode 100644 index 08389f1..0000000 --- a/recipes-connectivity/dhcp/dhcp_selinux.inc +++ /dev/null @@ -1,3 +0,0 @@ -inherit selinux - -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" diff --git a/recipes-connectivity/dhcp/files/init-server b/recipes-connectivity/dhcp/files/init-server deleted file mode 100644 index a0e901a..0000000 
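Review bot: `sed -i ... ${D}${sysconfdir}/init.d/bind` in bind_selinux.inc's do_install:append assumes the sysvinit script is installed; if the bind recipe omits it when only systemd is selected as init manager, `sed -i` fails do_install on the missing file (hedged, it depends on what the bind recipe installs). Guard the edit with `if [ -f ${D}${sysconfdir}/init.d/bind ]; then` ... `fi`, or condition it on the sysvinit distro feature. The sed also does nothing, silently, if the `/usr/sbin/rndc-confgen` line is not found, so a comment above it explaining that rndc.key is generated at first start and needs `restorecon -F` to get its file_contexts label would help whoever next updates bind.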
--- a/recipes-connectivity/dhcp/files/init-server +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/sh -# -# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $ -# - -test -f /usr/sbin/dhcpd || exit 0 - -# It is not safe to start if we don't have a default configuration... -if [ ! -f /etc/default/dhcp-server ]; then - echo "/etc/default/dhcp-server does not exist! - Aborting..." - exit 0 -fi - -# Read init script configuration (so far only interfaces the daemon -# should listen on.) -. /etc/default/dhcp-server - -# Restorecon for /var/lib/dhcp/{dhcpd.leases,dhcpd6.leases} -restorecon_dhcpd_leases(){ - test ! -x /sbin/restorecon || for x in dhcpd.leases dhcpd6.leases; do - [ -f /var/lib/dhcp/$x ] && /sbin/restorecon -F /var/lib/dhcp/$x - done -} - -case "$1" in - start) - echo -n "Starting DHCP server: " - test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/ - test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases - restorecon_dhcpd_leases - start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user dhcp -group dhcp - echo "." - ;; - stop) - echo -n "Stopping DHCP server: dhcpd3" - start-stop-daemon -K -x /usr/sbin/dhcpd - echo "." - ;; - restart | force-reload) - $0 stop - sleep 2 - $0 start - if [ "$?" != "0" ]; then - exit 1 - fi - ;; - *) - echo "Usage: /etc/init.d/dhcp-server {start|stop|restart|force-reload}" - exit 1 -esac - -exit 0 diff --git a/recipes-connectivity/iproute2/iproute2_%.bbappend b/recipes-connectivity/iproute2/iproute2_%.bbappend index b01ad25..74e22b3 100644 --- a/recipes-connectivity/iproute2/iproute2_%.bbappend +++ b/recipes-connectivity/iproute2/iproute2_%.bbappend @@ -1 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-connectivity/openssh/openssh_selinux.inc b/recipes-connectivity/openssh/openssh_selinux.inc index ebd2721..07c25c5 100644 
--- a/recipes-connectivity/openssh/openssh_selinux.inc +++ b/recipes-connectivity/openssh/openssh_selinux.inc @@ -1,9 +1,6 @@ -inherit with-selinux +inherit enable-selinux enable-audit -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -# There is no distro feature just for audit. -PACKAGECONFIG_append = " audit" - -PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit," +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" +PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux" +PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit" diff --git a/recipes-core/base-files/base-files_%.bbappend b/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 0000000..f167033 --- /dev/null +++ b/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'base-files_selinux.inc', '', d)} diff --git a/recipes-core/base-files/base-files_selinux.inc b/recipes-core/base-files/base-files_selinux.inc new file mode 100644 index 0000000..f2373aa --- /dev/null +++ b/recipes-core/base-files/base-files_selinux.inc @@ -0,0 +1,13 @@ +REFPOLICY_TYPE = "${@d.getVar('PREFERRED_PROVIDER_virtual/refpolicy').split('-')[1] or ''}" + +do_install:append () { + if [ -n "${REFPOLICY_TYPE}" ]; then + if [ "${REFPOLICY_TYPE}" = "standard" ]; then + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t/' \ + ${D}${sysconfdir}/fstab + else + sed -i 's/\s*\/var\/volatile\s*tmpfs\s*defaults/&,rootcontext=system_u:object_r:var_t:s0/' \ + ${D}${sysconfdir}/fstab + fi + fi +} diff --git a/recipes-core/busybox/busybox_selinux.inc b/recipes-core/busybox/busybox_selinux.inc index cc83b01..740980f 100644 --- a/recipes-core/busybox/busybox_selinux.inc +++ b/recipes-core/busybox/busybox_selinux.inc 
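Review bot: `REFPOLICY_TYPE` in base-files_selinux.inc indexes `split('-')[1]` without a guard, so an unset PREFERRED_PROVIDER_virtual/refpolicy raises AttributeError on None and a provider name without a dash (a custom policy recipe) raises IndexError at parse time; the `or ''` only covers an empty second component. One robust form: `REFPOLICY_TYPE = "${@((d.getVar('PREFERRED_PROVIDER_virtual/refpolicy') or '') + '-').split('-')[1]}"`, which yields the same value for refpolicy-<type> names and '' otherwise. The `standard` branch deliberately omits the `:s0` range because the standard policy has no MLS/MCS component; a comment saying so would stop the next reader from "fixing" it. The sed only touches an fstab line matching `/var/volatile tmpfs defaults`; if no such line exists the rootcontext is silently not applied, which is worth a bbwarn or at least a comment.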
@@ -1,6 +1,6 @@ PTEST_BINDIR = "0" -FILES_${PN} += "${libdir}/${PN}" +FILES:${PN} += "${libdir}/${PN}" # We should use sh wrappers instead of links so the commands could get correct # security labels @@ -8,9 +8,9 @@ python create_sh_wrapper_reset_alternative_vars () { # We need to load the full set of busybox provides from the /etc/busybox.links # Use this to see the update-alternatives with the right information - dvar = d.getVar('D', True) - pn = d.getVar('PN', True) - base_bindir = d.getVar('base_bindir', True) + dvar = d.getVar('PKGD') + pn = d.getVar('PN') + base_bindir = d.getVar('base_bindir') def create_sh_alternative_vars(links, target, mode): import shutil @@ -20,7 +20,7 @@ python create_sh_wrapper_reset_alternative_vars () { os.fchmod(fwp.fileno(), mode) fwp.close() # Install the sh wrappers and alternatives reset to link to them - wpdir = os.path.join(d.getVar('libdir', True), pn) + wpdir = os.path.join(d.getVar('libdir'), pn) wpdir_dest = '%s%s' % (dvar, wpdir) if not os.path.exists(wpdir_dest): os.makedirs(wpdir_dest) @@ -39,7 +39,7 @@ python create_sh_wrapper_reset_alternative_vars () { # Match coreutils if alt_name == '[': alt_name = 'lbracket' - d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name) + d.appendVar('ALTERNATIVE:%s' % (pn), ' ' + alt_name) d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name) if os.path.exists(alt_wppath_dest): d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath) 
@@ -55,12 +55,12 @@ python create_sh_wrapper_reset_alternative_vars () { create_sh_alternative_vars("/etc/busybox.links.suid", "%s/busybox.suid" % base_bindir, 0o4755) } -# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in -# do_package_prepend() section of busybox_*.bb. -PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars " +# Add to PACKAGE_PREPROCESS_FUNCS so it could override the alternatives, which are set in +# do_package:prepend() section of busybox_*.bb. +PACKAGE_PREPROCESS_FUNCS:prepend = "create_sh_wrapper_reset_alternative_vars " # Use sh wrappers instead of links -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { # This part of code is dedicated to the on target upgrade problem. # It's known that if we don't make appropriate symlinks before update-alternatives calls, # there will be errors indicating missing commands such as 'sed'. diff --git a/recipes-core/coreutils/coreutils_%.bbappend b/recipes-core/coreutils/coreutils_%.bbappend index 7b9a2dc..74e22b3 100644 --- a/recipes-core/coreutils/coreutils_%.bbappend +++ b/recipes-core/coreutils/coreutils_%.bbappend @@ -1,2 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} - +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-core/dbus/dbus_%.bbappend b/recipes-core/dbus/dbus_%.bbappend index ee221e2..fe51e54 100644 --- a/recipes-core/dbus/dbus_%.bbappend +++ b/recipes-core/dbus/dbus_%.bbappend @@ -1,2 +1,2 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)} diff --git a/recipes-core/eudev/eudev_selinux.inc b/recipes-core/eudev/eudev_selinux.inc index 2ad6b13..94950f5 100644 --- a/recipes-core/eudev/eudev_selinux.inc +++ b/recipes-core/eudev/eudev_selinux.inc 
@@ -1,3 +1,3 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" inherit enable-selinux diff --git a/recipes-core/eudev/files/init b/recipes-core/eudev/files/init index ee64f86..daa4079 100644 --- a/recipes-core/eudev/files/init +++ b/recipes-core/eudev/files/init @@ -3,7 +3,7 @@ ### BEGIN INIT INFO # Provides: udev # Required-Start: mountvirtfs -# Required-Stop: +# Required-Stop: # Default-Start: S # Default-Stop: # Short-Description: Start udevd, populate /dev and load drivers. @@ -14,23 +14,10 @@ export TZ=/etc/localtime [ -d /sys/class ] || exit 1 [ -r /proc/mounts ] || exit 1 [ -x @UDEVD@ ] || exit 1 -if [ "$use_udev_cache" != "" ]; then - [ -f /etc/default/udev-cache ] && . /etc/default/udev-cache -fi + [ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf [ -f /etc/default/rcS ] && . /etc/default/rcS -readfiles () { - READDATA="" - for filename in $@; do - if [ -r $filename ]; then - while read line; do - READDATA="$READDATA$line" - done < $filename - fi - done -} - kill_udevd () { pid=`pidof -x udevd` [ -n "$pid" ] && kill $pid 
@@ -59,58 +46,27 @@ case "$1" in # the automount rule for udev needs /tmp directory available, as /tmp is a symlink # to /var/tmp which in turn is a symlink to /var/volatile/tmp, we need to make sure # /var/volatile/tmp directory to be available. - mkdir -p /var/volatile/tmp + mkdir -m 1777 -p /var/volatile/tmp # restorecon /run early to allow mdadm creating dir /run/mdadm test ! -x /sbin/restorecon || /sbin/restorecon -F /run - # Cache handling. - # A list of files which are used as a criteria to judge whether the udev cache could be reused. - CMP_FILE_LIST="/proc/version /proc/cmdline /proc/devices /proc/atags" - if [ "$use_udev_cache" != "" ]; then - if [ "$DEVCACHE" != "" ]; then - if [ -e $DEVCACHE ]; then - readfiles $CMP_FILE_LIST - NEWDATA="$READDATA" - readfiles /etc/udev/cache.data - OLDDATA="$READDATA" - if [ "$OLDDATA" = "$NEWDATA" ]; then - tar --directory=/ -xf $DEVCACHE > /dev/null 2>&1 - not_first_boot=1 - [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE" - [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache - else - # Output detailed reason why the cached /dev is not used - if [ "$VERBOSE" != "no" ]; then - echo "udev: udev cache not used" - echo "udev: we use $CMP_FILE_LIST as criteria to judge whether the cache /dev could be resued" - echo "udev: olddata: $OLDDATA" - echo "udev: newdata: $NEWDATA" - fi - echo "$NEWDATA" > /dev/shm/udev.cache - fi - else - if [ "$ROOTFS_READ_ONLY" != "yes" ]; then - # If rootfs is not read-only, it's possible that a new udev cache would be generated; - # otherwise, we do not bother to read files. 
- readfiles $CMP_FILE_LIST - echo "$READDATA" > /dev/shm/udev.cache - fi - fi - fi - fi - # make_extra_nodes kill_udevd > "/dev/null" 2>&1 # trigger the sorted events - echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug + [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug @UDEVD@ -d udevadm control --env=STARTUP=1 if [ "$not_first_boot" != "" ];then - udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform - (udevadm settle --timeout=10; udevadm control --env=STARTUP=)& + if [ "$PROBE_PLATFORM_BUS" != "yes" ]; then + PLATFORM_BUS_NOMATCH="--subsystem-nomatch=platform" + else + PLATFORM_BUS_NOMATCH="" + fi + udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux $PLATFORM_BUS_NOMATCH + (udevadm settle --timeout=3; udevadm control --env=STARTUP=)& else udevadm trigger --action=add udevadm settle diff --git a/recipes-core/eudev/files/udev-cache b/recipes-core/eudev/files/udev-cache deleted file mode 100644 index 6898577..0000000 --- a/recipes-core/eudev/files/udev-cache +++ /dev/null 
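Review bot: The added `echo -e '\000' >/proc/sys/kernel/hotplug` relies on `echo -e`, which is not POSIX: if /bin/sh is dash the `-e` is printed literally and the kernel's uevent helper path is set to a junk string instead of being cleared (the script's shebang is outside the hunk, so this is hedged; busybox ash does accept -e). `printf '\000' >/proc/sys/kernel/hotplug` writes the intended byte portably. `mkdir -m 1777 -p /var/volatile/tmp` correctly gives tmp the sticky bit, but `-m` applies only to the last path component, so if /var/volatile itself were missing it would be created with the umask default — fine as long as it is always a mount point here, which a short comment could state. This hunk is the body of the `start)` case; `case "$1" in` and the remaining cases lie outside it.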
@@ -1,32 +0,0 @@ -#!/bin/sh -e - -### BEGIN INIT INFO -# Provides: udev-cache -# Required-Start: mountall -# Required-Stop: -# Default-Start: S -# Default-Stop: -# Short-Description: cache /dev to speedup the udev next boot -### END INIT INFO - -export TZ=/etc/localtime - -[ -r /proc/mounts ] || exit 1 -[ -x @UDEVD@ ] || exit 1 -[ -d /sys/class ] || exit 1 - -[ -f /etc/default/rcS ] && . /etc/default/rcS -[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache - -if [ "$ROOTFS_READ_ONLY" = "yes" ]; then - [ "$VERBOSE" != "no" ] && echo "udev-cache: read-only rootfs, skip generating udev-cache" - exit 0 -fi - -if [ "$DEVCACHE" != "" -a -e /dev/shm/udev.cache ]; then - echo "Populating dev cache" - tar --directory=/ --selinux --xattrs -cf "$DEVCACHE" dev - mv /dev/shm/udev.cache /etc/udev/cache.data -fi - -exit 0 diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend b/recipes-core/glib-2.0/glib-2.0_%.bbappend index e5d2f6f..74e22b3 100644 --- a/recipes-core/glib-2.0/glib-2.0_%.bbappend +++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend @@ -1 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-core/initscripts/initscripts-1.0_selinux.inc b/recipes-core/initscripts/initscripts-1.0_selinux.inc index 6e8a9b6..6530a87 100644 --- a/recipes-core/initscripts/initscripts-1.0_selinux.inc +++ b/recipes-core/initscripts/initscripts-1.0_selinux.inc 
@@ -1,10 +1,10 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" -do_install_append () { +do_install:append () { cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh touch /var/log/lastlog test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \ - /etc/resolv.conf /etc/adjtime + /etc/resolv.conf /etc/adjtime /tmp /var/tmp /var/log /var/lock /var/run EOF sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \ ${D}${sysconfdir}/init.d/checkroot.sh diff --git a/recipes-core/libcgroup/libcgroup_%.bbappend b/recipes-core/libcgroup/libcgroup_%.bbappend deleted file mode 100644 index 7719d3b..0000000 --- a/recipes-core/libcgroup/libcgroup_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-core/libcgroup/libcgroup_selinux.inc b/recipes-core/libcgroup/libcgroup_selinux.inc deleted file mode 100644 index 9d9ebfc..0000000 --- a/recipes-core/libcgroup/libcgroup_selinux.inc +++ /dev/null @@ -1,10 +0,0 @@ -EXTRA_OECONF_append_class-native = " --enable-pam=no" - -do_install_append() { - test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || { - mv -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 ${D}${base_libdir}/security/pam_cgroup.so - rm -f ${D}${base_libdir}/security/pam_cgroup.so.* - } -} - -BBCLASSEXTEND = "native" diff --git a/recipes-core/systemd/systemd_selinux.inc b/recipes-core/systemd/systemd_selinux.inc index b17e70a..7d466ee 100644 --- a/recipes-core/systemd/systemd_selinux.inc +++ b/recipes-core/systemd/systemd_selinux.inc 
@@ -1,6 +1,6 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)} +inherit enable-selinux enable-audit -do_install_append() { +do_install:append() { if ${@bb.utils.contains('PACKAGECONFIG', 'backlight', 'true', 'false', d)}; then install -d ${D}${localstatedir}/lib/systemd/backlight fi diff --git a/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch b/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch deleted file mode 100644 index 62703b1..0000000 --- a/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 0db0276202094c8d902fc93a18eca453b6211f8a Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 12 Apr 2012 10:48:04 +0800 -Subject: [PATCH] sysvinit: Fix is_selinux_enabled() for libselinux - -is_selinux_enabled()!=1 means SELinux is disabled by kernel -or SELinux is enabled but policy is not loaded. -Only at this time, /sbin/init program should call -selinux_init_load_policy() to detect whether SELinux is enabled -and to load SELinux policy. - -This is fixed already in the upstream sysvinit, -http://svn.savannah.nongnu.org/viewvc/sysvinit/trunk/src/init.c?root=sysvinit&r1=72&r2=90 ---- - src/init.c | 33 +++++++++++++-------------------- - 1 files changed, 13 insertions(+), 20 deletions(-) - -diff --git a/src/init.c b/src/init.c -index 27532ad..75ccf25 100644 ---- a/src/init.c -+++ b/src/init.c -@@ -54,10 +54,6 @@ - - #ifdef WITH_SELINUX - # include <selinux/selinux.h> --# include <sys/mount.h> --# ifndef MNT_DETACH /* present in glibc 2.10, missing in 2.7 */ --# define MNT_DETACH 2 --# endif - #endif - - #ifdef __i386__ -@@ -2869,22 +2865,19 @@ int main(int argc, char **argv) - - #ifdef WITH_SELINUX - if (getenv("SELINUX_INIT") == NULL) { -- const int rc = mount("proc", "/proc", "proc", 0, 0); -- if (is_selinux_enabled() > 0) { -- putenv("SELINUX_INIT=YES"); -- if (rc == 0) umount2("/proc", MNT_DETACH); -- if (selinux_init_load_policy(&enforce) == 0) { -- execv(myname, argv); -- } else { -- if (enforce > 0) { -- /* SELinux in enforcing mode but load_policy failed */ -- /* At this point, we probably can't open /dev/console, so log() won't work */ -- fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. 
Halting now.\n"); -- exit(1); -- } -- } -- } -- if (rc == 0) umount2("/proc", MNT_DETACH); -+ if (is_selinux_enabled() != 1) { -+ if (selinux_init_load_policy(&enforce) == 0) { -+ putenv("SELINUX_INIT=YES"); -+ execv(myname, argv); -+ } else { -+ if (enforce > 0) { -+ /* SELinux in enforcing mode but load_policy failed */ -+ /* At this point, we probably can't open /dev/console, so log() won't work */ -+ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n"); -+ exit(1); -+ } -+ } -+ } - } - #endif - /* Start booting. */ --- -1.7.5.4 - diff --git a/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc b/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc deleted file mode 100644 index fcfbdb7..0000000 --- a/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc +++ /dev/null @@ -1,11 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -B = "${S}" - -SRC_URI += "file://sysvinit-fix-is_selinux_enabled.patch" - -inherit selinux - -DEPENDS += "${LIBSELINUX}" - -EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}" diff --git a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend b/recipes-core/sysvinit/sysvinit_3.%.bbappend index 9df30b6..4ec2267 100644 --- a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend +++ b/recipes-core/sysvinit/sysvinit_3.%.bbappend @@ -1 +1 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit-2.88dsf_selinux.inc', '', d)} +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit_selinux.inc', '', d)} diff --git a/recipes-extended/logrotate/logrotate_selinux.inc b/recipes-core/sysvinit/sysvinit_selinux.inc index 1bdca98..1bdca98 100644 --- a/recipes-extended/logrotate/logrotate_selinux.inc +++ b/recipes-core/sysvinit/sysvinit_selinux.inc diff --git a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch deleted file mode 100644 index ab54818..0000000 
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES. - -Upstream-Status: Pending - -libmount_la_LIBADD contains "-lselinux", this is not a object that -could consider as a dependency target. So fix this. - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> ---- - libmount/src/Makemodule.am | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am -index 494e02a..bf494a4 100644 ---- a/libmount/src/Makemodule.am -+++ b/libmount/src/Makemodule.am -@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \ - -I$(top_srcdir)/libmount/src - - libmount_la_DEPENDENCIES = \ -- $(libmount_la_LIBADD) \ -+ libcommon.la libblkid.la \ - libmount/src/libmount.sym \ - libmount/src/libmount.h.in - --- -1.7.5.4 - diff --git a/recipes-core/util-linux/util-linux_%.bbappend b/recipes-core/util-linux/util-linux_%.bbappend index b01ad25..74e22b3 100644 --- a/recipes-core/util-linux/util-linux_%.bbappend +++ b/recipes-core/util-linux/util-linux_%.bbappend @@ -1 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend deleted file mode 100644 index 7719d3b..0000000 --- a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc b/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc deleted file mode 100644 index 9cbb7fe..0000000 --- a/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc +++ /dev/null @@ -1,3 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI += "file://misc_create_inode.c-label_rootfs.patch" 
diff --git a/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch b/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch deleted file mode 100644 index b87c414..0000000 --- a/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch +++ /dev/null @@ -1,20 +0,0 @@ -Add xattr name index for xattrs with the 'security' prefix. These are defined -in the ext(2|3|4)/xattr.h in the kernel. We use the EXT2 prefix for consistency -with e2fslibs naming. - -Signed-off-by: Philip Tricca <flihp@twobit.us> - -Index: e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h -=================================================================== ---- e2fsprogs-1.42.9.orig/lib/ext2fs/ext2_ext_attr.h -+++ e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h -@@ -15,6 +15,9 @@ - /* Maximum number of references to one attribute block */ - #define EXT2_EXT_ATTR_REFCOUNT_MAX 1024 - -+/* Name indexes */ -+#define EXT2_XATTR_INDEX_SECURITY 6 -+ - struct ext2_ext_attr_header { - __u32 h_magic; /* magic number for identification */ - __u32 h_refcount; /* reference count */ diff --git a/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch b/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch deleted file mode 100644 index 046e521..0000000 --- a/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Philip Tricca <flihp@twobit.us> -To: tytso@mit.edu -Cc: liezhi.yang@windriver.com -Date: Sat, 20 Feb 2016 18:58:58 +0000 -Subject: [PATCH] misc/create_inode.c: Copy xattrs from root directory when populating fs. - -When copying a file system using the -d option the xattrs from the root -directory need to be copied before the populate_fs recusion starts. - -Signed-off-by: Philip Tricca <flihp@twobit.us> -Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> - ---- - misc/create_inode.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/misc/create_inode.c b/misc/create_inode.c -index a7b6d348..cfd15922 100644 ---- a/misc/create_inode.c -+++ b/misc/create_inode.c -@@ -979,6 +979,13 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino, - return retval; - } - -+ retval = set_inode_xattr(fs, root, source_dir); -+ if (retval) { -+ com_err(__func__, retval, -+ _("while setting xattrs for \"%s\""), source_dir); -+ goto out; -+ } -+ - file_info.path_len = 0; - file_info.path_max_len = 255; - file_info.path = calloc(file_info.path_max_len, 1); -@@ -987,6 +994,7 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino, - &file_info, fs_callbacks); - - free(file_info.path); -+out: - free(hdlinks.hdl); - return retval; - } --- -2.11.1 - diff --git a/recipes-devtools/python/files/sitecustomize.py b/recipes-devtools/python/files/sitecustomize.py deleted file mode 100644 index d2b71fa..0000000 --- a/recipes-devtools/python/files/sitecustomize.py +++ /dev/null 
@@ -1,26 +0,0 @@ -# OpenEmbedded sitecustomize.py (C) 2002-2008 Michael 'Mickey' Lauer <mlauer@vanille-media.de> -# GPLv2 or later -# Version: 20081123 -# Features: -# * set proper default encoding -# Features removed for SELinux: -# * enable readline completion in the interactive interpreter -# * load command line history on startup -# * save command line history on exit - -import os - -def __enableDefaultEncoding(): - import sys - try: - sys.setdefaultencoding( "utf8" ) - except LookupError: - pass - -import sys -try: - import rlcompleter, readline -except ImportError: - pass -else: - __enableDefaultEncoding() diff --git a/recipes-devtools/python/python-ipy_0.83.bb b/recipes-devtools/python/python-ipy_0.83.bb deleted file mode 100644 index df060fa..0000000 --- a/recipes-devtools/python/python-ipy_0.83.bb +++ /dev/null @@ -1,32 +0,0 @@ -SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks" -DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks \ -in a fashion similar to perl's Net::IP and friends. The IP class allows \ -a comfortable parsing and handling for most notations in use for IPv4 \ -and IPv6 Addresses and Networks." -SECTION = "devel/python" -HOMEPAGE = "https://github.com/haypo/python-ipy" -DEPENDS = "python" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://COPYING;md5=ebc0028ff5cdaf7796604875027dcd55" - -SRC_URI = "https://pypi.python.org/packages/source/I/IPy/IPy-${PV}.tar.gz" - -SRC_URI[md5sum] = "7b8c6eb4111b15aea31b67108e769712" -SRC_URI[sha256sum] = "61da5a532b159b387176f6eabf11946e7458b6df8fb8b91ff1d345ca7a6edab8" - -S = "${WORKDIR}/IPy-${PV}" - -inherit distutils - -# need to export these variables for python-config to work -export BUILD_SYS -export HOST_SYS -export STAGING_INCDIR -export STAGING_LIBDIR - -BBCLASSEXTEND = "native" - -do_install_append() { - install -d ${D}/${datadir}/doc/${BPN}-${PV} - install AUTHORS COPYING ChangeLog README ${D}/${datadir}/doc/${BPN}-${PV} -} 
diff --git a/recipes-devtools/python/python_%.bbappend b/recipes-devtools/python/python_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-devtools/python/python_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-devtools/python/python_selinux.inc b/recipes-devtools/python/python_selinux.inc
deleted file mode 100644
index bb54a90..0000000
--- a/recipes-devtools/python/python_selinux.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-# If selinux enabled, disable handlers to rw command history file
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-inherit selinux
-
diff --git a/recipes-devtools/rpm/rpm_selinux.inc b/recipes-devtools/rpm/rpm_selinux.inc
index 983dda7..8c11cac 100644
--- a/recipes-devtools/rpm/rpm_selinux.inc
+++ b/recipes-devtools/rpm/rpm_selinux.inc
@@ -1,2 +1 @@
-inherit with-selinux
-PACKAGECONFIG[selinux] = "${WITH_SELINUX},${WITHOUT_SELINUX},libsemanage,"
+inherit enable-selinux
diff --git a/recipes-extended/at/at_%.bbappend b/recipes-extended/at/at_%.bbappend
index b01ad25..74e22b3 100644
--- a/recipes-extended/at/at_%.bbappend
+++ b/recipes-extended/at/at_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-extended/cronie/cronie_%.bbappend b/recipes-extended/cronie/cronie_%.bbappend
index cfa56ca..7c3a686 100644
--- a/recipes-extended/cronie/cronie_%.bbappend
+++ b/recipes-extended/cronie/cronie_%.bbappend
@@ -1,2 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-audit', '', d)}
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)}
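Review bot: In the rpm_selinux.inc hunk the removed `PACKAGECONFIG[selinux]` line was the only place this file named libsemanage as a dependency, and the replacement `inherit enable-selinux` does not visibly restore it; unless the enable-selinux class or rpm's own recipe declares that dependency, the SELinux plugin build could silently pick up whatever happens to be in the sysroot — worth confirming before merging. If the class does cover it, a comment on the inherit line such as `# the selinux PACKAGECONFIG (and its libsemanage dependency) now comes from enable-selinux` would make the hand-off explicit. The at and cronie hunks on the same line are pure class renames and need nothing further.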
diff --git a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch b/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch deleted file mode 100644 index 73a9747..0000000 --- a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch +++ /dev/null 
@@ -1,499 +0,0 @@ -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 21 Jun 2012 17:01:39 +0800 -Subject: [PATCH] findutils: support selinux. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> ---- - configure.in | 10 +++++ - doc/find.texi | 12 +++++++ - find/Makefile.am | 2 +- - find/defs.h | 15 ++++++++- - find/find.1 | 4 ++ - find/find.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++- - find/parser.c | 50 ++++++++++++++++++++++++++-- - find/pred.c | 53 +++++++++++++++++++++++++++++ - find/util.c | 3 ++ - 9 files changed, 240 insertions(+), 6 deletions(-) - -diff --git a/configure.in b/configure.in -index 6a20f15..00dd7f8 100644 ---- a/configure.in -+++ b/configure.in -@@ -101,6 +101,16 @@ dnl C library, try -lsun. - AC_CHECK_FUNC(getpwnam, [], - [AC_CHECK_LIB(sun, getpwnam)]) - -+AC_ARG_WITH([selinux], -+ AS_HELP_STRING([--without-selinux], [disable SELinux support]), -+ [:], -+[AC_CHECK_LIB([selinux], [is_selinux_enabled], -+ [with_selinux=yes], [with_selinux=no])]) -+if test x$with_selinux != xno; then -+ AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux]) -+ AC_SUBST([LIBSELINUX], [-lselinux]) -+fi -+ - dnl Checks for header files. - AC_HEADER_STDC - dnl Assume unistd.h is present - coreutils does too. -diff --git a/doc/find.texi b/doc/find.texi -index 5b5f0cf..e1ad433 100644 ---- a/doc/find.texi -+++ b/doc/find.texi -@@ -1091,6 +1091,14 @@ will probably be made in early 2006. - - @end deffn - -+@deffn Test -context pattern -+True if file's SELinux context matches the pattern @var{pattern}. -+The pattern uses shell glob matching. -+ -+This predicate is supported only on @code{find} versions compiled with -+SELinux support and only when SELinux is enabled. -+@end deffn -+ - @node Contents - @section Contents - -@@ -1599,6 +1607,10 @@ semantics, you will see a difference between the mode as printed by - @item %M - File's permissions (in symbolic form, as for @code{ls}). 
This - directive is supported in findutils 4.2.5 and later. -+ -+@item %Z -+File's SELinux context, or empty string if the file has no SELinux context -+or this version of find does not support SELinux. - @end table - - @node Size Directives -diff --git a/find/Makefile.am b/find/Makefile.am -index 8e71a32..405955a 100644 ---- a/find/Makefile.am -+++ b/find/Makefile.am -@@ -6,7 +6,7 @@ bin_PROGRAMS = find - find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c - EXTRA_DIST = defs.h $(man_MANS) - INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\" --LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ -+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIBSELINUX@ - man_MANS = find.1 - SUBDIRS = testsuite - -diff --git a/find/defs.h b/find/defs.h -index 9369c9a..8a8cf28 100644 ---- a/find/defs.h -+++ b/find/defs.h -@@ -131,6 +131,10 @@ int get_statinfo PARAMS((const char *pathname, const char *name, struct stat *p) - #define MODE_RWX (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW) - #define MODE_ALL (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX) - -+#ifdef WITH_SELINUX -+#include <selinux/selinux.h> -+#endif -+ - #if 1 - #include <stdbool.h> - typedef bool boolean; -@@ -320,6 +324,9 @@ struct predicate - struct dir_id fileid; /* samefile */ - mode_t type; /* type */ - FILE *stream; /* ls fls fprint0 */ -+#ifdef WITH_SELINUX -+ security_context_t scontext; /* scontext */ -+#endif - struct format_val printf_vec; /* printf fprintf fprint */ - } args; - -@@ -481,7 +488,9 @@ boolean pred_uid PARAMS((char *pathname, struct stat *stat_buf, struct predicate - boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); - boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); - boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); -- -+#ifdef WITH_SELINUX -+boolean pred_context 
PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); -+#endif - - - int launch PARAMS((const struct buildcmd_control *ctl, -@@ -570,6 +579,10 @@ struct options - * can be changed with the positional option, -regextype. - */ - int regex_options; -+ -+#ifdef WITH_SELINUX -+ int (*x_getfilecon) (); -+#endif - }; - extern struct options options; - -diff --git a/find/find.1 b/find/find.1 -index 9be362f..2753d47 100644 ---- a/find/find.1 -+++ b/find/find.1 -@@ -487,6 +487,8 @@ links: if the \-H or \-P option was specified, true if the file is a - link to a file of type \fIc\fR; if the \-L option has been given, true - if \fIc\fR is `l'. In other words, for symbolic links, \-xtype checks - the type of the file that \-type does not check. -+.IP "\-context \fIpattern\fR" -+(SELinux only) Security context of the file matches glob \fIpattern\fR. - - .SS ACTIONS - .IP "\-delete\fR" -@@ -789,6 +791,8 @@ File's numeric user ID. - File's type (like in ls \-l), U=unknown type (shouldn't happen) - .IP %Y - File's type (like %y), plus follow symlinks: L=loop, N=nonexistent -+.IP %Z -+(SELinux only) file's security context - .PP - A `%' character followed by any other character is discarded, but the - other character is printed (don't rely on this, as further format -diff --git a/find/find.c b/find/find.c -index df28db6..6b3a2de 100644 ---- a/find/find.c -+++ b/find/find.c -@@ -245,6 +245,92 @@ optionp_stat(const char *name, struct stat *p) - return lstat(name, p); - } - -+#ifdef WITH_SELINUX -+static int -+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv) -+{ -+ /* Our original getfilecon() call failed. Perhaps we can't follow a -+ * symbolic link. If that might be the problem, lgetfilecon() the link. -+ * Otherwise, admit defeat. 
-+ */ -+ switch (errno) -+ { -+ case ENOENT: -+ case ENOTDIR: -+#ifdef DEBUG_STAT -+ fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name); -+#endif -+ return lgetfilecon(name, p); -+ -+ case EACCES: -+ case EIO: -+ case ELOOP: -+ case ENAMETOOLONG: -+#ifdef EOVERFLOW -+ case EOVERFLOW: /* EOVERFLOW is not #defined on UNICOS. */ -+#endif -+ default: -+ return prev_rv; -+ } -+} -+ -+/* optionh_getfilecon() implements the getfilecon operation when the -+ * -H option is in effect. -+ * -+ * If the item to be examined is a command-line argument, we follow -+ * symbolic links. If the getfilecon() call fails on the command-line -+ * item, we fall back on the properties of the symbolic link. -+ * -+ * If the item to be examined is not a command-line argument, we -+ * examine the link itself. -+ */ -+int -+optionh_getfilecon(const char *name, security_context_t *p) -+{ -+ if (0 == state.curdepth) -+ { -+ /* This file is from the command line; deference the link (if it -+ * is a link). -+ */ -+ int rv = getfilecon(name, p); -+ if (0 == rv) -+ return 0; /* success */ -+ else -+ return fallback_getfilecon(name, p, rv); -+ } -+ else -+ { -+ /* Not a file on the command line; do not derefernce the link. -+ */ -+ return lgetfilecon(name, p); -+ } -+} -+ -+/* optionl_getfilecon() implements the getfilecon operation when the -+ * -L option is in effect. That option makes us examine the thing the -+ * symbolic link points to, not the symbolic link itself. -+ */ -+int -+optionl_getfilecon(const char *name, security_context_t *p) -+{ -+ int rv = getfilecon(name, p); -+ if (0 == rv) -+ return 0; /* normal case. */ -+ else -+ return fallback_getfilecon(name, p, rv); -+} -+ -+/* optionp_getfilecon() implements the stat operation when the -P -+ * option is in effect (this is also the default). That option makes -+ * us examine the symbolic link itself, not the thing it points to. 
-+ */ -+int -+optionp_getfilecon(const char *name, security_context_t *p) -+{ -+ return lgetfilecon(name, p); -+} -+#endif /* WITH_SELINUX */ -+ - #ifdef DEBUG_STAT - static uintmax_t stat_count = 0u; - -@@ -272,11 +358,17 @@ set_follow_state(enum SymlinkOption opt) - { - case SYMLINK_ALWAYS_DEREF: /* -L */ - options.xstat = optionl_stat; -+#ifdef WITH_SELINUX -+ options.x_getfilecon = optionl_getfilecon; -+#endif - options.no_leaf_check = true; - break; - - case SYMLINK_NEVER_DEREF: /* -P (default) */ - options.xstat = optionp_stat; -+#ifdef WITH_SELINUX -+ options.x_getfilecon = optionp_getfilecon; -+#endif - /* Can't turn no_leaf_check off because the user might have specified - * -noleaf anyway - */ -@@ -284,6 +376,9 @@ set_follow_state(enum SymlinkOption opt) - - case SYMLINK_DEREF_ARGSONLY: /* -H */ - options.xstat = optionh_stat; -+#ifdef WITH_SELINUX -+ options.x_getfilecon = optionh_getfilecon; -+#endif - options.no_leaf_check = true; - } - -@@ -1807,7 +1902,7 @@ complete_pending_execs(struct predicate *p) - static void - process_dir (char *pathname, char *name, int pathlen, struct stat *statp, char *parent) - { -- int subdirs_left; /* Number of unexamined subdirs in PATHNAME. */ -+ int subdirs_left = 0; /* Number of unexamined subdirs in PATHNAME. */ - boolean subdirs_unreliable; /* if true, cannot use dir link count as subdir limif (if false, it may STILL be unreliable) */ - int idx; /* Which entry are we on? */ - struct stat stat_buf; -diff --git a/find/parser.c b/find/parser.c -index fcdb98a..e67e09f 100644 ---- a/find/parser.c -+++ b/find/parser.c -@@ -48,6 +48,10 @@ - /* We need <unistd.h> for isatty(). 
*/ - #include <unistd.h> - -+#ifdef WITH_SELINUX -+#include <selinux/selinux.h> -+#endif -+ - #if ENABLE_NLS - # include <libintl.h> - # define _(Text) gettext (Text) -@@ -148,7 +152,9 @@ static boolean parse_noignore_race PARAMS((const struct parser_table*, char *arg - static boolean parse_warn PARAMS((const struct parser_table*, char *argv[], int *arg_ptr)); - static boolean parse_xtype PARAMS((const struct parser_table*, char *argv[], int *arg_ptr)); - static boolean parse_quit PARAMS((const struct parser_table*, char *argv[], int *arg_ptr)); -- -+#ifdef WITH_SELINUX -+static boolean parse_context PARAMS((const struct parser_table*, char *argv[], int *arg_ptr)); -+#endif - - - boolean parse_print PARAMS((const struct parser_table*, char *argv[], int *arg_ptr)); -@@ -216,6 +222,9 @@ static struct parser_table const parse_table[] = - PARSE_TEST ("cmin", cmin), /* GNU */ - PARSE_TEST ("cnewer", cnewer), /* GNU */ - PARSE_TEST ("ctime", ctime), -+#ifdef WITH_SELINUX -+ PARSE_TEST ("context", context), /* GNU */ -+#endif - PARSE_POSOPT ("daystart", daystart), /* GNU */ - PARSE_ACTION ("delete", delete), /* GNU, Mac OS, FreeBSD */ - PARSE_OPTION ("d", d), /* Mac OS X, FreeBSD, NetBSD, OpenBSD, but deprecated in favour of -depth */ -@@ -801,8 +810,12 @@ tests (N can be +N or -N or N): -amin N -anewer FILE -atime N -cmin N\n\ - puts (_("\ - -nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\ - -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\ -- -used N -user NAME -xtype [bcdpfls]\n")); -+ -used N -user NAME -xtype [bcdpfls]")); -+#ifdef WITH_SELINUX - puts (_("\ -+ -context CONTEXT\n")); -+#endif -+ puts (_("\n\ - actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print \n\ - -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit\n\ - -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;\n\ -@@ -1718,6 +1731,10 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr) - printf("LEAF_OPTIMISATION "); - ++features; 
- #endif -+#if defined(WITH_SELINUX) -+ printf("SELINUX "); -+ ++features; -+#endif - if (0 == features) - { - /* For the moment, leave this as English in case someone wants -@@ -1729,6 +1746,32 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr) - exit (0); - } - -+#ifdef WITH_SELINUX -+static boolean -+parse_context (const struct parser_table* entry, char **argv, int *arg_ptr) -+{ -+ struct predicate *our_pred; -+ -+ if ((argv == NULL) || (argv[*arg_ptr] == NULL)) -+ return false; -+ -+ if (is_selinux_enabled() <= 0) -+ { -+ error (1, 0, _("invalid predicate -context: SELinux is not enabled.")); -+ return false; -+ } -+ our_pred = insert_primary (entry); -+ our_pred->need_stat = false; -+#ifdef DEBUG -+ our_pred->p_name = find_pred_name (pred_context); -+#endif /*DEBUG*/ -+ our_pred->args.scontext = argv[*arg_ptr]; -+ -+ (*arg_ptr)++; -+ return true; -+} -+#endif /* WITH_SELINUX */ -+ - static boolean - parse_xdev (const struct parser_table* entry, char **argv, int *arg_ptr) - { -@@ -1971,7 +2014,7 @@ insert_fprintf (FILE *fp, const struct parser_table *entry, PRED_FUNC func, char - if (*scan2 == '.') - for (scan2++; ISDIGIT (*scan2); scan2++) - /* Do nothing. 
*/ ; -- if (strchr ("abcdDfFgGhHiklmMnpPstuUyY", *scan2)) -+ if (strchr ("abcdDfFgGhHiklmMnpPstuUyYZ", *scan2)) - { - segmentp = make_segment (segmentp, format, scan2 - format, - (int) *scan2); -@@ -2046,6 +2089,7 @@ make_segment (struct segment **segment, char *format, int len, int kind) - case 'u': /* user name */ - case 'y': /* file type */ - case 'Y': /* symlink pointed file type */ -+ case 'Z': /* SELinux security context */ - fprintf_stat_needed = true; - /* FALLTHROUGH */ - case 'f': /* basename of path */ -diff --git a/find/pred.c b/find/pred.c -index 9ec10a4..1da49dc 100644 ---- a/find/pred.c -+++ b/find/pred.c -@@ -38,6 +38,10 @@ - #include "buildcmd.h" - #include "yesno.h" - -+#ifdef WITH_SELINUX -+#include <selinux/selinux.h> -+#endif /*WITH_SELINUX*/ -+ - #if ENABLE_NLS - # include <libintl.h> - # define _(Text) gettext (Text) -@@ -217,6 +221,9 @@ struct pred_assoc pred_table[] = - {pred_used, "used "}, - {pred_user, "user "}, - {pred_xtype, "xtype "}, -+#ifdef WITH_SELINUX -+ {pred_context, "context"}, -+#endif /*WITH_SELINUX*/ - {0, "none "} - }; - -@@ -905,6 +912,27 @@ pred_fprintf (char *pathname, struct stat *stat_buf, struct predicate *pred_ptr) - mode_to_filetype(stat_buf->st_mode & S_IFMT)); - } - break; -+ case 'Z': /* SELinux security context */ -+#ifdef WITH_SELINUX -+ { -+ security_context_t scontext; -+ int rv; -+ rv = (*options.x_getfilecon) (state.rel_pathname, &scontext); -+ -+ if (rv < 0) -+ { -+ fprintf (stderr, "getfilecon(%s): %s", pathname, -+ strerror(errno)); -+ fflush (stderr); -+ } -+ else -+ { -+ fprintf (fp, segment->text, scontext); -+ freecon (scontext); -+ } -+ } -+#endif /* WITH_SELINUX */ -+ break; - } - } - return true; -@@ -1497,6 +1525,31 @@ pred_xtype (char *pathname, struct stat *stat_buf, struct predicate *pred_ptr) - */ - return (pred_type (pathname, &sbuf, pred_ptr)); - } -+ -+#ifdef WITH_SELINUX -+ -+boolean -+pred_context (char *pathname, struct stat *stat_buf, -+ struct predicate *pred_ptr) -+{ -+ int rv; -+ 
security_context_t scontext; -+ -+ rv = (*options.x_getfilecon) (state.rel_pathname, &scontext); -+ -+ if (rv < 0) -+ { -+ fprintf (stderr, "getfilecon(%s): %s\n", pathname, strerror(errno)); -+ fflush (stderr); -+ return false; -+ } -+ -+ rv = (fnmatch (pred_ptr->args.scontext, scontext, 0) == 0); -+ freecon (scontext); -+ return rv; -+} -+ -+#endif /*WITH_SELINUX*/ - - /* 1) fork to get a child; parent remembers the child pid - 2) child execs the command requested -diff --git a/find/util.c b/find/util.c -index 97c8687..77bdfa8 100644 ---- a/find/util.c -+++ b/find/util.c -@@ -78,6 +78,9 @@ get_new_pred (const struct parser_table *entry) - last_pred->need_stat = true; - last_pred->need_type = true; - last_pred->args.str = NULL; -+#ifdef WITH_SELINUX -+ last_pred->args.scontext = NULL; -+#endif - last_pred->pred_next = NULL; - last_pred->pred_left = NULL; - last_pred->pred_right = NULL; --- -1.7.5.4 - diff --git a/recipes-devtools/prelink/prelink_git.bbappend b/recipes-extended/findutils/findutils_%.bbappend index 74e22b3..74e22b3 100644 --- a/recipes-devtools/prelink/prelink_git.bbappend +++ b/recipes-extended/findutils/findutils_%.bbappend diff --git a/recipes-extended/findutils/findutils_4.6.%.bbappend b/recipes-extended/findutils/findutils_4.6.%.bbappend deleted file mode 100644 index b01ad25..0000000 --- a/recipes-extended/findutils/findutils_4.6.%.bbappend +++ /dev/null @@ -1 +0,0 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} diff --git a/recipes-extended/logrotate/logrotate_%.bbappend b/recipes-extended/logrotate/logrotate_%.bbappend deleted file mode 100644 index 7719d3b..0000000 --- a/recipes-extended/logrotate/logrotate_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-extended/lsof/lsof_selinux.inc b/recipes-extended/lsof/lsof_selinux.inc index 6691b4c..9021f38 100644 --- a/recipes-extended/lsof/lsof_selinux.inc 
+++ b/recipes-extended/lsof/lsof_selinux.inc @@ -2,7 +2,7 @@ inherit selinux DEPENDS += "${LIBSELINUX}" -do_configure_prepend () { +do_configure:prepend () { export LINUX_HASSELINUX="${@target_selinux(d, 'Y', 'N')}" export LSOF_CFGF="${CFLAGS}" export LSOF_CFGL="${LDFLAGS}" diff --git a/recipes-extended/net-tools/files/netstat-selinux-support.patch b/recipes-extended/net-tools/files/netstat-selinux-support.patch deleted file mode 100644 index f089041..0000000 --- a/recipes-extended/net-tools/files/netstat-selinux-support.patch +++ /dev/null 
@@ -1,244 +0,0 @@ -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Wed, 13 Jun 2012 13:32:01 +0800 -Subject: [PATCH] net-tools: netstat add SELinux support. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> ---- - Makefile | 9 ++++++++- - netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 74 insertions(+), 4 deletions(-) - -diff --git a/Makefile b/Makefile -index 8fcc55c..0b5c395 100644 ---- a/Makefile -+++ b/Makefile -@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a - CFLAGS = $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH) - LDFLAGS = $(LOPTS) -L$(NET_LIB_PATH) - -+ifeq ($(HAVE_SELINUX),1) -+SELINUX_LDFLAGS = -lselinux -+CFLAGS += -DHAVE_SELINUX -+else -+SELINUX_LDFLAGS = -+endif -+ - SUBDIRS = man/ $(NET_LIB_PATH)/ - - ifeq ($(origin CC), undefined) -@@ -209,7 +216,7 @@ plipconfig: $(NET_LIB) plipconfig.o - $(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB) - - netstat: $(NET_LIB) netstat.o statistics.o -- $(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) -+ $(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) - - iptunnel: $(NET_LIB) iptunnel.o - $(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB) -diff --git a/netstat.c b/netstat.c -index fc10414..a773e81 100644 ---- a/netstat.c -+++ b/netstat.c -@@ -90,6 +90,12 @@ - #include <sys/types.h> - #include <asm-generic/param.h> - -+#if HAVE_SELINUX -+#include <selinux/selinux.h> -+#else -+#define security_context_t char* -+#endif -+ - #include "net-support.h" - #include "pathnames.h" - #include "version.h" -@@ -101,6 +107,7 @@ - #include "proc.h" - - #define PROGNAME_WIDTH 20 -+#define SELINUX_WIDTH 50 - - #if !defined(s6_addr32) && defined(in6a_words) - #define s6_addr32 in6a_words /* libinet6 */ -@@ -180,6 +187,7 @@ int flag_wide= 0; - int flag_prg = 0; - int flag_arg = 0; - 
int flag_ver = 0; -+int flag_selinux = 0; - - FILE *procinfo; - -@@ -243,12 +251,17 @@ FILE *procinfo; - #define PROGNAME_WIDTH1(s) PROGNAME_WIDTH2(s) - #define PROGNAME_WIDTH2(s) #s - -+#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH) -+#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s) -+#define SELINUX_WIDTH2(s) #s -+ - #define PRG_HASH_SIZE 211 - - static struct prg_node { - struct prg_node *next; - unsigned long inode; - char name[PROGNAME_WIDTH]; -+ char scon[SELINUX_WIDTH]; - } *prg_hash[PRG_HASH_SIZE]; - - static char prg_cache_loaded = 0; -@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0; - #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE) - - #define PROGNAME_BANNER "PID/Program name" -+#define SELINUX_BANNER "Security Context" - - #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0) - -+#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0) -+ - #define PRG_LOCAL_ADDRESS "local_address" - #define PRG_INODE "inode" - #define PRG_SOCKET_PFX "socket:[" -@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0; - /* NOT working as of glibc-2.0.7: */ - #undef DIRENT_HAVE_D_TYPE_WORKS - --static void prg_cache_add(unsigned long inode, char *name) -+static void prg_cache_add(unsigned long inode, char *name, char *scon) - { - unsigned hi = PRG_HASHIT(inode); - struct prg_node **pnp,*pn; -@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name) - if (strlen(name)>sizeof(pn->name)-1) - name[sizeof(pn->name)-1]='\0'; - strcpy(pn->name,name); -+ -+ { -+ int len=(strlen(scon)-sizeof(pn->scon))+1; -+ if (len > 0) -+ strcpy(pn->scon,&scon[len+1]); -+ else -+ strcpy(pn->scon,scon); -+ } - } - - static const char *prg_cache_get(unsigned long inode) -@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode) - return("-"); - } - -+static const char *prg_cache_get_con(unsigned long inode) -+{ -+ unsigned 
hi=PRG_HASHIT(inode); -+ struct prg_node *pn; -+ -+ for (pn=prg_hash[hi];pn;pn=pn->next) -+ if (pn->inode==inode) return(pn->scon); -+ return("-"); -+} -+ - static void prg_cache_clear(void) - { - struct prg_node **pnp,*pn; -@@ -384,6 +418,7 @@ static void prg_cache_load(void) - const char *cs,*cmdlp; - DIR *dirproc=NULL,*dirfd=NULL; - struct dirent *direproc,*direfd; -+ security_context_t scon=NULL; - - if (prg_cache_loaded || !flag_prg) return; - prg_cache_loaded=1; -@@ -453,7 +488,15 @@ static void prg_cache_load(void) - } - - snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp); -- prg_cache_add(inode, finbuf); -+#if HAVE_SELINUX -+ if (getpidcon(atoi(direproc->d_name), &scon) == -1) { -+ scon=strdup("-"); -+ } -+ prg_cache_add(inode, finbuf, scon); -+ freecon(scon); -+#else -+ prg_cache_add(inode, finbuf, "-"); -+#endif - } - closedir(dirfd); - dirfd = NULL; -@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers) - } - if (flag_prg) - printf(" %-16s",prg_cache_get(inode)); -+ if (flag_selinux) -+ printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode)); - if (flag_opt) - printf(" %s", timers); - putchar('\n'); -@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line) - printf("- "); - if (flag_prg) - printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-")); -+ if (flag_selinux) -+ printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-")); - puts(path); - } - -@@ -1584,6 +1631,7 @@ static int unix_info(void) - - printf(_("\nProto RefCnt Flags Type State I-Node ")); - print_progname_banner(); -+ print_selinux_banner(); - printf(_(" Path\n")); /* xxx */ - - { -@@ -1874,6 +1922,7 @@ static void usage(void) - fprintf(stderr, _(" -o, --timers display timers\n")); - fprintf(stderr, _(" -F, --fib display Forwarding Information Base (default)\n")); - fprintf(stderr, _(" -C, --cache display routing cache instead of FIB\n\n")); -+ fprintf(stderr, _(" -Z, 
--context display SELinux security context for sockets\n\n")); - - fprintf(stderr, _(" <Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom\n")); - fprintf(stderr, _(" <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: %s\n"), DFLT_AF); -@@ -1920,6 +1969,7 @@ int main - {"cache", 0, 0, 'C'}, - {"fib", 0, 0, 'F'}, - {"groups", 0, 0, 'g'}, -+ {"context", 0, 0, 'Z'}, - {NULL, 0, 0, 0} - }; - -@@ -1931,7 +1981,7 @@ int main - getroute_init(); /* Set up AF routing support */ - - afname[0] = '\0'; -- while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF) -+ while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF) - switch (i) { - case -1: - break; -@@ -2036,6 +2086,19 @@ int main - if (aftrans_opt("unix")) - exit(1); - break; -+ case 'Z': -+#if HAVE_SELINUX -+ if (is_selinux_enabled() <= 0) { -+ fprintf(stderr, _("SELinux is not enabled on this machine.\n")); -+ exit(1); -+ } -+ flag_prg++; -+ flag_selinux++; -+#else -+ fprintf(stderr, _("SELinux is not enabled for this application.\n")); -+ exit(1); -+#endif -+ break; - case '?': - case 'h': - usage(); --- -1.9.1 - diff --git a/recipes-extended/net-tools/net-tools_selinux.inc b/recipes-extended/net-tools/net-tools_selinux.inc index cc3196f..6454205 100644 --- a/recipes-extended/net-tools/net-tools_selinux.inc +++ b/recipes-extended/net-tools/net-tools_selinux.inc @@ -1,9 +1,10 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +inherit enable-selinux -SRC_URI += "file://netstat-selinux-support.patch" +PACKAGECONFIG[selinux] = ",,libselinux" -inherit selinux - -DEPENDS += "${LIBSELINUX}" - -EXTRA_OEMAKE += "${@target_selinux(d, 'HAVE_SELINUX=1', 'HAVE_SELINUX=0')}" +do_configure:append() { + if ${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'true', 'false', d)} ; then + echo "#define HAVE_SELINUX 1" >> ${S}/config.h + echo "HAVE_SELINUX=1" >> ${S}/config.make + fi +} 
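Review bot: The new `do_configure:append` in net-tools_selinux.inc appends `#define HAVE_SELINUX 1` and `HAVE_SELINUX=1` to `${S}/config.h` and `${S}/config.make` with `>>`, so every run of do_configure adds another copy, and if the generated config already carries a HAVE_SELINUX line (net-tools' configure writes one per option) the result is a redefinition that the compiler warns about and the last definition silently wins. Rewriting the existing line in place, e.g. `sed -i -e 's/^#define HAVE_SELINUX .*/#define HAVE_SELINUX 1/' ${S}/config.h` and the matching edit for config.make, keeps the step idempotent. The removed `EXTRA_OEMAKE` line also passed `HAVE_SELINUX=0` explicitly when selinux was off; the new code relies on the upstream build treating an unset variable as disabled, which is worth a comment in the block so the asymmetry reads as intentional.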
diff --git a/recipes-extended/pam/libpam_selinux.inc b/recipes-extended/pam/libpam_selinux.inc index adcf938..2f8b945 100644 --- a/recipes-extended/pam/libpam_selinux.inc +++ b/recipes-extended/pam/libpam_selinux.inc @@ -1,3 +1,4 @@ inherit enable-selinux -RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" +RDEPENDS:${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}" diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/sed/sed_4.%.bbappend index 74e22b3..74e22b3 100644 --- a/recipes-extended/parted/parted_%.bbappend +++ b/recipes-extended/sed/sed_4.%.bbappend diff --git a/recipes-extended/sed/sed_4.2.2.bbappend b/recipes-extended/sed/sed_4.2.2.bbappend deleted file mode 100644 index b01ad25..0000000 --- a/recipes-extended/sed/sed_4.2.2.bbappend +++ /dev/null @@ -1 +0,0 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} diff --git a/recipes-extended/shadow/shadow_selinux.inc b/recipes-extended/shadow/shadow_selinux.inc index 496ea6a..e719ebc 100644 --- a/recipes-extended/shadow/shadow_selinux.inc +++ b/recipes-extended/shadow/shadow_selinux.inc @@ -1,6 +1,3 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -inherit with-selinux with-audit - -PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage," +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" +inherit enable-selinux enable-audit diff --git a/recipes-extended/sudo/sudo_%.bbappend b/recipes-extended/sudo/sudo_%.bbappend index b01ad25..7c3a686 100644 --- a/recipes-extended/sudo/sudo_%.bbappend +++ b/recipes-extended/sudo/sudo_%.bbappend @@ -1 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux enable-audit', '', d)} 
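Review bot: The shadow_selinux.inc hunk deletes the recipe's own `PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"` and relies on whatever `enable-selinux` defines, which loses the libsemanage build dependency and the `--with-selinux` spelling that this line shows shadow's configure uses. The libpam hunk on this same line keeps an explicit `PACKAGECONFIG[selinux]` right after `inherit enable-selinux`, so the class default evidently does not fit every recipe; unless enable-selinux.bbclass is known to emit exactly these flags and dependencies for shadow, keep the line as `PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"`. In the sudo bbappend, `enable-audit` is now gated on the selinux DISTRO_FEATURE rather than on an audit feature; if that coupling is intended, a one-line comment in the bbappend would record it.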
diff --git a/recipes-extended/sysklogd/files/sysklogd b/recipes-extended/sysklogd/files/sysklogd index 8c6eeb5..2a7eae4 100755..100644 --- a/recipes-extended/sysklogd/files/sysklogd +++ b/recipes-extended/sysklogd/files/sysklogd @@ -12,15 +12,19 @@ # Short-Description: System logger ### END INIT INFO +# Source function library. +. /etc/init.d/functions + PATH=/bin:/usr/bin:/sbin:/usr/sbin pidfile_syslogd=/var/run/syslogd.pid -pidfile_klogd=/var/run/klogd.pid -binpath_syslogd=/sbin/syslogd -binpath_klogd=/sbin/klogd +binpath_syslogd=/usr/sbin/syslogd test -x $binpath || exit 0 +# run secure by default +SYSLOGD="-ss" + test ! -r /etc/default/syslogd || . /etc/default/syslogd create_xconsole() 
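Review bot: The context line directly below the new `binpath_syslogd=/usr/sbin/syslogd` still reads `test -x $binpath || exit 0`, and `$binpath` is never assigned; with the variable empty the command becomes the one-argument `test -x`, which is true for any non-empty string, so the guard never fires and the script carries on even when the daemon binary is absent. Since this hunk already moves the binary path it should fix the check too: `test -x $binpath_syslogd || exit 0`. The new `SYSLOGD="-ss"` default is set before `/etc/default/syslogd` is sourced, so a site override still wins, but `# run secure by default` does not say what `-ss` does; a comment naming the effect (no remote logging / no network socket, if that is what the shipped syslogd implements) would save the next reader a trip to the man page. The file mode change from 100755 to 100644 is harmless only if the recipe installs the script with an explicit mode; otherwise the init script stops being executable.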
@@ -87,43 +91,47 @@ running() return 0 } +waitpid () +{ + pid=$1 + # Give pid a chance to exit before we restart with a 5s timeout in 1s intervals + if [ -z "$pid" ]; then + return + fi + timeout=5; + while [ $timeout -gt 0 ] + do + timeout=$(( $timeout-1 )) + kill -0 $pid 2> /dev/null || break + sleep 1 + done +} + case "$1" in start) log_begin_msg "Starting system log daemon..." create_xconsole + test ! -x /sbin/restorecon || /sbin/restorecon -F /var/log start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD - test ! -x /sbin/restorecon || /sbin/restorecon -RF /dev/log /var/log/ - log_end_msg $? - log_begin_msg "Starting kernel log daemon..." - start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD log_end_msg $? ;; stop) log_begin_msg "Stopping system log daemon..." start-stop-daemon --stop --quiet --pidfile $pidfile_syslogd --name syslogd log_end_msg $? - log_begin_msg "Stopping kernel log daemon..." - start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd - log_end_msg $? ;; reload|force-reload) log_begin_msg "Reloading system log daemon..." start-stop-daemon --stop --quiet --signal 1 --pidfile $pidfile_syslogd --name syslogd log_end_msg $? - log_begin_msg "Reloading kernel log daemon..." - start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd - start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD - log_end_msg $? ;; restart) log_begin_msg "Restarting system log daemon..." + pid=`cat $pidfile_syslogd 2> /dev/null` start-stop-daemon --stop --retry 5 --quiet --pidfile $pidfile_syslogd --name syslogd + waitpid $pid start-stop-daemon --start --quiet --pidfile $pidfile_syslogd --name syslogd --startas $binpath_syslogd -- $SYSLOGD log_end_msg $? - log_begin_msg "Reloading kernel log daemon..." 
- start-stop-daemon --stop --quiet --retry 3 --exec $binpath_klogd --pidfile $pidfile_klogd - start-stop-daemon --start --quiet --pidfile $pidfile_klogd --name klogd --startas $binpath_klogd -- $KLOGD - log_end_msg $? ;; reload-or-restart) if running @@ -133,8 +141,14 @@ case "$1" in $0 start fi ;; + status) + status syslogd + RETVAL=$? + [ $RETVAL -eq 0 ] && exit $rval + exit $RETVAL + ;; *) - log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}" + log_success_msg "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart|status}" exit 1 esac diff --git a/recipes-extended/sysklogd/sysklogd_selinux.inc b/recipes-extended/sysklogd/sysklogd_selinux.inc index 81fe7b7..8802adb 100644 --- a/recipes-extended/sysklogd/sysklogd_selinux.inc +++ b/recipes-extended/sysklogd/sysklogd_selinux.inc @@ -1 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" diff --git a/recipes-extended/tar/tar_selinux.inc b/recipes-extended/tar/tar_selinux.inc index 341df8b..8c11cac 100644 --- a/recipes-extended/tar/tar_selinux.inc +++ b/recipes-extended/tar/tar_selinux.inc @@ -1,3 +1 @@ -inherit with-selinux - -PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}" +inherit enable-selinux diff --git a/recipes-graphics/mesa/mesa_%.bbappend b/recipes-graphics/mesa/mesa_%.bbappend index b0b03ec..ef81ec4 100644 --- a/recipes-graphics/mesa/mesa_%.bbappend +++ b/recipes-graphics/mesa/mesa_%.bbappend @@ -1,2 +1,2 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} - +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} +PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux" diff --git a/recipes-graphics/mesa/mesa_selinux.inc b/recipes-graphics/mesa/mesa_selinux.inc deleted file mode 100644 index 0004f71..0000000 
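Review bot: In the new `status)` branch, `[ $RETVAL -eq 0 ] && exit $rval` exits with `$rval`, which is never assigned; because `exit` with an empty argument returns the status of the preceding `[ ... ]` test it happens to exit 0, but the intent is clearly `$RETVAL`, and the branch reduces to `status syslogd` followed by `exit $?`. The `status` helper comes from `/etc/init.d/functions`, sourced in the first hunk, so this branch now depends on that file being present on the target. In the previous hunk, `waitpid $pid` busy-polls `kill -0 $pid` for up to 5 s after `start-stop-daemon --stop --retry 5` has already waited for the process; if it covers a case the retry does not, a comment saying which one would help, otherwise the extra wait only delays restart.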
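Review bot: The tar_selinux.inc hunk removes `PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"` together with the `with-selinux` inherit, so this layer no longer turns on tar's acl support when the acl distro feature is present, and archives created on such a system would stop preserving POSIX ACLs. If oe-core's tar recipe now derives the acl PACKAGECONFIG from DISTRO_FEATURES itself this is fine; otherwise the append should survive in the new override syntax as `PACKAGECONFIG:append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"`.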
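Review bot: The new `PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux"` in mesa_%.bbappend lists only libselinux, while the mesa_selinux.inc deleted just below carried a comment that mesa's host-side builtin_compiler also needs libselinux-native. If the meson build no longer links that host program against libselinux the native dependency can go, but the reason should be recorded above the line, e.g. `# builtin_compiler no longer needs libselinux-native with the meson build`; if it still does, add `libselinux-native` back to the dependency field.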
--- a/recipes-graphics/mesa/mesa_selinux.inc +++ /dev/null @@ -1,6 +0,0 @@ -inherit enable-selinux - -# But wait! There's more! mesa builds a host program named builtin_compiler -# and it needs selinux, too. We replace the PACKAGECONFIG[] in the bbclass. -# -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native," diff --git a/recipes-graphics/xcb/libxcb_selinux.inc b/recipes-graphics/xcb/libxcb_selinux.inc deleted file mode 100644 index 29bdadb..0000000 --- a/recipes-graphics/xcb/libxcb_selinux.inc +++ /dev/null @@ -1,6 +0,0 @@ -inherit enable-selinux -# libxcb-xselinux will not build with libselinux, so remove the depend -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,," - -PACKAGES += "${PN}-xselinux" -FILES_${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*" diff --git a/recipes-graphics/xcb/libxcb_%.bbappend b/recipes-graphics/xorg-lib/libxcb_%.bbappend index 7719d3b..7719d3b 100644 --- a/recipes-graphics/xcb/libxcb_%.bbappend +++ b/recipes-graphics/xorg-lib/libxcb_%.bbappend diff --git a/recipes-graphics/xorg-lib/libxcb_selinux.inc b/recipes-graphics/xorg-lib/libxcb_selinux.inc new file mode 100644 index 0000000..04c66c1 --- /dev/null +++ b/recipes-graphics/xorg-lib/libxcb_selinux.inc @@ -0,0 +1,5 @@ +inherit enable-selinux +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" + +PACKAGES += "${PN}-xselinux" +FILES:${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*" diff --git a/recipes-kernel/linux/files/selinux.cfg b/recipes-kernel/linux/files/selinux.cfg index 2edd366..8333a05 100644 --- a/recipes-kernel/linux/files/selinux.cfg +++ b/recipes-kernel/linux/files/selinux.cfg 
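Review bot: The new recipes-graphics/xorg-lib/libxcb_selinux.inc sets `PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"`, restoring the libselinux dependency that the deleted recipes-graphics/xcb/libxcb_selinux.inc had deliberately left empty, with the note that libxcb-xselinux would not build against libselinux. If that build problem is gone with the libxcb version now in oe-core, a one-line comment above the PACKAGECONFIG saying so would stop the next reader from reverting it; if it is not gone, the dependency field should stay empty as before.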
@@ -23,9 +23,6 @@ CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y -CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 -CONFIG_SECURITY_SELINUX_DISABLE=y CONFIG_SECURITY_SELINUX_DEVELOP=y CONFIG_SECURITY_SELINUX_AVC_STATS=y -CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 CONFIG_AUDIT_GENERIC=y diff --git a/recipes-connectivity/dhcp/dhcp_%.bbappend b/recipes-kernel/linux/linux-yocto_%.bbappend index 7719d3b..7719d3b 100644 --- a/recipes-connectivity/dhcp/dhcp_%.bbappend +++ b/recipes-kernel/linux/linux-yocto_%.bbappend diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend deleted file mode 100644 index 7719d3b..0000000 --- a/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend deleted file mode 100644 index 7719d3b..0000000 --- a/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-kernel/linux/linux-yocto_selinux.inc b/recipes-kernel/linux/linux-yocto_selinux.inc index 3312e06..ba078f7 100644 --- a/recipes-kernel/linux/linux-yocto_selinux.inc +++ b/recipes-kernel/linux/linux-yocto_selinux.inc @@ -1,4 +1,4 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" # Enable selinux support in the kernel if the feature is enabled SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}" diff --git a/recipes-kernel/perf/perf_selinux.inc b/recipes-kernel/perf/perf_selinux.inc index bed3cc2..f1bdaf8 100644 --- a/recipes-kernel/perf/perf_selinux.inc +++ b/recipes-kernel/perf/perf_selinux.inc 
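Review bot: Dropping `CONFIG_SECURITY_SELINUX_DISABLE=y` and `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1` from selinux.cfg changes the runtime security posture, not only the build, and the fragment gives no hint why: without SELINUX_DISABLE the policy can no longer be switched off through selinuxfs after boot (a hardening gain), and without the CHECKREQPROT override the kernel's own default for checkreqprot applies. `CONFIG_SECURITY_SELINUX_BOOTPARAM=y` is kept, so `selinux=0` on the kernel command line still disables SELinux entirely; that is worth stating next to it so integrators who lock down the command line know what the fragment does and does not cover. A short comment at the top of the fragment, e.g. `# Runtime disable (SELINUX_DISABLE) and checkreqprot=1 are intentionally not set; SELinux can only be disabled via the selinux= boot parameter`, would record the intent. If these symbols were dropped because newer kernels no longer provide them, say so as well, since the `linux-yocto_%.bbappend` rename in this commit applies the same fragment to every linux-yocto version.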
@@ -1 +1 @@ -DEPENDS .= "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', ' audit', '', d)}" +inherit enable-audit diff --git a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch deleted file mode 100644 index 38029aa..0000000 --- a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch +++ /dev/null @@ -1,47 +0,0 @@ -From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 4 Oct 2018 08:45:47 -0400 -Subject: [PATCH] Remove strdupa as suggested in pull request #25 - ---- - src/auditd.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -Origin: https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6 -Applied-Upstream: yes - -diff --git a/src/auditd.c b/src/auditd.c -index b0952db..c826ec0 100644 ---- a/src/auditd.c -+++ b/src/auditd.c -@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct ev_signal *sig, - - static int extract_type(const char *str) - { -- const char *tptr, *ptr2, *ptr = str; -+ const char *ptr2, *ptr = str; - if (*str == 'n') { - ptr = strchr(str+1, ' '); - if (ptr == NULL) - return -1; // Malformed - bomb out - ptr++; - } -+ - // ptr should be at 't' - ptr2 = strchr(ptr, ' '); -- // get type=xxx in a buffer -- tptr = strndupa(ptr, ptr2 - ptr); -+ - // find = -- str = strchr(tptr, '='); -- if (str == NULL) -+ str = strchr(ptr, '='); -+ if (str == NULL || str >= ptr2) - return -1; // Malformed - bomb out -+ - // name is 1 past - str++; - return audit_name_to_msg_type(str); --- -2.20.1 - diff --git a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch deleted file mode 100644 index c948aa3..0000000 
--- a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Tue, 26 Feb 2019 18:33:33 -0500 -Subject: [PATCH] Add substitue functions for strndupa & rawmemchr - ---- -Origin: https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e -Applied-Upstream: yes - - auparse/auparse.c | 12 +++++++++++- - auparse/interpret.c | 9 ++++++++- - configure.ac | 14 +++++++++++++- - src/ausearch-lol.c | 12 +++++++++++- - 4 files changed, 43 insertions(+), 4 deletions(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index f84712e..3764046 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* Returns 0 on success and 1 on error */ - static int extract_timestamp(const char *b, au_event_t *e) - { -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 1846f9d..8540bd1 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -853,6 +853,13 @@ err_out: - return print_escaped(id->val); - } - -+// rawmemchr is faster. Let's use it if we have it. 
-+#ifdef HAVE_RAWMEMCHR -+#define STRCHR rawmemchr -+#else -+#define STRCHR strchr -+#endif -+ - static const char *print_proctitle(const char *val) - { - char *out = (char *)print_escaped(val); -@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) - // Proctitle has arguments separated by NUL bytes - // We need to write over the NUL bytes with a space - // so that we can see the arguments -- while ((ptr = rawmemchr(ptr, '\0'))) { -+ while ((ptr = STRCHR(ptr, '\0'))) { - if (ptr >= end) - break; - *ptr = ' '; -diff --git a/configure.ac b/configure.ac -index ede7109..97b547f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,7 +1,7 @@ - dnl - define([AC_INIT_NOTICE], - [### Generated automatically using autoconf version] AC_ACVERSION [ --### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com> -+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com> - ### - ### Permission is hereby granted, free of charge, to any person obtaining a - ### copy of this software and associated documentation files (the "Software"), -@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote - AC_CHECK_FUNCS([posix_fallocate]) - dnl; signalfd is needed for libev - AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) -+dnl; check if rawmemchr is available -+AC_CHECK_FUNCS([rawmemchr]) -+dnl; check if strndupa is available -+AC_LINK_IFELSE( -+ [AC_LANG_SOURCE( -+ [[ -+ #define _GNU_SOURCE -+ #include <string.h> -+ int main() { (void) strndupa("test", 10); return 0; }]])], -+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], -+ [] -+) - - ALLWARNS="" - ALLDEBUG="-g" -diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c -index 4fbfbae..5eecefe 100644 ---- a/src/ausearch-lol.c -+++ b/src/ausearch-lol.c -@@ -1,6 +1,6 @@ - /* - * ausearch-lol.c - linked list of linked lists library --* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. 
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -131,6 +131,16 @@ static int inline events_are_equal(event *e1, event *e2) - return 1; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* - * This function will look at the line and pick out pieces of it. - */ --- -2.20.1 - diff --git a/recipes-security/audit/audit/audit-python-configure.patch b/recipes-security/audit/audit/audit-python-configure.patch deleted file mode 100644 index cb62ec3..0000000 --- a/recipes-security/audit/audit/audit-python-configure.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From be689ee1748c6aa531dbca982e0218d077ac901c Mon Sep 17 00:00:00 2001 -From: Li xin <lixin.fnst@cn.fujitsu.com> -Date: Sun, 19 Jul 2015 00:49:13 +0900 -Subject: [PATCH] audit: python cross-compile - -Upstream-Status: pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> ---- - configure.ac | 17 ++--------------- - 1 file changed, 2 insertions(+), 15 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 1f48cb4..cdb5219 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -94,21 +94,8 @@ if test x$use_python = xno ; then - else - AC_MSG_RESULT(testing) - AM_PATH_PYTHON --PYINCLUDEDIR=`python${am_cv_python_version} -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"` --if test -f ${PYINCLUDEDIR}/Python.h ; then -- python_found="yes" -- AC_SUBST(PYINCLUDEDIR) -- pybind_dir="python" -- AC_SUBST(pybind_dir) -- AC_MSG_NOTICE(Python bindings will be built) --else -- python_found="no" -- if test "x$use_python" = xyes ; then -- AC_MSG_ERROR([Python explicitly requested and python headers were not found]) -- else -- AC_MSG_WARN("Python headers not found - python bindings will not be made") -- fi --fi -+python_found="yes" -+AC_MSG_NOTICE(Python bindings will be built) - fi - AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") - --- -1.9.1 - diff --git a/recipes-security/audit/audit/audit-python.patch b/recipes-security/audit/audit/audit-python.patch deleted file mode 100644 index 0c2dc1c..0000000 --- a/recipes-security/audit/audit/audit-python.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 9c8fd14feabe985242ef08e52c3e866d7755fa6e Mon Sep 17 00:00:00 2001 -From: Li xin <lixin.fnst@cn.fujitsu.com> -Date: Sun, 19 Jul 2015 01:40:48 +0900 -Subject: [PATCH] Remove hard coded python include directory - -Signed-off-by: Mark Hatle <mark.hatle@windriver.com> ---- - bindings/Makefile.am | 8 +++++++- - bindings/python/python2/Makefile.am | 3 ++- - bindings/swig/python/Makefile.am | 5 +++-- - 3 files changed, 12 insertions(+), 4 deletions(-) - -diff --git a/bindings/Makefile.am b/bindings/Makefile.am -index cc68df3..998b990 100644 ---- a/bindings/Makefile.am -+++ b/bindings/Makefile.am -@@ -22,4 +22,10 @@ - - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - --SUBDIRS = python golang swig -+SUBDIRS = swig -+if HAVE_PYTHON -+SUBDIRS += python -+endif -+if HAVE_GOLANG -+SUBDIRS += golang -+endif -diff --git a/bindings/python/python2/Makefile.am b/bindings/python/python2/Makefile.am -index 1dcb5bc..6226358 100644 ---- a/bindings/python/python2/Makefile.am -+++ b/bindings/python/python2/Makefile.am -@@ -23,7 +23,8 @@ - - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing --AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@ -+PYINC ?= /usr/include/python$(PYTHON_VERSION) -+AM_CPPFLAGS = -I$(top_builddir) -I${PYINC} - - pyexec_LTLIBRARIES = auparse.la - -diff --git a/bindings/swig/python/Makefile.am b/bindings/swig/python/Makefile.am -index 8c98b94..ae7c52b 100644 ---- a/bindings/swig/python/Makefile.am -+++ b/bindings/swig/python/Makefile.am -@@ -21,9 +21,10 @@ - # - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing --AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@ -+PYINC ?= /usr/include/$(PYLIBVER) -+AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} - SWIG_FLAGS = -python --SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@ -+SWIG_INCLUDES = -I. 
-I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} - pyexec_PYTHON = audit.py - pyexec_LTLIBRARIES = _audit.la - pyexec_SOLIBRARIES = _audit.so --- -1.8.4.2 - diff --git a/recipes-security/audit/audit/audit-volatile.conf b/recipes-security/audit/audit/audit-volatile.conf deleted file mode 100644 index 9cbe154..0000000 --- a/recipes-security/audit/audit/audit-volatile.conf +++ /dev/null @@ -1 +0,0 @@ -d /var/log/audit 0750 root root - diff --git a/recipes-security/audit/audit/auditd b/recipes-security/audit/audit/auditd deleted file mode 100755 index fcd96c9..0000000 --- a/recipes-security/audit/audit/auditd +++ /dev/null 
@@ -1,153 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: auditd -# Required-Start: $local_fs -# Required-Stop: $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Audit Daemon -# Description: Collects audit information from Linux 2.6 Kernels. -### END INIT INFO - -# Author: Philipp Matthias Hahn <pmhahn@debian.org> -# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init - -# June, 2012: Adopted for yocto <amy.fong@windriver.com> - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/bin:/usr/sbin:/usr/bin -DESC="audit daemon" -NAME=auditd -DAEMON=/sbin/auditd -PIDFILE=/var/run/"$NAME".pid -SCRIPTNAME=/etc/init.d/"$NAME" - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" - -. /etc/default/rcS - -. /etc/init.d/functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ - || return 1 - start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ - $EXTRAOPTIONS \ - || return 2 - if [ -f /etc/audit/audit.rules ] - then - /sbin/auditctl -R /etc/audit/audit.rules >/dev/null - fi -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f "$PIDFILE" - rm -f /var/run/audit_events - # Remove watches so shutdown works cleanly - case "$AUDITD_CLEAN_STOP" in - no|NO) ;; - *) /sbin/auditctl -D >/dev/null ;; - esac - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -if [ ! -e /var/log/audit ]; then - mkdir -p /var/log/audit - [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit -fi - -case "$1" in - start) - [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && echo 0 ;; - 2) [ "$VERBOSE" != no ] && echo 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && echo 0 ;; - 2) [ "$VERBOSE" != no ] && echo 1 ;; - esac - ;; - reload|force-reload) - echo "Reloading $DESC" "$NAME" - do_reload - echo $? - ;; - restart) - echo "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) echo 0 ;; - 1) echo 1 ;; # Old process is still running - *) echo 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - echo 1 - ;; - esac - ;; - rotate) - echo "Rotating $DESC logs" "$NAME" - start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" - echo $? - ;; - status) - pidofproc "$DAEMON" >/dev/null - status=$? - if [ $status -eq 0 ]; then - echo "$NAME is running." - else - echo "$NAME is not running." - fi - exit $status - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 - exit 3 - ;; -esac - -: diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service deleted file mode 100644 index ebc0798..0000000 --- a/recipes-security/audit/audit/auditd.service +++ /dev/null 
@@ -1,20 +0,0 @@ -[Unit] -Description=Security Auditing Service -DefaultDependencies=no -After=local-fs.target -Conflicts=shutdown.target -Before=sysinit.target shutdown.target -After=systemd-tmpfiles-setup.service - -[Service] -ExecStart=/sbin/auditd -n -## To use augenrules, copy this file to /etc/systemd/system/auditd.service -## and uncomment the next line and delete/comment out the auditctl line. -## Then copy existing rules to /etc/audit/rules.d/ -## Not doing this last step can cause loss of existing rules -#ExecStartPost=-/sbin/augenrules --load -ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/recipes-security/audit/audit/fix-swig-host-contamination.patch b/recipes-security/audit/audit/fix-swig-host-contamination.patch deleted file mode 100644 index faeeeeb..0000000 --- a/recipes-security/audit/audit/fix-swig-host-contamination.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From d7577e1e55595123e3bcec78fa4a79fe8a314fe5 Mon Sep 17 00:00:00 2001 -From: Li xin <lixin.fnst@cn.fujitsu.com> -Date: Sun, 19 Jul 2015 02:42:58 +0900 -Subject: [PATCH] audit: Fixed swig host contamination issue - -The audit build uses swig to generate a python wrapper. -Unfortunately, the swig info file references host include -directories. Some of these were previously noticed and -eliminated, but the one fixed here was not. - -Upstream Status: pending - -Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com> -Signed-off-by: Joe Slater <jslater@windriver.com> ---- - bindings/swig/python/Makefile.am | 3 ++- - bindings/swig/src/auditswig.i | 4 ++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/bindings/swig/python/Makefile.am b/bindings/swig/python/Makefile.am -index ae7c52b..d1bb93c 100644 ---- a/bindings/swig/python/Makefile.am -+++ b/bindings/swig/python/Makefile.am -@@ -22,6 +22,7 @@ - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing - PYINC ?= /usr/include/$(PYLIBVER) -+STDINC ?= /usr/include - AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} - SWIG_FLAGS = -python - SWIG_INCLUDES = -I. 
-I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} -@@ -35,7 +36,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi - _audit_la_LIBADD = $(top_builddir)/lib/libaudit.la - nodist__audit_la_SOURCES = audit_wrap.c - audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i -- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i -+ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i - - CLEANFILES = audit.py* audit_wrap.c *~ - -diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 9364ac4..48667d4 100644 ---- a/bindings/swig/src/auditswig.i -+++ b/bindings/swig/src/auditswig.i -@@ -39,8 +39,8 @@ signed - #define __attribute(X) /*nothing*/ - typedef unsigned __u32; - typedef unsigned uid_t; --%include "/usr/include/linux/audit.h" -+%include "linux/audit.h" - #define __extension__ /*nothing*/ --%include "/usr/include/stdint.h" -+%include "stdint.h" - %include "../lib/libaudit.h" - --- -1.8.4.2 - diff --git a/recipes-security/audit/audit_2.8.4.bb b/recipes-security/audit/audit_2.8.4.bb deleted file mode 100644 index 594786a..0000000 --- a/recipes-security/audit/audit_2.8.4.bb +++ /dev/null 
@@ -1,106 +0,0 @@ -SUMMARY = "User space tools for kernel auditing" -DESCRIPTION = "The audit package contains the user space utilities for \ -storing and searching the audit records generated by the audit subsystem \ -in the Linux kernel." -HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \ - file://audit-python-configure.patch \ - file://audit-python.patch \ - file://fix-swig-host-contamination.patch \ - file://0001-Remove-strdupa-as-suggested-in-pull-request-25.patch \ - file://0002-Add-substitue-functions-for-strndupa-rawmemchr.patch \ - file://auditd \ - file://auditd.service \ - file://audit-volatile.conf \ -" -SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779" -SRC_URI[sha256sum] = "a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38" - -inherit autotools pythonnative update-rc.d systemd - -UPDATERCPN = "auditd" -INITSCRIPT_NAME = "auditd" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_PACKAGES = "auditd" -SYSTEMD_SERVICE_auditd = "auditd.service" - -DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) swig-native" - -EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ - --without-python3 \ - --disable-zos-remote \ - " -EXTRA_OECONF_append_arm = " --with-arm=yes" -EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" - -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ - pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ - STDINC='${STAGING_INCDIR}' \ - pkgconfigdir=${libdir}/pkgconfig \ - " - -SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" -DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for 
the real-time \ -interface to the audit system, audispd. These plugins can do things \ -like relay events to remote machines or analyze events for suspicious \ -behavior." - -PACKAGES =+ "audispd-plugins" -PACKAGES += "auditd ${PN}-python" - -FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" -FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" -FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ - ${sysconfdir}/audisp/plugins.d/au-remote.conf \ - ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ - " -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" -RDEPENDS_auditd += "bash" - -do_install_append() { - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la - - # reuse auditd config - [ ! 
-e ${D}/etc/default ] && mkdir ${D}/etc/default - mv ${D}/etc/sysconfig/auditd ${D}/etc/default - rmdir ${D}/etc/sysconfig/ - - # replace init.d - install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd - rm -rf ${D}/etc/rc.d - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - fi - - # install systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system - - # audit-2.5 doesn't install any rules by default, so we do that here - mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d - cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules - - chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d - chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules - - # Based on the audit.spec "Copy default rules into place on new installation" - cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules -} diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb index a4cf1b8..148c8a2 100644 --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb @@ -6,9 +6,9 @@ PACKAGES = "\ ${PN} \ " -ALLOW_EMPTY_${PN} = "1" +ALLOW_EMPTY:${PN} = "1" -RDEPENDS_${PN} = " \ +RDEPENDS:${PN} = " \ libsepol \ libsepol-bin \ libselinux \ @@ -24,4 +24,5 @@ RDEPENDS_${PN} = " \ selinux-labeldev \ refpolicy \ coreutils \ + auditd \ " diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb index e198e84..0f9abae 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb 
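Review bot: The `auditd` entry added to `RDEPENDS:${PN}` in the last hunk of packagegroup-core-selinux.bb has no provider left inside this layer, because the same commit deletes recipes-security/audit/audit_2.8.4.bb, the recipe whose `PACKAGES += "auditd ${PN}-python"` split the daemon out as a package named `auditd`. The dependency presumably expects an audit recipe from another layer, so that layer should be declared in this layer's conf/layer.conf LAYERDEPENDS (not in this chunk) and its packaging confirmed to still produce a package called `auditd` rather than only `audit`; otherwise the problem only surfaces as an unresolved runtime dependency when an image is built. A comment above the new line would record that expectation, e.g. `# auditd is provided by a recipe outside this layer; see conf/layer.conf`. packagegroup-selinux-minimal.bb does not receive the same dependency, which looks intentional for a minimal set but is worth confirming, since the layer's own auditd init script and systemd unit are removed in this commit as well.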
@@ -6,9 +6,9 @@ PACKAGES = "\ ${PN} \ " -ALLOW_EMPTY_${PN} = "1" +ALLOW_EMPTY:${PN} = "1" -RDEPENDS_${PN} = "\ +RDEPENDS:${PN} = "\ coreutils \ libsepol \ libselinux \ diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb index 2263592..7fd5d1c 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb @@ -6,9 +6,9 @@ PACKAGES = "\ ${PN} \ " -ALLOW_EMPTY_${PN} = "1" +ALLOW_EMPTY:${PN} = "1" -RDEPENDS_${PN} = "\ +RDEPENDS:${PN} = "\ policycoreutils-fixfiles \ policycoreutils-genhomedircon \ policycoreutils-loadpolicy \ diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch deleted file mode 100644 index 2692ffa..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 49dd08e69938debc792ac9c3ac3e81a38929d11f Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 28 Mar 2019 16:14:09 -0400 -Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths - -Ensure /var/volatile paths get the appropriate base file context. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - config/file_contexts.subs_dist | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 346d920e..be532d7f 100644 ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -31,3 +31,13 @@ - # not for refpolicy intern, but for /var/run using applications, - # like systemd tmpfiles or systemd socket configurations - /var/run /run -+ -+# volatile aliases -+# ensure the policy applied to the base filesystem objects are reflected in the -+# volatile hierarchy. -+/var/volatile/log /var/log -+/var/volatile/run /var/run -+/var/volatile/cache /var/cache -+/var/volatile/tmp /var/tmp -+/var/volatile/lock /var/lock -+/var/volatile/run/lock /var/lock --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch deleted file mode 100644 index f92ddb8..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:51:44 +0530 -Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related - allow rules - -add allow rules for audit.log file & resolve dependent avc denials. - -without this change we are getting audit avc denials mixed into bootlog & -audit other avc denials. - -audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" -name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 -audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" -path="/run/systemd/journal/dev-log" scontext=sy0 -audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" -path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 -audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ -volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t -:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/getty.te | 3 +++ - policy/modules/system/logging.te | 8 ++++++++ - 2 files changed, 11 insertions(+) - -diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index 6d3c4284..423db0cc 100644 ---- a/policy/modules/system/getty.te -+++ b/policy/modules/system/getty.te -@@ -129,3 +129,6 @@ optional_policy(` - optional_policy(` - udev_read_db(getty_t) - ') -+ -+allow getty_t tmpfs_t:dir search; -+allow getty_t tmpfs_t:file { open write lock }; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 63e92a8e..8ab46925 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket 
create_stream_socket_perms; - allow audisp_t self:unix_dgram_socket create_socket_perms; - - allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; -+allow audisp_t initrc_t:unix_dgram_socket sendto; - - manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) - files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) -@@ -620,3 +621,10 @@ optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) - ') -+ -+ -+allow auditd_t tmpfs_t:file { getattr setattr create open read append }; -+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; -+allow auditd_t initrc_t:unix_dgram_socket sendto; -+ -+allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch deleted file mode 100644 index a963751..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From c02445a1073ca6fcb42c771c233ab8aa822cbdda Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 28 Mar 2019 20:48:10 -0400 -Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr - -The objects in /usr/lib/busybox/* should have the same policy applied as -the corresponding objects in the / hierarchy. - -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - config/file_contexts.subs_dist | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index be532d7f..04fca3c3 100644 ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -41,3 +41,10 @@ - /var/volatile/tmp /var/tmp - /var/volatile/lock /var/lock - /var/volatile/run/lock /var/lock -+ -+# busybox aliases -+# quickly match up the busybox built-in tree to the base filesystem tree -+/usr/lib/busybox/bin /bin -+/usr/lib/busybox/sbin /sbin -+/usr/lib/busybox/usr /usr -+ --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch deleted file mode 100644 index 37423ec..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From d8fe68150ae85657b2091bc193b11bd77f7b1f31 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:46 +0530 -Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type - local_login_t - -add allow rules for locallogin module avc denials. - -without this change we are getting errors like these: - -type=AVC msg=audit(): avc: denied { read write open } for pid=353 -comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext -=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: -var_log_t:s0 tclass=file permissive=1 - -type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" -path="/run/systemd/journal/dev-log" scontext=system_u:system_r: -local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 -tclass=unix_dgram_socket permissive=1 - -type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= -"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r -:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass -=file permissive=1 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/locallogin.te | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 4c679ff3..75750e4c 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -288,3 +288,13 @@ optional_policy(` - optional_policy(` - nscd_use(sulogin_t) - ') -+ -+allow local_login_t initrc_t:fd use; -+allow local_login_t initrc_t:unix_dgram_socket sendto; -+allow local_login_t initrc_t:unix_stream_socket connectto; -+allow local_login_t self:capability net_admin; -+allow local_login_t var_log_t:file { create lock open read write }; -+allow local_login_t 
var_run_t:file { open read write lock}; -+allow local_login_t var_run_t:sock_file write; -+allow local_login_t tmpfs_t:dir { add_name write search}; -+allow local_login_t tmpfs_t:file { create open read write lock }; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch deleted file mode 100644 index ad94252..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From fdbd4461bbd6ce8a7f2b2702f7801ed07c41d5a9 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:39:41 +0800 -Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink - -/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow -rule for syslogd_t to read syslog_conf_t lnk_file is needed. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.fc | 3 +++ - policy/modules/system/logging.te | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 6693d87b..0cf108e0 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -2,6 +2,7 @@ - - /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) -+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/audit(/.*)? 
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) - /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) -@@ -32,10 +33,12 @@ - /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) - /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) - /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index adc628f8..07ed546d 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - - allow syslogd_t syslog_conf_t:file read_file_perms; -+allow syslogd_t syslog_conf_t:lnk_file read_file_perms; - allow syslogd_t syslog_conf_t:dir list_dir_perms; - - # Create and bind to /dev/log or /var/run/log. --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch deleted file mode 100644 index ed470e4..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 53aaf2acb8bc3fb115e5d5327f6e7a994cfbf0bd Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:51:32 +0530 -Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd - services allow rules - -systemd allow rules for systemd service file operations: start, stop, restart -& allow rule for unconfined systemd service. - -without this change we are getting these errors: -:~# systemctl status selinux-init.service -Failed to get properties: Access denied - -:~# systemctl stop selinux-init.service -Failed to stop selinux-init.service: Access denied - -:~# systemctl restart selinux-init.service -audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= -system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 -gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl -restart selinux-init.service" scontext=unconfined_u:unconfined_r: -unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 4 +++ - policy/modules/system/libraries.te | 3 +++ - policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++ - policy/modules/system/unconfined.te | 6 +++++ - 4 files changed, 52 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8352428a..15745c83 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1425,3 +1425,7 @@ optional_policy(` - allow kernel_t init_t:process dyntransition; - allow devpts_t device_t:filesystem associate; - allow init_t self:capability2 block_suspend; -+allow init_t self:capability2 audit_read; -+ -+allow initrc_t init_t:system { start status }; -+allow initrc_t init_var_run_t:service { start status }; -diff --git 
a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 422b0ea1..80b0c9a5 100644 ---- a/policy/modules/system/libraries.te -+++ b/policy/modules/system/libraries.te -@@ -145,3 +145,6 @@ optional_policy(` - optional_policy(` - unconfined_domain(ldconfig_t) - ') -+ -+# systemd: init domain to start lib domain service -+systemd_service_lib_function(lib_t) -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 8d2bb8da..8fc61843 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -887,3 +887,42 @@ interface(`systemd_getattr_updated_runtime',` - - getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) - ') -+ -+######################################## -+## <summary> -+## Allow specified domain to start stop reset systemd service -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain to not audit. -+## </summary> -+## </param> -+# -+interface(`systemd_service_file_operations',` -+ gen_require(` -+ class service { start status stop }; -+ ') -+ -+ allow $1 lib_t:service { start status stop }; -+ -+') -+ -+ -+######################################## -+## <summary> -+## Allow init domain to start lib domain service -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain to not audit. 
-+## </summary> -+## </param> -+# -+interface(`systemd_service_lib_function',` -+ gen_require(` -+ class service start; -+ ') -+ -+ allow initrc_t $1:service start; -+ -+') -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 12cc0d7c..c09e94a5 100644 ---- a/policy/modules/system/unconfined.te -+++ b/policy/modules/system/unconfined.te -@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) - optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) - ') -+ -+ -+# systemd: specified domain to start stop reset systemd service -+systemd_service_file_operations(unconfined_t) -+ -+allow unconfined_t init_t:system reload; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch deleted file mode 100644 index 98b6156..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:37 +0530 -Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin: - add allow rules - -add allow rules for avc denails for systemd, mount, logging & authlogin -modules. - -without this change we are getting avc denial like these: - -type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- -tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: -systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= -unix_dgram_socket permissive=0 - -type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- -tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: -system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= -file permissive=0 - -type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" -path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: -mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket - -type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 -comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 -tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/authlogin.te | 2 ++ - policy/modules/system/logging.te | 7 ++++++- - policy/modules/system/mount.te | 3 +++ - policy/modules/system/systemd.te | 5 +++++ - 4 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 345e07f3..39f860e0 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -472,3 +472,5 @@ optional_policy(` - 
samba_read_var_files(nsswitch_domain) - samba_dontaudit_write_var_files(nsswitch_domain) - ') -+ -+allow chkpwd_t proc_t:filesystem getattr; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 8ab46925..520f7da6 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; - allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; - allow auditd_t initrc_t:unix_dgram_socket sendto; - --allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file -+allow klogd_t initrc_t:unix_dgram_socket sendto; -+ -+allow syslogd_t self:shm create; -+allow syslogd_t self:sem { create read unix_write write }; -+allow syslogd_t self:shm { read unix_read unix_write write }; -+allow syslogd_t tmpfs_t:file { read write }; -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 3dcb8493..a87d0e82 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -231,3 +231,6 @@ optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) - ') -+ -+allow mount_t proc_t:filesystem getattr; -+allow mount_t initrc_t:udp_socket { read write }; -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index a6f09dfd..68b80de3 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; - allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; - allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; - -+allow systemd_tmpfiles_t init_t:dir search; -+allow systemd_tmpfiles_t proc_t:filesystem getattr; -+allow systemd_tmpfiles_t init_t:file read; -+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; -+ - 
kernel_getattr_proc(systemd_tmpfiles_t) - kernel_read_kernel_sysctls(systemd_tmpfiles_t) - kernel_read_network_state(systemd_tmpfiles_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch deleted file mode 100644 index 7d7908f..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch +++ /dev/null @@ -1,37 +0,0 @@ -From bf8da1fd057ce11e8ce6e445ccd532fde11868a6 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:53 +0530 -Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init - manager. - -add allow rule to fix avc denial during system reboot. - -without this change we are getting: - -audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj= -system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0 -gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r: -initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 15745c83..d6a0270a 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate; - allow init_t self:capability2 block_suspend; - allow init_t self:capability2 audit_read; - --allow initrc_t init_t:system { start status }; -+allow initrc_t init_t:system { start status reboot }; - allow initrc_t init_var_run_t:service { start status }; --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch deleted file mode 100644 index f318c23..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 8614bc85ab13b72f7f83892ffd227c73b3df42bc Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 4 Apr 2019 10:45:03 -0400 -Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> - -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/sysnetwork.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 1e5432a4..ac7c2dd1 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -22,6 +22,7 @@ ifdef(`distro_debian',` - /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch deleted file mode 100644 index 4f7d916..0000000 
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch +++ /dev/null 
@@ -1,92 +0,0 @@
-From 853b6611e50369b386a77d5bd8a28eeb9ef4cb9b Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 3 Apr 2019 14:51:29 -0400
-Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required
- refpolicy booleans
-
-enable required refpolicy booleans for these modules
-
-i. mount: allow_mount_anyfile
-without enabling this boolean we are getting below avc denial
-
-audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
-/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
-tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
-
-This avc can be allowed using the boolean 'allow_mount_anyfile'
-allow mount_t initrc_var_run_t:dir mounton;
-
-ii. systemd : systemd_tmpfiles_manage_all
-without enabling this boolean we are not getting access to mount systemd
-essential tmpfs during bootup, also not getting access to create audit.log
-
-audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
-"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
-_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
-
- ls /var/log
- /var/log -> volatile/log
-:~#
-
-The old refpolicy included a pre-generated booleans.conf that could be
-patched. That's no longer the case so we're left with a few options,
-tweak the default directly or create a template booleans.conf file which
-will be updated during build time. Since this is intended to be applied
-only for specific configuraitons it seems like the same either way and
-this avoids us playing games to work around .gitignore.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/booleans.conf | 9 +++++++++
- policy/modules/system/mount.te | 2 +-
- policy/modules/system/systemd.te | 2 +-
- 3 files changed, 11 insertions(+), 2 deletions(-)
- create mode 100644 policy/booleans.conf
-
-diff --git a/policy/booleans.conf b/policy/booleans.conf
-new file mode 100644
-index 00000000..850f56ed
---- /dev/null
-+++ b/policy/booleans.conf
-@@ -0,0 +1,9 @@
-+#
-+# Allow the mount command to mount any directory or file.
-+#
-+allow_mount_anyfile = true
-+
-+#
-+# Enable support for systemd-tmpfiles to manage all non-security files.
-+#
-+systemd_tmpfiles_manage_all = true
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index a87d0e82..868052b7 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0)
- ## Allow the mount command to mount any directory or file.
- ## </p>
- ## </desc>
--gen_tunable(allow_mount_anyfile, false)
-+gen_tunable(allow_mount_anyfile, true)
-
- attribute_role mount_roles;
- roleattribute system_r mount_roles;
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 68b80de3..a1ef6990 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.0)
- ## Enable support for systemd-tmpfiles to manage all non-security files.
- ## </p>
- ## </desc>
--gen_tunable(systemd_tmpfiles_manage_all, false)
-+gen_tunable(systemd_tmpfiles_manage_all, true)
-
- ## <desc>
- ## <p>
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
deleted file mode 100644
index 27cbc9f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 34630eecb211199c60c9b01fd77f0ede6e182712 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:09 +0530
-Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
- service
-
-1. fix for systemd services: login & journal wile using refpolicy-minimum and
-systemd as init manager.
-2. fix login duration after providing root password.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/
-systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
-local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
-tclass=fifo_file permissive=0
-
-audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path
-="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
-
-audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
-system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path
-="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
-lib_t:s0 tclass=service
-
-[FAILED] Failed to start Flush Journal to Persistent Storage.
-See 'systemctl status systemd-journal-flush.service' for details.
-
-[FAILED] Failed to start Login Service.
-See 'systemctl status systemd-logind.service' for details.
-
-[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
-See 'systemctl status avahi-daemon.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/init.te | 2 ++
- policy/modules/system/locallogin.te | 3 +++
- policy/modules/system/systemd.if | 6 ++++--
- policy/modules/system/systemd.te | 2 +-
- 4 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index d6a0270a..035c7ad2 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
-
- allow initrc_t init_t:system { start status reboot };
- allow initrc_t init_var_run_t:service { start status };
-+
-+allow initrc_t init_var_run_t:service stop;
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 75750e4c..2c2cfc7d 100644
---- a/policy/modules/system/locallogin.te
-+++ b/policy/modules/system/locallogin.te
-@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
- allow local_login_t var_run_t:sock_file write;
- allow local_login_t tmpfs_t:dir { add_name write search};
- allow local_login_t tmpfs_t:file { create open read write lock };
-+allow local_login_t init_var_run_t:fifo_file write;
-+allow local_login_t initrc_t:dbus send_msg;
-+allow initrc_t local_login_t:dbus send_msg;
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 8fc61843..1166505f 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -920,9 +920,11 @@ interface(`systemd_service_file_operations',`
- #
- interface(`systemd_service_lib_function',`
- gen_require(`
-- class service start;
-+ class service { start status stop };
-+ class file { execmod open };
- ')
-
-- allow initrc_t $1:service start;
-+ allow initrc_t $1:service { start status stop };
-+ allow initrc_t $1:file execmod;
-
- ')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a1ef6990..a62c3c38 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -995,7 +995,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
-
- allow systemd_tmpfiles_t init_t:dir search;
- allow systemd_tmpfiles_t proc_t:filesystem getattr;
--allow systemd_tmpfiles_t init_t:file read;
-+allow systemd_tmpfiles_t init_t:file { open getattr read };
- allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
-
- kernel_getattr_proc(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
deleted file mode 100644
index 7a9f3f2..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0008-fc-bind-fix-real-path-for-bind.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 878b005462f7b2208427af60ed6b670dca697b6c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH 08/34] fc/bind: fix real path for bind
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index b4879dc1..59498e25 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
deleted file mode 100644
index efe81a4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:17 +0530
-Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
- services
-
-fix for systemd tmp files setup service while using refpolicy-minimum and
-systemd as init manager.
-
-these allow rules require kernel domain & files access, so added interfaces
-at systemd.te to merge these allow rules.
-
-without these changes we are getting avc denails like these and below
-systemd services failure:
-
-audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
-path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
-_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
-
-audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
-name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
-systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
-tclass=dir permissive=0
-
-[FAILED] Failed to start Create Static Device Nodes in /dev.
-See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
-
-[FAILED] Failed to start Create Volatile Files and Directories.
-See 'systemctl status systemd-tmpfiles-setup.service' for details.
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/files.if | 19 +++++++++++++++++++
- policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
- policy/modules/system/systemd.te | 2 ++
- 3 files changed, 42 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index eb067ad3..ff74f55a 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel tmp files domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
-+ gen_require(`
-+ type tmp_t;
-+ class lnk_file getattr;
-+ ')
-+
-+ allow $1 tmp_t:lnk_file getattr;
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 1ad282aa..342eb033 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
- allow $1 unlabeled_t:infiniband_endport manage_subnet;
- ')
-
-+########################################
-+## <summary>
-+## systemd tmp files access to kernel sysctl domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
-+ gen_require(`
-+ type sysctl_kernel_t;
-+ class dir search;
-+ class file { open read };
-+ ')
-+
-+ allow $1 sysctl_kernel_t:dir search;
-+ allow $1 sysctl_kernel_t:file { open read };
-+
-+')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a62c3c38..9b696823 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
-
- kernel_read_system_state(systemd_update_done_t)
-
-+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
-+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
deleted file mode 100644
index 6039f49..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0009-fc-hwclock-add-hwclock-alternatives.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From d21287d2c0b63e19e1004f098a1934b6b02a0c05 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:59:18 -0400
-Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/clock.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index 30196589..e0dc4b6f 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,7 @@
-
- /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
--/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
deleted file mode 100644
index f67221a..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 57d554187619e32ecf925ecb015a60f1fca26fb8 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:29 +0530
-Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
-
-syslog & getty related allow rules required to fix the syslog mixup with
-boot log, while using systemd as init manager.
-
-without this change we are getting these avc denials:
-
-audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
-dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
-"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
-object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
-"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
-:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
-/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
-system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
-
-audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
-scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
-s0 tclass=file permissive=0
-
-audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
-dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
-volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
-syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/getty.te | 1 +
- policy/modules/system/logging.te | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 423db0cc..9ab03956 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -132,3 +132,4 @@ optional_policy(`
-
- allow getty_t tmpfs_t:dir search;
- allow getty_t tmpfs_t:file { open write lock };
-+allow getty_t initrc_t:unix_dgram_socket sendto;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 520f7da6..4e02dab8 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
- allow syslogd_t self:shm create;
- allow syslogd_t self:sem { create read unix_write write };
- allow syslogd_t self:shm { read unix_read unix_write write };
--allow syslogd_t tmpfs_t:file { read write };
-+allow syslogd_t tmpfs_t:file { read write create getattr append open };
-+allow syslogd_t tmpfs_t:dir { search write add_name };
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
deleted file mode 100644
index dc715c4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 0ee40e0a68645e23f59842929629a94ebe9873b4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 08:26:55 -0400
-Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/admin/dmesg.fc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index e52fdfcf..85d15127 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,3 @@
--/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 495b82f..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e38e269b172ec75dcd218cfeac64271fbb3d17db Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 009d821a..cc438609 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index 6ffabe4..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8d730316e752601949346c9ebd4aff8a3cb2b1bf Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/admin/rpm.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 578d465c..f2b8003a 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
--/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
-+
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
deleted file mode 100644
index b253f84..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0036dfb42db831e2dd6c6dc71c093e983a30dbd6 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of
- /var/log
-
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw... in /var/log/ directory.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 6 ++++++
- policy/modules/system/logging.te | 2 ++
- 3 files changed, 9 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 0cf108e0..5bec7e99 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
- /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
- /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 16091eb6..e83cb5b5 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -948,10 +948,12 @@ interface(`logging_append_all_inherited_logs',`
- interface(`logging_read_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, logfile, logfile)
- ')
-
-@@ -970,10 +972,12 @@ interface(`logging_read_all_logs',`
- interface(`logging_exec_all_logs',`
- gen_require(`
- attribute logfile;
-+ type var_log_t;
- ')
-
- files_search_var($1)
- allow $1 logfile:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- can_exec($1, logfile)
- ')
-
-@@ -1075,6 +1079,7 @@ interface(`logging_read_generic_logs',`
-
- files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, var_log_t, var_log_t)
- ')
-
-@@ -1176,6 +1181,7 @@ interface(`logging_manage_generic_logs',`
-
- files_search_var($1)
- manage_files_pattern($1, var_log_t, var_log_t)
-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index a7b69932..fa5664b0 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
- allow audisp_remote_t self:process { getcap setcap };
- allow audisp_remote_t self:tcp_socket create_socket_perms;
- allow audisp_remote_t var_log_t:dir search_dir_perms;
-+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
- manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
deleted file mode 100644
index 588c5c6..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 51e282aa2730e4c6e038d42a84a561c080f41187 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 10:33:18 -0400
-Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of
- /var/log
-
-We have added rules for the symlink of /var/log in logging.if, while
-syslogd_t uses /var/log but does not use the interfaces in logging.if. So
-still need add a individual rule for syslogd_t.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index fa5664b0..63e92a8e 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -417,6 +417,7 @@ files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
-
- # for systemd but can not be conditional
- files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
deleted file mode 100644
index 3d55476..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 11:20:00 +0800
-Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
- symlinks in /var/
-
-Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
-/var for poky, so we need allow rules for all domains to read these
-symlinks. Domains still need their practical allow rules to read the
-contents, so this is still a secure relax.
-
-Upstream-Status: Inappropriate [only for Poky]
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/kernel/domain.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 1a55e3d2..babb794f 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
- # list the root directory
- files_list_root(domain)
-
-+# Yocto/oe-core use some var volatile links
-+files_read_var_symlinks(domain)
-+
- ifdef(`hide_broken_symptoms',`
- # This check is in the general socket
- # listen code, before protocol-specific
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
deleted file mode 100644
index 3281ae8..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From 2512a367f4c16d4af6dd90d5f93f223466595d86 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t - to complete pty devices. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/terminal.if | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 61308843..a84787e6 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` - interface(`term_dontaudit_getattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file getattr; -+ dontaudit $1 bsdpty_device_t:chr_file getattr; - ') - ######################################## - ## <summary> -@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` - interface(`term_ioctl_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 devpts_t:chr_file ioctl; -+ allow $1 bsdpty_device_t:chr_file ioctl; - ') - - ######################################## -@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` - interface(`term_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - allow $1 devpts_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` - interface(`term_dontaudit_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file setattr; -+ dontaudit $1 bsdpty_device_t:chr_file setattr; - ') 
- - ######################################## -@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` - interface(`term_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ######################################## -@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` - interface(`term_dontaudit_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; -+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; - ') - - ####################################### -@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',` - interface(`term_setattr_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',` - interface(`term_use_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ####################################### --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index 0188fa9..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 85d5fc695ae69956715b502a8f1d95e9070dfbcc Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/rpc.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 47fa2fd0..d4209231 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) - kernel_setsched(nfsd_t) - kernel_request_load_module(nfsd_t) --# kernel_mounton_proc(nfsd_t) -+kernel_mounton_proc(nfsd_t) - - corenet_sendrecv_nfs_server_packets(nfsd_t) - corenet_tcp_bind_nfs_port(nfsd_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch deleted file mode 100644 index b4befdd..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount - nfsd_fs_t. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 2 ++ - policy/modules/services/rpc.te | 5 +++++ - policy/modules/services/rpcbind.te | 5 +++++ - 4 files changed, 13 insertions(+) - -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 1db0c652..bf1c0173 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - - type nfsd_fs_t; - fs_type(nfsd_fs_t) -+files_mountpoint(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - - type nsfs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index e971c533..ad7c823a 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index d4209231..a2327b44 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` - - optional_policy(` - mount_exec(nfsd_t) -+ # Should domtrans to mount_t while mounting nfsd_fs_t. -+ mount_domtrans(nfsd_t) -+ # nfsd_t need to chdir to /var/lib/nfs and read files. 
-+ files_list_var(nfsd_t) -+ rpc_read_nfs_state_data(nfsd_t) - ') - - ######################################## -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 5914af99..2055c114 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. -+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index 94b7dd3..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri, 29 Mar 2019 11:16:37 -0400 -Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys - -SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should -add rules to access sysfs. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/selinux.if | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6790e5d0..2c95db81 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) -+ - allow $1 security_t:filesystem mount; - ') - -@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) -+ - allow $1 security_t:filesystem remount; - ') - -@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',` - ') - - allow $1 security_t:filesystem unmount; -+ -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) - ') - - ######################################## -@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',` - ') - - dontaudit $1 security_t:dir getattr; -+ dev_dontaudit_getattr_sysfs($1) -+ dev_dontaudit_search_sysfs($1) - ') - - ######################################## -@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - ') - -@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - -+ dev_dontaudit_getattr_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - 
') -@@ -361,6 +374,7 @@ interface(`selinux_read_policy',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; -@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; -@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; -@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; -@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 self:netlink_selinux_socket create_socket_perms; - allow $1 security_t:dir list_dir_perms; -@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch deleted file mode 100644 index c20dd5f..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From fbb7431a4288c7dd2739bc3adfa521d427e6375a Mon Sep 17 00:00:00 2001 -From: Roy Li <rongqing.li@windriver.com> -Date: Sat, 15 Feb 2014 09:45:00 +0800 -Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo - -Upstream-Status: Pending - -type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket -type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/roles/sysadm.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e411d4fd..f326d1d7 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -939,6 +939,7 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_stream_connect(sysadm_t) - rpcbind_admin(sysadm_t, sysadm_r) - ') - --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch deleted file mode 100644 index e0208aa..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 8a3c685c1f868f04cb4a7953d14443527b920310 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage - config files - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.if | 1 + - policy/modules/system/userdomain.if | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 20024993..0fdc8c10 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -674,6 +674,7 @@ interface(`seutil_manage_config',` - ') - - files_search_etc($1) -+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) - ') -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 5221bd13..4cf987d1 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',` - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) -+ seutil_manage_default_contexts($1) -+ seutil_manage_file_contexts($1) -+ seutil_manage_module_store($1) -+ seutil_manage_config($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch deleted file mode 100644 index e62c81e..0000000 
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 524f823bb07e0eb763683b72f18999ef29ae43c9 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri, 29 Mar 2019 11:30:27 -0400 -Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get - file count - -New setfiles will read /proc/mounts and use statvfs in -file_system_count() to get file count of filesystems. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index db6bb368..98fed2d0 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t) - files_read_usr_symlinks(setfiles_t) - files_dontaudit_read_all_symlinks(setfiles_t) - -+fs_getattr_all_fs(setfiles_t) - fs_getattr_all_xattr_fs(setfiles_t) - fs_getattr_cgroup(setfiles_t) - fs_getattr_nfs(setfiles_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch deleted file mode 100644 index 88c94c5..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 78210f371391ccfad1d18b89a91ffb5a83f451e0 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 16:36:09 +0800 -Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as - default input - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/admin/dmesg.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if -index e1973c78..739a4bc5 100644 ---- a/policy/modules/admin/dmesg.if -+++ b/policy/modules/admin/dmesg.if -@@ -37,4 +37,5 @@ interface(`dmesg_exec',` - - corecmd_search_bin($1) - can_exec($1, dmesg_exec_t) -+ dev_read_kmsg($1) - ') --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch deleted file mode 100644 index d002830..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From a406bcd2838772573e2cdde1a408ea52a60adc87 Mon Sep 17 00:00:00 2001 -From: Roy Li <rongqing.li@windriver.com> -Date: Mon, 10 Feb 2014 18:10:12 +0800 -Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to - mls_file_write_all_levels - -Proftpd will create file under /var/run, but its mls is in high, and -can not write to lowlevel - -Upstream-Status: Pending - -type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir -type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir -type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) - -root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name - allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; -root@localhost:~# - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/ftp.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 29bc077c..d582cf80 100644 ---- a/policy/modules/services/ftp.te -+++ b/policy/modules/services/ftp.te -@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t; - type ftpdctl_tmp_t; - files_tmp_file(ftpdctl_tmp_t) - -+mls_file_write_all_levels(ftpd_t) -+ - type sftpd_t; - domain_type(sftpd_t) - role system_r types sftpd_t; --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch deleted file mode 100644 index 37d180c..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0032-policy-module-init-update-for-systemd-related-allow-.patch +++ /dev/null @@ -1,32 +0,0 @@ -From dfbda15401f92e5d1b9b55c7ba24a543deea18e8 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 12 Jun 2015 19:37:52 +0530 -Subject: [PATCH 32/34] policy/module/init: update for systemd related allow - rules - -It provide, the systemd support related allow rules - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index eabba1ed..5da25cd6 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1418,3 +1418,8 @@ optional_policy(` - userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) - userdom_dontaudit_write_user_tmp_files(systemprocess) - ') -+ -+# systemd related allow rules -+allow kernel_t init_t:process dyntransition; -+allow devpts_t device_t:filesystem associate; -+allow init_t self:capability2 block_suspend; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch deleted file mode 100644 index 644c2cd..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0033-refpolicy-minimum-make-sysadmin-module-optional.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 937924e34c516c4a18d183084958b2612439ba52 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri, 5 Apr 2019 11:53:28 -0400 -Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional - -init and locallogin modules have a depend for sysadm module because -they have called sysadm interfaces(sysadm_shell_domtrans). Since -sysadm is not a core module, we could make the sysadm_shell_domtrans -calls optionally by optional_policy. - -So, we could make the minimum policy without sysadm module. - -Upstream-Status: pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 16 +++++++++------- - policy/modules/system/locallogin.te | 4 +++- - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5da25cd6..8352428a 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -446,13 +446,15 @@ ifdef(`init_systemd',` - modutils_domtrans(init_t) - ') - ',` -- tunable_policy(`init_upstart',` -- corecmd_shell_domtrans(init_t, initrc_t) -- ',` -- # Run the shell in the sysadm role for single-user mode. -- # causes problems with upstart -- ifndef(`distro_debian',` -- sysadm_shell_domtrans(init_t) -+ optional_policy(` -+ tunable_policy(`init_upstart',` -+ corecmd_shell_domtrans(init_t, initrc_t) -+ ',` -+ # Run the shell in the sysadm role for single-user mode. 
-+ # causes problems with upstart -+ ifndef(`distro_debian',` -+ sysadm_shell_domtrans(init_t) -+ ') - ') - ') - ') -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a56f3d1f..4c679ff3 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) - userdom_search_user_home_dirs(sulogin_t) - userdom_use_user_ptys(sulogin_t) - --sysadm_shell_domtrans(sulogin_t) -+optional_policy(` -+ sysadm_shell_domtrans(sulogin_t) -+') - - # by default, sulogin does not use pam... - # sulogin_pam might need to be defined otherwise --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch deleted file mode 100644 index c374384..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From bbad13d008ab4df827ac2ba8dfc6dd3e430f6dd6 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:36:44 +0800 -Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of - /var/log - apache2 - -We have added rules for the symlink of /var/log in logging.if, -while apache.te uses /var/log but does not use the interfaces in -logging.if. So still need add a individual rule for apache.te. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/apache.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 15c4ea53..596370b1 100644 ---- a/policy/modules/services/apache.te -+++ b/policy/modules/services/apache.te -@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) - logging_log_filetrans(httpd_t, httpd_log_t, file) - - allow httpd_t httpd_modules_t:dir list_dir_perms; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch deleted file mode 100644 index 98d98d4..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix update-alternatives for sysvinit - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/admin/shutdown.fc | 1 + - policy/modules/kernel/corecommands.fc | 1 + - policy/modules/system/init.fc | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc -index 03a2230c..2ba049ff 100644 ---- a/policy/modules/admin/shutdown.fc -+++ b/policy/modules/admin/shutdown.fc -@@ -5,5 +5,6 @@ - /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index cf3848db..86920167 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',` - /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) - /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) - /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 11a6ce93..93e9d2b4 100644 ---- a/policy/modules/system/init.fc -+++ 
b/policy/modules/system/init.fc -@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` - # /usr - # - /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) -+/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch deleted file mode 100644 index 3cc5395..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:51:44 +0530 -Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related - allow rules - -add allow rules for audit.log file & resolve dependent avc denials. - -without this change we are getting audit avc denials mixed into bootlog & -audit other avc denials. - -audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" -name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 -audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" -path="/run/systemd/journal/dev-log" scontext=sy0 -audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" -path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 -audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ -volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t -:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/getty.te | 3 +++ - policy/modules/system/logging.te | 8 ++++++++ - 2 files changed, 11 insertions(+) - -diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index 6d3c4284..423db0cc 100644 ---- a/policy/modules/system/getty.te -+++ b/policy/modules/system/getty.te -@@ -129,3 +129,6 @@ optional_policy(` - optional_policy(` - udev_read_db(getty_t) - ') -+ -+allow getty_t tmpfs_t:dir search; -+allow getty_t tmpfs_t:file { open write lock }; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index e6221a02..4cc73327 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket 
create_stream_socket_perms; - allow audisp_t self:unix_dgram_socket create_socket_perms; - - allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; -+allow audisp_t initrc_t:unix_dgram_socket sendto; - - manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) - files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) -@@ -620,3 +621,10 @@ optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) - ') -+ -+ -+allow auditd_t tmpfs_t:file { getattr setattr create open read append }; -+allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; -+allow auditd_t initrc_t:unix_dgram_socket sendto; -+ -+allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch deleted file mode 100644 index e2c6c89..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:46 +0530 -Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type - local_login_t - -add allow rules for locallogin module avc denials. - -without this change we are getting errors like these: - -type=AVC msg=audit(): avc: denied { read write open } for pid=353 -comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext -=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: -var_log_t:s0 tclass=file permissive=1 - -type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" -path="/run/systemd/journal/dev-log" scontext=system_u:system_r: -local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 -tclass=unix_dgram_socket permissive=1 - -type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= -"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r -:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass -=file permissive=1 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/locallogin.te | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 4c679ff3..75750e4c 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -288,3 +288,13 @@ optional_policy(` - optional_policy(` - nscd_use(sulogin_t) - ') -+ -+allow local_login_t initrc_t:fd use; -+allow local_login_t initrc_t:unix_dgram_socket sendto; -+allow local_login_t initrc_t:unix_stream_socket connectto; -+allow local_login_t self:capability net_admin; -+allow local_login_t var_log_t:file { create lock open read write }; -+allow local_login_t 
var_run_t:file { open read write lock}; -+allow local_login_t var_run_t:sock_file write; -+allow local_login_t tmpfs_t:dir { add_name write search}; -+allow local_login_t tmpfs_t:file { create open read write lock }; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch deleted file mode 100644 index f194d6d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:39:41 +0800 -Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink - -/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow -rule for syslogd_t to read syslog_conf_t lnk_file is needed. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.fc | 3 +++ - policy/modules/system/logging.te | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 6693d87b..0cf108e0 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -2,6 +2,7 @@ - - /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) -+/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/audit(/.*)? 
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) - /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) -@@ -32,10 +33,12 @@ - /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) - /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) - /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -+/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) - /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -+/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 0c5be1cd..38ccfe3a 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - - allow syslogd_t syslog_conf_t:file read_file_perms; -+allow syslogd_t syslog_conf_t:lnk_file read_file_perms; - allow syslogd_t syslog_conf_t:dir list_dir_perms; - - # Create and bind to /dev/log or /var/run/log. --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch deleted file mode 100644 index 968a9be..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:51:32 +0530 -Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd - services allow rules - -systemd allow rules for systemd service file operations: start, stop, restart -& allow rule for unconfined systemd service. - -without this change we are getting these errors: -:~# systemctl status selinux-init.service -Failed to get properties: Access denied - -:~# systemctl stop selinux-init.service -Failed to stop selinux-init.service: Access denied - -:~# systemctl restart selinux-init.service -audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= -system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 -gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl -restart selinux-init.service" scontext=unconfined_u:unconfined_r: -unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 4 +++ - policy/modules/system/libraries.te | 3 +++ - policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++ - policy/modules/system/unconfined.te | 6 +++++ - 4 files changed, 52 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index d8696580..e15ec4b9 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1425,3 +1425,7 @@ optional_policy(` - allow kernel_t init_t:process dyntransition; - allow devpts_t device_t:filesystem associate; - allow init_t self:capability2 block_suspend; -+allow init_t self:capability2 audit_read; -+ -+allow initrc_t init_t:system { start status }; -+allow initrc_t init_var_run_t:service { start status }; -diff --git 
a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 422b0ea1..80b0c9a5 100644 ---- a/policy/modules/system/libraries.te -+++ b/policy/modules/system/libraries.te -@@ -145,3 +145,6 @@ optional_policy(` - optional_policy(` - unconfined_domain(ldconfig_t) - ') -+ -+# systemd: init domain to start lib domain service -+systemd_service_lib_function(lib_t) -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 6353ca69..4519a448 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',` - - getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) - ') -+ -+######################################## -+## <summary> -+## Allow specified domain to start stop reset systemd service -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain to not audit. -+## </summary> -+## </param> -+# -+interface(`systemd_service_file_operations',` -+ gen_require(` -+ class service { start status stop }; -+ ') -+ -+ allow $1 lib_t:service { start status stop }; -+ -+') -+ -+ -+######################################## -+## <summary> -+## Allow init domain to start lib domain service -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain to not audit. 
-+## </summary> -+## </param> -+# -+interface(`systemd_service_lib_function',` -+ gen_require(` -+ class service start; -+ ') -+ -+ allow initrc_t $1:service start; -+ -+') -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 12cc0d7c..c09e94a5 100644 ---- a/policy/modules/system/unconfined.te -+++ b/policy/modules/system/unconfined.te -@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) - optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) - ') -+ -+ -+# systemd: specified domain to start stop reset systemd service -+systemd_service_file_operations(unconfined_t) -+ -+allow unconfined_t init_t:system reload; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch deleted file mode 100644 index 36bfdcf..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname - alternatives - -Upstream-Status: Inappropriate [only for Yocto] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/hostname.fc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc -index 83ddeb57..653e038d 100644 ---- a/policy/modules/system/hostname.fc -+++ b/policy/modules/system/hostname.fc -@@ -1 +1,5 @@ -+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) -+/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0) -+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -+ - /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch deleted file mode 100644 index 06b9192..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:37 +0530 -Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin: - add allow rules - -add allow rules for avc denails for systemd, mount, logging & authlogin -modules. - -without this change we are getting avc denial like these: - -type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- -tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: -systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= -unix_dgram_socket permissive=0 - -type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- -tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: -system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= -file permissive=0 - -type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" -path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: -mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket - -type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 -comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 -tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/authlogin.te | 2 ++ - policy/modules/system/logging.te | 7 ++++++- - policy/modules/system/mount.te | 3 +++ - policy/modules/system/systemd.te | 5 +++++ - 4 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 28f74bac..dfa46612 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -479,3 +479,5 @@ optional_policy(` - 
samba_read_var_files(nsswitch_domain) - samba_dontaudit_write_var_files(nsswitch_domain) - ') -+ -+allow chkpwd_t proc_t:filesystem getattr; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 4cc73327..98c2bd19 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; - allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; - allow auditd_t initrc_t:unix_dgram_socket sendto; - --allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file -+allow klogd_t initrc_t:unix_dgram_socket sendto; -+ -+allow syslogd_t self:shm create; -+allow syslogd_t self:sem { create read unix_write write }; -+allow syslogd_t self:shm { read unix_read unix_write write }; -+allow syslogd_t tmpfs_t:file { read write }; -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 3dcb8493..a87d0e82 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -231,3 +231,6 @@ optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) - ') -+ -+allow mount_t proc_t:filesystem getattr; -+allow mount_t initrc_t:udp_socket { read write }; -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index f6455f6f..b13337b9 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; - allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; - allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; - -+allow systemd_tmpfiles_t init_t:dir search; -+allow systemd_tmpfiles_t proc_t:filesystem getattr; -+allow systemd_tmpfiles_t init_t:file read; -+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; -+ - 
kernel_getattr_proc(systemd_tmpfiles_t) - kernel_read_kernel_sysctls(systemd_tmpfiles_t) - kernel_read_network_state(systemd_tmpfiles_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch deleted file mode 100644 index 194a474..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 28 Mar 2019 21:37:32 -0400 -Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash - -We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply -the proper context to the target for our policy. - -Upstream-Status: Inappropriate [only for Yocto] - -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/corecommands.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index e7415cac..cf3848db 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` - /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch deleted file mode 100644 index aec54cd..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:53:53 +0530 -Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init - manager. - -add allow rule to fix avc denial during system reboot. - -without this change we are getting: - -audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj= -system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0 -gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r: -initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index e15ec4b9..843fdcff 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate; - allow init_t self:capability2 block_suspend; - allow init_t self:capability2 audit_read; - --allow initrc_t init_t:system { start status }; -+allow initrc_t init_t:system { start status reboot }; - allow initrc_t init_var_run_t:service { start status }; --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch deleted file mode 100644 index d098118..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 4 Apr 2019 10:45:03 -0400 -Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> - -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/sysnetwork.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 1e5432a4..ac7c2dd1 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -22,6 +22,7 @@ ifdef(`distro_debian',` - /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch deleted file mode 100644 index bf770d9..0000000 
--- a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Wed, 3 Apr 2019 14:51:29 -0400 -Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required - refpolicy booleans - -enable required refpolicy booleans for these modules - -i. mount: allow_mount_anyfile -without enabling this boolean we are getting below avc denial - -audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media -/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 -tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 - -This avc can be allowed using the boolean 'allow_mount_anyfile' -allow mount_t initrc_var_run_t:dir mounton; - -ii. systemd : systemd_tmpfiles_manage_all -without enabling this boolean we are not getting access to mount systemd -essential tmpfs during bootup, also not getting access to create audit.log - -audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= -"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles -_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 - - ls /var/log - /var/log -> volatile/log -:~# - -The old refpolicy included a pre-generated booleans.conf that could be -patched. That's no longer the case so we're left with a few options, -tweak the default directly or create a template booleans.conf file which -will be updated during build time. Since this is intended to be applied -only for specific configuraitons it seems like the same either way and -this avoids us playing games to work around .gitignore. 
- -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/booleans.conf | 9 +++++++++ - policy/modules/system/mount.te | 2 +- - policy/modules/system/systemd.te | 2 +- - 3 files changed, 11 insertions(+), 2 deletions(-) - create mode 100644 policy/booleans.conf - -diff --git a/policy/booleans.conf b/policy/booleans.conf -new file mode 100644 -index 00000000..850f56ed ---- /dev/null -+++ b/policy/booleans.conf -@@ -0,0 +1,9 @@ -+# -+# Allow the mount command to mount any directory or file. -+# -+allow_mount_anyfile = true -+ -+# -+# Enable support for systemd-tmpfiles to manage all non-security files. -+# -+systemd_tmpfiles_manage_all = true -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index a87d0e82..868052b7 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0) - ## Allow the mount command to mount any directory or file. - ## </p> - ## </desc> --gen_tunable(allow_mount_anyfile, false) -+gen_tunable(allow_mount_anyfile, true) - - attribute_role mount_roles; - roleattribute system_r mount_roles; -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index b13337b9..74f9c1cb 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5) - ## Enable support for systemd-tmpfiles to manage all non-security files. - ## </p> - ## </desc> --gen_tunable(systemd_tmpfiles_manage_all, false) -+gen_tunable(systemd_tmpfiles_manage_all, true) - - ## <desc> - ## <p> --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch deleted file mode 100644 index 824c136..0000000 
--- a/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Thu, 28 Mar 2019 21:43:53 -0400 -Subject: [PATCH 07/34] fc/login: apply login context to login.shadow - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/authlogin.fc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index e22945cd..a42bc0da 100644 ---- a/policy/modules/system/authlogin.fc -+++ b/policy/modules/system/authlogin.fc -@@ -5,6 +5,7 @@ - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - - /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) - /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) - /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch deleted file mode 100644 index 307574c..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:54:09 +0530 -Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal - service - -1. fix for systemd services: login & journal wile using refpolicy-minimum and -systemd as init manager. -2. fix login duration after providing root password. - -without these changes we are getting avc denails like these and below -systemd services failure: - -audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ -systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: -local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 -tclass=fifo_file permissive=0 - -audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path -="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: -systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file - -audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: -system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path -="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl ---flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: -lib_t:s0 tclass=service - -[FAILED] Failed to start Flush Journal to Persistent Storage. -See 'systemctl status systemd-journal-flush.service' for details. - -[FAILED] Failed to start Login Service. -See 'systemctl status systemd-logind.service' for details. - -[FAILED] Failed to start Avahi mDNS/DNS-SD Stack. -See 'systemctl status avahi-daemon.service' for details. 
- -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 2 ++ - policy/modules/system/locallogin.te | 3 +++ - policy/modules/system/systemd.if | 6 ++++-- - policy/modules/system/systemd.te | 2 +- - 4 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 843fdcff..ca8678b8 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read; - - allow initrc_t init_t:system { start status reboot }; - allow initrc_t init_var_run_t:service { start status }; -+ -+allow initrc_t init_var_run_t:service stop; -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 75750e4c..2c2cfc7d 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock}; - allow local_login_t var_run_t:sock_file write; - allow local_login_t tmpfs_t:dir { add_name write search}; - allow local_login_t tmpfs_t:file { create open read write lock }; -+allow local_login_t init_var_run_t:fifo_file write; -+allow local_login_t initrc_t:dbus send_msg; -+allow initrc_t local_login_t:dbus send_msg; -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 4519a448..79133e6f 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',` - # - interface(`systemd_service_lib_function',` - gen_require(` -- class service start; -+ class service { start status stop }; -+ class file { execmod open }; - ') - -- allow initrc_t $1:service start; -+ allow initrc_t $1:service { start status stop }; -+ allow initrc_t $1:file execmod; - - ') -diff --git 
a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 74f9c1cb..f1d26a44 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; - - allow systemd_tmpfiles_t init_t:dir search; - allow systemd_tmpfiles_t proc_t:filesystem getattr; --allow systemd_tmpfiles_t init_t:file read; -+allow systemd_tmpfiles_t init_t:file { open getattr read }; - allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; - - kernel_getattr_proc(systemd_tmpfiles_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch deleted file mode 100644 index 6472a21..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:58:53 -0400
-Subject: [PATCH 08/34] fc/bind: fix real path for bind
-
-Upstream-Status: Pending
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/bind.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index b4879dc1..59498e25 100644
---- a/policy/modules/services/bind.fc
-+++ b/policy/modules/services/bind.fc
-@@ -1,8 +1,10 @@
- /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-
- /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/bind/rndc\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
- /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
deleted file mode 100644
index 05543da..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:54:17 +0530 -Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files - services - -fix for systemd tmp files setup service while using refpolicy-minimum and -systemd as init manager. - -these allow rules require kernel domain & files access, so added interfaces -at systemd.te to merge these allow rules. - -without these changes we are getting avc denails like these and below -systemd services failure: - -audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" -path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd -_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file - -audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" -name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: -systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 -tclass=dir permissive=0 - -[FAILED] Failed to start Create Static Device Nodes in /dev. -See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. - -[FAILED] Failed to start Create Volatile Files and Directories. -See 'systemctl status systemd-tmpfiles-setup.service' for details. 
- -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/files.if | 19 +++++++++++++++++++ - policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++ - policy/modules/system/systemd.te | 2 ++ - 3 files changed, 42 insertions(+) - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index eb067ad3..ff74f55a 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -7076,3 +7076,22 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+## <summary> -+## systemd tmp files access to kernel tmp files domain -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain allowed access. -+## </summary> -+## </param> -+# -+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` -+ gen_require(` -+ type tmp_t; -+ class lnk_file getattr; -+ ') -+ -+ allow $1 tmp_t:lnk_file getattr; -+') -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 1ad282aa..342eb033 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` - allow $1 unlabeled_t:infiniband_endport manage_subnet; - ') - -+######################################## -+## <summary> -+## systemd tmp files access to kernel sysctl domain -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain allowed access. 
-+## </summary> -+## </param> -+# -+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` -+ gen_require(` -+ type sysctl_kernel_t; -+ class dir search; -+ class file { open read }; -+ ') -+ -+ allow $1 sysctl_kernel_t:dir search; -+ allow $1 sysctl_kernel_t:file { open read }; -+ -+') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index f1d26a44..b4c64bc1 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated - - seutil_read_file_contexts(systemd_update_done_t) - -+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) -+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) - systemd_log_parse_environment(systemd_update_done_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch deleted file mode 100644 index 382a62c..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Thu, 28 Mar 2019 21:59:18 -0400
-Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/clock.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
-index 30196589..e0dc4b6f 100644
---- a/policy/modules/system/clock.fc
-+++ b/policy/modules/system/clock.fc
-@@ -2,4 +2,7 @@
-
- /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-
--/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
-+/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
deleted file mode 100644
index de9180a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 26 Aug 2016 17:54:29 +0530 -Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog - -syslog & getty related allow rules required to fix the syslog mixup with -boot log, while using systemd as init manager. - -without this change we are getting these avc denials: - -audit: avc: denied { search } for pid=484 comm="syslogd" name="/" -dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext= -system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 - -audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev= -"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u: -object_r:tmpfs_t:s0 tclass=dir permissive=0 - -audit: avc: denied { add_name } for pid=390 comm="syslogd" name= -"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r -:tmpfs_t:s0 tclass=dir permissive=0 - -audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd -/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u: -system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0 - -audit: avc: denied { create } for pid=374 comm="syslogd" name="messages" -scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t: -s0 tclass=file permissive=0 - -audit: avc: denied { append } for pid=423 comm="syslogd" name="messages" -dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext= -system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 - -audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/ -volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r: -syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - 
policy/modules/system/getty.te | 1 + - policy/modules/system/logging.te | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index 423db0cc..9ab03956 100644 ---- a/policy/modules/system/getty.te -+++ b/policy/modules/system/getty.te -@@ -132,3 +132,4 @@ optional_policy(` - - allow getty_t tmpfs_t:dir search; - allow getty_t tmpfs_t:file { open write lock }; -+allow getty_t initrc_t:unix_dgram_socket sendto; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 98c2bd19..6a94ac12 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; - allow syslogd_t self:shm create; - allow syslogd_t self:sem { create read unix_write write }; - allow syslogd_t self:shm { read unix_read unix_write write }; --allow syslogd_t tmpfs_t:file { read write }; -+allow syslogd_t tmpfs_t:file { read write create getattr append open }; -+allow syslogd_t tmpfs_t:dir { search write add_name }; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch deleted file mode 100644 index 5de6d0d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 08:26:55 -0400
-Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.fc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
-index e52fdfcf..85d15127 100644
---- a/policy/modules/admin/dmesg.fc
-+++ b/policy/modules/admin/dmesg.fc
-@@ -1 +1,3 @@
--/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-+/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
deleted file mode 100644
index ab81b31..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:20:58 -0400
-Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/services/ssh.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 4ac3e733..1f453091 100644
---- a/policy/modules/services/ssh.fc
-+++ b/policy/modules/services/ssh.fc
-@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
-+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
- /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
deleted file mode 100644
index 8346fcf..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Tue, 9 Jun 2015 21:22:52 +0530 -Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/sysnetwork.fc | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index ac7c2dd1..4e441503 100644 ---- a/policy/modules/system/sysnetwork.fc -+++ b/policy/modules/system/sysnetwork.fc -@@ -60,6 +60,8 @@ ifdef(`distro_redhat',` - /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -@@ -67,9 +69,17 @@ ifdef(`distro_redhat',` - /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - -+# -+# /usr/lib/busybox -+# -+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) 
-+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-+
- #
- # /var
- #
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
deleted file mode 100644
index 9ec2e21..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:36:08 -0400
-Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/system/udev.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 606ad517..2919c0bd 100644
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -28,6 +28,8 @@ ifdef(`distro_debian',`
- /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-+/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
deleted file mode 100644
index fff816a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Fri, 29 Mar 2019 09:54:07 -0400
-Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/rpm.fc | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index 578d465c..f2b8003a 100644
---- a/policy/modules/admin/rpm.fc
-+++ b/policy/modules/admin/rpm.fc
-@@ -65,5 +65,8 @@ ifdef(`distro_redhat',`
- /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
-
- ifdef(`enable_mls',`
--/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
- ')
-+
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
deleted file mode 100644
index b26eeea..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Thu, 13 Feb 2014 00:33:07 -0500
-Subject: [PATCH 15/34] fc/su: apply policy to su alternatives
-
-Upstream-Status: Pending
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/su.fc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
-index 3375c969..435a6892 100644
---- a/policy/modules/admin/su.fc
-+++ b/policy/modules/admin/su.fc
-@@ -1,3 +1,5 @@
- /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0)
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
deleted file mode 100644
index 35676f8..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Mon, 27 Jan 2014 03:54:01 -0500 -Subject: [PATCH 16/34] fc/fstools: fix real path for fstools - -Upstream-Status: Pending - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/fstools.fc | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 8fbd5ce4..d719e22c 100644 ---- a/policy/modules/system/fstools.fc -+++ b/policy/modules/system/fstools.fc -@@ -58,6 +58,7 @@ - /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -72,10 +73,12 @@ - /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) - 
/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -88,17 +91,20 @@ - /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -108,6 +114,12 @@ - /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/mkswap -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+ - /var/swap -- gen_context(system_u:object_r:swapfile_t,s0) - - /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch deleted file mode 100644 index af24d90..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch +++ /dev/null @@ -1,33 +0,0 @@ -From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted - object - -We add the syslogd_t to trusted object, because other process need -to have the right to connectto/sendto /dev/log. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Roy.Li <rongqing.li@windriver.com> -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 38ccfe3a..c892f547 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t) - fs_search_auto_mountpoints(syslogd_t) - - mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories -+mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log - - term_write_console(syslogd_t) - # Allow syslog to a terminal --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
deleted file mode 100644
index 6dca744..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of - /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw... in /var/log/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 6 ++++++ - policy/modules/system/logging.te | 2 ++ - 3 files changed, 9 insertions(+) - -diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 0cf108e0..5bec7e99 100644 ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -55,6 +55,7 @@ ifdef(`distro_suse', ` - /var/dnscache/log/main(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) - /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) -diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 7b7644f7..0c7268ff 100644 ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',` - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',` - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index c892f547..499a4552 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t auditd_log_t:dir 
setattr; - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t var_log_t:dir search_dir_perms; -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) - manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; - allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; - allow audisp_remote_t var_log_t:dir search_dir_perms; -+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) - manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch deleted file mode 100644 index a494671..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 11:20:00 +0800 -Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir - symlinks in /var/ - -Except /var/log,/var/run,/var/lock, there still other subdir symlinks in -/var for poky, so we need allow rules for all domains to read these -symlinks. Domains still need their practical allow rules to read the -contents, so this is still a secure relax. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/domain.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 1a55e3d2..babb794f 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -110,6 +110,9 @@ term_use_controlling_term(domain) - # list the root directory - files_list_root(domain) - -+# Yocto/oe-core use some var volatile links -+files_read_var_symlinks(domain) -+ - ifdef(`hide_broken_symptoms',` - # This check is in the general socket - # listen code, before protocol-specific --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch deleted file mode 100644 index aa61a80..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp - -/tmp is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /tmp/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/files.fc | 1 + - policy/modules/kernel/files.if | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c3496c21..05b1734b 100644 ---- a/policy/modules/kernel/files.fc -+++ b/policy/modules/kernel/files.fc -@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> - # /tmp - # - /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) - /tmp/.* <<none>> - /tmp/\.journal <<none>> - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f1c94411..eb067ad3 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',` - ') - - allow $1 tmp_t:dir search_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',` - ') - - allow $1 tmp_t:dir list_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',` - ') - - allow $1 tmp_t:dir del_entry_dir_perms; -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',` - ') - - read_files_pattern($1, 
tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',` - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',` - ') - - manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',` - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',` - ') - - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ allow $1 tmp_t:lnk_file read_lnk_file_perms; - ') - - ######################################## --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch deleted file mode 100644 index 68235b1..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t - to complete pty devices. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/terminal.if | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 61308843..a84787e6 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` - interface(`term_dontaudit_getattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file getattr; -+ dontaudit $1 bsdpty_device_t:chr_file getattr; - ') - ######################################## - ## <summary> -@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` - interface(`term_ioctl_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 devpts_t:chr_file ioctl; -+ allow $1 bsdpty_device_t:chr_file ioctl; - ') - - ######################################## -@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` - interface(`term_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - allow $1 devpts_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` - interface(`term_dontaudit_setattr_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file setattr; -+ dontaudit $1 bsdpty_device_t:chr_file setattr; - ') 
- - ######################################## -@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` - interface(`term_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ######################################## -@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` - interface(`term_dontaudit_use_generic_ptys',` - gen_require(` - type devpts_t; -+ type bsdpty_device_t; - ') - - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; -+ dontaudit $1 bsdpty_device_t:chr_file { getattr read write ioctl }; - ') - - ####################################### -@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',` - interface(`term_setattr_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file setattr; -+ allow $1 bsdpty_device_t:chr_file setattr; - ') - - ######################################## -@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',` - interface(`term_use_controlling_term',` - gen_require(` - type devtty_t; -+ type bsdpty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; -+ allow $1 bsdpty_device_t:chr_file { rw_term_perms lock append }; - ') - - ####################################### --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch deleted file mode 100644 index 06f9207..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in - term_dontaudit_use_console. - -We should also not audit terminal to rw tty_device_t and fds in -term_dontaudit_use_console. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/terminal.if | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index a84787e6..cf66da2f 100644 ---- a/policy/modules/kernel/terminal.if -+++ b/policy/modules/kernel/terminal.if -@@ -335,9 +335,12 @@ interface(`term_use_console',` - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - -+ init_dontaudit_use_fds($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index 01f6c8b..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/rpc.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index 47fa2fd0..d4209231 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) - kernel_setsched(nfsd_t) - kernel_request_load_module(nfsd_t) --# kernel_mounton_proc(nfsd_t) -+kernel_mounton_proc(nfsd_t) - - corenet_sendrecv_nfs_server_packets(nfsd_t) - corenet_tcp_bind_nfs_port(nfsd_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch deleted file mode 100644 index 78a4328..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount - nfsd_fs_t. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 2 ++ - policy/modules/services/rpc.te | 5 +++++ - policy/modules/services/rpcbind.te | 5 +++++ - 4 files changed, 13 insertions(+) - -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 41037951..b341ba83 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - - type nfsd_fs_t; - fs_type(nfsd_fs_t) -+files_mountpoint(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - - type nsfs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8e958074..7b81c732 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index d4209231..a2327b44 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` - - optional_policy(` - mount_exec(nfsd_t) -+ # Should domtrans to mount_t while mounting nfsd_fs_t. -+ mount_domtrans(nfsd_t) -+ # nfsd_t need to chdir to /var/lib/nfs and read files. 
-+ files_list_var(nfsd_t) -+ rpc_read_nfs_state_data(nfsd_t) - ') - - ######################################## -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 5914af99..2055c114 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. -+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index 257395a..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri, 29 Mar 2019 11:16:37 -0400 -Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys - -SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should -add rules to access sysfs. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/selinux.if | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 6790e5d0..2c95db81 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) -+ - allow $1 security_t:filesystem mount; - ') - -@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',` - type security_t; - ') - -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) -+ - allow $1 security_t:filesystem remount; - ') - -@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',` - ') - - allow $1 security_t:filesystem unmount; -+ -+ dev_getattr_sysfs($1) -+ dev_search_sysfs($1) - ') - - ######################################## -@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',` - ') - - dontaudit $1 security_t:dir getattr; -+ dev_dontaudit_getattr_sysfs($1) -+ dev_dontaudit_search_sysfs($1) - ') - - ######################################## -@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - ') - -@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - -+ dev_dontaudit_getattr_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - 
') -@@ -361,6 +374,7 @@ interface(`selinux_read_policy',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; -@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; -@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',` - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; -@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; -@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 self:netlink_selinux_socket create_socket_perms; - allow $1 security_t:dir list_dir_perms; -@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - -+ dev_getattr_sysfs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch deleted file mode 100644 index 23226a0..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001 -From: Roy Li <rongqing.li@windriver.com> -Date: Sat, 15 Feb 2014 09:45:00 +0800 -Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo - -Upstream-Status: Pending - -type=AVC msg=audit(1392427946.976:264): avc: denied { connectto } for pid=2111 comm="rpcinfo" path="/run/rpcbind.sock" scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tclass=unix_stream_socket -type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff3aa20000 a2=17 a3=22 items=0 ppid=2108 pid=2111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 key=(null) - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/roles/sysadm.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2ae952bf..d781378f 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -945,6 +945,7 @@ optional_policy(` - ') - - optional_policy(` -+ rpcbind_stream_connect(sysadm_t) - rpcbind_admin(sysadm_t, sysadm_r) - ') - --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch deleted file mode 100644 index 732eaaf..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage - config files - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.if | 1 + - policy/modules/system/userdomain.if | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 20024993..0fdc8c10 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -674,6 +674,7 @@ interface(`seutil_manage_config',` - ') - - files_search_etc($1) -+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) - ') -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 5221bd13..4cf987d1 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',` - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) -+ seutil_manage_default_contexts($1) -+ seutil_manage_file_contexts($1) -+ seutil_manage_module_store($1) -+ seutil_manage_config($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch deleted file mode 100644 index 14734b2..0000000 
--- a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri, 29 Mar 2019 11:30:27 -0400 -Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get - file count - -New setfiles will read /proc/mounts and use statvfs in -file_system_count() to get file count of filesystems. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 8a1688cc..a9930e9e 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t) - files_read_usr_symlinks(setfiles_t) - files_dontaudit_read_all_symlinks(setfiles_t) - -+fs_getattr_all_fs(setfiles_t) - fs_getattr_all_xattr_fs(setfiles_t) - fs_getattr_cgroup(setfiles_t) - fs_getattr_nfs(setfiles_t) --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch deleted file mode 100644 index aebdcb3..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 23 Aug 2013 16:36:09 +0800
-Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as
- default input
-
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
- policy/modules/admin/dmesg.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
-index e1973c78..739a4bc5 100644
---- a/policy/modules/admin/dmesg.if
-+++ b/policy/modules/admin/dmesg.if
-@@ -37,4 +37,5 @@ interface(`dmesg_exec',`
- 
- corecmd_search_bin($1)
- can_exec($1, dmesg_exec_t)
-+ dev_read_kmsg($1)
- ')
---
-2.19.1
-
diff --git a/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
deleted file mode 100644
index afba90f..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001 -From: Roy Li <rongqing.li@windriver.com> -Date: Mon, 10 Feb 2014 18:10:12 +0800 -Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to - mls_file_write_all_levels - -Proftpd will create file under /var/run, but its mls is in high, and -can not write to lowlevel - -Upstream-Status: Pending - -type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm="proftpd" name="/" dev="tmpfs" ino=5853 scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir -type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir -type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) - -root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name - allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; -root@localhost:~# - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/ftp.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 29bc077c..d582cf80 100644 ---- a/policy/modules/services/ftp.te -+++ b/policy/modules/services/ftp.te -@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t; - type ftpdctl_tmp_t; - files_tmp_file(ftpdctl_tmp_t) - -+mls_file_write_all_levels(ftpd_t) -+ - type sftpd_t; - domain_type(sftpd_t) - role system_r types sftpd_t; --- -2.19.1 - 
diff --git a/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch deleted file mode 100644 index ced90be..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001 -From: Shrikant Bobade <shrikant_bobade@mentor.com> -Date: Fri, 12 Jun 2015 19:37:52 +0530 -Subject: [PATCH 32/34] policy/module/init: update for systemd related allow - rules - -It provide, the systemd support related allow rules - -Upstream-Status: Pending - -Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/init.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index f7635d6f..2e6b57a6 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1418,3 +1418,8 @@ optional_policy(` - userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) - userdom_dontaudit_write_user_tmp_files(systemprocess) - ') -+ -+# systemd related allow rules -+allow kernel_t init_t:process dyntransition; -+allow devpts_t device_t:filesystem associate; -+allow init_t self:capability2 block_suspend; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch deleted file mode 100644 index 03b1439..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:36:44 +0800 -Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of - /var/log - apache2 - -We have added rules for the symlink of /var/log in logging.if, -while apache.te uses /var/log but does not use the interfaces in -logging.if. So still need add a individual rule for apache.te. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/services/apache.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 15c4ea53..596370b1 100644 ---- a/policy/modules/services/apache.te -+++ b/policy/modules/services/apache.te -@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) - logging_log_filetrans(httpd_t, httpd_log_t, file) - - allow httpd_t httpd_modules_t:dir list_dir_perms; --- -2.19.1 - diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb b/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb deleted file mode 100644 index 062727b..0000000 --- a/recipes-security/refpolicy/refpolicy-mcs_2.20190201.bb +++ /dev/null 
@@ -1,11 +0,0 @@
-SUMMARY = "MCS (Multi Category Security) variant of the SELinux policy"
-DESCRIPTION = "\
-This is the reference policy for SE Linux built with MCS support. \
-An MCS policy is the same as an MLS policy but with only one sensitivity \
-level. This is useful on systems where a hierarchical policy (MLS) isn't \
-needed (pretty much all systems) but the non-hierarchical categories are. \
-"
-
-POLICY_TYPE = "mcs"
-
-include refpolicy_${PV}.inc
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
deleted file mode 100644
index 40abe35..0000000
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20190201.bb
+++ /dev/null
@@ -1,81 +0,0 @@ -################################################################################ -# Note that -minimum specifically inherits from -targeted. Key policy pieces -# will be missing if you do not preserve this relationship. -include refpolicy-targeted_${PV}.bb - -SUMMARY = "SELinux minimum policy" -DESCRIPTION = "\ -This is a minimum reference policy with just core policy modules, and \ -could be used as a base for customizing targeted policy. \ -Pretty much everything runs as initrc_t or unconfined_t so all of the \ -domains are unconfined. \ -" - -POLICY_NAME = "minimum" - -CORE_POLICY_MODULES = "unconfined \ - selinuxutil \ - storage \ - sysnetwork \ - application \ - libraries \ - miscfiles \ - logging \ - userdomain \ - init \ - mount \ - modutils \ - getty \ - authlogin \ - locallogin \ - " -#systemd dependent policy modules -CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}" - -# nscd caches libc-issued requests to the name service. -# Without nscd.pp, commands want to use these caches will be blocked. -EXTRA_POLICY_MODULES += "nscd" - -# pam_mail module enables checking and display of mailbox status upon -# "login", so "login" process will access to /var/spool/mail. 
-EXTRA_POLICY_MODULES += "mta" - -# sysnetwork requires type definitions (insmod_t, consoletype_t, -# hostname_t, ping_t, netutils_t) from modules: -EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils" - -POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" - -# re-write the same func from refpolicy_common.inc -prepare_policy_store () { - oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install - POL_PRIORITY=100 - POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} - POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} - POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} - - # Prepare to create policy store - mkdir -p ${POL_STORE} - mkdir -p ${POL_ACTIVE_MODS} - - # get hll type from suffix on base policy module - HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') - HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} - - for i in base ${POLICY_MODULES_MIN}; do - MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE} - MOD_DIR=${POL_ACTIVE_MODS}/${i} - mkdir -p ${MOD_DIR} - echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext - - if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then - ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil - bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE} - else - bunzip2 --stdout ${MOD_FILE} | \ - ${HLL_BIN} | \ - bzip2 --stdout > ${MOD_DIR}/cil - fi - cp ${MOD_FILE} ${MOD_DIR}/hll - done -} diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb index 40abe35..67c3785 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_git.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb 
@@ -11,26 +11,31 @@ Pretty much everything runs as initrc_t or unconfined_t so all of the \ domains are unconfined. \ " +SRC_URI += " \ + file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \ + file://0002-refpolicy-minimum-make-xdg-module-optional.patch \ + " + POLICY_NAME = "minimum" CORE_POLICY_MODULES = "unconfined \ - selinuxutil \ - storage \ - sysnetwork \ - application \ - libraries \ - miscfiles \ - logging \ - userdomain \ - init \ - mount \ - modutils \ - getty \ - authlogin \ - locallogin \ - " -#systemd dependent policy modules -CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools', '', d)}" + selinuxutil \ + storage \ + sysnetwork \ + application \ + libraries \ + miscfiles \ + logging \ + userdomain \ + init \ + mount \ + modutils \ + getty \ + authlogin \ + locallogin \ + " +# systemd dependent policy modules +CORE_POLICY_MODULES += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'clock systemd udev fstools dbus', '', d)}" # nscd caches libc-issued requests to the name service. # Without nscd.pp, commands want to use these caches will be blocked. 
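Review bot: The two patches appended to SRC_URI and the `dbus` module appended to the systemd-dependent list carry no comment saying why they belong to the minimum policy, while every other module list in this file states its reason. Judging from the patch names, the patches turn the hard dependency of init/locallogin on sysadm and of systemd on xdg into optional_policy blocks so the minimum module set links without those modules; a comment above the block such as `# Relax hard dependencies of core modules on non-core ones (sysadm, xdg) so the minimum policy builds without them` would make that visible from the recipe. A one-line reason for `dbus` (presumably an interface the systemd module now requires) would likewise save the next maintainer a dig through the policy sources.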
@@ -44,38 +49,48 @@ EXTRA_POLICY_MODULES += "mta" # hostname_t, ping_t, netutils_t) from modules: EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils" +# Add specific policy modules here that should be purged from the system +# policy. Purged modules will not be built and will not be installed on the +# target. To use them at some later time you must specifically build and load +# the modules by hand on the target. +# +# USE WITH CARE! With this feature it is easy to break your policy by purging +# core modules (eg. userdomain) +# +# PURGE_POLICY_MODULES += "xdg xen" + POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" -# re-write the same func from refpolicy_common.inc -prepare_policy_store () { - oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install - POL_PRIORITY=100 - POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} - POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} - POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} +# Re-write the same func from refpolicy_common.inc +prepare_policy_store() { + oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install + POL_PRIORITY=100 + POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} + POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} + POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} - # Prepare to create policy store - mkdir -p ${POL_STORE} - mkdir -p ${POL_ACTIVE_MODS} + # Prepare to create policy store + mkdir -p ${POL_STORE} + mkdir -p ${POL_ACTIVE_MODS} - # get hll type from suffix on base policy module - HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') - HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} + # Get hll type from suffix on base policy module + HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . 
'{if (NF>1) {print $NF}}') + HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} - for i in base ${POLICY_MODULES_MIN}; do - MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE} - MOD_DIR=${POL_ACTIVE_MODS}/${i} - mkdir -p ${MOD_DIR} - echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext + for i in base ${POLICY_MODULES_MIN}; do + MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE} + MOD_DIR=${POL_ACTIVE_MODS}/${i} + mkdir -p ${MOD_DIR} + echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext - if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then - ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil - bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE} - else - bunzip2 --stdout ${MOD_FILE} | \ - ${HLL_BIN} | \ - bzip2 --stdout > ${MOD_DIR}/cil - fi - cp ${MOD_FILE} ${MOD_DIR}/hll - done + if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then + ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil + bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE} + else + bunzip2 --stdout ${MOD_FILE} | \ + ${HLL_BIN} | \ + bzip2 --stdout > ${MOD_DIR}/cil + fi + cp ${MOD_FILE} ${MOD_DIR}/hll + done } diff --git a/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb b/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb deleted file mode 100644 index 7388232..0000000 --- a/recipes-security/refpolicy/refpolicy-mls_2.20190201.bb +++ /dev/null @@ -1,10 +0,0 @@ -SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy" -DESCRIPTION = "\ -This is the reference policy for SE Linux built with MLS support. \ -It allows giving data labels such as \"Top Secret\" and preventing \ -such data from leaking to processes or files with lower classification. \ -" - -POLICY_TYPE = "mls" - -include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb b/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb deleted file mode 100644 index 3674fdd..0000000 --- a/recipes-security/refpolicy/refpolicy-standard_2.20190201.bb +++ /dev/null 
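Review bot: In prepare_policy_store the module conversion still runs as a pipeline, `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` and the bunzip2/hll/bzip2 chain in the else branch, so a failing HLL converter is masked by bzip2's exit status and an empty but well-formed cil file is installed into the store. Writing the converter output to a temporary file and compressing in a second step, `${HLL_BIN} ${MOD_FILE} > ${MOD_DIR}/cil.raw`, `bzip2 --stdout ${MOD_DIR}/cil.raw > ${MOD_DIR}/cil`, `rm -f ${MOD_DIR}/cil.raw`, lets the failure surface under the task's errexit (the else branch can be handled the same way by decompressing first). The `HLL_TYPE=$(echo ${POL_SRC}/base.* | awk ...)` line also degrades silently: when the glob does not match, echo prints the literal pattern and HLL_TYPE becomes `*`, so a check right after it, `[ -e ${POL_SRC}/base.${HLL_TYPE} ] || bbfatal "no base policy module found under ${POL_SRC}"`, would stop the task at the real cause. The new PURGE_POLICY_MODULES comment documents a variable this hunk never reads; presumably refpolicy_common.inc consumes it, which the comment could say.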
@@ -1,8 +0,0 @@ -SUMMARY = "Standard variants of the SELinux policy" -DESCRIPTION = "\ -This is the reference policy for SELinux built with type enforcement \ -only." - -POLICY_TYPE = "standard" - -include refpolicy_${PV}.inc diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb deleted file mode 100644 index 1ecdb4e..0000000 --- a/recipes-security/refpolicy/refpolicy-targeted_2.20190201.bb +++ /dev/null @@ -1,35 +0,0 @@ -SUMMARY = "SELinux targeted policy" -DESCRIPTION = "\ -This is the targeted variant of the SELinux reference policy. Most service \ -domains are locked down. Users and admins will login in with unconfined_t \ -domain, so they have the same access to the system as if SELinux was not \ -enabled. \ -" - -FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" - -POLICY_NAME = "targeted" -POLICY_TYPE = "mcs" -POLICY_MLS_SENS = "0" - -include refpolicy_${PV}.inc - -SYSTEMD_REFPOLICY_PATCHES = " \ - file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ - file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \ - file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ - file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ - file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \ - file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \ - file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \ - file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \ - file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \ - " - -SYSVINIT_REFPOLICY_PATCHES = " \ - file://0001-fix-update-alternatives-for-sysvinit.patch \ - " - -SRC_URI += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \ - " 
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index 1ecdb4e..de81d46 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -6,30 +6,12 @@ domain, so they have the same access to the system as if SELinux was not \ enabled. \ " -FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:" - POLICY_NAME = "targeted" POLICY_TYPE = "mcs" POLICY_MLS_SENS = "0" include refpolicy_${PV}.inc -SYSTEMD_REFPOLICY_PATCHES = " \ - file://0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ - file://0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \ - file://0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ - file://0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ - file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \ - file://0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch \ - file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \ - file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \ - file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \ - " - -SYSVINIT_REFPOLICY_PATCHES = " \ - file://0001-fix-update-alternatives-for-sysvinit.patch \ - " - SRC_URI += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SYSTEMD_REFPOLICY_PATCHES}', '${SYSVINIT_REFPOLICY_PATCHES}', d)} \ - " + file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ + " diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch index 5e38b8c..59169cb 100644 --- a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch 
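Review bot: The new `file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch` entry has no comment, and it is the one SRC_URI line that changes the security behaviour of the targeted policy rather than a file context: it maps root and `__default__` to unconfined_u in seusers and sets failsafe_context to unconfined_r:unconfined_t. A comment such as `# Targeted only: root and all unmapped Linux users log in as unconfined_u (see seusers/failsafe_context in the patch)` above the SRC_URI block would make that visible from the recipe. The FILESEXTRAPATHS_prepend line pointing at refpolicy-${PV} is removed while the patch now lives under refpolicy/; presumably refpolicy_${PV}.inc adds that directory to the search path, which is worth a one-line note here since the recipe itself no longer shows where file:// is resolved.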
+++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch @@ -1,23 +1,24 @@ -From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001 +From 9fdb576862d6a373b4a50e149fcfd4571e01dd1a Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Thu, 28 Mar 2019 16:14:09 -0400 -Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths +Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths Ensure /var/volatile paths get the appropriate base file context. -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - config/file_contexts.subs_dist | 10 ++++++++++ - 1 file changed, 10 insertions(+) + config/file_contexts.subs_dist | 6 ++++++ + 1 file changed, 6 insertions(+) diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index 346d920e..be532d7f 100644 +index ba22ce7e7..23d4328f7 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist -@@ -31,3 +31,13 @@ +@@ -33,3 +33,9 @@ # not for refpolicy intern, but for /var/run using applications, # like systemd tmpfiles or systemd socket configurations /var/run /run @@ -26,11 +27,7 @@ index 346d920e..be532d7f 100644 +# ensure the policy applied to the base filesystem objects are reflected in the +# volatile hierarchy. +/var/volatile/log /var/log -+/var/volatile/run /var/run -+/var/volatile/cache /var/cache +/var/volatile/tmp /var/tmp -+/var/volatile/lock /var/lock -+/var/volatile/run/lock /var/lock -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch index 09a16fb..820d71e 100644 
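Review bot: The second hunk drops the `/var/volatile/run`, `/var/volatile/cache`, `/var/volatile/lock` and `/var/volatile/run/lock` substitutions, but the patch description still says only that /var/volatile paths get the base file context, so a reader cannot tell whether those aliases were dropped on purpose or lost in the rebase. If they are now covered elsewhere (the upstream `/var/run /run` substitution is visible as context in the hunk), one sentence in the description naming why run, cache and lock are no longer aliased would settle it; otherwise files under /var/volatile/run and /var/volatile/lock silently lose the base labels they had with the previous version of this patch. The Upstream-Status change to Inappropriate is consistent with the other patches in this series.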
--- a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch @@ -1,44 +1,44 @@ -From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001 +From 2d04fadd54814ce01d143262f36edbf0b1700a9b Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Fri, 5 Apr 2019 11:53:28 -0400 -Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional +Subject: [PATCH] refpolicy-minimum: make sysadmin module optional -init and locallogin modules have a depend for sysadm module because -they have called sysadm interfaces(sysadm_shell_domtrans). Since -sysadm is not a core module, we could make the sysadm_shell_domtrans -calls optionally by optional_policy. +The init and locallogin modules have a depend for sysadm module +because they have called sysadm interfaces(sysadm_shell_domtrans). +Since sysadm is not a core module, we could make the +sysadm_shell_domtrans calls optionally by optional_policy. So, we could make the minimum policy without sysadm module. -Upstream-Status: pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - policy/modules/system/init.te | 16 +++++++++------- + policy/modules/system/init.te | 14 ++++++++------ policy/modules/system/locallogin.te | 4 +++- - 2 files changed, 12 insertions(+), 8 deletions(-) + 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 2e6b57a6..d8696580 100644 +index c2380d8b4..31f77cf43 100644 --- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te -@@ -448,13 +448,15 @@ ifdef(`init_systemd',` - modutils_domtrans(init_t) +@@ -645,13 +645,15 @@ ifdef(`init_systemd',` + unconfined_write_keys(init_t) ') ',` - tunable_policy(`init_upstart',` - corecmd_shell_domtrans(init_t, initrc_t) -- ',` ++ optional_policy(` ++ tunable_policy(`init_upstart',` ++ corecmd_shell_domtrans(init_t, initrc_t) + ',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - ifndef(`distro_debian',` - sysadm_shell_domtrans(init_t) -+ optional_policy(` -+ tunable_policy(`init_upstart',` -+ corecmd_shell_domtrans(init_t, initrc_t) -+ ',` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart + ifndef(`distro_debian',` @@ -48,10 +48,10 @@ index 2e6b57a6..d8696580 100644 ') ') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a56f3d1f..4c679ff3 100644 +index 8330be8a9..933e94b24 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -63,5 +63,5 @@ index a56f3d1f..4c679ff3 100644 # by default, sulogin does not use pam... # sulogin_pam might need to be defined otherwise -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch new file mode 100644 index 0000000..f4e4809 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch 
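Review bot: In the init.te hunk the `optional_policy(`` block wraps the whole `tunable_policy(`init_upstart',`` statement, both branches, so when the sysadm module is absent the init_upstart path `corecmd_shell_domtrans(init_t, initrc_t)` is dropped together with `sysadm_shell_domtrans(init_t)`, although only the latter needs sysadm. As far as I know the policy language does not allow an optional block inside a conditional's branch, so that loss is probably deliberate, but the patch description ("make the sysadm_shell_domtrans calls optionally") does not say it; a sentence there such as `Without the sysadm module the init_upstart shell transition is disabled as well, since optional_policy cannot be placed inside tunable_policy` would spare the next rebase from "fixing" it. This is read from a diff of a diff, so the nesting should be confirmed against the regenerated patch file, and the locallogin.te hunk is only partly visible here.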
@@ -0,0 +1,81 @@
+From 15b4f9a17d1f45dc6e15e4a3b0e6490a9a518df6 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Mon, 20 Apr 2020 11:50:03 +0800
+Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux
+ user
+
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login and run most
+commands and services on unconfined domains.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/appconfig-mcs/failsafe_context | 2 +-
+ config/appconfig-mcs/seusers | 4 ++--
+ policy/modules/system/unconfined.te | 5 +++++
+ policy/users | 6 +++---
+ 4 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
+index 999abd9a3..a50bde775 100644
+--- a/config/appconfig-mcs/failsafe_context
++++ b/config/appconfig-mcs/failsafe_context
+@@ -1 +1 @@
+-sysadm_r:sysadm_t:s0
++unconfined_r:unconfined_t:s0
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index ce614b41b..c0903d98b 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,2 +1,2 @@
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++root:unconfined_u:s0-mcs_systemhigh
++__default__:unconfined_u:s0
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 6c9769b04..01c9a7243 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t;
+ type unconfined_execmem_exec_t alias ada_exec_t;
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
++role unconfined_r types unconfined_t;
++role system_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++allow unconfined_r system_r;
+ 
+ ########################################
+ #
+diff --git a/policy/users b/policy/users
+index ca203758c..e737cd9cc 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
+ # not in the sysadm_r.
+ #
+ ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ ',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ ')
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
index 22eab15..b6be830 100644
--- a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
+++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
@@ -1,31 +1,33 @@
-From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From a3269d08232045835f341e5796da66d9bf948aca Mon Sep 17 00:00:00 2001
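Review bot: The description only talks about root and normal users logging in, but the policy/users and unconfined.te hunks also give system_u the unconfined_r role, add `role system_r types unconfined_t`, `role_transition system_r unconfined_exec_t unconfined_r` and a bidirectional `allow system_r unconfined_r; allow unconfined_r system_r;`, and failsafe_context now lands in unconfined_t as well. These widen the change from login sessions to daemons started under system_r and to the emergency context, which is exactly what someone auditing the targeted policy needs to see up front; the description should list them with the reason (presumably so init-launched services can execute into unconfined_t). A short comment in unconfined.te above the added lines, `# targeted: let system_r (init/daemons) run and transition into unconfined_t`, would make the intent survive the next rebase.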
From: Joe MacDonald <joe_macdonald@mentor.com> Date: Thu, 28 Mar 2019 20:48:10 -0400 -Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr +Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr The objects in /usr/lib/busybox/* should have the same policy applied as the corresponding objects in the / hierarchy. +Upstream-Status: Inappropriate [embedded specific] + Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - config/file_contexts.subs_dist | 7 +++++++ - 1 file changed, 7 insertions(+) + config/file_contexts.subs_dist | 6 ++++++ + 1 file changed, 6 insertions(+) diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist -index be532d7f..04fca3c3 100644 +index 23d4328f7..690007f22 100644 --- a/config/file_contexts.subs_dist +++ b/config/file_contexts.subs_dist -@@ -41,3 +41,10 @@ +@@ -39,3 +39,9 @@ + # volatile hierarchy. + /var/volatile/log /var/log /var/volatile/tmp /var/tmp - /var/volatile/lock /var/lock - /var/volatile/run/lock /var/lock + +# busybox aliases +# quickly match up the busybox built-in tree to the base filesystem tree -+/usr/lib/busybox/bin /bin -+/usr/lib/busybox/sbin /sbin ++/usr/lib/busybox/bin /usr/bin ++/usr/lib/busybox/sbin /usr/sbin +/usr/lib/busybox/usr /usr -+ -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch new file mode 100644 index 0000000..cc8c0b7 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-make-xdg-module-optional.patch 
@@ -0,0 +1,40 @@
+From 39b825d24a34864c3d9bae684b083a9b656f641a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 29 Sep 2021 11:08:49 +0800
+Subject: [PATCH] refpolicy-minimum: make xdg module optional
+
+The systemd module invokes xdg_config_content and xdg_data_content
+interfaces which are from xdg module. Since xdg is not a core module, we
+could make it optional in minimum policy.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a0e6bb405..b1fc414ea 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -313,10 +313,14 @@ init_unit_file(systemd_user_manager_unit_t)
+ 
+ type systemd_conf_home_t;
+ init_unit_file(systemd_conf_home_t)
+-xdg_config_content(systemd_conf_home_t)
++optional_policy(`
++ xdg_config_content(systemd_conf_home_t)
++')
+ 
+ type systemd_data_home_t;
+-xdg_data_content(systemd_data_home_t)
++optional_policy(`
++ xdg_data_content(systemd_data_home_t)
++')
+ 
+ type systemd_user_runtime_notify_t;
+ userdom_user_runtime_content(systemd_user_runtime_notify_t)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
index 77c6829..69ed556 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
+++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
@@ -1,27 +1,26 @@
-From 85f5825111d4c6d6b276ed07fec2292804b97a39 Mon Sep 17 00:00:00 2001
+From a78f1bf10f489d1abe8a4db9c8ee29af6ac9d02c Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname +Subject: [PATCH] fc/hostname: apply policy to common yocto hostname alternatives -Upstream-Status: Inappropriate [only for Yocto] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - policy/modules/system/hostname.fc | 4 ++++ - 1 file changed, 4 insertions(+) + policy/modules/system/hostname.fc | 2 ++ + 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc -index 83ddeb57..653e038d 100644 +index 83ddeb573..cf523bc4c 100644 --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc -@@ -1 +1,5 @@ +@@ -1 +1,3 @@ + /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) +/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) +/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0) -+/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -+ - /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index 60d585b..1eac7ec 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch @@ -1,30 +1,31 @@ -From ed53bb0452aab6aee11c6d6442b8524d3b27fa6f Mon Sep 17 00:00:00 2001 +From 0f549b970d42109994c5736e78f0b7d9267b1ae5 Mon Sep 17 00:00:00 2001 
From: Joe MacDonald <joe_macdonald@mentor.com> Date: Thu, 28 Mar 2019 21:37:32 -0400 -Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash +Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply the proper context to the target for our policy. -Upstream-Status: Inappropriate [only for Yocto] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index e7415cac..cf3848db 100644 +index 04d6caa80..7d2efef0a 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc -@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` +@@ -147,6 +147,7 @@ ifdef(`distro_gentoo',` + /usr/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch new file mode 100644 index 0000000..4329a12 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch 
@@ -0,0 +1,29 @@
+From d9348cee43dd6d6e2ea971ef22c796956b9677fd Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 4 Apr 2019 10:45:03 -0400
+Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/sysnetwork.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
+index 14505efe9..c9ec4e5ab 100644
+--- a/policy/modules/system/sysnetwork.fc
++++ b/policy/modules/system/sysnetwork.fc
+@@ -84,6 +84,7 @@ ifdef(`distro_redhat',`
+ /run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)
+ /run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0)
+ /run/netns/[^/]+ -- <<none>>
++/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
index 8c71c90..cdf71d6 100644
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0007-fc-login-apply-login-context-to-login.shadow.patch
+++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch
@@ -1,27 +1,28 @@
-From c1f7e3033057dfb613bd92d723094b06c00e82f8 Mon Sep 17 00:00:00 2001
+From df2801c3f9689d6c173dca05ee970756ba3b3d04 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com> Date: Thu, 28 Mar 2019 21:43:53 -0400 -Subject: [PATCH 07/34] fc/login: apply login context to login.shadow +Subject: [PATCH] fc/login: apply login context to login.shadow -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/system/authlogin.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index e22945cd..a42bc0da 100644 +index adb53a05a..a25a9d607 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -5,6 +5,7 @@ - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +@@ -8,6 +8,7 @@ + /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_history_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -+/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) ++/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) - /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/bin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch new file mode 100644 index 0000000..db0d93a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch 
@@ -0,0 +1,25 @@
+From f274bbf18ef930a506c7fe7cc90c32698e51b318 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/clock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 301965892..139485835 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,4 @@
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+ 
+ /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
new file mode 100644
index 0000000..8030e93
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch
@@ -0,0 +1,23 @@ +From c69e143640f73d13d82aa6cfcbfce64a02bcb13d Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 08:26:55 -0400 +Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/admin/dmesg.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc +index e52fdfcf8..526b92ed2 100644 +--- a/policy/modules/admin/dmesg.fc ++++ b/policy/modules/admin/dmesg.fc +@@ -1 +1,2 @@ + /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch index 09576fa..40b3e8d 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch @@ -1,27 +1,28 @@ -From 10548eeaba694ff4320fdcbddc9e6cbb71856280 Mon Sep 17 00:00:00 2001 +From 6cb433b296b2085bf1aa54c7722a8bcf7a69cba8 Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Fri, 29 Mar 2019 09:20:58 -0400 -Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives +Subject: [PATCH] fc/ssh: apply policy to ssh alternatives -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1 insertion(+) 
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 4ac3e733..1f453091 100644 +index 5c512e972..0448c1877 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) - /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) + /etc/ssh/ssh_host.*_key(\.pub)? -- gen_context(system_u:object_r:sshd_key_t,s0) /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) -+/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) ++/usr/bin/ssh\.openssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch index f02bd3a..6d1b362 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch @@ -1,48 +1,47 @@ -From 457f278717ef53e19392c40ea8645ca216c0ae83 Mon Sep 17 00:00:00 2001 +From 89f23ef679f8f0f842b7b41b85c48266d292bcfc Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Tue, 9 Jun 2015 21:22:52 +0530 -Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives +Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - policy/modules/system/sysnetwork.fc | 10 ++++++++++ - 1 file changed, 10 insertions(+) + policy/modules/system/sysnetwork.fc | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index ac7c2dd1..4e441503 100644 +index c9ec4e5ab..4ca151524 100644 --- a/policy/modules/system/sysnetwork.fc 
+++ b/policy/modules/system/sysnetwork.fc -@@ -60,6 +60,8 @@ ifdef(`distro_redhat',` +@@ -44,6 +44,7 @@ ifdef(`distro_redhat',` + /usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) + /usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/bin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + /usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +@@ -60,13 +61,16 @@ ifdef(`distro_redhat',` /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -@@ -67,9 +69,17 @@ ifdef(`distro_redhat',` + /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/pump -- 
gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+# -+# /usr/lib/busybox -+# -+/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+ - # - # /var - # -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch new file mode 100644 index 0000000..86fc796 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch @@ -0,0 +1,27 @@ +From 2fb2dc1ab37da9d6d1f885b7f4b3eae8db66844a Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 09:54:07 -0400 +Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/admin/rpm.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc +index 7efcf71de..2f83019f0 100644 +--- a/policy/modules/admin/rpm.fc ++++ b/policy/modules/admin/rpm.fc +@@ -74,4 +74,6 @@ ifdef(`distro_redhat',` + + ifdef(`enable_mls',` + /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) + ') +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch index c0fbb69..69e36e1 100644 
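Review bot: Dropping the `/usr/lib/busybox/...` entries from sysnetwork.fc leaves busybox-provided ifconfig, ip and mii-tool without the ifconfig_exec_t label, and the fstools.fc patch (0013) drops the matching blkid/fdisk/mkswap/swapoff/swapon entries in the same way. On a busybox-based image those applets then keep whatever label their directory gives them and no transition into the ifconfig or fsadm domain happens, unless the busybox paths are now labeled elsewhere in the series. If they are, the patch description should say where; if they are not, the busybox block should stay.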
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0015-fc-su-apply-policy-to-su-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch @@ -1,26 +1,27 @@ -From d9f2d5857c1d558fa09f7e7864bba8427437bea6 Mon Sep 17 00:00:00 2001 +From 95920611d43a3e6352fc16fcac05977844d57398 Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Thu, 13 Feb 2014 00:33:07 -0500 -Subject: [PATCH 15/34] fc/su: apply policy to su alternatives +Subject: [PATCH] fc/su: apply policy to su alternatives -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/admin/su.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc -index 3375c969..435a6892 100644 +index 3375c9692..a9868cd58 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc @@ -1,3 +1,5 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch index 34e9830..55f3175 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0016-fc-fstools-fix-real-path-for-fstools.patch +++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch 
@@ -1,76 +1,74 @@ -From 5d8f2e090c9dbb270156c2f76f1614b03f3b0191 Mon Sep 17 00:00:00 2001 +From 8b5320fbdb29ab1bf601d9cf81ffe7ea7b9bc55f Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 27 Jan 2014 03:54:01 -0500 -Subject: [PATCH 16/34] fc/fstools: fix real path for fstools +Subject: [PATCH] fc/fstools: fix real path for fstools -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - policy/modules/system/fstools.fc | 12 ++++++++++++ - 1 file changed, 12 insertions(+) + policy/modules/system/fstools.fc | 10 ++++++++++ + 1 file changed, 10 insertions(+) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 8fbd5ce4..d719e22c 100644 +index 63423802d..124109a68 100644 --- a/policy/modules/system/fstools.fc 
+++ b/policy/modules/system/fstools.fc -@@ -58,6 +58,7 @@ +@@ -58,7 +58,9 @@ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blockdev\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -72,10 +73,12 @@ + /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -72,10 +74,13 @@ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/findfs\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm\.hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -88,17 +91,20 @@ +@@ -83,13 +88,16 @@ + /usr/sbin/make_reiser4 -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mke2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/partprobe\.parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -99,8 +107,10 @@ /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/tune2fs -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/tune2fs\.e2fsprogs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -108,6 +114,12 @@ - /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -+/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+ - /var/swap -- gen_context(system_u:object_r:swapfile_t,s0) - - /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch index 62e7da1..73a0d8a 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-fix-update-alternatives-for-sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch @@ -1,53 +1,55 @@ -From 83508f3365277c0ef8c570e744879b904de64cd7 Mon Sep 17 00:00:00 2001 +From 8eefd8242e8b08fee6886d6bba12c4af202890d0 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix update-alternatives for sysvinit +Subject: [PATCH] fc/init: fix update-alternatives for sysvinit -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] 
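Review bot: The rewritten fstools.fc patch no longer adds `/usr/sbin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)`, and the visible upstream context does not carry that entry either, so raw would lose its fsadm_exec_t label unless it is labeled somewhere outside this hunk. The `hdparm\.util-linux` to `hdparm\.hdparm` change looks right (the alternative suffix follows the providing recipe), but neither that correction nor the dropped entry is mentioned in the patch text; a sentence in the description would save the next reader a diff of the diff.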
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/admin/shutdown.fc | 1 + - policy/modules/kernel/corecommands.fc | 1 + + policy/modules/kernel/corecommands.fc | 2 ++ policy/modules/system/init.fc | 1 + - 3 files changed, 3 insertions(+) + 3 files changed, 4 insertions(+) diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc -index 03a2230c..2ba049ff 100644 +index 89d682d36..354f4d1d9 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc -@@ -5,5 +5,6 @@ - /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +@@ -7,5 +7,6 @@ + /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) - /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) + /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index cf3848db..86920167 100644 +index 7d2efef0a..9a5711a83 100644 --- a/policy/modules/kernel/corecommands.fc 
+++ b/policy/modules/kernel/corecommands.fc -@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',` +@@ -156,6 +156,8 @@ ifdef(`distro_gentoo',` /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) -+/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint\.sysvinit -- gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/mountpoint\.util-linux -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 11a6ce93..93e9d2b4 100644 +index 07b12de2e..d99767ce8 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` - # /usr - # - /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +@@ -49,6 +49,7 @@ ifdef(`distro_gentoo',` + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch new file mode 100644 index 0000000..e21e044 --- /dev/null 
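Review bot: shutdown.fc gains `/usr/sbin/shutdown\.sysvinit`, but the context line right above it, `/usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)`, gets no sysvinit counterpart; if halt is installed through update-alternatives like shutdown, the real binary keeps the generic label and runs outside shutdown_t. Adding `/usr/sbin/halt\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)` beside the shutdown entry would close that gap. The init.fc part follows upstream's move of `init(ng)?` to /usr/sbin, so `init\.sysvinit` is placed consistently.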
+++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch
@@ -0,0 +1,24 @@
+From e4bdaafd9684b3b46a6d0a417967f596fbdc36c2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:19:54 +0800
+Subject: [PATCH] fc/brctl: apply policy to brctl alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/admin/brctl.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc
+index ed472f095..2a852b0fd 100644
+--- a/policy/modules/admin/brctl.fc
++++ b/policy/modules/admin/brctl.fc
+@@ -1,3 +1,4 @@
+ /usr/bin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
+ 
+ /usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
++/usr/sbin/brctl\.bridge-utils -- gen_context(system_u:object_r:brctl_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
new file mode 100644
index 0000000..3020814
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch
@@ -0,0 +1,28 @@
+From 762b0bd9cc26627f7361d5db92ae1cb366c0858b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:21:51 +0800
+Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/corecommands.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 9a5711a83..c9009af5f 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -311,6 +311,8 @@ ifdef(`distro_debian',`
+ /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.shadow -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/nologin\.util-linux -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
new file mode 100644
index 0000000..cd3cb4b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch
@@ -0,0 +1,25 @@
+From d312aa5ea1da9c19eb214a55acb2d2b5347ed68f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:43:28 +0800
+Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/locallogin.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
+index fc8d58507..59e6e9601 100644
+--- a/policy/modules/system/locallogin.fc
++++ b/policy/modules/system/locallogin.fc
+@@ -2,4 +2,5 @@
+ /usr/bin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ 
+ /usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sulogin\.util-linux -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+ /usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
new file mode 100644
index 0000000..9009120
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch
@@ -0,0 +1,27 @@
+From 3085ae26b66d82f7c7b3db507153a5976ec26b48 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 10:45:23 +0800
+Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/ntp.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index 9243f3304..e13cf6a9b 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -25,6 +25,7 @@
+ /usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ 
+ /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
++/usr/sbin/ntpd\.ntp -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ 
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
new file mode 100644
index 0000000..9fc5b90
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch
@@ -0,0 +1,50 @@ +From 4f377178aff842dc4ce9c6e705a761478d21f4d3 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 15 Nov 2019 10:55:05 +0800 +Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/services/kerberos.fc | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc +index df21fcc78..ce0166edd 100644 +--- a/policy/modules/services/kerberos.fc ++++ b/policy/modules/services/kerberos.fc +@@ -12,6 +12,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/krb5-admin-server -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/krb5-kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + + /usr/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +@@ -26,6 +28,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + + /usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + + /usr/local/var/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +@@ -41,6 +45,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) + ++/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++ + /var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) + /var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch new file mode 100644 index 0000000..c2247c3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch 
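Review bot: `/usr/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)` gives the local administration client the daemon's entrypoint type, so whoever runs kadmin.local from a domain that transitions on kadmind_exec_t ends up in the kadmind domain rather than their own; that may be intended, since the tool needs the principal database, but the patch should say so. The Subject "apply policy to kerberos alternatives" also does not describe the body: none of the added paths are update-alternatives names, they are init scripts named krb5-admin-server/krb5-kdc, kpropd, and the /var/krb5kdc database tree, and the ldap (0020) and postgresql (0021) patches carry the same mismatch. A one-line description of what each patch actually labels would fix all three.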
@@ -0,0 +1,40 @@
+From 6de6e53b41602b50ebec3627ceede5e13bad3bb6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:06:13 +0800
+Subject: [PATCH] fc/ldap: apply policy to ldap alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/ldap.fc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
+index 0a1d08d0f..65b202962 100644
+--- a/policy/modules/services/ldap.fc
++++ b/policy/modules/services/ldap.fc
+@@ -1,8 +1,10 @@
+ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+ /etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
+ /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/etc/openldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+ 
+ /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/openldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+ 
+ /usr/bin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+ 
+@@ -25,6 +27,9 @@
+ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
+ /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
+ 
++/var/openldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
++/var/openldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
++
+ /run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
+ /run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch
new file mode 100644
index 0000000..9d3c2e1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch @@ -0,0 +1,37 @@ +From f523a63f9f209544b9a557e76e94354c23d93959 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 15 Nov 2019 11:13:16 +0800 +Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/services/postgresql.fc | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc +index f31a52cf8..f9bf46870 100644 +--- a/policy/modules/services/postgresql.fc ++++ b/policy/modules/services/postgresql.fc +@@ -27,6 +27,17 @@ + /usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) + ++/usr/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) ++ + ifdef(`distro_redhat', ` + /usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + ') +-- +2.25.1 + 
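Review bot: Labeling `pg_ctl`, `pg_basebackup`, `pg_upgrade`, `pg_resetxlog` and the rest of the `/usr/bin/pg_*` utilities postgresql_exec_t puts administrative client tools on the same entrypoint as the server, so any domain with a transition on that type lands in the database daemon's domain when it runs them. The visible upstream context gives that type only to `postgres` and `postmaster` under /usr/lib/postgresql; if the goal is the server binaries, `/usr/bin/postgres` and `/usr/bin/postmaster` are the two lines needed, and the utilities can keep the generic bin_t label. Whichever is intended should be stated in the patch description.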
diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
new file mode 100644
index 0000000..749c19a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch
@@ -0,0 +1,25 @@
+From 57c6a0e69aa9d308ec23dc60dc2420ee5c62bf7f Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 15 Nov 2019 11:15:33 +0800
+Subject: [PATCH] fc/screen: apply policy to screen alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/apps/screen.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
+index e51e01d97..238dc263e 100644
+--- a/policy/modules/apps/screen.fc
++++ b/policy/modules/apps/screen.fc
+@@ -7,4 +7,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+ /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+ 
+ /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
++/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0)
+ /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+--
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
new file mode 100644
index 0000000..152d147
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch
@@ -0,0 +1,57 @@ +From f0706a85dca8801d87130102b701c7bc2fd7476d Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 15 Nov 2019 11:25:34 +0800 +Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/admin/usermanage.fc | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index 7209a8dd0..c9dc1f000 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -4,8 +4,13 @@ ifdef(`distro_debian',` + + /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chfn\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) ++/usr/bin/chsh\.util-linux -- gen_context(system_u:object_r:chfn_exec_t,s0) + /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +@@ -15,6 +20,7 @@ ifdef(`distro_debian',` + /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/pwunconv -- 
gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +@@ -26,6 +32,7 @@ ifdef(`distro_debian',` + /usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + + /usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) ++/usr/sbin/chpasswd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) + /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +@@ -41,6 +48,7 @@ ifdef(`distro_debian',` + /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch new file mode 100644 index 0000000..3527e65 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch 
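Review bot: The hunk labels the `.shadow` alternatives for passwd, chpasswd, chfn, chsh and vipw but not for `vigr`, even though `/usr/sbin/vigr` itself is labeled `admin_passwd_exec_t` a few lines up; if the shadow recipe registers `vigr` through update-alternatives as well (it does in oe-core as far as I recall), `vigr.shadow` falls back to `bin_t` and runs without the `admin_passwd_t` transition. Adding `/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)` beside the `vipw\.shadow` line closes that gap. Since execve follows the `/usr/bin/passwd -> passwd.shadow` symlink and checks the target's label, a one-line note in the commit message that the `.shadow` targets, not the links, must carry the entrypoint type would help whoever finds the next unlabeled alternative.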
@@ -0,0 +1,27 @@ +From 2ff44df5a5da2246f2198741a05786e89ac9f4e3 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 15 Nov 2019 16:07:30 +0800 +Subject: [PATCH] fc/getty: add file context to start_getty + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/getty.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index 116ea6421..53ff6137b 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -4,6 +4,7 @@ + /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) + + /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch new file mode 100644 index 0000000..331eab9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch 
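Review bot: The new `bin_t` entry changes what `start_getty` runs as, because the preceding `/usr/bin/.*getty` regex would otherwise match it, yet the commit message gives no reason; as I understand the matching rules the literal spec wins (refpolicy's fc_sort places non-regex entries after regex ones and the last match is used), but that reasoning should be written down. The rationale looks to be that `start_getty` is a shell wrapper that execs the real getty (not visible here), so labeling it `getty_exec_t` would put the shell itself in `getty_t`; if so, a comment next to the spec such as `# start_getty is a wrapper script that execs getty; keep it bin_t so only the real getty enters getty_t` captures that. Please also confirm that whatever `start_getty` execs still matches the `getty_exec_t` specs, otherwise the wrapper breaks the transition instead of preserving it.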
@@ -0,0 +1,25 @@
+From 42676d53a9c8554ac3e05f826f23792edf8d3c27 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 18 Dec 2019 15:04:41 +0800
+Subject: [PATCH] fc/vlock: apply policy to vlock alternatives
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/apps/vlock.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
+index f668cde9c..c4bc50984 100644
+--- a/policy/modules/apps/vlock.fc
++++ b/policy/modules/apps/vlock.fc
+@@ -1,4 +1,5 @@
+ /usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
++/usr/bin/vlock\.kbd -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ /usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+ 
+ /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
new file mode 100644
index 0000000..0adb47f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch
@@ -0,0 +1,64 @@ +From 3cf1f270369d7a2c75faf1a90d1485fe699dbbfe Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Tue, 30 Jun 2020 10:45:57 +0800 +Subject: [PATCH] fc: add fcontext for init scripts and systemd service files + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/services/cron.fc | 1 + + policy/modules/services/rngd.fc | 1 + + policy/modules/services/rpc.fc | 2 ++ + policy/modules/system/logging.fc | 1 + + 4 files changed, 5 insertions(+) + +diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc +index 827363d88..e8412396d 100644 +--- a/policy/modules/services/cron.fc ++++ b/policy/modules/services/cron.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/crond -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + + /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc +index 382c067f9..0ecc5acc4 100644 +--- a/policy/modules/services/rngd.fc ++++ b/policy/modules/services/rngd.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + + /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) + +diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc +index 7edc09fac..7416fa39f 100644 +--- a/policy/modules/services/rpc.fc ++++ b/policy/modules/services/rpc.fc +@@ -2,7 +2,9 @@ + /etc/exports\.d(/.*)? 
gen_context(system_u:object_r:exports_t,s0) + + /etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfsserver -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + + /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 3b0dea51b..0ce2bec4b 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -24,6 +24,7 @@ + /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0) + /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) ++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0) + /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch new file mode 100644 index 0000000..fbaa44e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch 
@@ -0,0 +1,30 @@
+From 8b5ff44ba4a7819efb694cba6237bc572835628b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 5 Apr 2020 22:03:45 +0800
+Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory
+
+The genhomedircon.py will expand /root directory to /home/root.
+Add an aliase for it
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/file_contexts.subs_dist | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 690007f22..f80499ebf 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -45,3 +45,7 @@
+ /usr/lib/busybox/bin /usr/bin
+ /usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
++
++# The genhomedircon.py will expand /root home directory to /home/root
++# Add an aliase for it
++/root /home/root
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
new file mode 100644
index 0000000..4e97d8a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch
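Review bot: The commit message attributes the `/root` to `/home/root` expansion to genhomedircon, but if I read this right what actually drives it is root's home being `/home/root` in the image's `/etc/passwd` (genhomedircon only follows that), and saying so would stop a reader from thinking genhomedircon rewrites `/root` on its own; `aliase` should read `alias` in both the subject and the added comment. It is also worth stating in the comment that a subs_dist entry is a one-way lookup substitution, so paths under `/root` are now answered by the `/home/root` specs and the policy's own `/root(/.*)?` entry no longer decides the label of that tree on systems where both directories exist.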
@@ -0,0 +1,91 @@ +From 6f73afe1d8647bd917f6c06b46b0f0cebc276776 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of + /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw... in /var/log/ directory. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 7 +++++++ + 2 files changed, 8 insertions(+) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 0ce2bec4b..8957366b0 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` + /var/dnscache/log/main(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 49028a0cb..4381d2e83 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -1091,10 +1091,12 @@ interface(`logging_append_all_inherited_logs',` + interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, logfile, logfile) + ') + +@@ -1175,6 +1177,7 @@ interface(`logging_manage_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir manage_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1195,6 +1198,7 @@ interface(`logging_relabel_generic_log_dirs',` + + files_search_var($1) + allow $1 var_log_t:dir relabel_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1215,6 +1219,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -1316,6 +1321,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1334,6 +1340,7 @@ interface(`logging_watch_generic_logs_dir',` + ') + + allow $1 var_log_t:dir watch; ++ allow $1 var_log_t:lnk_file 
read_lnk_file_perms; + ') + + ######################################## +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch index a532316..cfef36b 100644 --- a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch +++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch @@ -1,33 +1,34 @@ -From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001 +From 9d4f8d201dbdea28a38b5faaef9abc016bcbaab3 Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Fri, 29 Mar 2019 10:33:18 -0400 -Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of - /var/log +Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink + of /var/log We have added rules for the symlink of /var/log in logging.if, while syslogd_t uses /var/log but does not use the interfaces in logging.if. So still need add a individual rule for syslogd_t. -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/system/logging.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 499a4552..e6221a02 100644 +index 9d9a01fcc..45584dba6 100644 --- a/policy/modules/system/logging.te 
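Review bot: Labeling `/var/log` as a `var_log_t` symlink and letting callers read the link only helps if the directory it resolves to carries the same `var_log_t` specs, and nothing in this hunk labels that target (on Poky it is normally `/var/volatile/log`); if that is handled by a `file_contexts.subs_dist` entry elsewhere, the commit message should say so, otherwise files created through the link land in the target's default type and these new `lnk_file` rules still fail at the directory step. A smaller point: `logging_read_all_logs` is the only interface that had to add `type var_log_t;` to its `gen_require`, so presumably the other five already require it, but the patch description should confirm that since a missing require is a build failure only on a full policy rebuild.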
+++ b/policy/modules/system/logging.te -@@ -417,6 +417,7 @@ files_search_spool(syslogd_t) +@@ -425,6 +425,7 @@ files_search_spool(syslogd_t) # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; +allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; # for systemd but can not be conditional - files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") + files_runtime_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch index 2546457..62c1593 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch +++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch @@ -1,37 +1,39 @@ -From 437bb5a3318fd0fb268f6e015564b006135368d1 Mon Sep 17 00:00:00 2001 +From 1ed2b79828a7dd08079ec111b116f6d288450662 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp +Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of + /tmp /tmp is a symlink in poky, so we need allow rules for files to read lnk_file while doing search/list/delete/rw.. in /tmp/ directory. -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/kernel/files.fc | 1 + policy/modules/kernel/files.if | 8 ++++++++ 2 files changed, 9 insertions(+) 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c3496c21..05b1734b 100644 +index b1728d37c..c5012e6b4 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc -@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> +@@ -172,6 +172,7 @@ HOME_ROOT/lost\+found/.* <<none>> # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -+/tmp -l gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp -l gen_context(system_u:object_r:tmp_t,s0) /tmp/.* <<none>> /tmp/\.journal <<none>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f1c94411..eb067ad3 100644 +index 472b5bb38..a2aa85b1c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',` +@@ -4819,6 +4819,7 @@ interface(`files_search_tmp',` ') allow $1 tmp_t:dir search_dir_perms; @@ -39,7 +41,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',` +@@ -4855,6 +4856,7 @@ interface(`files_list_tmp',` ') allow $1 tmp_t:dir list_dir_perms; @@ -47,7 +49,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4891,6 +4893,7 @@ interface(`files_delete_tmp_dir_entry',` ') allow $1 tmp_t:dir del_entry_dir_perms; @@ -55,7 +57,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',` +@@ -4909,6 +4912,7 @@ interface(`files_read_generic_tmp_files',` ') read_files_pattern($1, tmp_t, tmp_t) @@ -63,7 +65,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4927,6 +4931,7 @@ interface(`files_manage_generic_tmp_dirs',` ') manage_dirs_pattern($1, tmp_t, tmp_t) 
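Review bot: The rebased version quietly narrows the `/tmp -l` spec from `s0-mls_systemhigh` to `s0` (old `-+/tmp -l ... s0-mls_systemhigh`, new `++/tmp -l ... s0`) while the commit message and the adjacent `/tmp -d` spec are unchanged, so the MLS intent is now undocumented. If the narrowing is deliberate (a range on a symlink serves little purpose and it matches the `s0` used for the `/var/log` link in the sibling patch), add one line to the patch description saying so; if it was an accident of the rebase, restore `s0-mls_systemhigh` so the link and directory stay consistent. Either way the directory that `/tmp` resolves to on Poky must itself be labeled `tmp_t` for the new `lnk_file` rules to be useful, which this hunk does not show.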
@@ -71,7 +73,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',` +@@ -4963,6 +4968,7 @@ interface(`files_manage_generic_tmp_files',` ') manage_files_pattern($1, tmp_t, tmp_t) @@ -79,7 +81,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4999,6 +5005,7 @@ interface(`files_rw_generic_tmp_sockets',` ') rw_sock_files_pattern($1, tmp_t, tmp_t) @@ -87,7 +89,7 @@ index f1c94411..eb067ad3 100644 ') ######################################## -@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',` +@@ -5206,6 +5213,7 @@ interface(`files_tmp_filetrans',` ') filetrans_pattern($1, tmp_t, $2, $3, $4) @@ -96,5 +98,5 @@ index f1c94411..eb067ad3 100644 ######################################## -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch new file mode 100644 index 0000000..e9e717b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch 
@@ -0,0 +1,41 @@ +From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures + +Fixes: +avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda" +ino=12552 scontext=system_u:system_r:auditd_t +tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/logging.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 45584dba6..8bc70b81d 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map; + manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t auditd_log_t:dir setattr; + manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) ++allow auditd_t var_log_t:lnk_file read_lnk_file_perms; + allow auditd_t var_log_t:dir search_dir_perms; + + manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) +@@ -306,6 +307,7 @@ optional_policy(` + allow audisp_remote_t self:capability { setpcap setuid }; + allow audisp_remote_t self:process { getcap setcap }; + allow audisp_remote_t self:tcp_socket create_socket_perms; ++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; + allow audisp_remote_t var_log_t:dir search_dir_perms; + + manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch index 887af46..b3dd24f 100644 
--- a/recipes-security/refpolicy/refpolicy-2.20190201/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch @@ -1,22 +1,23 @@ -From fcf756e6906bba50d09224184d64ac56f40b6424 Mon Sep 17 00:00:00 2001 +From 3da00356bee8be72115652850d535c9ec5f1b333 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in - term_dontaudit_use_console. +Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in + term_dontaudit_use_console We should also not audit terminal to rw tty_device_t and fds in term_dontaudit_use_console. -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- policy/modules/kernel/terminal.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index a84787e6..cf66da2f 100644 +index e5645c7c5..6e9f654ac 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -335,9 +335,12 @@ interface(`term_use_console',` @@ -33,5 +34,5 @@ index a84787e6..cf66da2f 100644 ######################################## -- -2.19.1 +2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch new file mode 100644 index 0000000..073068e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch 
@@ -0,0 +1,34 @@
+From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 1 Jul 2020 08:44:07 +0800
+Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
+ directory with label rpcbind_runtime_t
+
+Fixes:
+avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
+scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/rpcbind.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
+index 137c21ece..2a712192b 100644
+--- a/policy/modules/services/rpcbind.te
++++ b/policy/modules/services/rpcbind.te
+@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
+ # Local policy
+ #
+ 
+-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
+ # net_admin is for SO_SNDBUFFORCE
+ dontaudit rpcbind_t self:capability net_admin;
+ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
new file mode 100644
index 0000000..556069a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-systemd-enable-support-for-sys.patch
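Review bot: The rule does not grant what the quoted AVC denies: the denial is `create` on a `dir` in `var_run_t`, while the hunk only adds `chown` to `rpcbind_t`'s `self:capability` set, so either the `create` is already covered by an existing runtime filetrans rule (in which case the message should quote the `chown` denial instead) or the service still fails. Please make the commit title and message match the actual change. `CAP_CHOWN` lets the daemon change ownership of any file it can otherwise write, so it deserves a one-line justification above the allow, e.g. `# chown: rpcbind hands its runtime dir to the rpc user before dropping privileges`, assuming that is why it is needed (not visible here).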
@@ -0,0 +1,46 @@
+From 59b8730de7af45617a6125c7e23cecf896c30ce4 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: enable support for
+ systemd-tmpfiles to manage all non-security files
+
+Fixes:
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/root/.ssh", ignoring: Permission denied
+systemd-tmpfiles[226]: Failed to create directory or subvolume "/var/lib/systemd/ephemeral-trees": Permission denied
+
+AVC avc: denied { relabelfrom } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { write } for pid=226 comm="systemd-tmpfile"
+name="root" dev="vda" ino=643 scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=root:object_r:user_home_dir_t tclass=dir permissive=0
+
+AVC avc: denied { create } for pid=226 comm="systemd-tmpfile"
+name="ephemeral-trees" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index aa9198591..abc324cf1 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -10,7 +10,7 @@ policy_module(systemd)
+ ## Enable support for systemd-tmpfiles to manage all non-security files.
+ ## </p>
+ ## </desc>
+-gen_tunable(systemd_tmpfiles_manage_all, false)
++gen_tunable(systemd_tmpfiles_manage_all, true)
+ 
+ ## <desc>
+ ## <p>
+-- 
+2.25.1
+
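Review bot: Flipping the `systemd_tmpfiles_manage_all` default to `true` in the policy source turns a deliberately opt-in escape hatch into the baseline for every image built from this layer, while the AVCs it cites are narrow (`relabelfrom`/`write` on `user_home_dir_t`, `create` on `init_var_lib_t`); granting just those, for example `systemd_tmpfilesd_managed(init_var_lib_t)` plus a user-home-dir interface for `systemd_tmpfiles_t`, would leave tmpfiles without manage and relabel rights on every other non-security type. If the broad setting really is wanted for embedded images, set it in refpolicy's `policy/booleans.conf` or with `setsebool -P` in the image instead of editing the tunable's default, which keeps the upstream meaning of the boolean intact. At minimum the commit message should state that this widens what any `tmpfiles.d` fragment can touch, since whoever can drop a fragment into `/etc/tmpfiles.d` now drives a relabel-capable helper.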
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
new file mode 100644
index 0000000..30c7d12
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
@@ -0,0 +1,43 @@
+From feb50cfed6d7a08bb4e61b47f95df729a4fba9ea Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 30 Sep 2023 17:20:29 +0800
+Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to
+ create /var/log/audit
+
+Fixes:
+systemd[1]: Starting Security Auditing Service...
+auditd[246]: Could not open dir /var/log/audit (No such file or directory)
+auditd[246]: The audit daemon is exiting.
+systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
+systemd[1]: auditd.service: Failed with result 'exit-code'.
+systemd[1]: Failed to start Security Auditing Service.
+
+AVC avc: denied { create } for pid=224 comm="systemd-tmpfile"
+name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8bc70b81d..3cab14381 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -27,6 +27,10 @@ type auditd_log_t;
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+ 
++optional_policy(`
++	systemd_tmpfilesd_managed(auditd_log_t)
++')
++
+ type audit_spool_t;
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+-- 
+2.25.1
+
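Review bot: `auditd_log_t` is declared a security file by the `files_security_file` call two lines above, which is precisely why `systemd_tmpfiles_manage_all` did not cover it, so marking it `systemd_tmpfilesd_managed` is a deliberate widening and the commit message should say that tmpfiles can now create, and depending on what that interface grants, also remove or relabel the audit log directory. If the only requirement is that `/var/log/audit` exists before auditd starts, a narrower option is to ship the directory in the audit package (or let the unit create it via `LogsDirectory=`, which moves the access to init rather than tmpfiles), keeping `systemd_tmpfiles_t` away from the audit trail altogether. The `optional_policy` wrapper is the right call here because the systemd module is absent on sysvinit images.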
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
new file mode 100644
index 0000000..568f820
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-allow-systemd_logind_t.patch
@@ -0,0 +1,43 @@
+From c21d5186e0625fd83c9d674c3284cfd98c2f02b9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 09:26:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read
+ the process state of all domains
+
+We encountered the following su runtime error:
+$ useradd user1
+$ passwd user1
+New password:
+Retype new password:
+passwd: password updated successfully
+$ su - user1
+Session terminated, terminating shell...Hangup
+
+Fixes:
+avc: denied { use } for pid=344 comm="su"
+path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661
+scontext=root:sysadm_r:sysadm_su_t
+tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index abc324cf1..ffce3c0e8 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1006,6 +1006,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
++domain_read_all_domains_state(systemd_logind_t)
+ 
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+-- 
+2.25.1
+
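Review bot: The rule added does not correspond to the AVC in the commit message: the denial is `sysadm_su_t` using a file descriptor inherited from `systemd_logind_t`, whereas `domain_read_all_domains_state(systemd_logind_t)` lets logind read the `/proc/<pid>` state of every domain on the system. If the su hangup is really fixed by this rule it is because logind needs to inspect the session leader's process state (plausible for session tracking), and the message should quote that denial on `systemd_logind_t` instead; if the fd denial is what breaks su, the matching rule belongs on the other side, something like `systemd_use_logind_fds(sysadm_su_t)` if refpolicy provides it, or a `dontaudit` if the leaked fd is harmless. Since this is marked `Upstream-Status: Pending`, upstream will ask the same question, and reading all domains' state is a broad information grant that deserves an explicit reason.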
diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch new file mode 100644 index 0000000..7d29f23 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch @@ -0,0 +1,36 @@ +From e561ad9a73c949768f0b4e91943a32f10a9f4acc Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 28 Oct 2022 11:56:09 +0800 +Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file + descriptors + +Root can not login via console without this. + +Fixes: +avc: denied { use } for pid=323 comm="sh" path="/dev/tty1" +dev="devtmpfs" ino=21 scontext=root:sysadm_r:sysadm_t +tcontext=system_u:system_r:init_t tclass=fd permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/roles/sysadm.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 08cc0e117..c08226dc3 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -95,6 +95,8 @@ ifdef(`init_systemd',` + # LookupDynamicUserByUID on org.freedesktop.systemd1. + init_dbus_chat(sysadm_t) + ++ init_use_fds(sysadm_t) ++ + # Allow sysadm to get the status of and set properties of other users, + # sessions, and seats on the system. + systemd_dbus_chat_logind(sysadm_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch new file mode 100644 index 0000000..9499e77 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch 
@@ -0,0 +1,91 @@ +From 33164c889a759f4d4f2dc31244b9e2937cba854f Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Thu, 4 Feb 2021 10:48:54 +0800 +Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes + +Fixes: +systemctl[277]: Failed to connect to bus: No medium found + +avc: denied { mknod } for pid=297 comm="systemd" capability=27 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 + +avc: denied { bpf } for pid=297 comm="systemd" capability=39 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 + +avc: denied { sys_admin } for pid=297 comm="systemd" capability=21 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 + +avc: denied { perfmon } for pid=297 comm="systemd" capability=38 +scontext=root:sysadm_r:sysadm_systemd_t +tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++ + policy/modules/system/userdomain.if | 4 ++++ + 2 files changed, 34 insertions(+) + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 28f0ad089..d7219dc37 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -228,6 +228,36 @@ template(`systemd_role_template',` + ') + ') + ++###################################### ++## <summary> ++## Admin role for systemd --user ++## </summary> ++## <param name="prefix"> ++## <summary> ++## Prefix for generated types ++## </summary> ++## </param> ++## <param name="role"> ++## <summary> ++## The admin role. ++## </summary> ++## </param> ++## <param name="userdomain"> ++## <summary> ++## The amdin domain for the role. 
++## </summary> ++## </param> ++# ++template(`systemd_admin_role_extra',` ++ gen_require(` ++ type $1_systemd_t; ++ ') ++ ++ allow $1_systemd_t $3:process noatsecure; ++ allow $1_systemd_t self:capability { mknod sys_admin }; ++ allow $1_systemd_t self:capability2 { bpf perfmon }; ++') ++ + ###################################### + ## <summary> + ## Allow the specified domain to be started as a daemon by the +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 088cb87b2..504747917 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1464,6 +1464,10 @@ template(`userdom_admin_user_template',` + optional_policy(` + userhelper_exec($1_t) + ') ++ ++ optional_policy(` ++ systemd_admin_role_extra($1, $1_r, $1_t) ++ ') + ') + + ######################################## +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch new file mode 100644 index 0000000..ab5b967 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch 
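Review bot: The new `systemd_admin_role_extra` template documents a `role` parameter (`$2`) that its body never references — only `$1_systemd_t` and `$3` appear — so either drop the parameter and the `$1_r` argument in the `userdomain.if` call, or state in the summary why it is reserved. The parameter doc also has a typo: `## The amdin domain for the role.` should read `## The admin domain for the role.`. The `self:capability { mknod sys_admin }` and `self:capability2 { bpf perfmon }` grants make the per-user systemd instance considerably more privileged than the denials alone justify; if, as is common, systemd merely probes `bpf`/`perfmon` and falls back when refused, a `dontaudit` for those two would silence the AVCs without widening the domain, which is worth confirming in a permissive run before keeping the `allow`.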
@@ -0,0 +1,104 @@ +From b81fc26631ad56608eed244c3a07f6f9b0c7e8c7 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Fri, 8 Dec 2023 14:16:26 +0800 +Subject: [PATCH] policy/modules/system/authlogin: fix login errors after + enabling systemd DynamicUser + +Allow domains using PAM to read /etc/shadow to fix login errors after +enabling systemd DynamicUser. + +Fixes: +avc: denied { read } for pid=434 comm="login" name="shadow" +dev="sda2" ino=26314 +scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +avc: denied { open } for pid=434 comm="login" path="/etc/shadow" +dev="sda2" ino=26314 +scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow" +dev="sda2" ino=26314 +scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2" +ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow" +dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow" +dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/admin/su.if | 4 ++-- + policy/modules/system/authlogin.te | 2 +- + policy/modules/system/selinuxutil.te | 2 ++ + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if +index 
dce1a0ea9..c55cdfc09 100644 +--- a/policy/modules/admin/su.if ++++ b/policy/modules/admin/su.if +@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', ` + selinux_compute_access_vector($1_su_t) + + auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) ++ auth_read_shadow($1_su_t) + auth_use_nsswitch($1_su_t) + auth_create_faillog_files($1_su_t) + auth_rw_faillog($1_su_t) +@@ -183,7 +183,7 @@ template(`su_role_template',` + selinux_use_status_page($1_su_t) + + auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) ++ auth_read_shadow($1_su_t) + auth_use_nsswitch($1_su_t) + auth_create_faillog_files($1_su_t) + auth_rw_faillog($1_su_t) +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 3a5d1ac3e..f9d50a8d4 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -10,7 +10,7 @@ policy_module(authlogin) + ## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. + ## </p> + ## </desc> +-gen_tunable(authlogin_pam, true) ++gen_tunable(authlogin_pam, false) + + ## <desc> + ## <p> +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 3eedf82c3..875f0a02f 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -247,6 +247,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re + read_files_pattern(newrole_t, default_context_t, default_context_t) + read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) + ++kernel_getattr_proc(newrole_t) + kernel_read_system_state(newrole_t) + kernel_read_kernel_sysctls(newrole_t) + kernel_dontaudit_getattr_proc(newrole_t) +@@ -290,6 +291,7 @@ auth_use_nsswitch(newrole_t) + auth_run_chk_passwd(newrole_t, newrole_roles) + auth_run_upd_passwd(newrole_t, newrole_roles) + auth_rw_faillog(newrole_t) ++auth_read_shadow(newrole_t) + + # Write to utmp. 
+ init_rw_utmp(newrole_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch new file mode 100644 index 0000000..4322590 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd-logind-t.patch @@ -0,0 +1,38 @@ +From 1b8a639bfdce84c9b39cd9e89b6da4c1d06cc7ab Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Sun, 4 Feb 2024 19:40:32 +0800 +Subject: [PATCH] policy/modules/system/systemd: allow systemd-logind to + inherit local login file descriptors + +Fix reboot timeout error: +$ reboot +Failed to set wall message, ignoring: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms) +Call to Reboot failed: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms) + +avc: denied { use } for pid=287 comm="systemd-logind" +path="anon_inode:[pidfd]" dev="anon_inodefs" ino=1044 +scontext=system_u:system_r:systemd_logind_t +tcontext=system_u:system_r:local_login_t tclass=fd permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index ffce3c0e8..03aeb8515 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -973,6 +973,7 @@ init_stop_system(systemd_logind_t) + miscfiles_read_localization(systemd_logind_t) + + locallogin_read_state(systemd_logind_t) ++locallogin_use_fds(systemd_logind_t) + + seutil_libselinux_linked(systemd_logind_t) + seutil_read_default_contexts(systemd_logind_t) +-- +2.25.1 + 
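Review bot: In the `selinuxutil.te` hunk of 0039, `kernel_getattr_proc(newrole_t)` is inserted two lines above the existing `kernel_dontaudit_getattr_proc(newrole_t)`; once the access is allowed the dontaudit is dead, so that line should be removed in the same patch. The `authlogin.te` hunk flips `gen_tunable(authlogin_pam, false)`, and by the tunable's own description quoted in the hunk this grants direct `/etc/shadow` read to every domain that normally uses PAM (the denials list `local_login_t` and `sshd_t`), moving password-hash access out of the `unix_chkpwd` helper and into the network-facing login domains. Since this is a layer-wide change in exposure rather than a refpolicy bug, it would be better set as a distro-level tunable value than by editing the upstream default, and the layer README should record that shadow is readable by login, sshd, su and newrole domains when `DynamicUser` is enabled. The commit body should also say which `unix_chkpwd` interaction `DynamicUser` breaks, otherwise the root cause cannot be re-checked when the patch is rebased.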
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch new file mode 100644 index 0000000..5ced4ae --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch @@ -0,0 +1,35 @@ +From 53a770736133d84be9cab23732811f96304bf737 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Sat, 15 Feb 2014 04:22:47 -0500 +Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted + for writing to processes up to its clearance + +Fixes: +avc: denied { setsched } for pid=148 comm="mount" +scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process +permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/mount.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 8cd51d563..3fc37619e 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -117,6 +117,7 @@ fs_dontaudit_write_all_image_files(mount_t) + + mls_file_read_all_levels(mount_t) + mls_file_write_all_levels(mount_t) ++mls_process_write_to_clearance(mount_t) + + selinux_get_enforce_mode(mount_t) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch new file mode 100644 index 0000000..07a11ea --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch 
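Review bot: The new 0041 patch carries a misspelled trailer, `Signen-off-by: Wenzong Fan <wenzong.fan@windriver.com>`, which trailer-aware tooling (`git interpret-trailers`, `%(trailers)` formats) will not recognise as a sign-off; it should be `Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>`. The quoted denial is a single `setsched` on `kernel_t:s15`, while `mls_process_write_to_clearance(mount_t)` covers every MLS write-class process operation up to s15; a trailing comment on the rule such as `# setsched on kernel_t at s15 during early mount` would let a later maintainer re-test whether the narrower case still needs it.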
@@ -0,0 +1,40 @@ +From 93225203c2a3a767cd1319d6620da1fd1f91b25f Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Mon, 28 Jan 2019 14:05:18 +0800 +Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance + +The two new rules make sysadm_t domain MLS trusted for: + - reading from files at all levels. + - writing to processes up to its clearance(s0-s15). + +With default MLS policy, root user would login as sysadm_t:s0 by +default. Most processes will run in sysadm_t:s0 because no +domtrans/rangetrans rules, as a result, even root could not access +high level files/processes. + +So with the two new rules, root user could work easier in MLS policy. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/roles/sysadm.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index c08226dc3..4f3207d52 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t) + logging_watch_audit_log(sysadm_t) + + mls_process_read_all_levels(sysadm_t) ++mls_file_read_all_levels(sysadm_t) ++mls_process_write_to_clearance(sysadm_t) + + selinux_read_policy(sysadm_t) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch new file mode 100644 index 0000000..a0b5cbc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch 
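Review bot: The subject of 0042 says "sysadm rw to clearance" but the first rule added is `mls_file_read_all_levels(sysadm_t)`, which is not bounded by the login's clearance at all; only `mls_process_write_to_clearance(sysadm_t)` matches the title. The body's own rationale is that root's clearance is s0-s15, so `mls_file_read_to_clearance(sysadm_t)` would satisfy it for that login while still honouring a narrower clearance for an administrator logged in at a lower range, which is the least-privilege choice here. If `all_levels` is kept deliberately, the subject should be reworded and the layer README should note that MLS file confidentiality is not enforced against `sysadm_t`.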
@@ -0,0 +1,48 @@ +From 3b260a0dc07f61b9bf873a8ac976430c80a653c3 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Fri, 23 Aug 2013 12:01:53 +0800 +Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted + for reading from files up to its clearance + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/kernel/kernel.te | 2 ++ + policy/modules/services/rpcbind.te | 5 +++++ + 2 files changed, 7 insertions(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 887ca3332..f6ca775e6 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -380,6 +380,8 @@ mls_process_read_all_levels(kernel_t) + mls_process_write_all_levels(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_use_all_levels(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index 2a712192b..923e48db7 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -73,6 +73,11 @@ logging_send_syslog_msg(rpcbind_t) + + miscfiles_read_localization(rpcbind_t) + ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because they are running in different level. So add rules to allow this. ++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) ++ + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) + ') +-- +2.25.1 + 
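Review bot: The subject of 0043 names `policy/modules/services/rpc` and `nfsd_t`, but the diffstat and both hunks touch only `policy/modules/kernel/kernel.te` (`kernel_t` socket and fd rules) and `policy/modules/services/rpcbind.te` (`rpcbind_t` socket rules); no `nfsd_t` rule and no `rpc.te` change is present, and no `Fixes:` denial is quoted. The subject should name the files and domains actually changed, and the body should carry the AVCs that motivated the `kernel_t` grants (presumably the knfsd kernel threads, which run as `kernel_t` — worth confirming) so they are not carried forward blindly. The added comment also reads awkwardly; `# because they are running at different levels. So add rules to allow this.` is the intended wording.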
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch new file mode 100644 index 0000000..c5943cb --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch @@ -0,0 +1,36 @@ +From faad8b18adb9a4f155ec0ec6317522baffff9117 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Tue, 30 Jun 2020 10:18:20 +0800 +Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading + from files up to its clearance + +Fixes: +avc: denied { read } for pid=255 comm="dmesg" name="kmsg" +dev="devtmpfs" ino=10032 +scontext=system_u:system_r:dmesg_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/admin/dmesg.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index f1da315a9..89478c38e 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -52,6 +52,8 @@ miscfiles_read_localization(dmesg_t) + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) + userdom_use_user_terminals(dmesg_t) + ++mls_file_read_to_clearance(dmesg_t) ++ + optional_policy(` + seutil_sigchld_newrole(dmesg_t) + ') +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch new file mode 100644 index 0000000..a6db8ca --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch 
@@ -0,0 +1,76 @@ +From 2892de4636a61c237688d73c277edbf7a46163ab Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Fri, 13 Oct 2017 07:20:40 +0000 +Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for + lowering the level of files + +The boot process hangs with the error while using MLS policy: + + [!!!!!!] Failed to mount API filesystems, freezing. + [ 4.085349] systemd[1]: Freezing execution. + +Make kernel_t mls trusted for lowering the level of files to fix below +avc denials and remove the hang issue. + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ + newcontext=system_u:object_r:device_t:s0 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted + + avc: denied { create } for pid=1 comm="systemd" name="shm" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 + systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory + + avc: denied { create } for pid=1 comm="systemd" name="pts" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0 + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:unlabeled_t:s0 \ + newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ + newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ + 
newcontext=system_u:object_r:cgroup_t:s0 \ + taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir + systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted + + avc: denied { create } for pid=1 comm="systemd" name="pstore" \ + scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ + tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0 + +Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/kernel/kernel.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index f6ca775e6..b4b089823 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -382,6 +382,8 @@ mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) + mls_socket_write_all_levels(kernel_t) + mls_fd_use_all_levels(kernel_t) ++# https://bugzilla.redhat.com/show_bug.cgi?id=667370 ++mls_file_downgrade(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch new file mode 100644 index 0000000..b996aa3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch 
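Review bot: The only in-policy comment added above `mls_file_downgrade(kernel_t)` is a bare bugzilla URL, which tells a reader nothing once the link rots; the denials in the commit body show `pid=1 comm="systemd"` running as `kernel_t:s15` while relabeling `/dev`, `/run` and `/sys/fs/cgroup`, and that is what the comment should say. Suggested wording: `# pid 1 (systemd) is still kernel_t when it mounts the API filesystems and relabels /dev, /run and /sys/fs/cgroup from s15 down to s0; see https://bugzilla.redhat.com/show_bug.cgi?id=667370`. Because 0046 then grants the same downgrade to `init_t`, it would also be useful to state in the body that this one is only exercised before the init domain transition, so it can be revisited if that transition is ever moved earlier.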
@@ -0,0 +1,46 @@ +From f2ff5081b1a98272c803ccfd24aeea91e8d5c368 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Fri, 15 Jan 2016 03:47:05 -0500 +Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for + lowering/raising the leve of files + +Fix security_validate_transition issues: + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ + newcontext=system_u:object_r:device_t:s0 \ + taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + + op=security_validate_transition seresult=denied \ + oldcontext=system_u:object_r:var_run_t:s0 \ + newcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 \ + taskcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/init.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 809019873..be9c75155 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t) + mls_fd_use_all_levels(init_t) + mls_process_set_level(init_t) + ++# MLS trusted for lowering/raising the level of files ++mls_file_downgrade(init_t) ++mls_file_upgrade(init_t) ++ + # the following one is needed for libselinux:is_selinux_enabled() + # otherwise the call fails and sysvinit tries to load the policy + # again when using the initramfs +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch new file mode 100644 index 0000000..1b90ba6 --- /dev/null 
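Review bot: The subject of 0046 has a typo, "lowering/raising the leve of files"; it should read `lowering/raising the level of files` (the truncated patch filename does not contain the typo, so it need not be renamed). Both quoted denials are `tclass=dir` relabels by `init_t` (`device_t` s15 to s0, and `var_run_t` to `var_log_t:s0-s15`), so extending the added comment to `# MLS trusted for lowering/raising the level of files: init relabels /dev and /var/log dirs across levels at boot` would give a later maintainer the concrete case to re-test before dropping either rule.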
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch 
@@ -0,0 +1,63 @@ +From 3fab5273a7721e603f2034badeaf73949aaa59a2 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Thu, 4 Feb 2016 06:03:19 -0500 +Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain + MLS trusted for raising/lowering the level of files + +Fixes: + avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \ + dev="proc" ino=7987 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \ + tclass=dir + + avc: denied { search } for pid=92 comm="systemd-tmpfile" \ + name="journal" dev="tmpfs" ino=8226 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \ + tclass=dir + + avc: denied { write } for pid=92 comm="systemd-tmpfile" \ + name="kmsg" dev="devtmpfs" ino=7242 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \ + tclass=chr_file + + avc: denied { read } for pid=92 comm="systemd-tmpfile" \ + name="kmod.conf" dev="tmpfs" ino=8660 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:var_run_t:s0 \ + tclass=file + + avc: denied { search } for pid=92 comm="systemd-tmpfile" \ + name="kernel" dev="proc" ino=8731 \ + scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \ + tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/systemd.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 03aeb8515..e483d8aea 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1877,6 +1877,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) + + 
systemd_log_parse_environment(systemd_tmpfiles_t) + ++mls_file_write_all_levels(systemd_tmpfiles_t) ++mls_file_read_all_levels(systemd_tmpfiles_t) ++mls_file_downgrade(systemd_tmpfiles_t) ++mls_file_upgrade(systemd_tmpfiles_t) ++ + userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) + userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) + +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch new file mode 100644 index 0000000..e3d5db1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch 
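Review bot: The `Fixes:` block of 0047 only quotes `search`, `read` and `write` denials against files and dirs at s0 and s15, which `mls_file_read_all_levels` and `mls_file_write_all_levels` address; nothing in the body justifies the additional `mls_file_downgrade(systemd_tmpfiles_t)` and `mls_file_upgrade(systemd_tmpfiles_t)`. Relabel permission across MLS levels is a separate and stronger grant, so either the `security_validate_transition` denial that motivated it should be quoted (systemd-tmpfiles does relabel with `z`/`Z` lines, so one may well exist), or those two lines should be held back until it is observed. A short comment above the block naming the `/dev/kmsg` and `/run/systemd/journal` cases would also help, since the rule names alone do not say why tmpfiles needs to cross levels.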
@@ -0,0 +1,91 @@ +From 4eaa766ef11cb053f010bcde5121e76031aae799 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Thu, 18 Jun 2020 09:59:58 +0800 +Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t + MLS trusted for writing/reading from files up to its clearance + +Fixes: +audit: type=1400 audit(1592892455.376:3): avc: denied { write } for +pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +audit: type=1400 audit(1592892455.381:4): avc: denied { write } for +pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb" +dev="devtmpfs" ino=42 +scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 +tclass=blk_file permissive=0 + +avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg" +dev="devtmpfs" ino=2060 +scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg" +dev="devtmpfs" ino=3081 +scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file +permissive=0 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/systemd.te | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index e483d8aea..a0e6bb405 100644 +--- a/policy/modules/system/systemd.te ++++ 
b/policy/modules/system/systemd.te +@@ -391,6 +391,9 @@ files_search_var_lib(systemd_backlight_t) + fs_getattr_all_fs(systemd_backlight_t) + fs_search_cgroup_dirs(systemd_backlight_t) + ++mls_file_read_to_clearance(systemd_backlight_t) ++mls_file_write_to_clearance(systemd_backlight_t) ++ + ####################################### + # + # Binfmt local policy +@@ -560,6 +563,9 @@ term_use_unallocated_ttys(systemd_generator_t) + + udev_read_runtime_files(systemd_generator_t) + ++mls_file_read_to_clearance(systemd_generator_t) ++mls_file_write_to_clearance(systemd_generator_t) ++ + ifdef(`distro_gentoo',` + corecmd_shell_entry_type(systemd_generator_t) + ') +@@ -1009,6 +1015,9 @@ userdom_setattr_user_ttys(systemd_logind_t) + userdom_use_user_ttys(systemd_logind_t) + domain_read_all_domains_state(systemd_logind_t) + ++mls_file_read_all_levels(systemd_logind_t) ++mls_file_write_all_levels(systemd_logind_t) ++ + # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x + # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 + # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context +@@ -1591,6 +1600,9 @@ udev_read_runtime_files(systemd_rfkill_t) + + systemd_log_parse_environment(systemd_rfkill_t) + ++mls_file_read_to_clearance(systemd_rfkill_t) ++mls_file_write_to_clearance(systemd_rfkill_t) ++ + ######################################### + # + # Resolved local policy +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch index 8455c08..6ea1efd 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch 
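Review bot: The `systemd_logind_t` hunk in 0048 grants `mls_file_read_all_levels` and `mls_file_write_all_levels`, while the backlight, generator and rfkill hunks in the same patch use the clearance-bounded `mls_file_read_to_clearance`/`mls_file_write_to_clearance`, and the subject line itself says "up to its clearance"; no denial for `systemd_logind_t` is quoted in the body. For consistency with the subject and the other three domains, `mls_file_read_to_clearance(systemd_logind_t)` and `mls_file_write_to_clearance(systemd_logind_t)` are the expected rules; if logind genuinely needs to cross its clearance, the AVC showing that should be added to the `Fixes:` block.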
+++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch @@ -1,33 +1,36 @@ -From 628281e2e192269468cbe2c2818b6cab40975532 Mon Sep 17 00:00:00 2001 +From de58aa981e1c05ce06938704089c7c87c765add6 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted +Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted object We add the syslogd_t to trusted object, because other process need to have the right to connectto/sendto /dev/log. -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) + policy/modules/system/logging.te | 3 +++ + 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 07ed546d..a7b69932 100644 +index 3cab14381..caf319f04 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t) +@@ -491,6 +491,9 @@ fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories ++mls_socket_write_all_levels(syslogd_t) # Need to be able to sendto dgram +mls_trusted_object(syslogd_t) # Other process need to have the right to connectto/sendto /dev/log ++mls_fd_use_all_levels(syslogd_t) term_write_console(syslogd_t) # Allow syslog to a terminal -- -2.19.1 +2.25.1 
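Review bot: Two new rules, `mls_socket_write_all_levels(syslogd_t)` and `mls_fd_use_all_levels(syslogd_t)`, are added to the rebased 0049 patch, but the patch body still only explains the original `mls_trusted_object` rule, so the diffstat (`3 insertions`) and the description no longer agree. One sentence in the body naming the dgram-send and fd-inheritance denials that motivated them would keep the patch self-explaining. The surrounding lines carry trailing why-comments and the new `mls_fd_use_all_levels(syslogd_t)` does not; `mls_fd_use_all_levels(syslogd_t) # Inherit fds passed by processes at other levels` would match the local style, if that is indeed the reason.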
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch new file mode 100644 index 0000000..9089cb2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch @@ -0,0 +1,33 @@ +From a9ceec99a527007a91ba6685d0b86c327fbb6443 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Tue, 28 May 2019 16:41:37 +0800 +Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for + writing to keys at all levels + +Fixes: +type=AVC msg=audit(1559024138.454:31): avc: denied { link } for +pid=190 comm="(mkdir)" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 +tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=key permissive=1 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index be9c75155..458906ac5 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t) + mls_process_write_all_levels(init_t) + mls_fd_use_all_levels(init_t) + mls_process_set_level(init_t) ++mls_key_write_all_levels(init_t) + + # MLS trusted for lowering/raising the level of files + mls_file_downgrade(init_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch new file mode 100644 index 0000000..687e1c9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch 
@@ -0,0 +1,40 @@
+From 980d9d3f3c3e1e3517971715c351ec7b747105d0 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 3 Feb 2016 04:16:06 -0500
+Subject: [PATCH] policy/modules/system/init: all init_t to read any level
+ sockets
+
+Fixes:
+ avc: denied { listen } for pid=1 comm="systemd" \
+ path="/run/systemd/journal/stdout" \
+ scontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+ systemd[1]: Failded to listen on Journal Socket
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 458906ac5..c2380d8b4 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t)
+ mls_file_downgrade(init_t)
+ mls_file_upgrade(init_t)
+ 
++# MLS trusted for reading from sockets at any level
++mls_socket_read_all_levels(init_t)
++
+ # the following one is needed for libselinux:is_selinux_enabled()
+ # otherwise the call fails and sysvinit tries to load the policy
+ # again when using the initramfs
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch
new file mode 100644
index 0000000..64a1dfc
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch
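Review bot: The Subject line reads `all init_t to read any level sockets`; the verb should be `allow`, and the generated file name `0051-policy-modules-system-init-all-init_t-to-read-any-le.patch` carries the same typo, so fixing only the subject leaves the two out of step. Since refpolicy_common.inc lists the file by that name, either keep the wording consistently or rename in both places, e.g. `Subject: [PATCH] policy/modules/system/init: allow init_t to read any level`. The rule itself is commented in the .te (`# MLS trusted for reading from sockets at any level`), which is the style the other new patches in this series would benefit from.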
@@ -0,0 +1,39 @@
+From 2b64eabf0cf8982bbb3c537e84fc3a99085858d3 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 25 Feb 2016 04:25:08 -0500
+Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket
+ at any level
+
+Allow auditd_t to write init_t:unix_stream_socket at any level.
+
+Fixes:
+ avc: denied { write } for pid=748 comm="auditd" \
+ path="socket:[17371]" dev="sockfs" ino=17371 \
+ scontext=system_u:system_r:auditd_t:s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=unix_stream_socket permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index caf319f04..25e1d1397 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -235,6 +235,8 @@ miscfiles_read_localization(auditd_t)
+ 
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
++mls_socket_write_all_levels(auditd_t)
+ 
+ seutil_dontaudit_read_config(auditd_t)
+ 
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
new file mode 100644
index 0000000..4f3253d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
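Review bot: The quoted AVC is a `write` on init_t's `unix_stream_socket`, which `mls_socket_write_all_levels(auditd_t)` addresses, but the first added line, `mls_fd_use_all_levels(auditd_t)`, is explained neither by that denial nor by the commit message. If it clears a separate `fd { use }` denial, that AVC belongs under Fixes: too; if it was added speculatively it should be dropped, since every mls_*_all_levels rule widens what auditd_t may do across levels. A trailing comment on the line, in the style of the neighbouring `mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory`, would also do.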
@@ -0,0 +1,31 @@
+From 35351cd7cb07622b5e43254b95d7801a5669358d Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 31 Oct 2019 17:35:59 +0800
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+ writing to keys at all levels.
+
+Fixes:
+systemd-udevd[216]: regulatory.0: Process '/usr/sbin/crda' failed with exit code 254.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index b4b089823..5835d28b2 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -384,6 +384,7 @@ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=667370
+ mls_file_downgrade(kernel_t)
++mls_key_write_all_levels(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
new file mode 100644
index 0000000..5118ef8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch
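Review bot: The Fixes: block quotes only the udev message that `/usr/sbin/crda` exited with code 254, not the AVC denial that `mls_key_write_all_levels(kernel_t)` is meant to clear, so a reader cannot tell which key operation at which level was refused or whether a narrower rule would do. I'd add the avc line (class `key`, the denied permission, and the source and target contexts) to the commit message, and a short comment above the rule in kernel.te, in the style of the `# https://bugzilla.redhat.com/show_bug.cgi?id=667370` line that precedes `mls_file_downgrade(kernel_t)` in the same hunk.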
@@ -0,0 +1,30 @@
+From 6d6e2d34ec63771a01ef258c98f1ad49efdc2f67 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Sat, 22 Feb 2014 13:35:38 +0800
+Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any
+ level
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/setrans.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
+index 12e66aad9..5510f7fac 100644
+--- a/policy/modules/system/setrans.te
++++ b/policy/modules/system/setrans.te
+@@ -69,6 +69,8 @@ mls_net_receive_all_levels(setrans_t)
+ mls_socket_write_all_levels(setrans_t)
+ mls_process_read_all_levels(setrans_t)
+ mls_socket_read_all_levels(setrans_t)
++mls_fd_use_all_levels(setrans_t)
++mls_trusted_object(setrans_t)
+ 
+ selinux_compute_access_vector(setrans_t)
+ 
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
new file mode 100644
index 0000000..3e75257
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
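Review bot: The Subject covers only `mls_fd_use_all_levels(setrans_t)`; the second added line, `mls_trusted_object(setrans_t)`, makes setrans_t itself an MLS-trusted object and is mentioned nowhere in the patch, which also has no Fixes: block at all. Both rules relax MLS checks on a daemon that other domains talk to, so I'd quote the AVC denial each one resolves in the commit message and widen the subject to `allow setrans_t use fd at any level and be an MLS trusted object`. A one-line comment above each rule in setrans.te would carry that rationale into the policy tree.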
@@ -0,0 +1,42 @@
+From 3d5751659380eb04b63f8fc1e6113132dd1310d7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 22 Feb 2021 11:28:12 +0800
+Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
+ for writing/reading from files at all levels
+
+Fixes:
+avc: denied { search } for pid=1148 comm="systemd" name="journal"
+dev="tmpfs" ino=206
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc: denied { write } for pid=1148 comm="systemd" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index d7219dc37..7717e0034 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -226,6 +226,9 @@ template(`systemd_role_template',`
+ xdg_read_config_files($1_systemd_t)
+ xdg_read_data_files($1_systemd_t)
+ ')
++
++ mls_file_read_all_levels($1_systemd_t)
++ mls_file_write_all_levels($1_systemd_t)
+ ')
+ 
+ ######################################
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
new file mode 100644
index 0000000..d07fa91
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
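Review bot: The two rules are added inside `systemd_role_template`, so every role that instantiates the template gets a `$1_systemd_t` that may read and write files at all MLS levels, while both quoted denials are for `sysadm_systemd_t` only. If unprivileged roles also go through this template, this is a broader grant than the `*_systemd_t` wording of the subject makes obvious; I'd either apply the two calls to sysadm_systemd_t where the sysadm role is set up, or put a comment above them stating that the exemption is intended for every role's systemd instance. Either way the comment should name the journal `search` and `kmsg` `write` denials so the grant can be re-evaluated later.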
@@ -0,0 +1,48 @@
+From 2476910f6d7f116148bb9311498b5c98692c1ef3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 17:31:45 +0800
+Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
+ trusted.
+
+Make syslogd_runtime_t MLS trusted to allow all levels to read and write
+the object.
+
+Fixes:
+avc: denied { search } for pid=314 comm="useradd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=319 comm="passwd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+avc: denied { search } for pid=374 comm="rpc.statd" name="journal"
+dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 25e1d1397..ba0fd10e0 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+ 
++mls_trusted_object(syslogd_runtime_t)
++
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc b/recipes-security/refpolicy/refpolicy_2.20190201.inc
deleted file mode 100644
index 822c0f3..0000000
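Review bot: All three quoted AVCs are `search` on a `dir` labelled syslogd_runtime_t, a read-side MLS check, but `mls_trusted_object(syslogd_runtime_t)` lifts the write-side constraint on that type as well, which the commit message acknowledges with "read and write". If clients at other levels also need to write under that directory, that denial should be quoted too; otherwise a comment above the rule should say that write from any level is an accepted consequence rather than the goal, e.g. `# MLS trusted object: domains at any level search/write the journal dir (see 0056)`. The third AVC names `syslogd_var_run_t`, presumably the pre-rename alias of the same type, which is worth a note so nobody looks for a second type to exempt.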
--- a/recipes-security/refpolicy/refpolicy_2.20190201.inc
+++ /dev/null
@@ -1,7 +0,0 @@
-SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2"
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
-
-include refpolicy_common.inc
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..6ea1fc2 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,91 +1,113 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
 SECTION = "admin"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-PROVIDES += "virtual/refpolicy"
-RPROVIDES_${PN} += "refpolicy"
+PROVIDES = "virtual/refpolicy"
+RPROVIDES:${PN} = "refpolicy"
 # Specific config files for Poky
-SRC_URI += "file://customizable_types \
- file://setrans-mls.conf \
- file://setrans-mcs.conf \
- "
+SRC_URI += "file://customizable_types \
+ file://setrans-mls.conf \
+ file://setrans-mcs.conf \
+ "
 # Base patches applied to all Yocto-based platforms. Your own version of
 # refpolicy should provide a version of these and place them in your own
 # refpolicy-${PV} directory.
 SRC_URI += " \
- file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
- file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
- file://0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch \
- file://0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
- file://0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
- file://0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
- file://0007-fc-login-apply-login-context-to-login.shadow.patch \
- file://0008-fc-bind-fix-real-path-for-bind.patch \
- file://0009-fc-hwclock-add-hwclock-alternatives.patch \
- file://0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
- file://0011-fc-ssh-apply-policy-to-ssh-alternatives.patch \
- file://0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch \
- file://0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch \
- file://0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
- file://0015-fc-su-apply-policy-to-su-alternatives.patch \
- file://0016-fc-fstools-fix-real-path-for-fstools.patch \
- file://0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch \
- file://0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch \
- file://0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch \
- file://0020-policy-module-logging-add-domain-rules-for-the-subdi.patch \
- file://0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch \
- file://0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch \
- file://0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch \
- file://0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch \
- file://0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch \
- file://0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch \
- file://0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch \
- file://0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch \
- file://0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch \
- file://0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch \
- file://0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch \
- file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
- file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
- file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
- "
+ file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
+ file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
+ file://0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
+ file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
+ file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
+ file://0006-fc-login-apply-login-context-to-login.shadow.patch \
+ file://0007-fc-hwclock-add-hwclock-alternatives.patch \
+ file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
+ file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
+ file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
+ file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
+ file://0012-fc-su-apply-policy-to-su-alternatives.patch \
+ file://0013-fc-fstools-fix-real-path-for-fstools.patch \
+ file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \
+ file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \
+ file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
+ file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
+ file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
+ file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
+ file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \
+ file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
+ file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \
+ file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
+ file://0024-fc-getty-add-file-context-to-start_getty.patch \
+ file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \
+ file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
+ file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \
+ file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \
+ file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \
+ file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
+ file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
+ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
+ file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+ file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
+ file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
+ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
+ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
+ file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
+ file://0040-policy-modules-system-systemd-allow-systemd-logind-t.patch \
+ file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+ file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+ file://0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+ file://0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+ file://0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+ file://0048-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+ file://0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+ file://0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+ file://0051-policy-modules-system-init-all-init_t-to-read-any-le.patch \
+ file://0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
+ file://0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
+ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
+ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ "
 S = "${WORKDIR}/refpolicy"
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
-FILES_${PN} += " \
- ${sysconfdir}/selinux/${POLICY_NAME}/ \
- ${datadir}/selinux/${POLICY_NAME}/*.pp \
- ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
- "
-FILES_${PN}-dev =+ " \
- ${datadir}/selinux/${POLICY_NAME}/include/ \
- ${sysconfdir}/selinux/sepolgen.conf \
-"
+CONFFILES:${PN} = "${sysconfdir}/selinux/config"
+FILES:${PN} += " \
+ ${sysconfdir}/selinux/${POLICY_NAME}/ \
+ ${datadir}/selinux/${POLICY_NAME}/*.pp \
+ ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+ "
+FILES:${PN}-dev =+ " \
+ ${datadir}/selinux/${POLICY_NAME}/include/ \
+ ${sysconfdir}/selinux/sepolgen.conf \
+ "
 EXTRANATIVEPATH += "bzip2-native"
-DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
-RDEPENDS_${PN}-dev =+ " \
- python \
-"
+RDEPENDS:${PN}-dev = " \
+ python3-core \
+ "
 PACKAGE_ARCH = "${MACHINE_ARCH}"
-inherit pythonnative
+inherit python3native
 PARALLEL_MAKE = ""
+DEFAULT_ENFORCING ??= "enforcing"
+
 POLICY_NAME ?= "${POLICY_TYPE}"
-POLICY_DISTRO ?= "redhat"
+POLICY_DISTRO ?= "debian"
 POLICY_UBAC ?= "n"
 POLICY_UNK_PERMS ?= "allow"
-POLICY_DIRECT_INITRC ?= "n"
+POLICY_DIRECT_INITRC ?= "y"
 POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}"
 POLICY_MONOLITHIC ?= "n"
 POLICY_CUSTOM_BUILDOPT ?= ""
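Review bot: `PROVIDES`, `RPROVIDES:${PN}`, `CONFFILES:${PN}` and `DEPENDS` switch from `+=` to plain `=` in this .inc, which refpolicy_git.inc pulls in with `include refpolicy_common.inc` as its last line; any value a recipe sets before that include is now silently overwritten where the old `+=` merged it. If the intent is that this file owns those variables, a comment saying so would stop the next person from restoring `+=` for one of them. Separately, `POLICY_DIRECT_INITRC ?= "y"` and `POLICY_DISTRO ?= "debian"` flip defaults that go straight into the refpolicy build via EXTRA_OEMAKE in the next hunk; as I recall refpolicy's build.conf, DIRECT_INITRC=y lets the admin domain run init scripts without going through run_init and is described there as the less secure choice, so the reason for changing the default belongs in a comment next to the line.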
@@ -94,73 +116,83 @@ POLICY_MLS_SENS ?= "16"
 POLICY_MLS_CATS ?= "1024"
 POLICY_MCS_CATS ?= "1024"
-EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
- TYPE=${POLICY_TYPE} \
- DISTRO=${POLICY_DISTRO} \
- UBAC=${POLICY_UBAC} \
- UNK_PERMS=${POLICY_UNK_PERMS} \
- DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
- SYSTEMD=${POLICY_SYSTEMD} \
- MONOLITHIC=${POLICY_MONOLITHIC} \
- CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
- QUIET=${POLICY_QUIET} \
- MLS_SENS=${POLICY_MLS_SENS} \
- MLS_CATS=${POLICY_MLS_CATS} \
- MCS_CATS=${POLICY_MCS_CATS}"
+EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
+ TYPE=${POLICY_TYPE} \
+ DISTRO=${POLICY_DISTRO} \
+ UBAC=${POLICY_UBAC} \
+ UNK_PERMS=${POLICY_UNK_PERMS} \
+ DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+ SYSTEMD=${POLICY_SYSTEMD} \
+ MONOLITHIC=${POLICY_MONOLITHIC} \
+ CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+ QUIET=${POLICY_QUIET} \
+ MLS_SENS=${POLICY_MLS_SENS} \
+ MLS_CATS=${POLICY_MLS_CATS} \
+ MCS_CATS=${POLICY_MCS_CATS}"
 EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
 EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
 EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
-python __anonymous () {
+python __anonymous() {
 import re
- # make sure DEFAULT_ENFORCING is something sane
+ # Make sure DEFAULT_ENFORCING is something sane
 if not re.match('^(enforcing|permissive|disabled)$',
- d.getVar('DEFAULT_ENFORCING', True),
+ d.getVar('DEFAULT_ENFORCING'),
 flags=0):
 d.setVar('DEFAULT_ENFORCING', 'permissive')
 }
+disable_policy_modules() {
+ for module in ${PURGE_POLICY_MODULES} ; do
+ sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+ done
+}
+
 do_compile() {
- oe_runmake conf
- oe_runmake policy
+ if [ -f "${WORKDIR}/modules.conf" ] ; then
+ cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+ fi
+ oe_runmake conf
+ disable_policy_modules
+ oe_runmake policy
 }
-prepare_policy_store () {
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
- POL_PRIORITY=100
- POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
- POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
- POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-
- # Prepare to create policy store
- mkdir -p ${POL_STORE}
- mkdir -p ${POL_ACTIVE_MODS}
-
- # get hll type from suffix on base policy module
- HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
- HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-
- for i in ${POL_SRC}/*.${HLL_TYPE}; do
- MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
- MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
- mkdir -p ${MOD_DIR}
- echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
- if ! bzip2 -t $i >/dev/null 2>&1; then
- ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
- bzip2 -f $i && mv -f $i.bz2 $i
- else
- bunzip2 --stdout $i | \
- ${HLL_BIN} | \
- bzip2 --stdout > ${MOD_DIR}/cil
- fi
- cp $i ${MOD_DIR}/hll
- done
+prepare_policy_store() {
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+
+ # Prepare to create policy store
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
+
+ # Get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+ for i in ${POL_SRC}/*.${HLL_TYPE}; do
+ MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+ MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ if ! bzip2 -t $i >/dev/null 2>&1; then
+ ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f $i && mv -f $i.bz2 $i
+ else
+ bunzip2 --stdout $i | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp $i ${MOD_DIR}/hll
+ done
 }
-rebuild_policy () {
- cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+rebuild_policy() {
+ cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
 module-store = direct
 [setfiles]
 path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
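Review bot: `disable_policy_modules` silently does nothing for a name in `PURGE_POLICY_MODULES` that does not occur in modules.conf — the `sed` simply matches no line — so a misspelt module stays enabled and the build still succeeds. I'd fail loudly before the `sed`: `grep -q "^${module} *=" ${S}/policy/modules.conf || bbfatal "PURGE_POLICY_MODULES: '${module}' not found in modules.conf"`. Since `do_compile` copies a user-supplied `${WORKDIR}/modules.conf` over the generated one first, the check also catches a purge list that has gone stale against that override; `rebuild_policy` continues in the next hunk.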
@@ -171,32 +203,32 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
 args = \$@
 [end]
-policy-version = 30
+policy-version = 33
 EOF
- # Create policy store and build the policy
- semodule -p ${D} -s ${POLICY_NAME} -n -B
- rm -f ${D}${sysconfdir}/selinux/semanage.conf
- # no need to leave final dir created by semanage laying around
- rm -rf ${D}${localstatedir}/lib/selinux/final
+ # Create policy store and build the policy
+ semodule -p ${D} -s ${POLICY_NAME} -n -B
+ rm -f ${D}${sysconfdir}/selinux/semanage.conf
+ # No need to leave final dir created by semanage laying around
+ rm -rf ${D}${localstatedir}/lib/selinux/final
 }
-install_misc_files () {
- cat ${WORKDIR}/customizable_types >> \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+install_misc_files() {
+ cat ${WORKDIR}/customizable_types >> \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
- # install setrans.conf for mls/mcs policy
- if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
- install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
- fi
+ # Install setrans.conf for mls/mcs policy
+ if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+ install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+ fi
- # install policy headers
- oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+ # Install policy headers
+ oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
 }
-install_config () {
- echo "\
+install_config() {
+ echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 # enforcing - SELinux security policy is enforced.
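Review bot: `policy-version = 33` is a second, hand-maintained copy of the policy version, while EXTRA_OEMAKE in the previous hunk derives `OUTPUT_POLICY` from `checkpolicy -V`; the two will drift the next time checkpolicy-native is bumped (this same commit moves it to 3.6 further down), and the store built by `semodule -n -B` presumably needs to agree with the compiler that produced the modules. Since the here-doc is unquoted (`\$@` is escaped for exactly that reason), the value can be computed in place: `policy-version = $(${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1)`. `rebuild_policy` starts in the previous hunk.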
@@ -211,22 +243,22 @@ SELINUX=${DEFAULT_ENFORCING}
 # mcs - Multi Category Security protection.
 SELINUXTYPE=${POLICY_NAME}
 " > ${WORKDIR}/config
- install -d ${D}/${sysconfdir}/selinux
- install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+ install -d ${D}/${sysconfdir}/selinux
+ install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
 }
-do_install () {
- prepare_policy_store
- rebuild_policy
- install_misc_files
- install_config
+do_install() {
+ prepare_policy_store
+ rebuild_policy
+ install_misc_files
+ install_config
 }
-do_install_append(){
- # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
- echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+do_install:append() {
+ # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+ echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
 }
-sysroot_stage_all_append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+sysroot_stage_all:append() {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
 }
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 8aeaf27..322c277 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -1,9 +1,11 @@
-PV = "2.20190201+git${SRCPV}"
+PV = "2.20240226+git"
-SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
+SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"
+SRCREV_refpolicy ?= "6507eebc238b4495b1e0d3baa2bc0bb737f9819a"
-FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/refpolicy:"
 include refpolicy_common.inc
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
index 9520f6e..3c2a576 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.service
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.service
@@ -8,4 +8,4 @@ Type=oneshot
 ExecStart=/usr/bin/selinux-autorelabel.sh
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux-scripts/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
-if ! test -x ${FIXFILES}; then
- echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+ test -x $i && continue
+ echo "$i is missing in the system."
 echo "Please add \"selinux=0\" in the kernel command line to disable SELinux."
 exit 1
-fi
+done
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ ${SETENFORCE} 0
 ${FIXFILES} -F -f relabel
 /bin/rm -f /.autorelabel
 echo " * Relabel done, rebooting the system."
diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
index 4eb2b4e..9fd066c 100644
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux-scripts/selinux-autorelabel_0.1.bb
@@ -7,7 +7,7 @@ file is present.\
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-${PN}_RDEPENDS = " \
+RDEPENDS:${PN} = " \
 policycoreutils-setfiles \
 "
@@ -18,3 +18,9 @@ SRC_URI = "file://${BPN}.sh \
 INITSCRIPT_PARAMS = "start 01 S ."
 require selinux-initsh.inc
+
+do_install:append() {
+ if ${@bb.utils.contains('FIRST_BOOT_RELABEL', '1', 'true', 'false', d)}; then
+ echo "# first boot relabelling" > ${D}/.autorelabel
+ fi
+}
diff --git a/recipes-security/selinux/selinux-init/selinux-init.service b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
index 49c6d98..91b3e72 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.service
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.service
@@ -9,4 +9,4 @@ Type=oneshot
 ExecStart=/usr/bin/selinux-init.sh
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
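Review bot: `${SETENFORCE} 0` drops the whole system to permissive before the relabel, and nothing in this hunk restores enforcing or checks that `${FIXFILES} -F -f relabel` succeeded; `/bin/rm -f /.autorelabel` then runs unconditionally, so a failed relabel loses its retry marker and the box stays permissive until the reboot the following message announces (the reboot itself is outside the hunk). I'd keep the marker and go back to enforcing on failure so the next boot retries: `${FIXFILES} -F -f relabel || { echo " * Relabel failed, keeping /.autorelabel for retry."; ${SETENFORCE} 1; exit 1; }` in place of the bare `${FIXFILES}` line. A comment on the `${SETENFORCE} 0` line saying why permissive mode is needed during the relabel would also help the next reader.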
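Review bot: The script in the hunk above now requires `/usr/sbin/setenforce` (it refuses to run without it), but `RDEPENDS:${PN}` here still lists only `policycoreutils-setfiles`, so the package that ships setenforce is not pulled in and the runtime check is what surfaces the gap. selinux-init_0.1.bb in this same commit lists `libselinux-bin` next to `policycoreutils-setfiles` for a script that uses the same `${SETENFORCE}`; assuming that is where setenforce comes from, add `libselinux-bin \` to this list.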
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
index ead4f00..f93d231 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh
@@ -33,18 +33,6 @@ check_rootfs()
 /sbin/shutdown -f -h now
 }
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
- echo "Checking SELinux security contexts:"
- check_rootfs
- echo " * First booting, filesystem will be relabeled..."
- test -x /etc/init.d/auditd && /etc/init.d/auditd start
- ${SETENFORCE} 0
- ${RESTORECON} -RF /
- ${RESTORECON} -F /
- echo " * Relabel done, rebooting the system."
- /sbin/reboot
-fi
+# sysvinit firstboot relabel placeholder HERE
 exit 0
diff --git a/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 0000000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+ echo "Checking SELinux security contexts:"
+ check_rootfs
+ echo " * First booting, filesystem will be relabeled..."
+ test -x /etc/init.d/auditd && /etc/init.d/auditd start
+ ${SETENFORCE} 0
+ ${RESTORECON} -RF /
+ ${RESTORECON} -F /
+ echo " * Relabel done, rebooting the system."
+ /sbin/reboot
+fi
diff --git a/recipes-security/selinux/selinux-init_0.1.bb b/recipes-security/selinux-scripts/selinux-init_0.1.bb
index 38b5900..c97316e 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux-scripts/selinux-init_0.1.bb
@@ -7,16 +7,18 @@ boot time. \
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-${PN}_RDEPENDS = " \
+RDEPENDS:${PN} = " \
 coreutils \
 libselinux-bin \
 policycoreutils-secon \
 policycoreutils-setfiles \
 "
-SRC_URI = "file://${BPN}.sh \
- file://${BPN}.service \
- "
+SRC_URI = " \
+ file://${BPN}.sh \
+ file://${BPN}.sh.sysvinit \
+ file://${BPN}.service \
+"
 INITSCRIPT_PARAMS = "start 01 S ."
diff --git a/recipes-security/selinux-scripts/selinux-initsh.inc b/recipes-security/selinux-scripts/selinux-initsh.inc
new file mode 100644
index 0000000..f6a3d85
--- /dev/null
+++ b/recipes-security/selinux-scripts/selinux-initsh.inc
@@ -0,0 +1,41 @@
+S ?= "${WORKDIR}"
+SECTION ?= "base"
+
+# Default is for script name to be the same as the recipe name.
+# Script must have .sh suffix.
+SELINUX_SCRIPT_SRC ?= "${BPN}"
+SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}"
+
+INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}"
+INITSCRIPT_PARAMS ?= "start 00 S ."
+
+CONFFILES:${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}"
+
+PACKAGE_ARCH ?= "${MACHINE_ARCH}"
+
+inherit update-rc.d systemd
+
+SYSTEMD_SERVICE:${PN} = "${SELINUX_SCRIPT_SRC}.service"
+
+FILES:${PN} += "/.autorelabel"
+
+do_install () {
+ install -d ${D}${sysconfdir}/init.d/
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+ # Insert the relabelling code which is only needed with sysvinit
+ sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+ -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ fi
+}
+
+sysroot_stage_all:append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
index d45ecbc..96142a3 100644
--- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.service
+++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.service
@@ -8,4 +8,4 @@ Type=oneshot
 ExecStart=/usr/bin/selinux-labeldev.sh
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
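Review bot: The `sed -e '/HERE/r …sh.sysvinit'` in do_install of the new selinux-initsh.inc silently does nothing when the fragment file is absent (GNU sed ignores an unreadable file for `r`), and the following `/.*HERE$/d` then strips the marker, so a recipe that uses this .inc without shipping a `.sh.sysvinit` gets an init script with no relabel step and no build-time signal. Make the splice explicit, e.g. `[ -r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit ] || bbfatal "missing ${SELINUX_SCRIPT_SRC}.sh.sysvinit"`, or wrap the sed in an `if [ -r … ]` when the fragment is meant to be optional. The patterns are also wider than the marker: `/HERE/` matches any line containing that substring and `/.*Contents.*sysvinit/d` deletes any matching line anywhere in the script, so anchoring them to the exact marker text (`'/placeholder HERE$/r …'`) would be safer. The marker contract is undocumented; a comment above do_install along the lines of `# The .sh script must carry a line ending in "HERE": the sysvinit-only relabel fragment replaces it in the init.d copy and it is dropped from the systemd copy.` would save the next reader the lookup.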
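Review bot: Switching selinux-labeldev.service to `WantedBy=sysinit.target` only changes which target pulls the unit in; unless the [Unit] section (outside this hunk) sets `DefaultDependencies=no` and `Before=sysinit.target`, the implicit `After=sysinit.target` that systemd adds to services with default dependencies means the unit still runs after sysinit.target is reached, so the intended earlier ordering may not take effect. Worth confirming with `systemd-analyze critical-chain selinux-labeldev.service` on a built image and recording the intended ordering in a comment in the unit.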
diff --git a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh index 62e7a42..62e7a42 100644 --- a/recipes-security/selinux/selinux-labeldev/selinux-labeldev.sh +++ b/recipes-security/selinux-scripts/selinux-labeldev/selinux-labeldev.sh diff --git a/recipes-security/selinux/selinux-labeldev_0.1.bb b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb index 8eb5db4..d29efec 100644 --- a/recipes-security/selinux/selinux-labeldev_0.1.bb +++ b/recipes-security/selinux-scripts/selinux-labeldev_0.1.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Set SELinux labels for /dev." LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -${PN}_RDEPENDS = " \ +RDEPENDS:${PN} = " \ coreutils \ libselinux-bin \ policycoreutils-setfiles \ diff --git a/recipes-security/selinux/checkpolicy_2.8.bb b/recipes-security/selinux/checkpolicy_2.8.bb deleted file mode 100644 index 05e738e..0000000 --- a/recipes-security/selinux/checkpolicy_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f" -SRC_URI[sha256sum] = "9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8" diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy_3.6.bb index 1d84ebb..60f506d 100644 --- a/recipes-security/selinux/checkpolicy.inc +++ b/recipes-security/selinux/checkpolicy_3.6.bb 
@@ -5,18 +5,19 @@ required for building policies. It uses libsepol to generate the \
 binary policy. checkpolicy uses the static libsepol since it deals \
 with low level details of the policy that have not been \
 encapsulated/abstracted by a proper shared library interface."
-
 SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
-DEPENDS += "libsepol bison-native flex-native"
+DEPENDS = "libsepol bison-native"
-EXTRA_OEMAKE += "LEX='flex'"
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+S = "${WORKDIR}/git/checkpolicy"
-do_install_append() {
- install test/dismod ${D}/${bindir}/sedismod
- install test/dispol ${D}/${bindir}/sedispol
+do_install:append() {
+ install test/dismod ${D}/${bindir}/sedismod
+ install test/dispol ${D}/${bindir}/sedispol
 }
 BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libselinux-python_3.6.bb b/recipes-security/selinux/libselinux-python_3.6.bb
new file mode 100644
index 0000000..3c5c489
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python_3.6.bb
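Review bot: The new `DEPENDS = "libsepol bison-native"` in checkpolicy_3.6.bb drops flex-native (and the `LEX='flex'` EXTRA_OEMAKE) although checkpolicy generates its policy scanner from policy_scan.l with lex at build time, so the build will fail unless the newly required selinux_common.inc, which is outside this hunk, provides flex-native itself. If it does, a short comment on the DEPENDS line such as `# bison-native/flex-native for the policy parser; flex comes via selinux_common.inc` makes that dependency visible here; if it does not, flex-native needs to come back.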
@@ -0,0 +1,57 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit python3targetconfig pkgconfig
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
+SRC_URI += "\
+ file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+ file://0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
+ file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \
+ "
+
+S = "${WORKDIR}/git/libselinux"
+
+DEPENDS = "libsepol libpcre2 swig-native python3-setuptools-scm-native"
+DEPENDS:append:libc-musl = " fts"
+
+RDEPENDS:${PN} = "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+ import re
+ target = d.getVar('TARGET_ARCH')
+ p = re.compile('i.86')
+ target = p.sub('i386',target)
+ return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE = "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES:${PN} = "${PYTHON_SITEPACKAGES_DIR}/*"
+INSANE_SKIP:${PN} = "dev-so"
+
+do_compile() {
+ oe_runmake pywrap -j1 \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+ oe_runmake install-pywrap \
+ DESTDIR=${D} \
+ PREFIX=${prefix}
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
+
+ # Fix buildpaths issue
+ sed -i -e 's,${WORKDIR},,g' \
+ ${D}${PYTHON_SITEPACKAGES_DIR}/selinux-${PV}.dist-info/direct_url.json
+}
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
deleted file mode 100644
index 6e115e3..0000000
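Review bot: In do_install of the new libselinux-python_3.6.bb the line `PREFIX=${prefix}` has no trailing backslash, so the shell ends the `oe_runmake install-pywrap` command there and executes `PYLIBVER=… PYTHONLIBDIR=…` on the next line as a bare variable assignment; make never receives PYLIBVER or PYTHONLIBDIR, and the install location falls back to whatever the Makefile computes, which the later `sed` on `${D}${PYTHON_SITEPACKAGES_DIR}/…/direct_url.json` does not account for. The fix is `PREFIX=${prefix} \`. Separately, `get_policyconfigarch` is repeated verbatim in the new libselinux_3.6.bb; hoisting it into the shared .inc keeps the two recipes from drifting.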
--- a/recipes-security/selinux/libselinux.inc +++ /dev/null @@ -1,44 +0,0 @@ -SUMMARY = "SELinux library and simple utilities" -DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \ -process and file security contexts and to obtain security policy \ -decisions. Required for any applications that use the SELinux API." -SECTION = "base" -LICENSE = "PD" - -inherit lib_package pythonnative - -DEPENDS += "libsepol python libpcre swig-native" -DEPENDS_append_libc-musl = " fts" -RDEPENDS_${PN}-python += "python-core python-shell" - -PACKAGES += "${PN}-python" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*" -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*" - -def get_policyconfigarch(d): - import re - target = d.getVar('TARGET_ARCH', True) - p = re.compile('i.86') - target = p.sub('i386',target) - return "ARCH=%s" % (target) -EXTRA_OEMAKE += "${@get_policyconfigarch(d)}" - -EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'" -EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts" - -do_compile_append() { - oe_runmake pywrap -j1 \ - INCLUDEDIR='${STAGING_INCDIR}' \ - LIBDIR='${STAGING_LIBDIR}' \ - PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}' -} - -do_install_append() { - oe_runmake install-pywrap swigify \ - PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages - if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then - rm -rf ${D}${base_sbindir} - fi -} - -BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch new file mode 100644 index 0000000..b307b6f --- /dev/null +++ b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch 
@@ -0,0 +1,28 @@ +From dff260851ccecf9723a6ddfce0103e09f3ba4613 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Mon, 13 Apr 2020 12:44:23 +0800 +Subject: [PATCH] Makefile: fix python modules install path for multilib + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile b/src/Makefile +index d3b981f..265f1be 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -191,7 +191,7 @@ install: all + ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) + + install-pywrap: pywrap +- CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) . ++ CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) . + install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py + ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) + +-- +2.25.1 + diff --git a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch deleted file mode 100644 index 46cfaaf..0000000 --- a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 37f3299e8f5c468fe692f36356c2c35f968b6aee Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Thu, 18 Feb 2016 02:39:16 +0000 -Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - src/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/Makefile b/src/Makefile -index 977b5c8..92a4289 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -156,6 +156,7 @@ $(LIBSO): $(LOBJS) - - $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ - - selinuxswig_python_exception.i: ../include/selinux/selinux.h - bash -e exception.sh > $@ || (rm -f $@ ; false) --- -2.7.4 - diff --git a/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch new file mode 100644 index 0000000..7ebe64f --- /dev/null +++ b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch 
@@ -0,0 +1,52 @@ +From 303d8dfe53fcd02ea5818f976369cdb629bc1114 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni <thomas.petazzoni@bootlin.com> +Date: Fri, 25 Oct 2019 13:37:14 +0200 +Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name + +PYCEXT is computed by asking the Python intrepreter what is the +file extension used for native Python modules. + +Unfortunately, when cross-compiling, the host Python doesn't give the +proper result: it gives the result matching the build machine, and not +the target machine. Due to this, the symlink has an incorrect name, +and doesn't point to the .so file that was actually built/installed. + +To address this and keep things simple, this patch just changes the ln +invocation to rely on the name of the _selinux*.so Python module that +was installed. + +[Upstream: https://github.com/SELinuxProject/selinux/pull/184] +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> + +Upstream-Status: Denied [https://patchwork.kernel.org/patch/11212405/] + +[Refreshed for 3.0] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/Makefile | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index 265f1be..47e51d6 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include + PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) + PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) + PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") +-PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])') + RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') + RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') 
+ RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') +@@ -193,7 +192,7 @@ install: all + install-pywrap: pywrap + CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) . + install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py +- ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) ++ ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/ + + install-rubywrap: rubywrap + test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) +-- +2.25.1 + diff --git a/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch new file mode 100644 index 0000000..0cd8f20 --- /dev/null +++ b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch 
@@ -0,0 +1,40 @@ +From 6c2af45ec8cff9b282d599dc098db0ca127bdc59 Mon Sep 17 00:00:00 2001 +From: Renato Caldas <renato@calgera.com> +Date: Thu, 29 Jun 2023 13:59:11 +0100 +Subject: [PATCH] libselinux: restore: drop the obsolete LSF transitional API. + +The preferred way to enable LSF support on 32 bit systems is to define +_FILE_OFFSET_BITS=64 when building selinux. + +Upstream-Status: Submitted [https://github.com/SELinuxProject/selinux/pull/401] + +Signed-off-by: Renato Caldas <renato@calgera.com> +--- + src/selinux_restorecon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c +index 38f10f1..5b3d035 100644 +--- a/src/selinux_restorecon.c ++++ b/src/selinux_restorecon.c +@@ -436,7 +436,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, + file_spec_t *prevfl, *fl; + uint32_t h; + int ret; +- struct stat64 sb; ++ struct stat sb; + + __pthread_mutex_lock(&fl_mutex); + +@@ -450,7 +450,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, + for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; + prevfl = fl, fl = fl->next) { + if (ino == fl->ino) { +- ret = lstat64(fl->file, &sb); ++ ret = lstat(fl->file, &sb); + if (ret < 0 || sb.st_ino != ino) { + freecon(fl->con); + free(fl->file); +-- +2.25.1 + diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch deleted file mode 100644 index ad18cf5..0000000 --- a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From d0aaf391ab30b253aa22ef6547a039bcac840fc6 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe.macdonald@windriver.com> -Date: Tue, 15 Oct 2013 10:14:41 -0400 -Subject: [PATCH] libselinux: define FD_CLOEXEC as necessary - -In truly old systems, even FD_CLOEXEC may not be defined. Produce a -warning and duplicate the #define for FD_CLOEXEC found in -asm-generic/fcntl.h on more modern platforms. - -Uptream-Status: Inappropriate - -Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> - ---- - src/setrans_client.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/setrans_client.c b/src/setrans_client.c -index fa188a8..a94f02c 100644 ---- a/src/setrans_client.c -+++ b/src/setrans_client.c -@@ -39,6 +39,11 @@ static pthread_key_t destructor_key; - static int destructor_key_initialized = 0; - static __thread char destructor_initialized; - -+#ifndef FD_CLOEXEC -+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors -+#define FD_CLOEXEC 1 -+#endif -+ - /* - * setransd_open - * diff --git a/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch b/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch deleted file mode 100644 index d58e4eb..0000000 --- a/recipes-security/selinux/libselinux/libselinux-drop-Wno-unused-but-set-variable.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 865b8c40b331235ce2c9df1fcbbb3876c9b79338 Mon Sep 17 00:00:00 2001 -From: Randy MacLeod <Randy.MacLeod@windriver.com> -Date: Tue, 30 Apr 2013 17:28:34 -0400 -Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable - -Upstream status: inappropriate (older compilers only). - -Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> - ---- - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile b/src/Makefile -index 2408fae..a89c0f7 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -96,7 +96,7 @@ PCRE_LDLIBS ?= -lpcre - - override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) - --SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -+SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-parameter \ - -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations - - RANLIB ?= ranlib diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch deleted file mode 100644 index 6394bf0..0000000 --- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 802d224953294463fa9bc793e46f664ecfea057a Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe.macdonald@windriver.com> -Date: Fri, 11 Oct 2013 09:56:25 -0400 -Subject: [PATCH] libselinux: make O_CLOEXEC optional - -Various commits in the selinux tree in the current release added O_CLOEXEC -to open() calls in an attempt to address file descriptor leaks as -described: - - http://danwalsh.livejournal.com/53603.html - -However O_CLOEXEC isn't available on all platforms, so make it a -compile-time option and generate a warning when it is not available. The -actual impact of leaking these file descriptors is minimal, though it does -produce curious AVC Denied messages. - -Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] - -Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> - ---- - src/procattr.c | 16 ++++++++++++++-- - src/sestatus.c | 8 +++++++- - src/stringrep.c | 8 +++++++- - 3 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/src/procattr.c b/src/procattr.c -index 48dd8af..8bf8432 100644 ---- a/src/procattr.c -+++ b/src/procattr.c -@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags) - rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); - if (rc < 0) - return -1; -- fd = open(path, flags | O_CLOEXEC); -+ fd = open(path, flags -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd >= 0 || errno != ENOENT) - goto out; - free(path); -@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags) - if (rc < 0) - return -1; - -- fd = open(path, flags | O_CLOEXEC); -+ fd = open(path, flags -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - out: - free(path); - return fd; -diff --git a/src/sestatus.c 
b/src/sestatus.c -index ed29dc5..0cb15b6 100644 ---- a/src/sestatus.c -+++ b/src/sestatus.c -@@ -268,7 +268,13 @@ int selinux_status_open(int fallback) - return -1; - - snprintf(path, sizeof(path), "%s/status", selinux_mnt); -- fd = open(path, O_RDONLY | O_CLOEXEC); -+ fd = open(path, O_RDONLY -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd < 0) - goto error; - -diff --git a/src/stringrep.c b/src/stringrep.c -index 2d83f96..17e9232 100644 ---- a/src/stringrep.c -+++ b/src/stringrep.c -@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s) - struct stat m; - - snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); -- fd = open(path, O_RDONLY | O_CLOEXEC); -+ fd = open(path, O_RDONLY -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd < 0) - goto err4; - diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch deleted file mode 100644 index febced7..0000000 --- a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From e630805d15a3b8d09330353f87a7e4a9fcc9998a Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe.macdonald@windriver.com> -Date: Tue, 15 Oct 2013 10:07:43 -0400 -Subject: [PATCH] libselinux: make SOCK_CLOEXEC optional - -libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC -before using it, however libselinux/src/avc_internal.c does not. Since -SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older -platforms, we need to ensure we protect the references it it in the same -way. - -Uptream-Status: Inappropriate - -Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> - ---- - src/avc_internal.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/avc_internal.c b/src/avc_internal.c -index 49cecc9..148cc83 100644 ---- a/src/avc_internal.c -+++ b/src/avc_internal.c -@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking) - int len, rc = 0; - struct sockaddr_nl addr; - -- fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); -+ fd = socket(PF_NETLINK, SOCK_RAW -+#ifdef SOCK_CLOEXEC -+ | SOCK_CLOEXEC -+#else -+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ , NETLINK_SELINUX); - if (fd < 0) { - rc = fd; - goto out; diff --git a/recipes-security/selinux/libselinux_2.8.bb b/recipes-security/selinux/libselinux_2.8.bb deleted file mode 100644 index 5de4607..0000000 --- a/recipes-security/selinux/libselinux_2.8.bb +++ /dev/null 
@@ -1,15 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" - -SRC_URI[md5sum] = "56057e60192b21122c1aede8ff723ca2" -SRC_URI[sha256sum] = "31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1" - -SRC_URI += "\ - file://libselinux-drop-Wno-unused-but-set-variable.patch \ - file://libselinux-make-O_CLOEXEC-optional.patch \ - file://libselinux-make-SOCK_CLOEXEC-optional.patch \ - file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ - file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \ - " diff --git a/recipes-security/selinux/libselinux_3.6.bb b/recipes-security/selinux/libselinux_3.6.bb new file mode 100644 index 0000000..b0dcde6 --- /dev/null +++ b/recipes-security/selinux/libselinux_3.6.bb @@ -0,0 +1,33 @@ +SUMMARY = "SELinux library and simple utilities" +DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \ +process and file security contexts and to obtain security policy \ +decisions. Required for any applications that use the SELinux API." +SECTION = "base" +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" + +require selinux_common.inc + +inherit lib_package pkgconfig + +FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:" +SRC_URI += "\ + file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \ + " + +S = "${WORKDIR}/git/libselinux" + +DEPENDS = "libsepol libpcre2" +DEPENDS:append:libc-musl = " fts" + +def get_policyconfigarch(d): + import re + target = d.getVar('TARGET_ARCH') + p = re.compile('i.86') + target = p.sub('i386',target) + return "ARCH=%s" % (target) + +EXTRA_OEMAKE = "${@get_policyconfigarch(d)}" +EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts" + +BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage.inc deleted file mode 100644 index be0a5f1..0000000 
--- a/recipes-security/selinux/libsemanage.inc +++ /dev/null @@ -1,47 +0,0 @@ -SUMMARY = "SELinux binary policy manipulation library" -DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \ -It is used by checkpolicy (the policy compiler) and similar tools, as well \ -as by programs like load_policy that need to perform specific transformations \ -on binary policies such as customizing policy boolean settings." -SECTION = "base" -LICENSE = "LGPLv2.1+" - -inherit lib_package python-dir - -DEPENDS += "libsepol libselinux bzip2 python bison-native flex-native swig-native" -DEPENDS_append_class-target += "audit" - -PACKAGES =+ "${PN}-python" - -# For /usr/libexec/selinux/semanage_migrate_store -RDEPENDS_${PN}-python += "python" - -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ - ${libexecdir}/selinux/semanage_migrate_store" -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*" - -EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y" - -do_compile_append() { - oe_runmake pywrap \ - INCLUDEDIR='${STAGING_INCDIR}' \ - LIBDIR='${STAGING_LIBDIR}' \ - PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \ - PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \ - PYTHONLIBDIR='${PYLIB}' -} - -do_install_append() { - oe_runmake install-pywrap swigify \ - PYCEXT='.so' \ - PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ - PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYLIBDIR='${D}/${libdir}/$(PYLIBVER)' - - # Update "policy-version" for semanage.conf - sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 30/' \ - ${D}/etc/selinux/semanage.conf -} - -BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch deleted file mode 100644 index 73613d3..0000000 
--- a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch +++ /dev/null @@ -1,28 +0,0 @@ -From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Thu, 18 Feb 2016 02:39:16 +0000 -Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - src/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/Makefile b/src/Makefile -index dea751e..4af4568 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS) - - $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@ - - semanageswig_python_exception.i: ../include/semanage/semanage.h - bash -e exception.sh > $@ || (rm -f $@ ; false) --- -2.7.4 - diff --git a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch index e3c2f82..daaeb3b 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch @@ -1,4 +1,4 @@ -From c87bef28e768e2f6bc8612a768ebf9099d156576 Mon Sep 17 00:00:00 2001 +From a91134e98ba4b3b6645d12bb68a07976b60f86c8 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Mon, 26 Mar 2012 15:15:16 +0800 Subject: [PATCH] libsemanage: Fix execve segfaults on Ubuntu. 
@@ -9,15 +9,18 @@ Such as "make load" while building refpolicy. http://oss.tresys.com/pipermail/refpolicy/2011-December/004859.html +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- src/semanage_store.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/semanage_store.c b/src/semanage_store.c -index 6158d08..1923f0f 100644 +index 27c5d34..519f298 100644 --- a/src/semanage_store.c +++ b/src/semanage_store.c -@@ -1405,7 +1405,7 @@ static int semanage_exec_prog(semanage_handle_t * sh, +@@ -1470,7 +1470,7 @@ static int semanage_exec_prog(semanage_handle_t * sh, if (forkval == 0) { /* child process. file descriptors will be closed * because they were set as close-on-exec. */ @@ -26,3 +29,6 @@ index 6158d08..1923f0f 100644 _exit(EXIT_FAILURE); /* if execve() failed */ } +-- +2.25.1 + diff --git a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch index 205bc97..e9df8be 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch @@ -1,12 +1,11 @@ -From 8981b979e36afe2d8384b63c3f48fa8854d1983a Mon Sep 17 00:00:00 2001 +From c96010440e7a2a87787a535fd0f9ccf26a2b4a5e Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 20 Jan 2014 03:53:48 -0500 Subject: [PATCH] libsemanage: allow to disable audit support -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> - --- src/Makefile | 10 +++++++++- src/seusers_local.c | 13 +++++++++++++ @@ -14,11 +13,11 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 3 files changed, 31 insertions(+), 2 deletions(-) 
diff --git a/src/Makefile b/src/Makefile -index d457208..e8831ab 100644 +index d525996..2f5e159 100644 --- a/src/Makefile +++ b/src/Makefile -@@ -29,6 +29,14 @@ ifeq ($(DEBUG),1) - export LDFLAGS = -g +@@ -27,6 +27,14 @@ ifeq ($(DEBUG),1) + export LDFLAGS ?= -g endif +DISABLE_AUDIT ?= n @@ -32,17 +31,17 @@ index d457208..e8831ab 100644 LEX = flex LFLAGS = -s YACC = bison -@@ -91,7 +99,7 @@ $(LIBA): $(OBJS) +@@ -90,7 +98,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs -+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs +- $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs ++ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/src/seusers_local.c b/src/seusers_local.c -index 42c3a8b..9ee31e2 100644 +index 795a33d..6539cdf 100644 --- a/src/seusers_local.c +++ b/src/seusers_local.c @@ -8,7 +8,11 @@ typedef struct semanage_seuser record_t; @@ -57,7 +56,7 @@ index 42c3a8b..9ee31e2 100644 #include <errno.h> #include "user_internal.h" #include "seuser_internal.h" -@@ -51,6 +55,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) +@@ -56,6 +60,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) return roles; } @@ -65,7 +64,7 @@ index 42c3a8b..9ee31e2 100644 static int semanage_seuser_audit(semanage_handle_t * handle, const semanage_seuser_t * seuser, const semanage_seuser_t * previous, -@@ -114,6 +119,7 @@ err: +@@ -120,6 +125,7 @@ err: free(proles); return rc; } 
@@ -73,7 +72,7 @@ index 42c3a8b..9ee31e2 100644 int semanage_seuser_modify_local(semanage_handle_t * handle, const semanage_seuser_key_t * key, -@@ -158,8 +164,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, +@@ -164,8 +170,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, (void) semanage_seuser_query(handle, key, &previous); handle->msg_callback = callback; rc = dbase_modify(handle, dconfig, key, new); @@ -85,7 +84,7 @@ index 42c3a8b..9ee31e2 100644 err: if (previous) semanage_seuser_free(previous); -@@ -175,8 +184,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle, +@@ -181,8 +190,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle, dbase_config_t *dconfig = semanage_seuser_dbase_local(handle); rc = dbase_del(handle, dconfig, key); semanage_seuser_query(handle, key, &seuser); @@ -99,10 +98,10 @@ index 42c3a8b..9ee31e2 100644 semanage_seuser_free(seuser); return rc; diff --git a/tests/Makefile b/tests/Makefile -index 2ef8d30..50d582a 100644 +index 69f49a3..f914492 100644 --- a/tests/Makefile +++ b/tests/Makefile -@@ -6,10 +6,18 @@ SOURCES = $(sort $(wildcard *.c)) +@@ -4,10 +4,18 @@ CILS = $(sort $(wildcard *.cil)) ########################################################################### @@ -120,5 +119,8 @@ index 2ef8d30..50d582a 100644 -override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol +override LDLIBS += -lcunit -lbz2 $(LIBAUDIT) -lselinux -lsepol - OBJECTS = $(SOURCES:.c=.o) - + OBJECTS = $(SOURCES:.c=.o) + POLICIES = $(CILS:.cil=.policy) +-- +2.25.1 + diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch deleted file mode 100644 index 8b15a80..0000000 --- a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 0e97e4d19627f78bf04445cd51902ccf4f7cf239 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald <joe.macdonald@windriver.com> -Date: Tue, 15 Oct 2013 10:17:38 -0400 -Subject: [PATCH] libsemanage: define FD_CLOEXEC as necessary - -In truly old systems, even FD_CLOEXEC may not be defined. Produce a -warning and duplicate the #define for FD_CLOEXEC found in -asm-generic/fcntl.h on more modern platforms. - -Uptream-Status: Inappropriate - -Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> - ---- - libsemanage/src/semanage_store.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index 1923f0f..f7a8760 100644 ---- a/libsemanage/src/semanage_store.c -+++ b/libsemanage/src/semanage_store.c -@@ -66,6 +66,11 @@ typedef struct dbase_policydb dbase_t; - - #define TRUE 1 - -+#ifndef FD_CLOEXEC -+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors -+#define FD_CLOEXEC 1 -+#endif -+ - enum semanage_file_defs { - SEMANAGE_ROOT, - SEMANAGE_TRANS_LOCK, diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch index ea7ba20..d880e1e 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch @@ -1,4 +1,4 @@ -From 4376342a5382df384cb387e2a63eaf0bddb51d26 Mon Sep 17 00:00:00 2001 +From 7af73c1684ce0e30ce0cd58b51708bde1e3a1984 Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe@deserted.net> Date: Wed, 7 May 2014 11:36:27 -0400 Subject: [PATCH] libsemanage: disable expand-check on policy load @@ -12,16 +12,15 @@ Upstream-Status: Denied [upstream developers want to preserve the default checking: http://marc.info/?l=selinux&m=121794804217721&w=2] 
Signed-off-by: Joe MacDonald <joe@deserted.net> - --- src/semanage.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/semanage.conf b/src/semanage.conf -index dc8d46b..254f156 100644 +index 98d769b..708fa8c 100644 --- a/src/semanage.conf +++ b/src/semanage.conf -@@ -39,3 +39,7 @@ module-store = direct +@@ -40,3 +40,7 @@ module-store = direct # By default, semanage will generate policies for the SELinux target. # To build policies for Xen, uncomment the following line. #target-platform = xen @@ -29,3 +28,6 @@ index dc8d46b..254f156 100644 +# Don't check the entire policy hierarchy when inserting / expanding a policy +# module. This results in a significant speed-up in policy loading. +expand-check=0 +-- +2.25.1 + diff --git a/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch b/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch deleted file mode 100644 index cf88150..0000000 --- a/recipes-security/selinux/libsemanage/libsemanage-drop-Wno-unused-but-set-variable.patch +++ /dev/null 
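Review bot: The comment that accompanies `expand-check=0` in semanage.conf still describes only the speed-up and not what is given up, even though the Upstream-Status line in this same hunk records that upstream rejected the change precisely to preserve the default checking. As I understand the option, with expand-check disabled the neverallow assertions are no longer verified against the expanded policy when a module is inserted, so a module that violates them loads silently. I would extend the comment with one line such as `# Note: this also skips neverallow assertion checking at module insertion; set expand-check=1 if your policy relies on those assertions.` so that whoever inherits this config knows it is a deliberate security trade-off and how to reverse it.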
@@ -1,26 +0,0 @@ -From 3f65789f172003c499f24f00d73a42867fccd277 Mon Sep 17 00:00:00 2001 -From: Randy MacLeod <Randy.MacLeod@windriver.com> -Date: Tue, 30 Apr 2013 23:15:57 -0400 -Subject: [PATCH] libselinux: drop flag: -Wno-unused-but-set-variable - -Upstream status: inappropriate (older compilers only). - -Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> - ---- - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile b/src/Makefile -index fdb178f..d457208 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -58,7 +58,7 @@ OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o - LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo - CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute - --SWIG_CFLAGS += -Wno-error -Wno-unused-but-set-variable -Wno-unused-variable -Wno-shadow \ -+SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-shadow \ - -Wno-unused-parameter - - override CFLAGS += -I../include -D_GNU_SOURCE diff --git a/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch b/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch deleted file mode 100644 index 43c5382..0000000 --- a/recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 1f8164e044f2f727b08c28a69bea19cbf49b071b Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 8 Feb 2013 15:16:07 +0800 -Subject: [PATCH] libsemange: fix incorrect path for nologin - -shadow package of oe-core and Debian has installed nologin into -/usr/sbin, so fix this path. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> - ---- - src/genhomedircon.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/genhomedircon.c b/src/genhomedircon.c -index b9a74b7..d574ee2 100644 ---- a/src/genhomedircon.c -+++ b/src/genhomedircon.c -@@ -60,7 +60,7 @@ - - /* other paths */ - #define PATH_SHELLS_FILE "/etc/shells" --#define PATH_NOLOGIN_SHELL "/sbin/nologin" -+#define PATH_NOLOGIN_SHELL "/usr/sbin/nologin" - - /* comments written to context file */ - #define COMMENT_FILE_CONTEXT_HEADER "#\n#\n# " \ -@@ -395,7 +395,7 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) - - /* NOTE: old genhomedircon printed a warning on match */ - if (hand.matched) { -- WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid); -+ WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /usr/sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid); - } else { - if (semanage_list_push(&homedir_list, path)) - goto fail; 
diff --git a/recipes-security/selinux/libsemanage_2.8.bb b/recipes-security/selinux/libsemanage_2.8.bb
deleted file mode 100644
index 38942e3..0000000
--- a/recipes-security/selinux/libsemanage_2.8.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "62ed7bb2ede677a735f2750751677a4f"
-SRC_URI[sha256sum] = "1c0de8d2c51e5460926c21e371105c84a39087dfd8f8e9f0cc1d017e4cbea8e2"
-
-SRC_URI += "\
- file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
- file://libsemanage-fix-path-nologin.patch \
- file://libsemanage-drop-Wno-unused-but-set-variable.patch \
- file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
- file://libsemanage-allow-to-disable-audit-support.patch \
- file://libsemanage-disable-expand-check-on-policy-load.patch \
- file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
- "
-FILES_${PN} += "/usr/libexec"
diff --git a/recipes-security/selinux/libsemanage_3.6.bb b/recipes-security/selinux/libsemanage_3.6.bb
new file mode 100644
index 0000000..93eb870
--- /dev/null
+++ b/recipes-security/selinux/libsemanage_3.6.bb
@@ -0,0 +1,56 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc
+
+inherit lib_package python3native
+
+SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
+ file://libsemanage-allow-to-disable-audit-support.patch \
+ file://libsemanage-disable-expand-check-on-policy-load.patch \
+ "
+
+DEPENDS = "libsepol libselinux python3 bison-native swig-native"
+
+DEPENDS:append:class-target = " audit"
+
+S = "${WORKDIR}/git/libsemanage"
+
+EXTRA_OEMAKE:class-native = "DISABLE_AUDIT=y"
+
+PACKAGES =+ "${PN}-python"
+
+# For /usr/libexec/selinux/semanage_migrate_store
+RDEPENDS:${PN}-python = "python3-core"
+
+FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \
+ ${libexecdir}/selinux/semanage_migrate_store"
+FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*"
+FILES:${PN} += "${libexecdir}"
+
+do_compile:append() {
+ oe_runmake pywrap \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install:append() {
+ oe_runmake install-pywrap \
+ DESTDIR=${D} \
+ PYCEXT='.so' \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
+
+ # Update "policy-version" for semanage.conf
+ sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 33/' \
+ ${D}/etc/selinux/semanage.conf
+}
+
+BBCLASSEXTEND = "native"
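Review bot: The `sed` at the end of do_install:append fails silently: if the shipped semanage.conf has no commented `policy-version` line matching that pattern, nothing is rewritten and the build still succeeds, and the target path is spelled `${D}/etc/...` rather than `${D}${sysconfdir}/...`. Since this value presumably pins the policy format libsemanage builds for the target, a silent miss would leave upstream's default in place with no signal to the integrator. I would write the path as `${D}${sysconfdir}/selinux/semanage.conf` and follow the sed with `grep -q '^policy-version\s*=\s*33$' ${D}${sysconfdir}/selinux/semanage.conf || bbfatal "policy-version was not set in semanage.conf"`. A one-line comment explaining why 33 was chosen (the kernel it implies) would also help whoever next bumps it.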
diff --git a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
deleted file mode 100644
index 987fdab..0000000
--- a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Thu, 18 Feb 2016 02:04:59 +0000
-Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index ccb7023..2bb6290 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
- ln -sf $@ $(TARGET)
-
- $(LIBPC): $(LIBPC).in ../VERSION
-- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
-
- $(LIBMAP): $(LIBMAP).in
-ifneq ($(DISABLE_CIL),y)
---
-2.7.4
-
diff --git a/recipes-security/selinux/libsepol_2.8.bb b/recipes-security/selinux/libsepol_2.8.bb
deleted file mode 100644
index d1f905b..0000000
--- a/recipes-security/selinux/libsepol_2.8.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
-SRC_URI[sha256sum] = "3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol.inc b/recipes-security/selinux/libsepol_3.6.bb index a8ee749..0c28e9b 100644 --- a/recipes-security/selinux/libsepol.inc +++ b/recipes-security/selinux/libsepol_3.6.bb @@ -4,14 +4,15 @@ It is used by checkpolicy (the policy compiler) and similar tools, as well \ as by programs like load_policy that need to perform specific transformations \ on binary policies such as customizing policy boolean settings." SECTION = "base" -LICENSE = "LGPLv2+" +LICENSE = "LGPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343" + +require selinux_common.inc inherit lib_package -# Change RANLIB for cross compiling, use host-tools $(AR) rather than -# local ranlib. -EXTRA_OEMAKE += "RANLIB='$(AR) s'" +S = "${WORKDIR}/git/libsepol" -DEPENDS += "flex-native" +DEPENDS = "flex-native" BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch index 805d7e5..74ae879 100644 --- a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch +++ b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch @@ -1,21 +1,23 @@ -commit 54875dcb50f5e40fc86d6fe98dde244bfe4751af -Author: Joe MacDonald <joe_macdonald@mentor.com> -Date: Fri Aug 7 15:16:45 2015 -0400 +From 580a625e9e1266d92c248a5e3f471d12d42c149b Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 7 Aug 2015 15:16:45 -0400 +Subject: [PATCH] mcstrans: remove dependency on bash in initscript - mcstrans: remove dependency on bash in initscript +There were no apparent bashisms in mcstrans.init, so remove the +dependency on bash. - There were no apparent bashisms in mcstrans.init, so remove the dependency - on bash. +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> - Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> - -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] 
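Review bot: The `EXTRA_OEMAKE += "RANLIB='$(AR) s'"` override and the comment explaining it (use the cross toolchain's ar instead of a host ranlib on the static archive) are removed from this recipe with nothing visible taking their place. If the newly required selinux_common.inc does not set RANLIB, libsepol.a would be indexed by whatever `ranlib` is first on the build host's PATH; that file is not part of this diff, so I cannot tell. If the inc file does carry it, a one-line pointer here would save the next reader the lookup, e.g. `# Cross-compile tool overrides (RANLIB etc.) come from selinux_common.inc`.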
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - src/mcstrans.init | 2 +- + src/mcstrans.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/src/mcstrans.init b/src/mcstrans.init +index 2804ec0..8b4737d 100644 --- a/src/mcstrans.init +++ b/src/mcstrans.init @@ -1,4 +1,4 @@ @@ -24,3 +26,6 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> # # mcstransd This starts and stops mcstransd # +-- +2.25.1 + diff --git a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch index 5f7163d..a560722 100644 --- a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch +++ b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch @@ -1,17 +1,21 @@ -[PATCH] mcstrans: fix the init script - -Upstream-Status: Inappropriate [embedded specific] +From 123d5b6413905bfad535a072ff0ab5a495cb2a2a Mon Sep 17 00:00:00 2001 +From: Roy Li <rongqing.li@windriver.com> +Date: Wed, 6 Nov 2019 22:13:33 +0800 +Subject: [PATCH] mcstrans: fix the init script replace daemon with start-stop-daemon, due to not daemon functions +Upstream-Status: Inappropriate [embedded specific] + Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- src/mcstrans.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mcstrans.init b/src/mcstrans.init -index 2804ec0..c660290 100644 +index 8b4737d..86c89ea 100644 --- a/src/mcstrans.init +++ b/src/mcstrans.init @@ -51,7 +51,7 @@ start(){ @@ -24,5 +28,5 @@ index 2804ec0..c660290 100644 echo if test $RETVAL = 0 ; then -- -1.9.1 +2.25.1 diff --git a/recipes-security/selinux/mcstrans_2.8.bb b/recipes-security/selinux/mcstrans_2.8.bb deleted file mode 100644 index 8923c3c..0000000 --- a/recipes-security/selinux/mcstrans_2.8.bb +++ /dev/null 
@@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c" -SRC_URI[sha256sum] = "ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4" diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans_3.6.bb index 2568c8d..4a8482f 100644 --- a/recipes-security/selinux/mcstrans.inc +++ b/recipes-security/selinux/mcstrans_3.6.bb @@ -1,20 +1,30 @@ + SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels" DESCRIPTION = "\ mcstrans provides an translation daemon to translate SELinux categories \ from internal representations to user defined representation." - SECTION = "base" -LICENSE = "GPLv2+" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" + +require selinux_common.inc + +inherit pkgconfig systemd update-rc.d SRC_URI += "file://mcstrans-de-bashify.patch \ - file://0001-mcstrans-fix-the-init-script.patch \ -" + file://mcstrans-fix-the-init-script.patch \ + " + +DEPENDS = "libsepol libselinux libcap" -inherit systemd update-rc.d +EXTRA_OEMAKE = "SBINDIR=${base_sbindir} \ + INITDIR=${sysconfdir}/init.d \ + SYSTEMDDIR=${systemd_unitdir} \ + " -DEPENDS += "libsepol libselinux libcap" +S = "${WORKDIR}/git/mcstrans" -do_install_append() { +do_install:append() { install -d ${D}${sbindir} install -m 755 utils/untranscon ${D}${sbindir}/ install -m 755 utils/transcon ${D}${sbindir}/ 
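Review bot: The first added line of the mcstrans_3.6.bb hunk is an empty line inserted above SUMMARY, so the recipe now begins with a blank line, which is unusual for this layer's recipes and looks accidental. I would drop it so the file starts directly with `SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"`. Style only; nothing functional depends on it.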
@@ -26,18 +36,18 @@ do_install_append() { else install -d ${D}${sysconfdir}/default/volatiles echo "d root root 0755 /var/run/setrans none" \ - >${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans + >${D}${sysconfdir}/default/volatiles/80_mcstrans fi install -d ${D}${datadir}/mcstrans cp -r share/* ${D}${datadir}/mcstrans/. } -SYSTEMD_SERVICE_mcstrans = "mcstrans.service" +SYSTEMD_SERVICE:mcstrans = "mcstrans.service" INITSCRIPT_PACKAGES = "mcstrans" -INITSCRIPT_NAME_mcstrans = "mcstrans" -INITSCRIPT_PARAMS_mcstrans = "defaults" +INITSCRIPT_NAME:mcstrans = "mcstrans" +INITSCRIPT_PARAMS:mcstrans = "defaults" -pkg_postinst_mcstrans () { +pkg_postinst:mcstrans () { if [ -z "$D" ]; then if command -v systemd-tmpfiles >/dev/null; then systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc deleted file mode 100644 index 85ff164..0000000 --- a/recipes-security/selinux/policycoreutils.inc +++ /dev/null 
@@ -1,182 +0,0 @@ -SUMMARY = "SELinux policy core utilities" -DESCRIPTION = "policycoreutils contains the policy core utilities that are required \ -for basic operation of a SELinux system. These utilities include \ -load_policy to load policies, setfiles to label filesystems, newrole \ -to switch roles, and run_init to run /etc/init.d scripts in the proper \ -context." -SECTION = "base" -LICENSE = "GPLv2+" - -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://policycoreutils-fixfiles-de-bashify.patch \ - " - -PAM_SRC_URI = "file://pam.d/newrole \ - file://pam.d/run_init \ -" - -DEPENDS += "libsepol libselinux libsemanage libcap gettext-native" -EXTRA_DEPENDS = "libcap-ng libcgroup" -DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}" - -inherit selinux pythonnative - -RDEPENDS_${BPN}-fixfiles += "\ - ${BPN}-setfiles \ - grep \ - findutils \ -" -RDEPENDS_${BPN}-genhomedircon += "\ - ${BPN}-genhomedircon \ - ${BPN}-semodule \ -" -RDEPENDS_${BPN}-loadpolicy += "\ - libselinux \ - libsepol \ -" -RDEPENDS_${BPN}-newrole += "\ - libcap-ng \ - libselinux \ -" -RDEPENDS_${BPN}-runinit += "libselinux" -RDEPENDS_${BPN}-secon += "libselinux" -RDEPENDS_${BPN}-semodule += "\ - libsepol \ - libselinux \ - libsemanage \ -" -# static link to libsepol -RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux" -RDEPENDS_${BPN}-semodule-link += "libsepol libselinux" -RDEPENDS_${BPN}-semodule-package += "libsepol libselinux" -RDEPENDS_${BPN}-sestatus += "libselinux" -RDEPENDS_${BPN}-setfiles += "\ - libselinux \ - libsepol \ -" -RDEPENDS_${BPN}-setsebool += "\ - libsepol \ - libselinux \ - libsemanage \ -" -RDEPENDS_${BPN} += "selinux-python" - -WARN_QA_remove = " unsafe-references-in-scripts" -ERROR_QA_remove = " unsafe-references-in-scripts" - - -PACKAGES =+ "\ - ${PN}-fixfiles \ - ${PN}-genhomedircon \ - ${PN}-hll \ - ${PN}-loadpolicy \ - ${PN}-newrole \ - ${PN}-runinit \ - ${PN}-secon \ - ${PN}-semodule \ - 
${PN}-sestatus \ - ${PN}-setfiles \ - ${PN}-setsebool \ -" -FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles" -FILES_${PN}-genhomedircon += "${base_sbindir}/genhomedircon" -FILES_${PN}-loadpolicy += "\ - ${base_sbindir}/load_policy \ -" -FILES_${PN}-newrole += "\ - ${bindir}/newrole \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \ -" -FILES_${PN}-runinit += "\ - ${base_sbindir}/run_init \ - ${base_sbindir}/open_init_pty \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ -" -FILES_${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug" -FILES_${PN}-secon += "${bindir}/secon" -FILES_${PN}-semodule += "${base_sbindir}/semodule" -FILES_${PN}-hll += "${prefix}/libexec/selinux/hll/*" -FILES_${PN}-sestatus += "\ - ${base_sbindir}/sestatus \ - ${sysconfdir}/sestatus.conf \ -" -FILES_${PN}-setfiles += "\ - ${base_sbindir}/restorecon \ - ${base_sbindir}/setfiles \ -" -FILES_${PN}-setsebool += "\ - ${base_sbindir}/setsebool \ - ${datadir}/bash-completion/completions/setsebool \ -" - -export STAGING_INCDIR -export STAGING_LIBDIR -export BUILD_SYS -export HOST_SYS - -PACKAGECONFIG_class-target ?= "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \ - audit \ -" - -PACKAGECONFIG[libpam] = ",,libpam," -PACKAGECONFIG[audit] = ",,audit," - -EXTRA_OEMAKE += "\ - ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \ - INOTIFYH=n \ - PREFIX=${D} \ - SBINDIR=${base_sbindir} \ -" - -BBCLASSEXTEND = "native" - -PCU_NATIVE_CMDS = "setfiles semodule hll" - -do_compile_class-native() { - for PCU_CMD in ${PCU_NATIVE_CMDS} ; do - oe_runmake -C $PCU_CMD \ - INCLUDEDIR='${STAGING_INCDIR}' \ - LIBDIR='${STAGING_LIBDIR}' - done -} - -sysroot_stage_dirs_append_class-native() { - cp -R $from/${prefix}/libexec $to/${prefix}/libexec -} - -do_compile_prepend() { - export PYTHON=python - export 
PYLIBVER='python${PYTHON_BASEVERSION}' - export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}" - export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so" - export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages" -} - -do_install_prepend() { - export PYTHON=python - export SBINDIR="${D}/${base_sbindir}" -} - -do_install_class-native() { - for PCU_CMD in ${PCU_NATIVE_CMDS} ; do - oe_runmake -C $PCU_CMD install \ - DESTDIR="${D}" \ - PREFIX="${prefix}" \ - SBINDIR="${base_sbindir}" - done -} - -do_install_append_class-target() { - if [ -e ${WORKDIR}/pam.d ]; then - install -d ${D}${sysconfdir}/pam.d/ - install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ - fi - - # /var/lib/selinux is involved by seobject.py: - # + dirname = "/var/lib/selinux" - # and it's required for running command: - # $ semanage permissive [OPTS] - install -d ${D}${localstatedir}/lib/selinux -} diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch index 70cdd4f..5dcb5e4 100644 --- a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch @@ -1,4 +1,4 @@ -From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001 +From 624d6231ca9daf494e33352d562ff97cb0219f2d Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Fri, 20 Feb 2015 17:00:19 -0500 Subject: [PATCH] fixfiles: de-bashify @@ -10,7 +10,7 @@ necessarily the best option here. Introducing a second invocation of rpm is minimal overhead on an operation that should happen very infrequently, so we'll try that instead. -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> @@ -19,7 +19,7 @@ 
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/scripts/fixfiles b/scripts/fixfiles -index 1aa330f..a10837d 100755 +index 166af6f..a23cdc6 100755 --- a/scripts/fixfiles +++ b/scripts/fixfiles @@ -1,4 +1,4 @@ @@ -51,7 +51,7 @@ index 1aa330f..a10837d 100755 exclude_from_relabelling="$exclude_from_relabelling -e $i" done < /etc/selinux/fixfiles_exclude_dirs fi -@@ -138,7 +139,7 @@ fi +@@ -140,7 +141,7 @@ fi # Log directories excluded from relabelling by configuration file # LogExcluded() { @@ -60,7 +60,7 @@ index 1aa330f..a10837d 100755 echo "skipping the directory $i" done } -@@ -201,8 +202,12 @@ fi +@@ -203,8 +204,12 @@ fi } rpmlist() { @@ -74,8 +74,8 @@ index 1aa330f..a10837d 100755 + fi } - # -@@ -276,7 +281,7 @@ relabel() { + # unmount tmp bind mount before exit +@@ -315,7 +320,7 @@ relabel() { exit 1 fi @@ -85,5 +85,5 @@ index 1aa330f..a10837d 100755 return fi -- -2.13.0 +2.25.1 diff --git a/recipes-security/selinux/policycoreutils_2.8.bb b/recipes-security/selinux/policycoreutils_2.8.bb deleted file mode 100644 index 85f6ff0..0000000 --- a/recipes-security/selinux/policycoreutils_2.8.bb +++ /dev/null @@ -1,8 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "da5ceb9c7e1e6f8c573731031b91cffe" -SRC_URI[sha256sum] = "986553a235f27bee7ad7c2b7c35ea51eb2ee68e2cf03b661b1585de101bc1099" - diff --git a/recipes-security/selinux/policycoreutils_3.6.bb b/recipes-security/selinux/policycoreutils_3.6.bb new file mode 100644 index 0000000..c106ee7 --- /dev/null +++ b/recipes-security/selinux/policycoreutils_3.6.bb 
@@ -0,0 +1,179 @@ +SUMMARY = "SELinux policy core utilities" +DESCRIPTION = "policycoreutils contains the policy core utilities that are required \ +for basic operation of a SELinux system. These utilities include \ +load_policy to load policies, setfiles to label filesystems, newrole \ +to switch roles, and run_init to run /etc/init.d scripts in the proper \ +context." +SECTION = "base" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc + +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://policycoreutils-fixfiles-de-bashify.patch \ + " + +PAM_SRC_URI = "file://pam.d/newrole \ + file://pam.d/run_init \ + " + +DEPENDS = "libsepol libselinux libsemanage gettext-native" +DEPENDS:append:class-target = " libcap-ng" + +S = "${WORKDIR}/git/policycoreutils" + +inherit selinux python3native + +RDEPENDS:${PN}-fixfiles = "\ + ${PN}-setfiles \ + grep \ + findutils \ +" +RDEPENDS:${PN}-genhomedircon = "\ + ${PN}-semodule \ +" +RDEPENDS:${PN}-loadpolicy = "\ + libselinux \ + libsepol \ +" +RDEPENDS:${PN}-newrole = "\ + libcap-ng \ + libselinux \ +" +RDEPENDS:${PN}-runinit = "libselinux" +RDEPENDS:${PN}-secon = "libselinux" +RDEPENDS:${PN}-semodule = "\ + libsepol \ + libselinux \ + libsemanage \ +" +RDEPENDS:${PN}-sestatus = "libselinux" +RDEPENDS:${PN}-setfiles = "\ + libselinux \ + libsepol \ +" +RDEPENDS:${PN}-setsebool = "\ + libsepol \ + libselinux \ + libsemanage \ +" +RDEPENDS:${PN}:class-target = "selinux-python" + +PACKAGES =+ "\ + ${PN}-fixfiles \ + ${PN}-genhomedircon \ + ${PN}-hll \ + ${PN}-loadpolicy \ + ${PN}-newrole \ + ${PN}-runinit \ + ${PN}-secon \ + ${PN}-semodule \ + ${PN}-sestatus \ + ${PN}-setfiles \ + ${PN}-setsebool \ +" +FILES:${PN}-fixfiles = "${base_sbindir}/fixfiles" +FILES:${PN}-genhomedircon = "${base_sbindir}/genhomedircon" +FILES:${PN}-loadpolicy = "\ + ${base_sbindir}/load_policy \ +" +FILES:${PN}-newrole = "\ + 
${bindir}/newrole \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \ +" +FILES:${PN}-runinit = "\ + ${base_sbindir}/run_init \ + ${base_sbindir}/open_init_pty \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \ +" +FILES:${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug" +FILES:${PN}-secon = "${bindir}/secon" +FILES:${PN}-semodule = "${base_sbindir}/semodule" +FILES:${PN}-hll = "${prefix}/libexec/selinux/hll/*" +FILES:${PN}-sestatus = "\ + ${base_sbindir}/sestatus \ + ${sysconfdir}/sestatus.conf \ +" +FILES:${PN}-setfiles = "\ + ${base_sbindir}/restorecon \ + ${base_sbindir}/restorecon_xattr \ + ${base_sbindir}/setfiles \ +" +FILES:${PN}-setsebool = "\ + ${base_sbindir}/setsebool \ + ${datadir}/bash-completion/completions/setsebool \ +" + +export STAGING_INCDIR +export STAGING_LIBDIR +export BUILD_SYS +export HOST_SYS + +PACKAGECONFIG:class-target ?= "\ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \ + audit \ +" +PACKAGECONFIG:class-native ?= "" + +PACKAGECONFIG[libpam] = ",,libpam," +PACKAGECONFIG[audit] = ",,audit," + +EXTRA_OEMAKE = "\ + ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \ + INOTIFYH=n \ + PREFIX=${prefix} \ + SBINDIR=${base_sbindir} \ +" + +BBCLASSEXTEND = "native" + +PCU_NATIVE_CMDS = "setfiles semodule hll" + +do_compile:prepend() { + export PYTHON=python3 + export PYLIBVER='python${PYTHON_BASEVERSION}' + export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}" + export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so" + export PYTHON_SITE_PKG="${PYTHON_SITEPACKAGES_DIR}" +} + +do_compile:class-native() { + for PCU_CMD in ${PCU_NATIVE_CMDS} ; do + oe_runmake -C $PCU_CMD \ + INCLUDEDIR='${STAGING_INCDIR}' \ + LIBDIR='${STAGING_LIBDIR}' + done +} + +sysroot_stage_dirs:append:class-native() { + cp -R $from/${prefix}/libexec 
$to/${prefix}/libexec +} + +do_install:prepend() { + export PYTHON=python3 + export SBINDIR="${D}/${base_sbindir}" +} + +do_install:class-native() { + for PCU_CMD in ${PCU_NATIVE_CMDS} ; do + oe_runmake -C $PCU_CMD install \ + DESTDIR="${D}" \ + PREFIX="${prefix}" \ + SBINDIR="${base_sbindir}" + done +} + +do_install:append:class-target() { + if [ -e ${WORKDIR}/pam.d ]; then + install -d ${D}${sysconfdir}/pam.d/ + install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ + fi + + # /var/lib/selinux is involved by seobject.py: + # + dirname = "/var/lib/selinux" + # and it's required for running command: + # $ semanage permissive [OPTS] + install -d ${D}${localstatedir}/lib/selinux +} diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond.inc deleted file mode 100644 index d168303..0000000 --- a/recipes-security/selinux/restorecond.inc +++ /dev/null @@ -1,24 +0,0 @@ -SUMMARY = "Daemon to watch for file creation and set default file context" -DESCRIPTION = "\ -The restorecond daemon uses inotify to watch files listed in the \ -/etc/selinux/restorecond.conf, when they are created, this daemon \ -will make sure they have the correct file context associated with \ -the policy." - -SECTION = "base" -LICENSE = "GPLv2+" - -SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \ -" - -inherit systemd update-rc.d - -DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native" - -FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \ -" - -SYSTEMD_SERVICE_restorecond = "restorecond.service" -INITSCRIPT_PACKAGES = "restorecond" -INITSCRIPT_NAME_restorecond = "restorecond" -INITSCRIPT_PARAMS_restorecond = "defaults" diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch deleted file mode 100644 index ab1a10a..0000000 
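Review bot: `do_install:prepend` exports `SBINDIR="${D}/${base_sbindir}"`, but `EXTRA_OEMAKE` already puts `SBINDIR=${base_sbindir}` on every oe_runmake command line and `do_install:class-native` passes `SBINDIR="${base_sbindir}"` explicitly, so make should never observe the exported value (a command-line assignment overrides an environment variable). If it ever did take effect the install path would carry ${D} twice, because DESTDIR is passed as well. Either drop the export or, if some sub-Makefile really reads it from the environment, say which one: `# SBINDIR comes from EXTRA_OEMAKE; DESTDIR supplies ${D}`. The PYTHON_* exports in `do_compile:prepend` are in the same position: nothing in the visible recipe consumes them, and they look like a leftover from when this recipe also built the Python tools, so it is worth confirming they are still needed.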
--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch +++ /dev/null @@ -1,43 +0,0 @@ -Subject: [PATCH] policycoreutils: make O_CLOEXEC optional - -Various commits in the selinux tree in the current release added O_CLOEXEC -to open() calls in an attempt to address file descriptor leaks as -described: - - http://danwalsh.livejournal.com/53603.html - -However O_CLOEXEC isn't available on all platforms, so make it a -compile-time option and generate a warning when it is not available. The -actual impact of leaking these file descriptors is minimal, though it does -produce curious AVC Denied messages. - -Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] - -Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> ---- - user.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/user.c b/user.c -index 2c28676..6235772 100644 ---- a/user.c -+++ b/user.c -@@ -202,7 +202,13 @@ static int local_server() { - perror("asprintf"); - return -1; - } -- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); -+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW -+ #ifdef O_CLOEXEC -+ | O_CLOEXEC -+ #else -+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+ #endif -+ , S_IRUSR | S_IWUSR); - if (debug_mode) - g_warning ("Lock file: %s", ptr); - --- -1.7.9.5 - diff --git a/recipes-security/selinux/restorecond_2.8.bb b/recipes-security/selinux/restorecond_2.8.bb deleted file mode 100644 index 4a83a23..0000000 --- a/recipes-security/selinux/restorecond_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb" -SRC_URI[sha256sum] = "323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf" 
diff --git a/recipes-security/selinux/restorecond_3.6.bb b/recipes-security/selinux/restorecond_3.6.bb new file mode 100644 index 0000000..8e57283 --- /dev/null +++ b/recipes-security/selinux/restorecond_3.6.bb @@ -0,0 +1,37 @@ +SUMMARY = "Daemon to watch for file creation and set default file context" +DESCRIPTION = "\ +The restorecond daemon uses inotify to watch files listed in the \ +/etc/selinux/restorecond.conf, when they are created, this daemon \ +will make sure they have the correct file context associated with \ +the policy." +SECTION = "base" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc + +inherit pkgconfig systemd update-rc.d + +DEPENDS = "libsepol libselinux glib-2.0" + +EXTRA_OEMAKE = "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \ + SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \ + " + +S = "${WORKDIR}/git/restorecond" + +FILES:${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \ + ${systemd_user_unitdir}/* \ + " + +SYSTEMD_SERVICE:restorecond = "restorecond.service" +INITSCRIPT_PACKAGES = "restorecond" +INITSCRIPT_NAME:restorecond = "restorecond" +INITSCRIPT_PARAMS:restorecond = "defaults" + +do_install:append() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then + # remove /usr/lib/systemd/user + rm -rf ${D}${nonarch_libdir} + fi +} diff --git a/recipes-security/selinux/secilc_2.8.bb b/recipes-security/selinux/secilc_2.8.bb deleted file mode 100644 index 89e0684..0000000 --- a/recipes-security/selinux/secilc_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38" - -SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7" -SRC_URI[sha256sum] = "cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4" 
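Review bot: `do_install:append` runs `rm -rf ${D}${nonarch_libdir}` when systemd is not in DISTRO_FEATURES, which removes the whole of ${nonarch_libdir} under ${D} although the comment says only /usr/lib/systemd/user is meant; anything else the Makefile installs there would vanish silently and packaging would not complain. Limit the removal to the directory the recipe itself configures via SYSTEMDUSERUNITDIR and only prune the parents when they are empty: `rm -rf ${D}${systemd_user_unitdir}` followed by `rmdir --ignore-fail-on-non-empty ${D}${nonarch_libdir}/systemd ${D}${nonarch_libdir}`. Whether the systemd class already drops the system unit directory in the non-systemd case is not visible here, so the comment should name exactly what this block is responsible for, e.g. `# drop the user units we asked the Makefile to install; nothing else lives here`.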
diff --git a/recipes-security/selinux/secilc.inc b/recipes-security/selinux/secilc_3.6.bb index e263f11..5e0da3f 100644 --- a/recipes-security/selinux/secilc.inc +++ b/recipes-security/selinux/secilc_3.6.bb @@ -2,10 +2,14 @@ SUMMARY = "SELinux Common Intermediate Language (CIL) compiler" DESCRIPTION = "\ This package contains secilc, the SELinux Common Intermediate \ Language (CIL) compiler." - SECTION = "base" -LICENSE = "BSD" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=c7e802b9a3b0c2c852669864c08b9138" + +require selinux_common.inc + +DEPENDS = "libsepol xmlto-native" -DEPENDS += "libsepol xmlto-native" +S = "${WORKDIR}/git/secilc" BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb b/recipes-security/selinux/selinux-dbus_2.8.bb deleted file mode 100644 index 5091624..0000000 --- a/recipes-security/selinux/selinux-dbus_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325" -SRC_URI[sha256sum] = "3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6" diff --git a/recipes-security/selinux/selinux-dbus.inc b/recipes-security/selinux/selinux-dbus_3.6.bb index 1b66136..b1198af 100644 --- a/recipes-security/selinux/selinux-dbus.inc +++ b/recipes-security/selinux/selinux-dbus_3.6.bb 
@@ -1,13 +1,17 @@ SUMMARY = "SELinux dbus service files" DESCRIPTION = "\ Provide SELinux dbus service files and scripts." - SECTION = "base" -LICENSE = "GPLv2+" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc + +S = "${WORKDIR}/git/dbus" -RDEPENDS_${PN} += "python selinux-python-sepolicy" +RDEPENDS:${PN} = "python3-core selinux-python-sepolicy" -FILES_${PN} += "\ +FILES:${PN} += "\ ${datadir}/system-config-selinux/selinux_server.py \ ${datadir}/polkit-1/actions/org.selinux.policy \ ${datadir}/dbus-1/system-services/org.selinux.service \ diff --git a/recipes-security/selinux/selinux-gui_2.8.bb b/recipes-security/selinux/selinux-gui_2.8.bb deleted file mode 100644 index 2c0fcd8..0000000 --- a/recipes-security/selinux/selinux-gui_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845" -SRC_URI[sha256sum] = "17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d" diff --git a/recipes-security/selinux/selinux-gui.inc b/recipes-security/selinux/selinux-gui_3.6.bb index 1096f3f..fbd5e70 100644 --- a/recipes-security/selinux/selinux-gui.inc +++ b/recipes-security/selinux/selinux-gui_3.6.bb @@ -2,13 +2,18 @@ SUMMARY = "SELinux GUI tools" DESCRIPTION = "\ Provide SELinux Management tool (system-config-selinux) and SELinux \ Policy Generation Tool (selinux-polgengui)" - SECTION = "base" -LICENSE = "GPLv2+" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc + +S = "${WORKDIR}/git/gui" -RDEPENDS_${PN} += "python" +DEPENDS = "gettext-native" +RDEPENDS:${PN} = "python3-core" -FILES_${PN} += " \ +FILES:${PN} += " \ ${datadir}/system-config-selinux/* \ ${datadir}/icons/hicolor/* \ ${datadir}/polkit-1/actions/org.selinux.config.policy \ 
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc deleted file mode 100644 index bcdd449..0000000 --- a/recipes-security/selinux/selinux-initsh.inc +++ /dev/null @@ -1,35 +0,0 @@ -S ?= "${WORKDIR}" -SECTION ?= "base" - -# Default is for script name to be the same as the recipe name. -# Script must have .sh suffix. -SELINUX_SCRIPT_SRC ?= "${BPN}" -SELINUX_SCRIPT_DST ?= "${SELINUX_SCRIPT_SRC}" - -INITSCRIPT_NAME ?= "${SELINUX_SCRIPT_DST}" -INITSCRIPT_PARAMS ?= "start 00 S ." - -CONFFILES_${PN} += "${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}" - -PACKAGE_ARCH ?= "${MACHINE_ARCH}" - -inherit update-rc.d systemd - -SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service" - -do_install () { - install -d ${D}${sysconfdir}/init.d/ - install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} - - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir} - fi -} - -sysroot_stage_all_append () { - sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir} -} diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc deleted file mode 100644 index c774de4..0000000 --- a/recipes-security/selinux/selinux-python.inc +++ /dev/null 
@@ -1,108 +0,0 @@ -SUMMARY = "Python modules and various SELinux utilities." -DESCRIPTION = "\ -This package contains Python modules sepolgen, sepolicy; And the \ -SELinux utilities audit2allow, chcat, semanage ..." - -SECTION = "base" -LICENSE = "GPLv2+" - -SRC_URI += "file://fix-sepolicy-install-path.patch \ - file://fix-TypeError-for-seobject.py.patch \ - file://process-ValueError-for-sepolicy-seobject.patch \ -" - -inherit python-dir - -DEPENDS += "python-native libsepol" -RDEPENDS_${BPN}-audit2allow += "\ - python-textutils \ - libselinux-python \ - ${BPN}-sepolgen \ -" -RDEPENDS_${BPN}-chcat += "\ - python-codecs \ - python-shell \ - python-stringold \ - python-unixadmin \ - libselinux-python \ - ${BPN} \ -" -RDEPENDS_${BPN} += "\ - python-codecs \ - python-io \ - python-ipy \ - python-re \ - python-stringold \ - python-syslog \ - python-unixadmin \ - libselinux-python \ - libsemanage-python \ - setools \ -" -RDEPENDS_${BPN}-semanage += "\ - python-core \ - python-ipy \ - python-compression \ - python-xml \ - libselinux-python \ - ${BPN} \ -" -RDEPENDS_${BPN}-sepolicy += "\ - python-argparse \ - python-codecs \ - python-core \ - python-syslog \ - ${BPN} \ -" -RDEPENDS_${BPN}-sepolgen-ifgen += "\ - python \ - libselinux-python \ -" - -PACKAGES =+ "\ - ${PN}-audit2allow \ - ${PN}-sepolgen-ifgen \ - ${PN}-chcat \ - ${PN}-semanage \ - ${PN}-sepolgen \ - ${PN}-sepolicy \ -" -FILES_${PN}-audit2allow = "\ - ${bindir}/audit2allow \ - ${bindir}/audit2why \ -" -FILES_${PN}-chcat = "\ - ${bindir}/chcat \ -" -FILES_${PN}-semanage = "\ - ${sbindir}/semanage \ - ${datadir}/bash-completion/completions/semanage \ -" -# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy -FILES_${PN}-sepolicy += "\ - ${bindir}/sepolgen \ - ${bindir}/sepolicy \ - ${datadir}/bash-completion/completions/sepolicy \ -" -FILES_${PN}-sepolgen-ifgen += "\ - ${bindir}/sepolgen-ifgen \ - ${bindir}/sepolgen-ifgen-attr-helper \ -" -FILES_${PN}-sepolgen += "\ - 
${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \ - ${localstatedir}/lib/sepolgen/perm_map \ -" -# Map to policycoreutils-python in 2.6 -FILES_${PN} += "\ - ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \ - ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \ - ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \ -" - -EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" -do_install() { - oe_runmake DESTDIR=${D} \ - LIBDIR="${libdir}" \ - PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ - install -} diff --git a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch deleted file mode 100644 index 62cdeee..0000000 --- a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Tue, 1 Apr 2014 02:53:36 -0400 -Subject: [PATCH] policycoreutils: fix TypeError for seobject.py - -File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log - message += " sename=" + sename -TypeError: cannot concatenate 'str' and 'NoneType' objects - -Uptream-Status: Pending - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> - ---- - semanage/seobject.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/semanage/seobject.py b/semanage/seobject.py -index 70fd192..23ab77e 100644 ---- a/semanage/seobject.py -+++ b/semanage/seobject.py -@@ -146,7 +146,7 @@ except: - - def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): - message = " %s name=%s" % (msg, name) -- if sename != "": -+ if sename != "" and sename != None: - message += " sename=" + sename - if oldsename != "": - message += " oldsename=" + oldsename 
diff --git a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch index 6f68c94..bc048c1 100644 --- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch +++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch @@ -1,39 +1,30 @@ -From c1aae6cc131371729f098e4b0aa02142a85b5890 Mon Sep 17 00:00:00 2001 +From fb449373ae92a05c324895cd7daee1461a0f0349 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Mon, 23 Sep 2013 21:17:59 +0800 -Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy +Subject: [PATCH] sepolicy: fix install path for new pymodule sepolicy -Uptream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - sepolicy/Makefile | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) + sepolicy/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sepolicy/Makefile b/sepolicy/Makefile -index fb8a132..a6ee749 100644 +index 1a26cfd..6e40691 100644 --- a/sepolicy/Makefile 
+++ b/sepolicy/Makefile -@@ -8,6 +8,8 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions - CFLAGS ?= -Wall -Werror -Wextra -W - override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared - -+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') -+ - BASHCOMPLETIONS=sepolicy-bash-completion.sh - - all: python-build -@@ -26,7 +28,7 @@ test: +@@ -27,7 +27,7 @@ test: @$(PYTHON) test_sepolicy.py -v install: -- $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` -+ $(PYTHON) setup.py install --prefix=$(PREFIX) --install-lib $(DESTDIR)$(LIBDIR)/$(PYLIBVER)/site-packages +- $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) . ++ $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) . [ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy (cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen) -- -2.7.4 +2.25.1 diff --git a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch deleted file mode 100644 index b0bcd1d..0000000 --- a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch +++ /dev/null 
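Review bot: The rewritten install rule passes `--root $(DESTDIR)` unconditionally, dropping the `test -n "$(DESTDIR)"` guard upstream keeps; with an empty DESTDIR pip would most likely take `--ignore-installed` as the argument of `--root` and install into a directory of that name. That is harmless under bitbake, which always sets DESTDIR, but the patch description does not say so, and it is the reason `Upstream-Status: Inappropriate [embedded specific]` is the right classification; one sentence such as `DESTDIR is always set by the recipe, so the shell guard around --root is dropped` would make that explicit to the next person refreshing the patch.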
@@ -1,47 +0,0 @@ -From 1a8bd0ca13746b5241af5736dee9a25ab360652b Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Sun, 30 Mar 2014 22:25:59 -0400 -Subject: [PATCH] semanage: process ValueError for sepolicy, seobject - -The sepolicy, seobject modules raise many unprocessed ValueError, just -process them in semanage to make the script proivdes error message but -not error trace. - -Uptream-Status: Pending - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> - ---- - semanage/semanage | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/semanage/semanage b/semanage/semanage -index 313537c..2977dd0 100644 ---- a/semanage/semanage -+++ b/semanage/semanage -@@ -25,8 +25,14 @@ - - import traceback - import argparse --import seobject - import sys -+try: -+ import seobject -+ import sepolicy -+except ValueError, e: -+ print "Error: %s\n" % e -+ sys.exit(1) -+ - PROGNAME = "policycoreutils" - try: - import gettext -@@ -73,9 +79,6 @@ usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modi - usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] [" - usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} - --import sepolicy -- -- - class CheckRole(argparse.Action): - - def __call__(self, parser, namespace, value, option_string=None): diff --git a/recipes-security/selinux/selinux-python_2.8.bb b/recipes-security/selinux/selinux-python_2.8.bb deleted file mode 100644 index d63fdef..0000000 --- a/recipes-security/selinux/selinux-python_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "bd9850808203c76f07efd396bde790e3" -SRC_URI[sha256sum] = "e69f5e24820cb247a3d881a9c90efba1e64d76af863c82fb81bc3b87ed71e238" 
diff --git a/recipes-security/selinux/selinux-python_3.6.bb b/recipes-security/selinux/selinux-python_3.6.bb new file mode 100644 index 0000000..79125d0 --- /dev/null +++ b/recipes-security/selinux/selinux-python_3.6.bb 
@@ -0,0 +1,122 @@ +SUMMARY = "Python modules and various SELinux utilities." +DESCRIPTION = "\ +This package contains Python modules sepolgen, sepolicy; And the \ +SELinux utilities audit2allow, chcat, semanage ..." +SECTION = "base" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc + +inherit python3targetconfig + +SRC_URI += "file://fix-sepolicy-install-path.patch \ + " + +S = "${WORKDIR}/git/python" + +DEPENDS = "libsepol libselinux gettext-native python3-setuptools-scm-native" + +RDEPENDS:${PN} = "\ + python3-core \ + python3-codecs \ + python3-io \ + python3-ipy \ + python3-stringold \ + python3-syslog \ + python3-unixadmin \ + libselinux-python \ + libsemanage-python \ + setools \ +" +RDEPENDS:${PN}-audit2allow = "\ + python3-core \ + libselinux-python \ + ${PN}-sepolgen \ +" +RDEPENDS:${PN}-chcat = "\ + python3-core \ + python3-codecs \ + python3-shell \ + python3-stringold \ + python3-unixadmin \ + libselinux-python \ + ${PN} \ +" +RDEPENDS:${PN}-semanage = "\ + python3-core \ + python3-ipy \ + python3-compression \ + python3-xml \ + python3-misc \ + libselinux-python \ + audit-python \ + ${PN} \ +" +RDEPENDS:${PN}-sepolicy = "\ + binutils \ + python3-core \ + python3-codecs \ + python3-distro \ + python3-syslog \ + python3-multiprocessing \ + ${PN} \ +" +RDEPENDS:${PN}-sepolgen-ifgen = "\ + python3-core \ + libselinux-python \ +" + +PACKAGES =+ "\ + ${PN}-audit2allow \ + ${PN}-sepolgen-ifgen \ + ${PN}-chcat \ + ${PN}-semanage \ + ${PN}-sepolgen \ + ${PN}-sepolicy \ +" +FILES:${PN}-audit2allow = "\ + ${bindir}/audit2allow \ + ${bindir}/audit2why \ +" +FILES:${PN}-chcat = "\ + ${bindir}/chcat \ +" +FILES:${PN}-semanage = "\ + ${sbindir}/semanage \ + ${datadir}/bash-completion/completions/semanage \ +" +# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy +FILES:${PN}-sepolicy = "\ + ${bindir}/sepolgen \ + ${bindir}/sepolicy \ + 
${datadir}/bash-completion/completions/sepolicy \ +" +FILES:${PN}-sepolgen-ifgen = "\ + ${bindir}/sepolgen-ifgen \ + ${bindir}/sepolgen-ifgen-attr-helper \ +" +FILES:${PN}-sepolgen = "\ + ${PYTHON_SITEPACKAGES_DIR}/sepolgen* \ + ${localstatedir}/lib/sepolgen/perm_map \ +" + +FILES:${PN} += "\ + ${PYTHON_SITEPACKAGES_DIR}/seobject.py* \ + ${PYTHON_SITEPACKAGES_DIR}/sepolicy*.dist-info \ + ${PYTHON_SITEPACKAGES_DIR}/sepolicy/* \ +" + +do_install() { + oe_runmake DESTDIR="${D}" \ + PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}' \ + install + + # Remove .pyc files + find ${D} -name *.pyc -delete + + # Fix buildpaths issue + sed -i -e 's,${WORKDIR},,g' \ + ${D}${PYTHON_SITEPACKAGES_DIR}/sepolicy-${PV}.dist-info/direct_url.json +} diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch index 18cef4b..6258b7c 100644 --- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch +++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch @@ -1,4 +1,4 @@ -From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001 +From d592d59eb4e7dbf8ce6dc84b3f4c0026fd7cc60c Mon Sep 17 00:00:00 2001 From: Joe MacDonald <joe_macdonald@mentor.com> Date: Fri, 20 Feb 2015 21:07:47 -0500 Subject: [PATCH] sandbox: de-bashify @@ -6,13 +6,14 @@ Subject: [PATCH] sandbox: de-bashify There's no bashisms apparent in either the sandbox initscript nor the sandboxX script, so point them at /bin/sh instead. -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - sandbox/sandbox.init | 2 +- - sandbox/sandboxX.sh | 2 +- + sandbox.init | 2 +- + sandboxX.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sandbox.init b/sandbox.init 
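Review bot: `find ${D} -name *.pyc -delete` in `do_install` leaves the glob unquoted, so the shell expands it against the current directory before find sees it; if a .pyc happens to exist there the expression is rewritten to a literal filename or find fails with an extra path argument, and the cleanup quietly does nothing. Quote it: `find ${D} -name '*.pyc' -delete`. The sed that follows rewrites a hard-coded `sepolicy-${PV}.dist-info/direct_url.json` path, which will break silently on a version bump if the Python package version and PV ever diverge; a short comment stating that assumption (`# dist-info directory name follows the sepolicy package version, which tracks PV`) would save the next maintainer a search.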
@@ -36,5 +37,5 @@ index eaa500d..8755d75 100644 context=`id -Z | secon -t -l -P` export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" -- -1.9.1 +2.25.1 diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb b/recipes-security/selinux/selinux-sandbox_2.8.bb deleted file mode 100644 index 1eb6c2d..0000000 --- a/recipes-security/selinux/selinux-sandbox_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894" -SRC_URI[sha256sum] = "025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3" diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox_3.6.bb index 8616dd7..2cb55d6 100644 --- a/recipes-security/selinux/selinux-sandbox.inc +++ b/recipes-security/selinux/selinux-sandbox_3.6.bb @@ -3,26 +3,29 @@ DESCRIPTION = "\ Run application within a tightly confined SELinux domain. The default \ sandbox domain only allows applications the ability to read and write \ stdin, stdout and any other file descriptors handed to it." - SECTION = "base" -LICENSE = "GPLv2+" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc SRC_URI += "file://sandbox-de-bashify.patch \ -" + " + +S = "${WORKDIR}/git/sandbox" -DEPENDS += "libcap-ng libselinux" +DEPENDS = "libselinux libcap-ng gettext-native" -RDEPENDS_${PN} += "\ - python-math \ - python-shell \ - python-subprocess \ - python-textutils \ - python-unixadmin \ +RDEPENDS:${PN} = "\ + python3-core \ + python3-math \ + python3-shell \ + python3-unixadmin \ libselinux-python \ selinux-python \ " -FILES_${PN} += "\ +FILES:${PN} += "\ ${datadir}/sandbox/sandboxX.sh \ ${datadir}/sandbox/start \ " 
diff --git a/recipes-security/selinux/selinux_20180524.inc b/recipes-security/selinux/selinux_20180524.inc deleted file mode 100644 index b36b333..0000000 --- a/recipes-security/selinux/selinux_20180524.inc +++ /dev/null @@ -1,5 +0,0 @@ -SELINUX_RELEASE = "20180524" - -SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz" - -include selinux_common.inc diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index 383f62d..cecb0b5 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -1,17 +1,21 @@ HOMEPAGE = "https://github.com/SELinuxProject" +SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=main;protocol=https" +SRCREV = "97fa708d867ecb26e8d1c766760947f8e3b9e59a" + +UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" + do_compile() { - oe_runmake all \ - INCLUDEDIR='${STAGING_INCDIR}' \ - LIBDIR='${STAGING_LIBDIR}' + oe_runmake all } do_install() { oe_runmake install \ - DESTDIR="${D}" \ - PREFIX="${prefix}" \ - INCLUDEDIR="${includedir}" \ - LIBDIR="${libdir}" \ - SHLIBDIR="${base_libdir}" \ - SYSTEMDDIR="${systemd_unitdir}" + DESTDIR="${D}" \ + PREFIX="${prefix}" \ + INCLUDEDIR="${includedir}" \ + LIBDIR="${libdir}" \ + SHLIBDIR="${base_libdir}" } + +CVE_PRODUCT ?= "kernel:selinux" diff --git a/recipes-security/selinux/semodule-utils_2.8.bb b/recipes-security/selinux/semodule-utils_2.8.bb deleted file mode 100644 index c56f776..0000000 --- a/recipes-security/selinux/semodule-utils_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0" -SRC_URI[sha256sum] = "44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf" 
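Review bot: `CVE_PRODUCT ?= "kernel:selinux"` becomes the default for every recipe that requires this file (policycoreutils, restorecond, secilc, selinux-python, selinux-sandbox, semodule-utils and the others in this commit), so all of them are matched against one CPE product. It is worth confirming that the NVD entries for the userspace components these recipes build are actually filed under that vendor:product; if some are published under a different one, the affected recipe should extend CVE_PRODUCT itself, otherwise cve-check may miss them while reporting kernel LSM issues against userspace packages. A one-line comment naming where the value was verified, e.g. `# vendor:product NVD uses for the SELinux userspace releases; re-check on version bumps`, would keep this auditable. Pinning SRC_URI to a fixed SRCREV with protocol=https is the right shape for the fetch.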
diff --git a/recipes-security/selinux/semodule-utils.inc b/recipes-security/selinux/semodule-utils_3.6.bb index 23cbd14..0c1c189 100644 --- a/recipes-security/selinux/semodule-utils.inc +++ b/recipes-security/selinux/semodule-utils_3.6.bb @@ -2,23 +2,25 @@ SUMMARY = "Utilities to manipulate SELinux policy module package" DESCRIPTION = "\ The utilities to create, expand, link and show the dependencies between \ the SELinux policy module packages." - SECTION = "base" -LICENSE = "GPLv2+" +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833" + +require selinux_common.inc -DEPENDS += "libsepol" -RDEPENDS_${PN}-dev = "" +DEPENDS = "libsepol" -EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" +S = "${WORKDIR}/git/semodule-utils" PACKAGES =+ "\ ${PN}-semodule-expand \ ${PN}-semodule-link \ ${PN}-semodule-package \ " -FILES_${PN}-semodule-expand += "${bindir}/semodule_expand" -FILES_${PN}-semodule-link += "${bindir}/semodule_link" -FILES_${PN}-semodule-package += "\ + +FILES:${PN}-semodule-expand = "${bindir}/semodule_expand" +FILES:${PN}-semodule-link = "${bindir}/semodule_link" +FILES:${PN}-semodule-package = "\ ${bindir}/semodule_package \ ${bindir}/semodule_unpackage \ " diff --git a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch deleted file mode 100644 index a5af041..0000000 --- a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -Upstream-Status: Backport [https://github.com/TresysTechnology/setools/commit/e41adf0] - -Signed-off-by: Kai Kang <kai.kang@windriver.com> - -From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001 -From: Laurent Bigonville <bigon@bigon.be> -Date: Tue, 26 Sep 2017 15:15:30 +0200 -Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of - snprintf output - -setools fails to build under GCC7 -Wformat -Werror with the following error: - -x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include -I/usr/include/python3.6m -c libqpol/policy_extend.c -o build/temp.linux-amd64-3.6/libqpol/policy_extend.o -Werror -Wextra -Waggregate-return -Wfloat-equal -Wformat -Wformat=2 -Winit-self -Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers -Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code -fno-exceptions -libqpol/policy_extend.c: In function 'policy_extend': -libqpol/policy_extend.c:161:27: error: '%04zd' directive output may be truncated writing between 4 and 10 bytes into a region of size 5 [-Werror=format-truncation=] - snprintf(buff, 9, "@ttr%04zd", i + 1); - ^~~~~ -libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 4294967295] - snprintf(buff, 9, "@ttr%04zd", i + 1); - ^~~~~~~~~~~ - -Increase the size of the buffer to avoid collisions - -Closes: https://github.com/TresysTechnology/setools/issues/174 -Signed-off-by: Laurent Bigonville <bigon@bigon.be> ---- - libqpol/policy_extend.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c 
-index 742819b..739e184 100644 ---- a/libqpol/policy_extend.c -+++ b/libqpol/policy_extend.c -@@ -110,7 +110,7 @@ static int qpol_policy_remove_bogus_aliases(qpol_policy_t * policy) - * Builds data for the attributes and inserts them into the policydb. - * This function modifies the policydb. Names created for attributes - * are of the form @ttr<value> where value is the value of the attribute -- * as a four digit number (prepended with 0's as needed). -+ * as a ten digit number (prepended with 0's as needed). - * @param policy The policy from which to read the attribute map and - * create the type data for the attributes. This policy will be altered - * by this function. -@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - uint32_t bit = 0, count = 0; - ebitmap_node_t *node = NULL; - type_datum_t *tmp_type = NULL, *orig_type; -- char *tmp_name = NULL, buff[10]; -+ char *tmp_name = NULL, buff[16]; - int error = 0, retv; - - INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)"); -@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - - db = &policy->p->p; - -- memset(&buff, 0, 10 * sizeof(char)); -+ memset(&buff, 0, 16 * sizeof(char)); - - for (i = 0; i < db->p_types.nprim; i++) { - /* skip types */ -@@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - * with this attribute */ - /* Does not exist */ - if (db->p_type_val_to_name[i] == NULL){ -- snprintf(buff, 9, "@ttr%04zd", i + 1); -+ snprintf(buff, 15, "@ttr%010zd", i + 1); - tmp_name = strdup(buff); - if (!tmp_name) { - error = errno; -@@ -240,7 +240,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - * Builds data for empty attributes and inserts them into the policydb. - * This function modifies the policydb. 
Names created for the attributes - * are of the form @ttr<value> where value is the value of the attribute -- * as a four digit number (prepended with 0's as needed). -+ * as a ten digit number (prepended with 0's as needed). - * @param policy The policy to which to add type data for attributes. - * This policy will be altered by this function. - * @return Returns 0 on success and < 0 on failure; if the call fails, -@@ -251,7 +251,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - static int qpol_policy_fill_attr_holes(qpol_policy_t * policy) - { - policydb_t *db = NULL; -- char *tmp_name = NULL, buff[10]; -+ char *tmp_name = NULL, buff[16]; - int error = 0, retv = 0; - ebitmap_t tmp_bmap = { NULL, 0 }; - type_datum_t *tmp_type = NULL; -@@ -265,12 +265,12 @@ static int qpol_policy_fill_attr_holes(qpol_policy_t * policy) - - db = &policy->p->p; - -- memset(&buff, 0, 10 * sizeof(char)); -+ memset(&buff, 0, 16 * sizeof(char)); - - for (i = 0; i < db->p_types.nprim; i++) { - if (db->type_val_to_struct[i]) - continue; -- snprintf(buff, 9, "@ttr%04zd", i + 1); -+ snprintf(buff, 15, "@ttr%010zd", i + 1); - tmp_name = strdup(buff); - if (!tmp_name) { - error = errno; --- -2.20.1 - diff --git a/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch b/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch deleted file mode 100644 index 9a6b818..0000000 --- a/recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From dc86d880ae0d66233679112a2bf0115c39df68f1 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Fri, 17 Feb 2017 08:57:35 +0000 -Subject: [meta-selinux][PATCH] setools4: fix cross-compiling errors for powerpc, mips - -Fix build errors: -| libqpol/policy.c: In function 'qpol_binpol_version': -| libqpol/policy.c:95:24: error: implicit declaration of function 'bswap_32' [-Werror=implicit-function-declaration] -| #define le32_to_cpu(x) bswap_32(x) - -Upstream-Status: Pending - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> ---- - libqpol/policy.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/libqpol/policy.c b/libqpol/policy.c -index ae3acb5..b5b87f9 100644 ---- a/libqpol/policy.c -+++ b/libqpol/policy.c -@@ -45,6 +45,10 @@ - # include <asm/types.h> - #endif - -+#if defined(_ARCH_PPC) || defined(mips) -+#include <byteswap.h> -+#endif -+ - #include <sepol/debug.h> - #include <sepol/handle.h> - #include <sepol/policydb/flask_types.h> --- -2.11.0 - diff --git a/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch b/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch index 5c43c49..cdaa45c 100644 --- a/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch +++ b/recipes-security/setools/setools/setools4-fixes-for-cross-compiling.patch @@ -1,7 +1,7 @@ -From a104374147b398838edc04e937c92e762ea3f5d9 Mon Sep 17 00:00:00 2001 +From 673bac44ce13f475845e0b69dc73bfaa5a0866aa Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Tue, 14 Feb 2017 06:32:35 +0000 -Subject: [meta-selinux][PATCH] setools4: fixes for cross compiling +Subject: [PATCH] setools4: fixes for cross compiling * search libsepol from $STAGING_LIBDIR * fix manual install path as '/usr/share/man/man1' @@ -9,32 +9,24 @@ Subject: [meta-selinux][PATCH] setools4: fixes for cross compiling Upstream-Status: Inappropriate [embedded specific] 
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- - setup.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + setup.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py -index 2ca44c9..300ff70 100644 +index 5584e55..057bbb5 100644 --- a/setup.py +++ b/setup.py -@@ -77,7 +77,7 @@ class BuildExtCommand(build_ext): - build_ext.run(self) +@@ -79,7 +79,7 @@ class QtHelpCommand(Command): --base_lib_dirs = ['.', '/usr/lib64', '/usr/lib', '/usr/local/lib'] -+base_lib_dirs = [os.environ["STAGING_LIBDIR"]] - include_dirs = ['libqpol', 'libqpol/include'] + # Library linkage +-lib_dirs = ['.', '/usr/lib64', '/usr/lib', '/usr/local/lib'] ++lib_dirs = [os.environ["STAGING_LIBDIR"]] + include_dirs = [] - try: -@@ -182,7 +182,7 @@ setup(name='setools', - 'build_qhc': QtHelpCommand}, - packages=['setools', 'setools.diff', 'setools.policyrep', 'setoolsgui', 'setoolsgui.apol'], - scripts=['apol', 'sediff', 'seinfo', 'seinfoflow', 'sesearch', 'sedta'], -- data_files=[(join(sys.prefix, 'share/man/man1'), glob.glob("man/*.1"))], -+ data_files=[('/usr/share/man/man1', glob.glob("man/*.1"))], - package_data={'': ['*.ui', '*.qhc', '*.qch'], 'setools': ['perm_map']}, - ext_modules=ext_py_mods, - test_suite='tests', + with suppress(KeyError): -- -2.13.0 +2.25.1 diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb deleted file mode 100644 index c5a2d34..0000000 --- a/recipes-security/setools/setools_4.1.1.bb +++ /dev/null 
@@ -1,37 +0,0 @@
-SUMMARY = "Policy analysis tools for SELinux"
-DESCRIPTION = "\
-SETools is a collection of graphical tools, command-line tools, and \
-libraries designed to facilitate SELinux policy analysis. \
-\n\
-This meta-package depends upon the main packages necessary to run \
-SETools."
-SECTION = "base"
-LICENSE = "GPLv2 & LGPLv2.1"
-
-SRC_URI = "https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz \
- file://setools4-fixes-for-cross-compiling.patch \
- file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
- file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
-"
-
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = "46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
-
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
- file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
- file://${S}/COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
-
-DEPENDS += "bison-native flex-native swig-native python libsepol"
-
-RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools \
- python-logging python-json python-argparse libselinux-python"
-
-RPROVIDES_${PN} += "${PN}-console"
-
-inherit setuptools
-
-do_install_append() {
- # Need PyQt5 support, disable gui tools
- rm -f ${D}${bindir}/apol
- rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setoolsgui
-}
diff --git a/recipes-security/setools/setools_4.4.4.bb b/recipes-security/setools/setools_4.4.4.bb
new file mode 100644
index 0000000..37bb86a
--- /dev/null
+++ b/recipes-security/setools/setools_4.4.4.bb
@@ -0,0 +1,38 @@
+SUMMARY = "Policy analysis tools for SELinux"
+DESCRIPTION = "\
+SETools is a collection of graphical tools, command-line tools, and \
+libraries designed to facilitate SELinux policy analysis."
+SECTION = "base"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"
+
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.4;protocol=https \
+ file://setools4-fixes-for-cross-compiling.patch \
+ "
+SRCREV = "a04b015459512d0460ff6bc50f28d746861f4a0b"
+
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=69a7b68f0a4a570d7c0c43465333ecbc \
+ file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://${S}/COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-cython-native libsepol libselinux"
+
+RDEPENDS:${PN} = "python3-networkx python3-setuptools \
+ python3-logging libselinux-python"
+
+RPROVIDES:${PN} = "${PN}-console"
+
+inherit setuptools3
+
+do_install:prepend() {
+ sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/setools/policyrep.c
+}
+
+do_install:append() {
+ # Need PyQt5 support, disable gui tools
+ rm -f ${D}${bindir}/apol
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setoolsgui
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/__pycache__
+ rm -rf ${D}${libdir}/${PYTHON_DIR}/site-packages/setools/*/__pycache__
+}
diff --git a/recipes-support/attr/attr_selinux.inc b/recipes-support/attr/attr_selinux.inc
index ba0314e..efc18b2 100644
--- a/recipes-support/attr/attr_selinux.inc
+++ b/recipes-support/attr/attr_selinux.inc
@@ -1,5 +1,3 @@
-inherit selinux
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 
 SRC_URI += "file://fix-ptest-failures-when-selinux-enabled.patch"
diff --git a/recipes-support/gnupg/gnupg_selinux.inc b/recipes-support/gnupg/gnupg_selinux.inc
index 12571b4..eee1731 100644
--- a/recipes-support/gnupg/gnupg_selinux.inc
+++ b/recipes-support/gnupg/gnupg_selinux.inc
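Review bot: The `sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/setools/policyrep.c` line in `do_install:prepend` rewrites a generated source file with no comment saying why, and `${RECIPE_SYSROOT}` expands to an absolute path whose `.` characters are sed regex metacharacters, so the pattern is not guaranteed to match only the literal prefix. The intent is presumably to keep the sysroot path out of the Cython-generated C file (and whatever is rebuilt from it during the install step) so build paths do not leak into the package — that should be confirmed and written down, e.g. `# Strip the sysroot prefix cython bakes into the generated C source so build paths do not leak into the shipped extension`. If the path can ever contain regex-special characters, escape it before interpolating it into the `s:::` expression rather than relying on the current layout of the sysroot path.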
@@ -1,3 +1,2 @@
 inherit enable-selinux
-# gnupg will not build with libselinux, so remove the depend
-PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,,"
+PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,libselinux"
diff --git a/recipes-support/libpcre/libpcre_%.bbappend b/recipes-support/libpcre/libpcre_%.bbappend
deleted file mode 100644
index 7719d3b..0000000
--- a/recipes-support/libpcre/libpcre_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-support/libpcre/libpcre_selinux.inc b/recipes-support/libpcre/libpcre_selinux.inc
deleted file mode 100644
index 3810078..0000000
--- a/recipes-support/libpcre/libpcre_selinux.inc
+++ /dev/null
@@ -1,18 +0,0 @@
-do_install_append () {
- # This code creates libpcre for both the dev machine (SDK native)
- # and for cross-compiling (machine arch). For Linux (SDK Linux native
- # + all machine arch), symlinks to the .so files have to be created,
- # but not for the Windows SDK native.
- if [ ${TARGET_OS} != "mingw32" ]; then
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} -a -e ${D}${libdir}/libpcre.so ]; then
- realsofile=`readlink ${D}${libdir}/libpcre.so`
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so.1
- fi
- fi
-}
-
-FILES_${PN} += "${base_libdir}/libpcre.so.*"
diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend b/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
deleted file mode 100644
index 74e22b3..0000000
--- a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} |
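Review bot: The new `PACKAGECONFIG[selinux] = "...,libselinux"` in the gnupg_selinux.inc hunk adds libselinux as a build-time dependency while deleting the comment that said gnupg would not build against it, and nothing replaces that comment to explain what changed. If gnupg's `--enable-selinux-support` only switches on its built-in restrictions and never links libselinux (which the removed comment suggests), the dependency adds build time and dependency-graph edges for nothing; if gnupg does build and link against it now, that is worth stating. A one-line replacement such as `# gnupg's --enable-selinux-support builds against libselinux (verified with this gnupg version)` would keep the next reader from re-discovering the history.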