diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch | 77 |
1 files changed, 0 insertions, 77 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch deleted file mode 100644 index b4befdd..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 97a6eec0d2ea437b5155090ba880a88666f40059 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount - nfsd_fs_t. - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 2 ++ - policy/modules/services/rpc.te | 5 +++++ - policy/modules/services/rpcbind.te | 5 +++++ - 4 files changed, 13 insertions(+) - -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 1db0c652..bf1c0173 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - - type nfsd_fs_t; - fs_type(nfsd_fs_t) -+files_mountpoint(nfsd_fs_t) - genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - - type nsfs_t; -diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index e971c533..ad7c823a 100644 ---- a/policy/modules/kernel/kernel.te -+++ b/policy/modules/kernel/kernel.te -@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_use_all_levels(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 -diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index d4209231..a2327b44 100644 ---- a/policy/modules/services/rpc.te -+++ b/policy/modules/services/rpc.te -@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` - - optional_policy(` - mount_exec(nfsd_t) -+ # Should domtrans to mount_t while mounting nfsd_fs_t. -+ mount_domtrans(nfsd_t) -+ # nfsd_t need to chdir to /var/lib/nfs and read files. -+ files_list_var(nfsd_t) -+ rpc_read_nfs_state_data(nfsd_t) - ') - - ######################################## -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 5914af99..2055c114 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. -+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') --- -2.19.1 - |