Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git')
64 files changed, 1744 insertions, 1215 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
new file mode 100644
index 0000000..5e38b8c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch
@@ -0,0 +1,36 @@
+From ab97bea9248f62e735526292fc1253ebb1ecfa6c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 16:14:09 -0400
+Subject: [PATCH 01/34] fc/subs/volatile: alias common /var/volatile paths
+
+Ensure /var/volatile paths get the appropriate base file context.
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 346d920e..be532d7f 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -31,3 +31,13 @@
+ # not for refpolicy intern, but for /var/run using applications,
+ # like systemd tmpfiles or systemd socket configurations
+ /var/run /run
++
++# volatile aliases
++# ensure the policy applied to the base filesystem objects are reflected in the
++# volatile hierarchy.
++/var/volatile/log /var/log
++/var/volatile/run /var/run
++/var/volatile/cache /var/cache
++/var/volatile/tmp /var/tmp
++/var/volatile/lock /var/lock
++/var/volatile/run/lock /var/lock
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch
index 3f6a5c8..98d98d4 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysvinit.patch
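Review bot: The new alias `/var/volatile/run /var/run` sits next to the pre-existing `/var/run /run` entry, and as far as I know libselinux applies one substitution per lookup rather than chaining them, so a path under /var/volatile/run would be looked up as /var/run/... and never as /run/..., leaving any file_contexts entry written against /run unmatched. That is worth confirming on a target before relying on these aliases; if it holds, /var/volatile/run should be aliased straight to /run. Which of `/var/volatile/run /var/run` and the later, longer `/var/volatile/run/lock /var/lock` wins for a path under run/lock depends on the matcher's precedence rule rather than on prefix length, so a one-line comment recording the intended winner, e.g. `# run/lock must take precedence over run`, would save the next reader the experiment.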
+++ b/recipes-security/refpolicy/refpolicy-git/0001-fix-update-alternatives-for-sysvinit.patch @@ -1,34 +1,34 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From cf2f08bdb2d64b38b6c83c96f409c1cd9975fe6a Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/4] fix update-alternatives for sysvinit +Subject: [PATCH] fix update-alternatives for sysvinit Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/contrib/shutdown.fc | 1 + - policy/modules/kernel/corecommands.fc | 1 + - policy/modules/system/init.fc | 1 + + policy/modules/admin/shutdown.fc | 1 + + policy/modules/kernel/corecommands.fc | 1 + + policy/modules/system/init.fc | 1 + 3 files changed, 3 insertions(+) ---- a/policy/modules/contrib/shutdown.fc -+++ b/policy/modules/contrib/shutdown.fc -@@ -3,7 +3,8 @@ - /usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - +diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc +index 03a2230c..2ba049ff 100644 +--- a/policy/modules/admin/shutdown.fc ++++ b/policy/modules/admin/shutdown.fc +@@ -5,5 +5,6 @@ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index cf3848db..86920167 100644 --- a/policy/modules/kernel/corecommands.fc 
+++ b/policy/modules/kernel/corecommands.fc -@@ -144,10 +144,11 @@ ifdef(`distro_gentoo',` - /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) - /usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -149,6 +149,7 @@ ifdef(`distro_gentoo',` /usr/bin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) @@ -36,19 +36,18 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> /usr/bin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 11a6ce93..93e9d2b4 100644 --- a/policy/modules/system/init.fc 
+++ b/policy/modules/system/init.fc -@@ -40,10 +40,11 @@ ifdef(`distro_gentoo', ` - - /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',` + # /usr + # + /usr/bin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) - /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) - /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) - - ifdef(`distro_gentoo', ` - /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0) + /usr/bin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch new file mode 100644 index 0000000..3cc5395 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch 
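Review bot: In the rebased init.fc hunk the surrounding entries now live under /usr/bin (`/usr/bin/init(ng)?`, `/usr/bin/open_init_pty`) while the added line still labels `/usr/sbin/init\.sysvinit`; if this refpolicy's file_contexts.subs_dist folds /usr/sbin into /usr/bin, the new pattern would never match the installed alternative. Confirm against the subs file and the install path, and if so change it to `/usr/bin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)`. The shutdown.fc hunk is consistent with its neighbours, which all use /usr/sbin.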
@@ -0,0 +1,68 @@
+From 0f25b7c345d516eccd1c02c93f752ce073b84865 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:44 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related
+ allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/getty.te | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 6d3c4284..423db0cc 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -129,3 +129,6 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index e6221a02..4cc73327 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -620,3 +621,10 @@ optional_policy(`
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
new file mode 100644
index 0000000..22eab15
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch
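Review bot: `allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };` lists `search` twice; checkpolicy tolerates the duplicate but it reads as a copy-paste slip, so drop one. More substantively, the getty_t and auditd_t rules are written against the generic tmpfs_t type rather than the log types: with the /var/volatile/log → /var/log alias that 0001-fc-subs-volatile adds in this same series, wtmp and audit.log should end up labelled as the regular log types, which would make these tmpfs_t grants unnecessary and, as written, lets both domains open and write any tmpfs-labelled file. Suggest re-checking the denials with that alias in place before keeping them. The patch also leaves logging.te without a trailing newline (`\ No newline at end of file`), which 0004-refpolicy-minimum in this series then has to repair; fixing it here avoids the churn.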
@@ -0,0 +1,31 @@
+From a47fb4d6a25574d900213ef63b5c7e3ce7182419 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 20:48:10 -0400
+Subject: [PATCH 02/34] fc/subs/busybox: set aliases for bin, sbin and usr
+
+The objects in /usr/lib/busybox/* should have the same policy applied as
+the corresponding objects in the / hierarchy.
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ config/file_contexts.subs_dist | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index be532d7f..04fca3c3 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -41,3 +41,10 @@
+ /var/volatile/tmp /var/tmp
+ /var/volatile/lock /var/lock
+ /var/volatile/run/lock /var/lock
++
++# busybox aliases
++# quickly match up the busybox built-in tree to the base filesystem tree
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
++
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100644
index 0000000..e2c6c89
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0002-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
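Review bot: This patch header carries no `Upstream-Status:` line, while every other patch in the series does (the sibling 0001-fc-subs-volatile, which edits the same subs_dist file, says `Upstream-Status: Pending`); Yocto layer tooling expects the tag, so add `Upstream-Status: Pending` (or `Inappropriate [only for Yocto]`, whichever applies) above the Signed-off-by. The extra blank line added after `/usr/lib/busybox/usr /usr` is not needed either.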
@@ -0,0 +1,54 @@
+From b69a82237ccc8de3f5b822739760f5cb6596fe51 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 2/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc: denied { read write open } for pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 4c679ff3..75750e4c 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -288,3 +288,13 @@ optional_policy(`
+ optional_policy(`
+ nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t 
var_run_t:file { open read write lock}; ++allow local_login_t var_run_t:sock_file write; ++allow local_login_t tmpfs_t:dir { add_name write search}; ++allow local_login_t tmpfs_t:file { create open read write lock }; +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch index 737c0a2..f194d6d 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/0003-fc-sysklogd-apply-policy-to-sysklogd-symlink.patch @@ -1,33 +1,33 @@ -From 4964fa5593349916d8f5c69edb0b16f611586098 Mon Sep 17 00:00:00 2001 +From d0fd07dda45b349af634e4671a70e47fef102386 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:39:41 +0800 -Subject: [PATCH 2/4] fix update-alternatives for sysklogd +Subject: [PATCH 03/34] fc/sysklogd: apply policy to sysklogd symlink -/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow rule -for syslogd_t to read syslog_conf_t lnk_file is needed. +/etc/syslog.conf is a symlink to /etc/syslog.conf.sysklogd, so a allow +rule for syslogd_t to read syslog_conf_t lnk_file is needed. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 
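Review bot: `allow local_login_t self:capability net_admin;` is not backed by any of the three denials quoted in the commit message (lastlog read/write/lock and sendto to the journal socket); net_admin is a broad capability, so either quote the denial that needs it or drop the rule, and if it was only ever seen as audit noise a dontaudit is the more likely fit. As in the audit/getty patch of this series, the tmpfs_t dir/file rules duplicate what the var_log_t grant already covers once 0001-fc-subs-volatile aliases /var/volatile/log onto /var/log, and they apply to every tmpfs-labelled object rather than just lastlog. Minor: `{ open read write lock}` and `{ add_name write search}` are missing the closing space the other permission sets in the hunk use.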
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/logging.fc | 4 ++++ - policy/modules/system/logging.te | 1 + - 2 files changed, 5 insertions(+) + policy/modules/system/logging.fc | 3 +++ + policy/modules/system/logging.te | 1 + + 2 files changed, 4 insertions(+) -Index: refpolicy/policy/modules/system/logging.fc -=================================================================== ---- refpolicy.orig/policy/modules/system/logging.fc -+++ refpolicy/policy/modules/system/logging.fc +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 6693d87b..0cf108e0 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc @@ -2,6 +2,7 @@ - /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) - /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) - /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) -@@ -30,10 +31,12 @@ + /etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) ++/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) + /etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) +@@ -32,10 +33,12 @@ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) 
@@ -40,11 +40,11 @@ Index: refpolicy/policy/modules/system/logging.fc /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) -Index: refpolicy/policy/modules/system/logging.te -=================================================================== ---- refpolicy.orig/policy/modules/system/logging.te -+++ refpolicy/policy/modules/system/logging.te -@@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 0c5be1cd..38ccfe3a 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -399,6 +399,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; @@ -52,3 +52,6 @@ Index: refpolicy/policy/modules/system/logging.te allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch new file mode 100644 index 0000000..968a9be --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0003-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch 
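Review bot: The added file-context entry `/etc/syslog\.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)` omits the `--` object-class field that every neighbouring entry in the rebased hunk now carries (`/etc/syslog\.conf -- gen_context(...)`), so it matches any object type at that path rather than only a regular file; make it `/etc/syslog\.conf\.sysklogd -- gen_context(system_u:object_r:syslog_conf_t,s0)`. The commit message's "so a allow rule" should read "so an allow rule".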
@@ -0,0 +1,121 @@
+From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 4 +++
+ policy/modules/system/libraries.te | 3 +++
+ policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te | 6 +++++
+ 4 files changed, 52 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d8696580..e15ec4b9 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1425,3 +1425,7 @@ optional_policy(`
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 422b0ea1..80b0c9a5 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -145,3 +145,6 @@ optional_policy(`
+ optional_policy(`
+ unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 6353ca69..4519a448 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
+
+ getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+ ')
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++ gen_require(`
++ class service { start status stop };
++ ')
++
++ allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++ gen_require(`
++ class service start;
++ ')
++
++ allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 12cc0d7c..c09e94a5 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
new file mode 100644
index 0000000..36bfdcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch
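Review bot: Both new interfaces in systemd.if document their parameter as `Domain to not audit.`, which is copied from a dontaudit interface and is wrong here: `systemd_service_file_operations` should say `Domain allowed access.`, and `systemd_service_lib_function` takes the service type that initrc_t may start, so its `<param name="domain">` should become `<param name="type">` with a summary such as `Type of the service units initrc_t may start.`. The interface bodies also use `lib_t` and `initrc_t` without a `type` entry in gen_require; a monolithic build will not notice, but as far as I can tell a modular build would fail on the undeclared types, so add `type lib_t;` and `type initrc_t;` to the respective gen_require blocks. Note that `systemd_service_file_operations` grants start/stop/status on every unit labelled lib_t, i.e. everything under /lib/systemd/system; that is expected for unconfined_t, but the interface name and summary should make that breadth explicit before it is reused elsewhere.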
@@ -0,0 +1,27 @@
+From abd7d9fa3398be45e733930ebaec9e05b1aba252 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH 04/34] fc/hostname: apply policy to common yocto hostname
+ alternatives
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/hostname.fc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 83ddeb57..653e038d 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1 +1,5 @@
++/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/bin/hostname\.coreutils -- gen_context(system_u:object_r:hostname_exec_t,s0)
++/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
+ /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100644
index 0000000..06b9192
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
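Review bot: `/usr/lib/busybox/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)` looks redundant with the `/usr/lib/busybox/bin /bin` alias that 0002-fc-subs-busybox adds in this same series, which should already map the busybox applet onto the base hostname entry provided /bin is itself aliased onto /usr/bin as the rest of this fc assumes; check the resulting label on a target (selabel lookup or restorecon -nv) and drop the explicit entry if the alias covers it, so there is a single source of truth. The Upstream-Status wording `Inappropriate [only for Yocto]` differs from the `[only for Poky]` used by the sysvinit patch of the series for the same reason; pick one.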
@@ -0,0 +1,96 @@
+From 0918b156dcf4d126fd0e36de5a6c61f114448c8a Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
+comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te | 7 ++++++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 28f74bac..dfa46612 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -479,3 +479,5 @@ optional_policy(`
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4cc73327..98c2bd19 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f6455f6f..b13337b9 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1011,6 +1011,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
new file mode 100644
index 0000000..194a474
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch
@@ -0,0 +1,30 @@
+From 783ba03eff9d5b94363fff148aa1c745ff02ddd4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:37:32 -0400
+Subject: [PATCH 05/34] fc/bash: apply /usr/bin/bash context to /bin/bash.bash
+
+We include /bin/bash.bash as a valid alias for /bin/bash, so ensure we apply
+the proper context to the target for our policy.
+
+Upstream-Status: Inappropriate [only for Yocto]
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index e7415cac..cf3848db 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+--
+2.19.1
+
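Review bot: `allow systemd_tmpfiles_t proc_t:filesystem getattr;` is added directly above the existing `kernel_getattr_proc(systemd_tmpfiles_t)` call that remains in the hunk's context, and that interface is the one that grants exactly this permission, so the raw rule appears redundant; the matching raw `proc_t:filesystem getattr` rules for mount_t and chkpwd_t should likewise go through `kernel_getattr_proc(mount_t)` and `kernel_getattr_proc(chkpwd_t)` rather than naming proc_t from another module. `allow mount_t initrc_t:udp_socket { read write };` answers a denial on an inherited descriptor (`path="socket:[9717]"` in the quoted avc), which is normally a leaked fd to dontaudit or close-on-exec in the caller rather than a permission to grant; the same question applies to `allow systemd_tmpfiles_t init_t:file read` for /proc/1/environ. The commit message's "denails" is a typo for "denials".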
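Review bot: `/usr/bin/bash.bash -- gen_context(system_u:object_r:shell_exec_t,s0)` leaves the dot unescaped, whereas this file's convention is to escape literal dots in regex paths (`/usr/bin/mkfs\.cramfs` nearby, `/usr/sbin/shutdown\.sysvinit` in the same series); as written the `.` matches any character. Change it to `/usr/bin/bash\.bash -- gen_context(system_u:object_r:shell_exec_t,s0)`.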
diff --git a/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
new file mode 100644
index 0000000..aec54cd
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch
@@ -0,0 +1,37 @@
+From 54a00a22a0d9aca794440bf51511f5477e9249d2 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:53 +0530
+Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init
+ manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e15ec4b9..843fdcff 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1427,5 +1427,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
+--
+2.19.1
+
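Review bot: This patch rewrites the `allow initrc_t init_t:system { start status };` line that 0003-refpolicy-minimum-systemd introduced two patches earlier in the same series; squashing `reboot` into that patch would avoid a follow-up whose only job is to edit a line the series itself added. Since the rule is unconditional, every process running in initrc_t, i.e. any init script, can now ask init to reboot; that is presumably intended for the quoted `systemctl --force reboot`, but a one-line comment above the rule naming that case (`# systemctl --force reboot is run from initrc_t`) would record why the permission is there.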
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index cd79f45..d098118 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_resolv.conf.patch +++ b/recipes-security/refpolicy/refpolicy-git/0006-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch @@ -1,24 +1,30 @@ -Subject: [PATCH] fix real path for resolv.conf +From 9818faa2a732d6d1cda72926526f104de74bd992 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Thu, 4 Apr 2019 10:45:03 -0400 +Subject: [PATCH 06/34] fc/resolv.conf: label resolv.conf in var/run/ properly -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/sysnetwork.fc | 1 + + policy/modules/system/sysnetwork.fc | 1 + 1 file changed, 1 insertion(+) +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index 1e5432a4..ac7c2dd1 100644 --- a/policy/modules/system/sysnetwork.fc 
+++ b/policy/modules/system/sysnetwork.fc -@@ -17,10 +17,11 @@ ifdef(`distro_debian',` - /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) +@@ -22,6 +22,7 @@ ifdef(`distro_debian',` /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -+/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) ++/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) - +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch new file mode 100644 index 0000000..bf770d9 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0006-refpolicy-minimum-systemd-mount-enable-required-refp.patch 
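Review bot: The rebased header now carries `Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>` twice, separated by a blank line (the second copy is added by this hunk); drop the duplicate trailer. Changing Upstream-Status from `Inappropriate [only for Poky]` to `Pending` asserts that this will be submitted upstream, which is fine if intended but should then be stated in the commit message. The fc change itself, `/var/run/resolv\.conf.*` labelled net_conf_t, is consistent with the /etc entry it now sits next to.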
@@ -0,0 +1,92 @@ +From ca6644e1f1066a8354f2f6dbb068713f59225f37 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Wed, 3 Apr 2019 14:51:29 -0400 +Subject: [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required + refpolicy booleans + +enable required refpolicy booleans for these modules + +i. mount: allow_mount_anyfile +without enabling this boolean we are getting below avc denial + +audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media +/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 +tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 + +This avc can be allowed using the boolean 'allow_mount_anyfile' +allow mount_t initrc_var_run_t:dir mounton; + +ii. systemd : systemd_tmpfiles_manage_all +without enabling this boolean we are not getting access to mount systemd +essential tmpfs during bootup, also not getting access to create audit.log + +audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= +"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles +_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 + + ls /var/log + /var/log -> volatile/log +:~# + +The old refpolicy included a pre-generated booleans.conf that could be +patched. That's no longer the case so we're left with a few options, +tweak the default directly or create a template booleans.conf file which +will be updated during build time. Since this is intended to be applied +only for specific configuraitons it seems like the same either way and +this avoids us playing games to work around .gitignore. 
+ +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/booleans.conf | 9 +++++++++ + policy/modules/system/mount.te | 2 +- + policy/modules/system/systemd.te | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + create mode 100644 policy/booleans.conf + +diff --git a/policy/booleans.conf b/policy/booleans.conf +new file mode 100644 +index 00000000..850f56ed +--- /dev/null ++++ b/policy/booleans.conf +@@ -0,0 +1,9 @@ ++# ++# Allow the mount command to mount any directory or file. ++# ++allow_mount_anyfile = true ++ ++# ++# Enable support for systemd-tmpfiles to manage all non-security files. ++# ++systemd_tmpfiles_manage_all = true +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index a87d0e82..868052b7 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -10,7 +10,7 @@ policy_module(mount, 1.20.0) + ## Allow the mount command to mount any directory or file. + ## </p> + ## </desc> +-gen_tunable(allow_mount_anyfile, false) ++gen_tunable(allow_mount_anyfile, true) + + attribute_role mount_roles; + roleattribute system_r mount_roles; +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index b13337b9..74f9c1cb 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -10,7 +10,7 @@ policy_module(systemd, 1.7.5) + ## Enable support for systemd-tmpfiles to manage all non-security files. + ## </p> + ## </desc> +-gen_tunable(systemd_tmpfiles_manage_all, false) ++gen_tunable(systemd_tmpfiles_manage_all, true) + + ## <desc> + ## <p> +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch index 49f4960..824c136 100644 
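Review bot: Changing `gen_tunable(allow_mount_anyfile, true)` in mount.te and `gen_tunable(systemd_tmpfiles_manage_all, true)` in systemd.te alters the built-in default for every policy built from this recipe, while the commit message says the change is meant only for the refpolicy-minimum + systemd configuration; the new policy/booleans.conf already carries the same two settings, so the .te edits look redundant and widen the exposure. The mount denial quoted in the message corresponds to a single rule, `allow mount_t initrc_var_run_t:dir mounton;`, which would resolve it without letting mount_t mounton arbitrary files and directories system-wide. Consider keeping only booleans.conf (scoped to the minimum/systemd build) and the narrow rule, and state in the message which configurations are affected. The `ls /var/log` transcript in the description reads as leftover notes and can be removed.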
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_login.patch +++ b/recipes-security/refpolicy/refpolicy-git/0007-fc-login-apply-login-context-to-login.shadow.patch @@ -1,25 +1,27 @@ -Subject: [PATCH] fix real path for login commands. +From 3323cd185bd27a010fb4353d16cb6c3a8608fd20 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Thu, 28 Mar 2019 21:43:53 -0400 +Subject: [PATCH 07/34] fc/login: apply login context to login.shadow Upstream-Status: Inappropriate [only for Poky] -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/authlogin.fc | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) + policy/modules/system/authlogin.fc | 1 + + 1 file changed, 1 insertion(+) +diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc +index e22945cd..a42bc0da 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -3,10 +3,12 @@ - /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) - /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +@@ -5,6 +5,7 @@ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) +/usr/bin/login\.shadow -- gen_context(system_u:object_r:login_exec_t,s0) -+/usr/bin/login\.tinylogin -- gen_context(system_u:object_r:login_exec_t,s0) /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/bin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /usr/bin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /usr/bin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /usr/bin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +-- +2.19.1 + 
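Review bot: The Upstream-Status trailer stays `Inappropriate [only for Poky]` while the neighbouring patches in this series are moved to `Pending` and given an upstream-style subject; if this one really is Poky-only that is fine, but it should be a deliberate choice rather than a leftover, and the message could say why. The revision also drops the `/usr/bin/login\.tinylogin` entry so only `/usr/bin/login\.shadow` carries login_exec_t; if a busybox login alternative is also shipped (the series labels busybox applets under /usr/lib/busybox elsewhere), it would execute without the login_exec_t transition, so confirm no other login alternative is installed on the target.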
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch new file mode 100644 index 0000000..307574c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch 
@@ -0,0 +1,103 @@ +From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade <shrikant_bobade@mentor.com> +Date: Fri, 26 Aug 2016 17:54:09 +0530 +Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal + service + +1. fix for systemd services: login & journal wile using refpolicy-minimum and +systemd as init manager. +2. fix login duration after providing root password. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ +systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: +local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 +tclass=fifo_file permissive=0 + +audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path +="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file + +audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: +system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path +="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl +--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: +lib_t:s0 tclass=service + +[FAILED] Failed to start Flush Journal to Persistent Storage. +See 'systemctl status systemd-journal-flush.service' for details. + +[FAILED] Failed to start Login Service. +See 'systemctl status systemd-logind.service' for details. + +[FAILED] Failed to start Avahi mDNS/DNS-SD Stack. +See 'systemctl status avahi-daemon.service' for details. 
+ +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/init.te | 2 ++ + policy/modules/system/locallogin.te | 3 +++ + policy/modules/system/systemd.if | 6 ++++-- + policy/modules/system/systemd.te | 2 +- + 4 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 843fdcff..ca8678b8 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read; + + allow initrc_t init_t:system { start status reboot }; + allow initrc_t init_var_run_t:service { start status }; ++ ++allow initrc_t init_var_run_t:service stop; +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 75750e4c..2c2cfc7d 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock}; + allow local_login_t var_run_t:sock_file write; + allow local_login_t tmpfs_t:dir { add_name write search}; + allow local_login_t tmpfs_t:file { create open read write lock }; ++allow local_login_t init_var_run_t:fifo_file write; ++allow local_login_t initrc_t:dbus send_msg; ++allow initrc_t local_login_t:dbus send_msg; +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 4519a448..79133e6f 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',` + # + interface(`systemd_service_lib_function',` + gen_require(` +- class service start; ++ class service { start status stop }; ++ class file { execmod open }; + ') + +- allow initrc_t $1:service start; ++ allow initrc_t $1:service { start status stop }; ++ allow initrc_t $1:file execmod; + + ') +diff --git 
a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 74f9c1cb..f1d26a44 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; + + allow systemd_tmpfiles_t init_t:dir search; + allow systemd_tmpfiles_t proc_t:filesystem getattr; +-allow systemd_tmpfiles_t init_t:file read; ++allow systemd_tmpfiles_t init_t:file { open getattr read }; + allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; + + kernel_getattr_proc(systemd_tmpfiles_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch index 3218c88..6472a21 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-bind.patch +++ b/recipes-security/refpolicy/refpolicy-git/0008-fc-bind-fix-real-path-for-bind.patch @@ -1,19 +1,21 @@ -From e438a9466a615db3f63421157d5ee3bd6d055403 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:09:11 +0800 -Subject: [PATCH] refpolicy: fix real path for bind. +From 9207386c0a860b3b6520eca5e509b9633c67c1e4 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Thu, 28 Mar 2019 21:58:53 -0400 +Subject: [PATCH 08/34] fc/bind: fix real path for bind -Upstream-Status: Inappropriate [configuration] +Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 
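Review bot: The new `allow initrc_t $1:file execmod;` line in `systemd_service_lib_function` is not tied to any of the denials quoted in the commit message (those are `stop` on a service, `open`/`getattr` on init_t files, a fifo write and dbus send_msg), and execmod on service-unit files is an unusually strong permission that should not be granted without a matching AVC; drop it or record the denial that required it. The `gen_require` block also pulls in `class file { execmod open }` although `open` is never used in the interface. In init.te the added `allow initrc_t init_var_run_t:service stop;` could be folded into the existing `allow initrc_t init_var_run_t:service { start status };` two lines above instead of being appended after a blank line.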
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/contrib/bind.fc | 2 ++ + policy/modules/services/bind.fc | 2 ++ 1 file changed, 2 insertions(+) ---- a/policy/modules/contrib/bind.fc -+++ b/policy/modules/contrib/bind.fc -@@ -1,10 +1,12 @@ +diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc +index b4879dc1..59498e25 100644 +--- a/policy/modules/services/bind.fc ++++ b/policy/modules/services/bind.fc +@@ -1,8 +1,10 @@ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0) /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -24,5 +26,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch new file mode 100644 index 0000000..05543da --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch 
@@ -0,0 +1,110 @@ +From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade <shrikant_bobade@mentor.com> +Date: Fri, 26 Aug 2016 17:54:17 +0530 +Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files + services + +fix for systemd tmp files setup service while using refpolicy-minimum and +systemd as init manager. + +these allow rules require kernel domain & files access, so added interfaces +at systemd.te to merge these allow rules. + +without these changes we are getting avc denails like these and below +systemd services failure: + +audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" +path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd +_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file + +audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" +name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 +tclass=dir permissive=0 + +[FAILED] Failed to start Create Static Device Nodes in /dev. +See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. + +[FAILED] Failed to start Create Volatile Files and Directories. +See 'systemctl status systemd-tmpfiles-setup.service' for details. 
+ +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/kernel/files.if | 19 +++++++++++++++++++ + policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++ + policy/modules/system/systemd.te | 2 ++ + 3 files changed, 42 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index eb067ad3..ff74f55a 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -7076,3 +7076,22 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++######################################## ++## <summary> ++## systemd tmp files access to kernel tmp files domain ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` ++ gen_require(` ++ type tmp_t; ++ class lnk_file getattr; ++ ') ++ ++ allow $1 tmp_t:lnk_file getattr; ++') +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 1ad282aa..342eb033 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` + allow $1 unlabeled_t:infiniband_endport manage_subnet; + ') + ++######################################## ++## <summary> ++## systemd tmp files access to kernel sysctl domain ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. 
++## </summary> ++## </param> ++# ++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` ++ gen_require(` ++ type sysctl_kernel_t; ++ class dir search; ++ class file { open read }; ++ ') ++ ++ allow $1 sysctl_kernel_t:dir search; ++ allow $1 sysctl_kernel_t:file { open read }; ++ ++') +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index f1d26a44..b4c64bc1 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated + + seutil_read_file_contexts(systemd_update_done_t) + ++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) ++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) + systemd_log_parse_environment(systemd_update_done_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch new file mode 100644 index 0000000..382a62c --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0009-fc-hwclock-add-hwclock-alternatives.patch 
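Review bot: The two new interfaces are placed in kernel/files.if and kernel/kernel.if but named `systemd_service_allow_kernel_files_domain_to_tmp_t` and `systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t`; refpolicy interfaces carry their owning module's prefix (`files_`, `kernel_`) and are named for the access they grant, and refpolicy already ships generic equivalents such as `kernel_read_kernel_sysctls()` that systemd.te could call directly instead of adding caller-specific interfaces to kernel modules. The sysctl interface also grants `sysctl_kernel_t:file { open read }` although the only denial quoted is `search` on the directory, so the file read is extra access with no stated need. The trailing blank line before `')` in the kernel.if interface should go, and the summary text could follow the refpolicy doc style ("Read kernel sysctls" / "Get attributes of generic tmp symlinks").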
@@ -0,0 +1,28 @@
+From afaee985ce8cb915905b9cbef141db5d4b7f228c Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Thu, 28 Mar 2019 21:59:18 -0400
+Subject: [PATCH 09/34] fc/hwclock: add hwclock alternatives
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/clock.fc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index 30196589..e0dc4b6f 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -2,4 +2,7 @@
+
+ /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
+-/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/usr/lib/busybox/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+--
+2.19.1
+
diff --git a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100644
index 0000000..de9180a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
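Review bot: `/usr/lib/busybox/sbin/hwclock` is declared with `--` (regular files only); in a Yocto busybox install the alternatives under /usr/lib/busybox are commonly symlinks to the single busybox binary, in which case this spec never matches and the hwclock_exec_t transition does not occur for the busybox variant, while labelling the shared busybox binary itself would drag every applet into hwclock_t. Confirm what that path actually is on the target before relying on the entry; the same pattern is used by `/usr/lib/busybox/bin/dmesg` in 0010-fc-dmesg and the `/usr/lib/busybox/bin` and `/usr/lib/busybox/sbin` entries in 0012-fc-sysnetwork. The hunk also removes and re-adds `/usr/sbin/hwclock` unchanged purely to reorder it, which adds churn to the patch for no effect.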
@@ -0,0 +1,70 @@ +From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade <shrikant_bobade@mentor.com> +Date: Fri, 26 Aug 2016 17:54:29 +0530 +Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog + +syslog & getty related allow rules required to fix the syslog mixup with +boot log, while using systemd as init manager. + +without this change we are getting these avc denials: + +audit: avc: denied { search } for pid=484 comm="syslogd" name="/" +dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext= +system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev= +"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u: +object_r:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { add_name } for pid=390 comm="syslogd" name= +"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r +:tmpfs_t:s0 tclass=dir permissive=0 + +audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd +/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u: +system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0 + +audit: avc: denied { create } for pid=374 comm="syslogd" name="messages" +scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t: +s0 tclass=file permissive=0 + +audit: avc: denied { append } for pid=423 comm="syslogd" name="messages" +dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext= +system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/ +volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r: +syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + 
policy/modules/system/getty.te | 1 + + policy/modules/system/logging.te | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index 423db0cc..9ab03956 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -132,3 +132,4 @@ optional_policy(` + + allow getty_t tmpfs_t:dir search; + allow getty_t tmpfs_t:file { open write lock }; ++allow getty_t initrc_t:unix_dgram_socket sendto; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 98c2bd19..6a94ac12 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; + allow syslogd_t self:shm create; + allow syslogd_t self:sem { create read unix_write write }; + allow syslogd_t self:shm { read unix_read unix_write write }; +-allow syslogd_t tmpfs_t:file { read write }; ++allow syslogd_t tmpfs_t:file { read write create getattr append open }; ++allow syslogd_t tmpfs_t:dir { search write add_name }; +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch new file mode 100644 index 0000000..5de6d0d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0010-fc-dmesg-apply-policy-to-dmesg-alternatives.patch 
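Review bot: `allow syslogd_t tmpfs_t:file { read write create getattr append open };` together with `allow syslogd_t tmpfs_t:dir { search write add_name };` gives syslogd_t write access to every generic tmpfs_t object, but the denials quoted show the underlying cause: /var/volatile/log is labelled tmpfs_t rather than var_log_t. Labelling that directory var_log_t (a file-context entry or a filetrans rule for the volatile log tree) would let the existing syslogd rules apply without opening the whole tmpfs to the logger. The `allow getty_t initrc_t:unix_dgram_socket sendto;` addition likewise suggests the journal socket is running as initrc_t instead of a journald type; if that is accepted for the minimum policy it should be stated in the message as a known compromise.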
@@ -0,0 +1,24 @@ +From 9f8b5359ce85eab23a5c46157497c44fd3bc4335 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 08:26:55 -0400 +Subject: [PATCH 10/34] fc/dmesg: apply policy to dmesg alternatives + +Upstream-Status: Pending + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/admin/dmesg.fc | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc +index e52fdfcf..85d15127 100644 +--- a/policy/modules/admin/dmesg.fc ++++ b/policy/modules/admin/dmesg.fc +@@ -1 +1,3 @@ +-/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++/usr/lib/busybox/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch index f01e5aa..ab81b31 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ssh.patch +++ b/recipes-security/refpolicy/refpolicy-git/0011-fc-ssh-apply-policy-to-ssh-alternatives.patch @@ -1,18 +1,20 @@ -Subject: [PATCH] refpolicy: fix real path for ssh +From c7002e990710f83763a1481ddaa56a1f658defee Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 09:20:58 -0400 +Subject: [PATCH 11/34] fc/ssh: apply policy to ssh alternatives -Upstream-Status: Inappropriate [configuration] +Upstream-Status: Pending -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/services/ssh.fc | 1 + + policy/modules/services/ssh.fc | 1 + 1 file changed, 1 insertion(+) +diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc +index 4ac3e733..1f453091 100644 
--- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -2,10 +2,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(syste - - /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +@@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) @@ -20,5 +22,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) - - /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch index 88c8c45..8346fcf 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-sysnetwork.patch +++ b/recipes-security/refpolicy/refpolicy-git/0012-fc-sysnetwork-apply-policy-to-ip-alternatives.patch @@ -1,37 +1,48 @@ -From 56ec3e527f2a03d217d5f07ebb708e6e26fa26ff Mon Sep 17 00:00:00 2001 +From 881a9f637b6eec90d1fa20bf4c102bb595225aaf Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Tue, 9 Jun 2015 21:22:52 +0530 -Subject: [PATCH] refpolicy: fix real path for sysnetwork +Subject: [PATCH 12/34] fc/sysnetwork: apply policy to ip alternatives -Upstream-Status: Inappropriate [configuration] +Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/sysnetwork.fc | 3 +++ - 1 file changed, 3 insertions(+) + policy/modules/system/sysnetwork.fc | 10 ++++++++++ + 1 file changed, 10 insertions(+) +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index ac7c2dd1..4e441503 100644 --- a/policy/modules/system/sysnetwork.fc 
+++ b/policy/modules/system/sysnetwork.fc -@@ -54,17 +54,20 @@ ifdef(`distro_redhat',` - /usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) - /usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +@@ -60,6 +60,8 @@ ifdef(`distro_redhat',` /usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ifconfig\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/ip\.iproute2 -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - /usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +@@ -67,9 +69,17 @@ ifdef(`distro_redhat',` /usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) -+/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/sbin/mii-tool\.net-tools -- gen_context(system_u:object_r:ifconfig_exec_t,s0) /usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++# ++# /usr/lib/busybox ++# ++/usr/lib/busybox/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/lib/busybox/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++/usr/lib/busybox/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) ++ # # /var + # +-- +2.19.1 + 
diff --git a/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch new file mode 100644 index 0000000..9ec2e21 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0013-fc-udev-apply-policy-to-udevadm-in-libexec.patch @@ -0,0 +1,28 @@ +From 434fe791713127cea8a796529266b87763833117 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 09:36:08 -0400 +Subject: [PATCH 13/34] fc/udev: apply policy to udevadm in libexec + +Upstream-Status: Pending + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/udev.fc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc +index 606ad517..2919c0bd 100644 +--- a/policy/modules/system/udev.fc ++++ b/policy/modules/system/udev.fc +@@ -28,6 +28,8 @@ ifdef(`distro_debian',` + /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) + /usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) + ++/usr/libexec/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) ++ + ifdef(`distro_redhat',` + /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) + ') +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch new file mode 100644 index 0000000..fff816a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0014-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch 
@@ -0,0 +1,29 @@ +From c8dbbbaed4371c600d057736d1dab78371066fdd Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 09:54:07 -0400 +Subject: [PATCH 14/34] fc/rpm: apply rpm_exec policy to cpio binaries + +Upstream-Status: Pending + +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/admin/rpm.fc | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc +index 578d465c..f2b8003a 100644 +--- a/policy/modules/admin/rpm.fc ++++ b/policy/modules/admin/rpm.fc +@@ -65,5 +65,8 @@ ifdef(`distro_redhat',` + /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) + + ifdef(`enable_mls',` +-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) + ') ++ +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch index 41c32df..b26eeea 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_su.patch +++ b/recipes-security/refpolicy/refpolicy-git/0015-fc-su-apply-policy-to-su-alternatives.patch @@ -1,20 +1,26 @@ -From 4affa5e9797f5d51597c9b8e0f2503883c766699 Mon Sep 17 00:00:00 2001 +From d6eb7326773a01cea4cb6949e8e8f94e12d145ca Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Thu, 13 Feb 2014 00:33:07 -0500 -Subject: [PATCH] fix real path for su.shadow command +Subject: [PATCH 15/34] fc/su: apply policy to su alternatives -Upstream-Status: Inappropriate [only for Poky] +Upstream-Status: Pending Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 
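Review bot: The new `/usr/bin/cpio.cpio` entry in rpm.fc leaves the dot unescaped, so as a file-context regex it matches any single character in that position; the rest of this series escapes alternatives suffixes (`su\.shadow`, `blkid\.util-linux`), so this line should read `/usr/bin/cpio\.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)`. The `++` after `')` also appends a bare blank line at the end of rpm.fc, which is noise rather than part of the change. Labelling a general-purpose archiver with rpm_exec_t (the entry type for the rpm domain) is already upstream practice under enable_mls for /usr/sbin/cpio, but extending it to the update-alternatives copy deserves one sentence in the commit message explaining which MLS workflow needs cpio to run in the rpm domain.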
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/admin/su.fc | 2 ++ + policy/modules/admin/su.fc | 2 ++ 1 file changed, 2 insertions(+) +diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc +index 3375c969..435a6892 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc -@@ -1,3 +1,4 @@ +@@ -1,3 +1,5 @@ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) -+/usr/bin/su.shadow -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.shadow -- gen_context(system_u:object_r:su_exec_t,s0) ++/usr/bin/su\.util-linux -- gen_context(system_u:object_r:su_exec_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch index d887e96..35676f8 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fstools.patch +++ b/recipes-security/refpolicy/refpolicy-git/0016-fc-fstools-fix-real-path-for-fstools.patch @@ -1,55 +1,47 @@ -From b420621f7bacdb803bfd104686e9b1785d7a6309 Mon Sep 17 00:00:00 2001 +From 4cc043905534403d2c6c5882ed982bd09a6c605f Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 27 Jan 2014 03:54:01 -0500 -Subject: [PATCH] refpolicy: fix real path for fstools +Subject: [PATCH 16/34] fc/fstools: fix real path for fstools -Upstream-Status: Inappropriate [configuration] +Upstream-Status: Pending Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> 
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/fstools.fc | 7 +++++++ - 1 file changed, 7 insertions(+) + policy/modules/system/fstools.fc | 12 ++++++++++++ + 1 file changed, 12 insertions(+) +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index 8fbd5ce4..d719e22c 100644 --- a/policy/modules/system/fstools.fc 
+++ b/policy/modules/system/fstools.fc -@@ -55,10 +55,11 @@ - /usr/bin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) - +@@ -58,6 +58,7 @@ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/blkid/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/blkid\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -68,14 +69,16 @@ - /usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -72,10 +73,12 @@ /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/fdisk/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/hdparm/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/hdparm\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/losetup.* -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -84,21 +87,24 @@ - /usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -88,17 +91,20 @@ /usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/mkswap/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/mkswap\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -62,9 +54,23 @@ 
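Review bot: Of the five corrected entries in this hunk, `/usr/sbin/hdparm\.util-linux` is the one whose alternatives name looks doubtful: hdparm is not a util-linux program, and if the Poky hdparm recipe registers its alternative under its own package name (`hdparm.hdparm`) this pattern never matches and the real binary falls back to whatever the generic /usr/sbin rule gives it. Please confirm with `ls -l /usr/sbin/hdparm*` on a built image and fix the suffix, or make the entry suffix-agnostic the way `swapon.*` and `fsck.*` already are, e.g. `/usr/sbin/hdparm(\..*)? -- gen_context(system_u:object_r:fsadm_exec_t,s0)`. The change from `/.util-linux` to `\.util-linux` for the other entries is clearly right: the old form contained a literal `/` and could never have matched a file.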
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/usr/sbin/swapoff/.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/sbin/swapoff\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -108,6 +114,12 @@ + /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) + ++/usr/lib/busybox/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/lib/busybox/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/lib/busybox/sbin/mkswap -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/lib/busybox/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/usr/lib/busybox/sbin/swapon -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++ + /var/swap -- gen_context(system_u:object_r:swapfile_t,s0) + + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch index b755b45..af24d90 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-syslogd_t-to-trusted-object.patch +++ b/recipes-security/refpolicy/refpolicy-git/0017-policy-module-logging-Add-the-syslogd_t-to-trusted-o.patch 
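Review bot: The five new `/usr/lib/busybox/sbin/*` entries use the `--` (regular file) specifier, so they are silent no-ops if those paths are symlinks to the busybox binary, which as far as I can tell is how Poky installs the applets behind update-alternatives; an `-l` entry would not help either, since execve derives the domain transition from the resolved target's label, not the link's. Please check `ls -l /usr/lib/busybox/sbin/blkid` on a built image: if it is a symlink, the fsadm_exec_t label would have to go on the actual busybox executable (which drags every applet into the same domain), and these lines should be dropped or marked as intentionally dead with a comment such as `# busybox applets are symlinks; see <real binary> for the effective label`. The same caveat applies to the busybox entries added to sysnetwork.fc earlier in this series.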
@@ -1,7 +1,8 @@ -From 27e62a5d9ab9993760369ccdad83673e9148cbb2 Mon Sep 17 00:00:00 2001 +From f84b1809e45bf08ce2a603827de3ade876ce8683 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 1/6] Add the syslogd_t to trusted object +Subject: [PATCH 17/34] policy/module/logging: Add the syslogd_t to trusted + object We add the syslogd_t to trusted object, because other process need to have the right to connectto/sendto /dev/log. @@ -12,14 +13,14 @@ Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/logging.te | 1 + + policy/modules/system/logging.te | 1 + 1 file changed, 1 insertion(+) +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 38ccfe3a..c892f547 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -484,10 +484,11 @@ files_var_lib_filetrans(syslogd_t, syslo - - fs_getattr_all_fs(syslogd_t) +@@ -501,6 +501,7 @@ fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories @@ -27,5 +28,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> term_write_console(syslogd_t) # Allow syslog to a terminal - term_write_unallocated_ttys(syslogd_t) - +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch new file mode 100644 index 0000000..6dca744 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0018-policy-module-logging-add-rules-for-the-symlink-of-v.patch 
@@ -0,0 +1,100 @@ +From ccb0b3884513829a2ab344f1682df6ea6ff4e7de Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 18/34] policy/module/logging: add rules for the symlink of + /var/log + +/var/log is a symlink in poky, so we need allow rules for files to read +lnk_file while doing search/list/delete/rw... in /var/log/ directory. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/logging.fc | 1 + + policy/modules/system/logging.if | 6 ++++++ + policy/modules/system/logging.te | 2 ++ + 3 files changed, 9 insertions(+) + +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 0cf108e0..5bec7e99 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc +@@ -55,6 +55,7 @@ ifdef(`distro_suse', ` + /var/dnscache/log/main(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) + + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) ++/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) + /var/log/.* gen_context(system_u:object_r:var_log_t,s0) + /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 7b7644f7..0c7268ff 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -972,10 +972,12 @@ interface(`logging_append_all_inherited_logs',` + interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, logfile, logfile) + ') + +@@ -994,10 +996,12 @@ interface(`logging_read_all_logs',` + interface(`logging_exec_all_logs',` + gen_require(` + attribute logfile; ++ type var_log_t; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + can_exec($1, logfile) + ') + +@@ -1099,6 +1103,7 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, var_log_t, var_log_t) + ') + +@@ -1200,6 +1205,7 @@ interface(`logging_manage_generic_logs',` + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) ++ allow $1 var_log_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index c892f547..499a4552 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t auditd_log_t:dir 
setattr; + manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) + allow auditd_t var_log_t:dir search_dir_perms; ++allow auditd_t var_log_t:lnk_file read_lnk_file_perms; + + manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) + manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) +@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; + allow audisp_remote_t self:process { getcap setcap }; + allow audisp_remote_t self:tcp_socket create_socket_perms; + allow audisp_remote_t var_log_t:dir search_dir_perms; ++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) + manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch new file mode 100644 index 0000000..a532316 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0019-policy-module-logging-add-rules-for-syslogd-symlink-.patch 
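Review bot: In the four logging.if interfaces the symlink permission is added as a raw `allow $1 var_log_t:lnk_file read_lnk_file_perms;` while the surrounding lines use the refpolicy pattern macros; `read_lnk_files_pattern($1, var_log_t, var_log_t)` is the conventional form and keeps the interfaces uniform, and in `logging_manage_generic_logs` it would sit before `manage_files_pattern` as it does in the other three. Interfaces that only search or list /var/log are outside this hunk and, if /var/log is a symlink on the target, will need the same treatment; I cannot see from here whether a later patch covers them. The `/var/log -l` file-context line is consistent with the existing `-d` entry above it, including the MLS range.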
@@ -0,0 +1,33 @@ +From b52614cce12e4a7d3437350bb35688d5470f92fc Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 10:33:18 -0400 +Subject: [PATCH 19/34] policy/module/logging: add rules for syslogd symlink of + /var/log + +We have added rules for the symlink of /var/log in logging.if, while +syslogd_t uses /var/log but does not use the interfaces in logging.if. So +still need add a individual rule for syslogd_t. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/logging.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 499a4552..e6221a02 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -417,6 +417,7 @@ files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; ++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; + + # for systemd but can not be conditional + files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch index b828b7a..a494671 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-cache-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch @@ -1,7 +1,8 @@ -From bad816bc752369a6c1bf40231c505d21d95cab08 Mon Sep 17 00:00:00 2001 +From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001 
From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Fri, 23 Aug 2013 11:20:00 +0800 -Subject: [PATCH 4/6] add rules for the subdir symlinks in /var/ +Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir + symlinks in /var/ Except /var/log,/var/run,/var/lock, there still other subdir symlinks in /var for poky, so we need allow rules for all domains to read these @@ -13,14 +14,14 @@ Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/kernel/domain.te | 3 +++ + policy/modules/kernel/domain.te | 3 +++ 1 file changed, 3 insertions(+) +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 1a55e3d2..babb794f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -108,10 +108,13 @@ dev_rw_zero(domain) - term_use_controlling_term(domain) - +@@ -110,6 +110,9 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) @@ -30,5 +31,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ifdef(`hide_broken_symptoms',` # This check is in the general socket # listen code, before protocol-specific - # listen function is called, so bad calls - # to listen on UDP sockets should be silenced +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch index d3c1ee5..aa61a80 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/0021-policy-module-files-add-rules-for-the-symlink-of-tmp.patch @@ -1,7 +1,7 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 +From edcfc7eb98658352f3ffdeb8079517c54ba7f984 Mon Sep 17 00:00:00 2001 
From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] add rules for the symlink of /tmp +Subject: [PATCH 21/34] policy/module/files: add rules for the symlink of /tmp /tmp is a symlink in poky, so we need allow rules for files to read lnk_file while doing search/list/delete/rw.. in /tmp/ directory. @@ -11,15 +11,15 @@ Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/kernel/files.fc | 1 + - policy/modules/kernel/files.if | 8 ++++++++ + policy/modules/kernel/files.fc | 1 + + policy/modules/kernel/files.if | 8 ++++++++ 2 files changed, 9 insertions(+) +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index c3496c21..05b1734b 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc -@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.* <<none>> - - # +@@ -176,6 +176,7 @@ HOME_ROOT/lost\+found/.* <<none>> # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) @@ -27,13 +27,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> /tmp/.* <<none>> /tmp/\.journal <<none>> - /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /tmp/lost\+found/.* <<none>> +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index f1c94411..eb067ad3 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',` - gen_require(` - type tmp_t; +@@ -4350,6 +4350,7 @@ interface(`files_search_tmp',` ') allow $1 tmp_t:dir search_dir_perms; @@ -41,11 +39,7 @@ 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Do not audit attempts to search the tmp directory (/tmp). -@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',` - gen_require(` - type tmp_t; +@@ -4386,6 +4387,7 @@ interface(`files_list_tmp',` ') allow $1 tmp_t:dir list_dir_perms; @@ -53,11 +47,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Do not audit listing of the tmp directory (/tmp). -@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',` - gen_require(` - type tmp_t; +@@ -4422,6 +4424,7 @@ interface(`files_delete_tmp_dir_entry',` ') allow $1 tmp_t:dir del_entry_dir_perms; @@ -65,11 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Read files in the tmp directory (/tmp). -@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files' - gen_require(` - type tmp_t; +@@ -4440,6 +4443,7 @@ interface(`files_read_generic_tmp_files',` ') read_files_pattern($1, tmp_t, tmp_t) @@ -77,11 +63,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Manage temporary directories in /tmp. -@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs - gen_require(` - type tmp_t; +@@ -4458,6 +4462,7 @@ interface(`files_manage_generic_tmp_dirs',` ') manage_dirs_pattern($1, tmp_t, tmp_t) @@ -89,11 +71,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Manage temporary files and directories in /tmp. -@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file - gen_require(` - type tmp_t; +@@ -4476,6 +4481,7 @@ interface(`files_manage_generic_tmp_files',` ') manage_files_pattern($1, tmp_t, tmp_t) @@ -101,11 +79,7 @@ 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Read symbolic links in the tmp directory (/tmp). -@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets' - gen_require(` - type tmp_t; +@@ -4512,6 +4518,7 @@ interface(`files_rw_generic_tmp_sockets',` ') rw_sock_files_pattern($1, tmp_t, tmp_t) @@ -113,11 +87,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Mount filesystems in the tmp directory (/tmp) -@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',` - gen_require(` - type tmp_t; +@@ -4719,6 +4726,7 @@ interface(`files_tmp_filetrans',` ') filetrans_pattern($1, tmp_t, $2, $3, $4) @@ -125,5 +95,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Delete the contents of /tmp. +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch index ad7b5a6..68235b1 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-bsdpty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0022-policy-module-terminals-add-rules-for-bsdpty_device_.patch @@ -1,21 +1,22 @@ -From c0b65c327b9354ee5c403cbde428e762ce3f327e Mon Sep 17 00:00:00 2001 +From 938ae00d2358d6ebad8173fce274ebb70d95cf72 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 5/6] add rules for bsdpty_device_t to complete pty devices. +Subject: [PATCH 22/34] policy/module/terminals: add rules for bsdpty_device_t + to complete pty devices. Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/kernel/terminal.if | 16 ++++++++++++++++ + policy/modules/kernel/terminal.if | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 61308843..a84787e6 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -603,13 +603,15 @@ interface(`term_getattr_generic_ptys',` - ## </param> - # +@@ -623,9 +623,11 @@ interface(`term_getattr_generic_ptys',` interface(`term_dontaudit_getattr_generic_ptys',` gen_require(` type devpts_t; @@ -27,11 +28,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## ## <summary> - ## ioctl of generic pty devices. - ## </summary> -@@ -621,15 +623,17 @@ interface(`term_dontaudit_getattr_generi - # - # cjp: added for ppp +@@ -641,11 +643,13 @@ interface(`term_dontaudit_getattr_generic_ptys',` interface(`term_ioctl_generic_ptys',` gen_require(` type devpts_t; @@ -45,11 +42,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Allow setting the attributes of -@@ -643,13 +647,15 @@ interface(`term_ioctl_generic_ptys',` - # - # dwalsh: added for rhgb +@@ -663,9 +667,11 @@ interface(`term_ioctl_generic_ptys',` interface(`term_setattr_generic_ptys',` gen_require(` type devpts_t; @@ -61,11 +54,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Dontaudit setting the attributes of -@@ -663,13 +669,15 @@ interface(`term_setattr_generic_ptys',` - # - # dwalsh: added for rhgb +@@ -683,9 +689,11 @@ interface(`term_setattr_generic_ptys',` interface(`term_dontaudit_setattr_generic_ptys',` gen_require(` type devpts_t; @@ -77,11 +66,7 @@ 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Read and write the generic pty -@@ -683,15 +691,17 @@ interface(`term_dontaudit_setattr_generi - ## </param> - # +@@ -703,11 +711,13 @@ interface(`term_dontaudit_setattr_generic_ptys',` interface(`term_use_generic_ptys',` gen_require(` type devpts_t; @@ -95,11 +80,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Dot not audit attempts to read and -@@ -705,13 +715,15 @@ interface(`term_use_generic_ptys',` - ## </param> - # +@@ -725,9 +735,11 @@ interface(`term_use_generic_ptys',` interface(`term_dontaudit_use_generic_ptys',` gen_require(` type devpts_t; @@ -111,11 +92,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ####################################### - ## <summary> - ## Set the attributes of the tty device -@@ -723,14 +735,16 @@ interface(`term_dontaudit_use_generic_pt - ## </param> - # +@@ -743,10 +755,12 @@ interface(`term_dontaudit_use_generic_ptys',` interface(`term_setattr_controlling_term',` gen_require(` type devtty_t; @@ -128,11 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Read and write the controlling -@@ -743,14 +757,16 @@ interface(`term_setattr_controlling_term - ## </param> - # +@@ -763,10 +777,12 @@ interface(`term_setattr_controlling_term',` interface(`term_use_controlling_term',` gen_require(` type devtty_t; @@ -145,5 +118,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ####################################### - ## <summary> - ## Get the attributes of the pty multiplexor (/dev/ptmx). +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch index e3ea75e..06f9207 100644 
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-don-t-audit-tty_device_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0023-policy-module-terminals-don-t-audit-tty_device_t-in-.patch @@ -1,7 +1,8 @@ -From 29a0d287880f8f83cf4337a3db7c8b94c0c36e1d Mon Sep 17 00:00:00 2001 +From 3f5a9b987211ef511bfd1c76b1a7dffad51fba0c Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 6/6] don't audit tty_device_t in term_dontaudit_use_console. +Subject: [PATCH 23/34] policy/module/terminals: don't audit tty_device_t in + term_dontaudit_use_console. We should also not audit terminal to rw tty_device_t and fds in term_dontaudit_use_console. @@ -11,14 +12,14 @@ Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/kernel/terminal.if | 3 +++ + policy/modules/kernel/terminal.if | 3 +++ 1 file changed, 3 insertions(+) +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index a84787e6..cf66da2f 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -315,13 +315,16 @@ interface(`term_use_console',` - ## </param> - # +@@ -335,9 +335,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -31,5 +32,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ') ######################################## - ## <summary> - ## Set the attributes of the console +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch new file mode 100644 index 0000000..01f6c8b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0024-policy-module-rpc-allow-nfsd-to-exec-shell-commands.patch 
@@ -0,0 +1,29 @@ +From bc1f2fba24fb63cd9a65ec22b34fcc59798bbaff Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Thu, 22 Aug 2013 13:37:23 +0800 +Subject: [PATCH 24/34] policy/module/rpc: allow nfsd to exec shell commands. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/services/rpc.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te +index 47fa2fd0..d4209231 100644 +--- a/policy/modules/services/rpc.te ++++ b/policy/modules/services/rpc.te +@@ -227,7 +227,7 @@ kernel_read_network_state(nfsd_t) + kernel_dontaudit_getattr_core_if(nfsd_t) + kernel_setsched(nfsd_t) + kernel_request_load_module(nfsd_t) +-# kernel_mounton_proc(nfsd_t) ++kernel_mounton_proc(nfsd_t) + + corenet_sendrecv_nfs_server_packets(nfsd_t) + corenet_tcp_bind_nfs_port(nfsd_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch index d0b0073..78a4328 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-nfsd_t-to-mount_nfsd_fs_t.patch +++ b/recipes-security/refpolicy/refpolicy-git/0025-policy-module-rpc-fix-policy-for-nfsserver-to-mount-.patch @@ -1,58 +1,25 @@ -From 054a2d81a42bc127d29a916c64b43ad5a7c97f21 Mon Sep 17 00:00:00 2001 +From f24c277f622d1ae72275525c6d5863f1ddce1d58 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Fri, 23 Aug 2013 12:01:53 +0800 -Subject: [PATCH] fix policy for nfsserver to mount nfsd_fs_t. +Subject: [PATCH 25/34] policy/module/rpc: fix policy for nfsserver to mount + nfsd_fs_t. Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 
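Review bot: The subject of the new 0024 patch says nfsd is allowed to exec shell commands, but the only rule the patch enables is `kernel_mounton_proc(nfsd_t)`, so the title and the change do not match. The body gives no reason why nfsd_t needs to mount on proc, and `Upstream-Status: Inappropriate [only for Poky]` is asserted without saying what makes the rule Poky-specific. A subject such as `policy/module/rpc: allow nfsd_t to mount on proc` plus one sentence naming the denial it fixes would let a later reviewer judge whether the rule is still needed.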
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/contrib/rpc.te | 5 +++++ - policy/modules/contrib/rpcbind.te | 5 +++++ - policy/modules/kernel/filesystem.te | 1 + - policy/modules/kernel/kernel.te | 2 ++ + policy/modules/kernel/filesystem.te | 1 + + policy/modules/kernel/kernel.te | 2 ++ + policy/modules/services/rpc.te | 5 +++++ + policy/modules/services/rpcbind.te | 5 +++++ 4 files changed, 13 insertions(+) ---- a/policy/modules/contrib/rpcbind.te -+++ b/policy/modules/contrib/rpcbind.te -@@ -73,8 +73,13 @@ auth_use_nsswitch(rpcbind_t) - - logging_send_syslog_msg(rpcbind_t) - - miscfiles_read_localization(rpcbind_t) - -+# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, -+# because the are running in different level. So add rules to allow this. -+mls_socket_read_all_levels(rpcbind_t) -+mls_socket_write_all_levels(rpcbind_t) -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) - ') ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -277,10 +277,15 @@ tunable_policy(`nfs_export_all_ro',` - files_read_non_auth_files(nfsd_t) - ') - - optional_policy(` - mount_exec(nfsd_t) -+ # Should domtrans to mount_t while mounting nfsd_fs_t. -+ mount_domtrans(nfsd_t) -+ # nfsd_t need to chdir to /var/lib/nfs and read files. -+ files_list_var(nfsd_t) -+ rpc_read_nfs_state_data(nfsd_t) - ') - - ######################################## - # - # GSSD local policy +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index 41037951..b341ba83 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -127,10 +127,11 @@ fs_noxattr_type(mvfs_t) - allow mvfs_t self:filesystem associate; - genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -129,6 +129,7 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -60,13 +27,11 @@ 
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) type nsfs_t; - fs_type(nsfs_t) - genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 8e958074..7b81c732 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -325,10 +325,12 @@ mcs_process_set_categories(kernel_t) - - mls_process_read_all_levels(kernel_t) +@@ -334,6 +334,8 @@ mls_process_read_all_levels(kernel_t) mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -75,5 +40,38 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ifdef(`distro_redhat',` # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) +diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te +index d4209231..a2327b44 100644 +--- a/policy/modules/services/rpc.te ++++ b/policy/modules/services/rpc.te +@@ -280,6 +280,11 @@ tunable_policy(`nfs_export_all_ro',` + + optional_policy(` + mount_exec(nfsd_t) ++ # Should domtrans to mount_t while mounting nfsd_fs_t. ++ mount_domtrans(nfsd_t) ++ # nfsd_t need to chdir to /var/lib/nfs and read files. ++ files_list_var(nfsd_t) ++ rpc_read_nfs_state_data(nfsd_t) ') + + ######################################## +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index 5914af99..2055c114 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -75,6 +75,11 @@ logging_send_syslog_msg(rpcbind_t) + + miscfiles_read_localization(rpcbind_t) + ++# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t, ++# because the are running in different level. So add rules to allow this. ++mls_socket_read_all_levels(rpcbind_t) ++mls_socket_write_all_levels(rpcbind_t) ++ + ifdef(`distro_debian',` + term_dontaudit_use_unallocated_ttys(rpcbind_t) + ') +-- +2.19.1 + 
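Review bot: The comment above `mls_socket_read_all_levels(rpcbind_t)` in the rpcbind.te hunk is ungrammatical and does not say that these two calls are a blanket MLS override for rpcbind_t rather than a rule scoped to nfsd_t. Suggested wording: `# nfsd_t runs at a different MLS level from rpcbind_t and would otherwise be denied sending it a unix_stream_socket; let rpcbind_t read/write sockets at all levels.` The rpc.te hunk in the same patch comments each added call individually, which is the style the rpcbind.te hunk should match.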
diff --git a/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch new file mode 100644 index 0000000..257395a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0026-policy-module-sysfs-fix-for-new-SELINUXMNT-in-sys.patch 
@@ -0,0 +1,126 @@ +From 06d2bad9325fdc6b0a73858bca7ba51fe591f39d Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 11:16:37 -0400 +Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys + +SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should +add rules to access sysfs. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/kernel/selinux.if | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if +index 6790e5d0..2c95db81 100644 +--- a/policy/modules/kernel/selinux.if ++++ b/policy/modules/kernel/selinux.if +@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs($1) ++ dev_search_sysfs($1) ++ + allow $1 security_t:filesystem mount; + ') + +@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',` + type security_t; + ') + ++ dev_getattr_sysfs($1) ++ dev_search_sysfs($1) ++ + allow $1 security_t:filesystem remount; + ') + +@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',` + ') + + allow $1 security_t:filesystem unmount; ++ ++ dev_getattr_sysfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## +@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',` + ') + + dontaudit $1 security_t:dir getattr; ++ dev_dontaudit_getattr_sysfs($1) ++ dev_dontaudit_search_sysfs($1) + ') + + ######################################## +@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + ') + +@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',` + type security_t; + ') + ++ dev_dontaudit_getattr_sysfs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; + 
') +@@ -361,6 +374,7 @@ interface(`selinux_read_policy',` + type security_t; + ') + ++ dev_getattr_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; +@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',` + type security_t; + ') + ++ dev_getattr_sysfs($1) + dev_search_sysfs($1) + + allow $1 security_t:dir list_dir_perms; +@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',` + bool secure_mode_policyload; + ') + ++ dev_getattr_sysfs($1) + dev_search_sysfs($1) + + allow $1 security_t:dir list_dir_perms; +@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',` + type security_t; + ') + ++ dev_dontaudit_search_sysfs($1) + dontaudit $1 security_t:dir list_dir_perms; + dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:security check_context; +@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',` + type security_t; + ') + ++ dev_getattr_sysfs($1) + dev_search_sysfs($1) + allow $1 self:netlink_selinux_socket create_socket_perms; + allow $1 security_t:dir list_dir_perms; +@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',` + type security_t; + ') + ++ dev_getattr_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch index a1fda13..23226a0 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-sysadm-to-run-rpcinfo.patch +++ b/recipes-security/refpolicy/refpolicy-git/0027-policy-module-rpc-allow-sysadm-to-run-rpcinfo.patch @@ -1,7 +1,7 @@ -From 7005533d61770fed5a3312aa9dfd1c18dae88c16 Mon Sep 17 00:00:00 2001 +From 447036f5ead83977933b375f5587595b85307a7d Mon Sep 17 00:00:00 2001 
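Review bot: In `selinux_unmount_fs` the new `dev_getattr_sysfs($1)` and `dev_search_sysfs($1)` calls are placed after the `allow $1 security_t:filesystem unmount;` rule, whereas in `selinux_mount_fs` and `selinux_remount_fs` the same two calls precede the allow rule. Moving the two lines above `allow $1 security_t:filesystem unmount;` would make the three sibling interfaces read the same way. The same ordering question applies to `selinux_dontaudit_getattr_dir`, where the new dontaudit calls follow the existing dontaudit rule, while in `selinux_dontaudit_search_fs` and `selinux_dontaudit_read_fs` they precede it.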
From: Roy Li <rongqing.li@windriver.com> Date: Sat, 15 Feb 2014 09:45:00 +0800 -Subject: [PATCH] allow sysadm to run rpcinfo +Subject: [PATCH 27/34] policy/module/rpc: allow sysadm to run rpcinfo Upstream-Status: Pending @@ -11,23 +11,21 @@ type=SYSCALL msg=audit(1392427946.976:264): arch=c000003e syscall=42 success=no Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/roles/sysadm.te | 4 ++++ - 1 file changed, 4 insertions(+) + policy/modules/roles/sysadm.te | 1 + + 1 file changed, 1 insertion(+) +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 2ae952bf..d781378f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -1169,10 +1169,14 @@ optional_policy(` - virt_admin(sysadm_t, sysadm_r) - virt_stream_connect(sysadm_t) +@@ -945,6 +945,7 @@ optional_policy(` ') optional_policy(` + rpcbind_stream_connect(sysadm_t) -+') -+ -+optional_policy(` - vmware_role(sysadm_r, sysadm_t) + rpcbind_admin(sysadm_t, sysadm_r) ') - optional_policy(` - vnstatd_admin(sysadm_t, sysadm_r) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch index e0f8c1a..732eaaf 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-seutils-manage-config-files.patch +++ b/recipes-security/refpolicy/refpolicy-git/0028-policy-module-userdomain-fix-selinux-utils-to-manage.patch @@ -1,22 +1,23 @@ -From be8e015aec19553d3753af132861d24da9ed0265 Mon Sep 17 00:00:00 2001 +From 391ab30556a3276bac131b3d4bd6c5e52b49c77c Mon Sep 17 00:00:00 2001 
From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 2/2] refpolicy: fix selinux utils to manage config files +Subject: [PATCH 28/34] policy/module/userdomain: fix selinux utils to manage + config files Upstream-Status: Pending Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/selinuxutil.if | 1 + - policy/modules/system/userdomain.if | 4 ++++ + policy/modules/system/selinuxutil.if | 1 + + policy/modules/system/userdomain.if | 4 ++++ 2 files changed, 5 insertions(+) +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index 20024993..0fdc8c10 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -753,10 +753,11 @@ interface(`seutil_manage_config',` - gen_require(` - type selinux_config_t; +@@ -674,6 +674,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -24,13 +25,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') - - ####################################### +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 5221bd13..4cf987d1 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if -@@ -1361,10 +1361,14 @@ template(`userdom_security_admin_templat - logging_read_audit_log($1) - logging_read_generic_logs($1) +@@ -1431,6 +1431,10 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41,5 +40,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> seutil_run_checkpolicy($1, $2) seutil_run_loadpolicy($1, $2) seutil_run_semanage($1, $2) - seutil_run_setfiles($1, $2) - +-- +2.19.1 + 
diff --git a/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch new file mode 100644 index 0000000..14734b2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0029-policy-module-selinuxutil-fix-setfiles-statvfs-to-ge.patch @@ -0,0 +1,33 @@ +From d97aef0ecdb2ff964b1ed3d0b18ce83c2ab42f14 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 29 Mar 2019 11:30:27 -0400 +Subject: [PATCH 29/34] policy/module/selinuxutil: fix setfiles statvfs to get + file count + +New setfiles will read /proc/mounts and use statvfs in +file_system_count() to get file count of filesystems. + +Upstream-Status: Pending + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/selinuxutil.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 8a1688cc..a9930e9e 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -607,6 +607,7 @@ files_relabel_all_files(setfiles_t) + files_read_usr_symlinks(setfiles_t) + files_dontaudit_read_all_symlinks(setfiles_t) + ++fs_getattr_all_fs(setfiles_t) + fs_getattr_all_xattr_fs(setfiles_t) + fs_getattr_cgroup(setfiles_t) + fs_getattr_nfs(setfiles_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch new file mode 100644 index 0000000..aebdcb3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0030-policy-module-admin-fix-dmesg-to-use-dev-kmsg-as-def.patch 
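Review bot: `fs_getattr_all_fs(setfiles_t)` is added without a comment, so the reason given in the commit message (setfiles' `file_system_count()` walks `/proc/mounts` and calls `statvfs` on every mount) is lost at the point of use. A one-line comment such as `# setfiles' file_system_count() statvfs()s every filesystem in /proc/mounts, not only xattr filesystems` would carry it. By its name the new call presumably subsumes the `fs_getattr_all_xattr_fs`, `fs_getattr_cgroup` and `fs_getattr_nfs` calls directly below it; if that is so, those three could be dropped, but I have not confirmed it against the fs interfaces.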
@@ -0,0 +1,25 @@ +From 43eba9b9205c5e63f634d60ab8eb5302f7bf4408 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Fri, 23 Aug 2013 16:36:09 +0800 +Subject: [PATCH 30/34] policy/module/admin: fix dmesg to use /dev/kmsg as + default input + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/admin/dmesg.if | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if +index e1973c78..739a4bc5 100644 +--- a/policy/modules/admin/dmesg.if ++++ b/policy/modules/admin/dmesg.if +@@ -37,4 +37,5 @@ interface(`dmesg_exec',` + + corecmd_search_bin($1) + can_exec($1, dmesg_exec_t) ++ dev_read_kmsg($1) + ') +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch index 85c40a4..afba90f 100644 --- a/recipes-security/refpolicy/refpolicy-git/ftp-add-ftpd_t-to-mlsfilewrite.patch +++ b/recipes-security/refpolicy/refpolicy-git/0031-policy-module-ftp-add-ftpd_t-to-mls_file_write_all_l.patch @@ -1,7 +1,8 @@ -From e4e95b723d31c7b678a05cd81a96b10185978b4e Mon Sep 17 00:00:00 2001 +From 2d81043e7c98b31b37a1ecd1f037a04c60e662aa Mon Sep 17 00:00:00 2001 From: Roy Li <rongqing.li@windriver.com> Date: Mon, 10 Feb 2014 18:10:12 +0800 -Subject: [PATCH] ftp: add ftpd_t to mls_file_write_all_levels +Subject: [PATCH 31/34] policy/module/ftp: add ftpd_t to + mls_file_write_all_levels Proftpd will create file under /var/run, but its mls is in high, and can not write to lowlevel 
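Review bot: `dev_read_kmsg($1)` is added to `dmesg_exec`, an interface that executes dmesg in the caller's own domain, so every domain that calls `dmesg_exec` gains read access to the kernel message device rather than only a dedicated dmesg domain; the set of callers is not visible here, so whether that widening is acceptable should be checked. A short comment would also record the intent, e.g. `# dmesg now reads /dev/kmsg by default, so a domain running it in place needs read access to it`. Unlike the neighbouring patches, this one also has no `Upstream-Status:` line in its header.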
@@ -12,21 +13,21 @@ type=AVC msg=audit(1392347709.621:15): avc: denied { write } for pid=545 comm type=AVC msg=audit(1392347709.621:15): avc: denied { add_name } for pid=545 comm="proftpd" name="proftpd.delay" scontext=system_u:system_r:ftpd_t:s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 tclass=dir type=SYSCALL msg=audit(1392347709.621:15): arch=c000003e syscall=2 success=yes exit=3 a0=471910 a1=42 a2=1b6 a3=8 items=0 ppid=539 pid=545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s15:c0.c1023 key=(null) -root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name - allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; +root@localhost:~# sesearch --allow -s ftpd_t -t var_run_t|grep dir|grep add_name + allow ftpd_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ; root@localhost:~# Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/contrib/ftp.te | 2 ++ + policy/modules/services/ftp.te | 2 ++ 1 file changed, 2 insertions(+) ---- a/policy/modules/contrib/ftp.te -+++ b/policy/modules/contrib/ftp.te -@@ -148,10 +148,12 @@ init_system_domain(ftpdctl_t, ftpdctl_ex - role ftpdctl_roles types ftpdctl_t; - +diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te +index 29bc077c..d582cf80 100644 +--- a/policy/modules/services/ftp.te ++++ b/policy/modules/services/ftp.te +@@ -150,6 +150,8 @@ role ftpdctl_roles types ftpdctl_t; type ftpdctl_tmp_t; files_tmp_file(ftpdctl_tmp_t) @@ -35,5 +36,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> type sftpd_t; domain_type(sftpd_t) role system_r types sftpd_t; - - type xferlog_t; +-- +2.19.1 + 
diff --git a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch index 6eba356..ced90be 100644 --- a/recipes-security/refpolicy/refpolicy-git/refpolicy-update-for_systemd.patch +++ b/recipes-security/refpolicy/refpolicy-git/0032-policy-module-init-update-for-systemd-related-allow-.patch @@ -1,7 +1,8 @@ -From 07553727dca51631c93bca482442da8d0c50ac94 Mon Sep 17 00:00:00 2001 +From ddb7393018483be0ce1cfc4734043b413e3b8a04 Mon Sep 17 00:00:00 2001 From: Shrikant Bobade <shrikant_bobade@mentor.com> Date: Fri, 12 Jun 2015 19:37:52 +0530 -Subject: [PATCH] refpolicy: update for systemd related allow rules +Subject: [PATCH 32/34] policy/module/init: update for systemd related allow + rules It provide, the systemd support related allow rules @@ -10,14 +11,14 @@ Upstream-Status: Pending Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/system/init.te | 5 +++++ + policy/modules/system/init.te | 5 +++++ 1 file changed, 5 insertions(+) +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index f7635d6f..2e6b57a6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -1387,5 +1387,10 @@ dontaudit systemprocess init_t:unix_stre - optional_policy(` - userdom_dontaudit_search_user_home_dirs(systemprocess) +@@ -1418,3 +1418,8 @@ optional_policy(` userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) userdom_dontaudit_write_user_tmp_files(systemprocess) ') @@ -26,3 +27,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +allow kernel_t init_t:process dyntransition; +allow devpts_t device_t:filesystem associate; +allow init_t self:capability2 block_suspend; +-- +2.19.1 + 
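Review bot: The three rules appended to init.te are bare `allow` statements naming types owned by other modules (`kernel_t`, `devpts_t`, `device_t`) instead of calls to the interfaces those modules export, which is the convention the surrounding context (`userdom_dontaudit_*`) follows; in a modular build such direct references may also need a matching `gen_require`, though that cannot be confirmed from the hunk. `allow kernel_t init_t:process dyntransition;` in particular is a notable grant and deserves a comment stating which systemd behaviour needs it, since the commit message only says the rules are "systemd related". At minimum a comment such as `# systemd: kernel_t dyntransitions to init_t, devpts associates with device_t, init needs CAP_BLOCK_SUSPEND` above the three rules would document the intent.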
diff --git a/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch new file mode 100644 index 0000000..09a16fb --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0033-refpolicy-minimum-make-sysadmin-module-optional.patch 
@@ -0,0 +1,67 @@ +From a45624beb571ad5dadfca95d53ff69925c9f628c Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe_macdonald@mentor.com> +Date: Fri, 5 Apr 2019 11:53:28 -0400 +Subject: [PATCH 33/34] refpolicy/minimum: make sysadmin module optional + +init and locallogin modules have a depend for sysadm module because +they have called sysadm interfaces(sysadm_shell_domtrans). Since +sysadm is not a core module, we could make the sysadm_shell_domtrans +calls optionally by optional_policy. + +So, we could make the minimum policy without sysadm module. + +Upstream-Status: pending + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +--- + policy/modules/system/init.te | 16 +++++++++------- + policy/modules/system/locallogin.te | 4 +++- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 2e6b57a6..d8696580 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -448,13 +448,15 @@ ifdef(`init_systemd',` + modutils_domtrans(init_t) + ') + ',` +- tunable_policy(`init_upstart',` +- corecmd_shell_domtrans(init_t, initrc_t) +- ',` +- # Run the shell in the sysadm role for single-user mode. +- # causes problems with upstart +- ifndef(`distro_debian',` +- sysadm_shell_domtrans(init_t) ++ optional_policy(` ++ tunable_policy(`init_upstart',` ++ corecmd_shell_domtrans(init_t, initrc_t) ++ ',` ++ # Run the shell in the sysadm role for single-user mode. 
++ # causes problems with upstart ++ ifndef(`distro_debian',` ++ sysadm_shell_domtrans(init_t) ++ ') + ') + ') + ') +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index a56f3d1f..4c679ff3 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -266,7 +266,9 @@ userdom_use_unpriv_users_fds(sulogin_t) + userdom_search_user_home_dirs(sulogin_t) + userdom_use_user_ptys(sulogin_t) + +-sysadm_shell_domtrans(sulogin_t) ++optional_policy(` ++ sysadm_shell_domtrans(sulogin_t) ++') + + # by default, sulogin does not use pam... + # sulogin_pam might need to be defined otherwise +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch index 8d22c21..03b1439 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch +++ b/recipes-security/refpolicy/refpolicy-git/0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch @@ -1,7 +1,8 @@ -From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001 +From 2e2abdbc7a0e57a27518de0d879ecc84053203d8 Mon Sep 17 00:00:00 2001 From: Xin Ouyang <Xin.Ouyang@windriver.com> Date: Thu, 22 Aug 2013 19:36:44 +0800 -Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2 +Subject: [PATCH 34/34] policy/module/apache: add rules for the symlink of + /var/log - apache2 We have added rules for the symlink of /var/log in logging.if, while apache.te uses /var/log but does not use the interfaces in @@ -12,20 +13,21 @@ Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 
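Review bot: Wrapping the whole `tunable_policy(init_upstart, ...)` block in `optional_policy` in the init.te hunk also makes the `corecmd_shell_domtrans(init_t, initrc_t)` branch optional, although only `sysadm_shell_domtrans(init_t)` depends on the sysadm module; if the optional block is disabled because sysadm is absent, the upstart shell transition is lost with it. Keep the tunable at its original nesting and wrap only the sysadm call, as the locallogin.te hunk in the same patch already does. `Upstream-Status: pending` also differs in case from the `Pending` used by the neighbouring patches.
```m4
	# … unchanged: init_systemd branch above …
	tunable_policy(`init_upstart',`
		corecmd_shell_domtrans(init_t, initrc_t)
	',`
		# Run the shell in the sysadm role for single-user mode.
		# causes problems with upstart
		ifndef(`distro_debian',`
			optional_policy(`
				sysadm_shell_domtrans(init_t)
			')
		')
	')
```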
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> --- - policy/modules/contrib/apache.te | 1 + + policy/modules/services/apache.te | 1 + 1 file changed, 1 insertion(+) ---- a/policy/modules/contrib/apache.te -+++ b/policy/modules/contrib/apache.te -@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di - create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) - create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) - append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te +index 15c4ea53..596370b1 100644 +--- a/policy/modules/services/apache.te ++++ b/policy/modules/services/apache.te +@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t) logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; - mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +-- +2.19.1 + diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch deleted file mode 100644 index 946dcc2..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-clock.patch +++ /dev/null 
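Review bot: `read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)` names `var_log_t`, a type owned by the logging module, directly in apache.te, while the commit message says the symlink rules for `/var/log` were added to logging.if; calling that logging interface instead of the raw pattern keeps apache.te from depending on logging's private type and matches the `logging_log_filetrans(httpd_t, httpd_log_t, file)` call two lines below. If the interface is used, the new line becomes a single interface call taking `httpd_t` as its argument. The rest of the hunk is context only.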
@@ -1,19 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for clock - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/clock.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/system/clock.fc -+++ b/policy/modules/system/clock.fc -@@ -1,5 +1,6 @@ - /etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) - - /usr/bin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) - -+/usr/sbin/hwclock\.util-linux -- gen_context(system_u:object_r:hwclock_exec_t,s0) - /usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch deleted file mode 100644 index 689c75b..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-dmesg.patch +++ /dev/null @@ -1,15 +0,0 @@ -Subject: [PATCH] refpolicy: fix real path for dmesg - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/admin/dmesg.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/admin/dmesg.fc -+++ b/policy/modules/admin/dmesg.fc -@@ -1 +1,2 @@ -+/usr/bin/dmesg\.util-linux -- gen_context(system_u:object_r:dmesg_exec_t,s0) - /usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch deleted file mode 100644 index b441257..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-fix-real-path_shadow.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -Subject: [PATCH] fix real path for shadow commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/admin/usermanage.fc | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/policy/modules/admin/usermanage.fc -+++ b/policy/modules/admin/usermanage.fc -@@ -2,20 +2,24 @@ ifdef(`distro_debian',` - /etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) - ') - - /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chfn\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) -+/usr/bin/chsh\.shadow -- gen_context(system_u:object_r:chfn_exec_t,s0) - /usr/bin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) - /usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) - /usr/bin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.shadow -- gen_context(system_u:object_r:passwd_exec_t,s0) -+/usr/bin/passwd\.tinylogin -- gen_context(system_u:object_r:passwd_exec_t,s0) - /usr/bin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/bin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/bin/userdel -- 
gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/bin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) -@@ -36,10 +40,12 @@ ifdef(`distro_debian',` - /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) - /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/usr/sbin/vigr\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) -+/usr/sbin/vipw\.shadow -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) - - /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - - /var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch deleted file mode 100644 index 5ed7eae..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-ftpwho-dir.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -fix ftpwho install dir - -Upstream-Status: Pending - -ftpwho is installed into /usr/bin/, not /usr/sbin, so fix it - -Signed-off-by: Roy Li <rongqing.li@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/ftp.fc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/policy/modules/contrib/ftp.fc -+++ b/policy/modules/contrib/ftp.fc -@@ -15,11 +15,11 @@ - /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - - /usr/lib/systemd/system/proftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) - /usr/lib/systemd/system/vsftpd.*\.service -- gen_context(system_u:object_r:ftpd_unit_t,s0) - --/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) -+/usr/bin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch deleted file mode 100644 index b3e2846..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-mta.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From c0bb2996db4f55f3987967bacfb99805fc45d027 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:21:55 +0800 -Subject: [PATCH] refpolicy: fix real path for mta - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/mta.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/contrib/mta.fc -+++ b/policy/modules/contrib/mta.fc -@@ -23,10 +23,11 @@ HOME_DIR/\.maildir(/.*)? gen_context(sys - /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - - /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch deleted file mode 100644 index 0adf7c2..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-nscd.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 642fab321a5f1f40495b4ca07f1fca4145024986 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:25:36 +0800 -Subject: [PATCH] refpolicy: fix real path for nscd - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/nscd.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/contrib/nscd.fc -+++ b/policy/modules/contrib/nscd.fc -@@ -1,8 +1,9 @@ - /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - - /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) -+/usr/bin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - - /var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - - /var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch deleted file mode 100644 index 3cd766d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-rpm.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 3ecbd842d51a8e70b3403e857a24203285d4983b Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Mon, 27 Jan 2014 01:13:06 -0500 -Subject: [PATCH] refpolicy: fix real path for cpio - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/rpm.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/contrib/rpm.fc -+++ b/policy/modules/contrib/rpm.fc -@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` - /run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) - /run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - - ifdef(`enable_mls',` - /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/bin/cpio.cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch deleted file mode 100644 index 8ea210e..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-screen.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 3615e2d67f402a37ae7333e62b54f1d9d0a3bfd1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 19:27:19 +0800 -Subject: [PATCH] refpolicy: fix real path for screen - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/screen.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/contrib/screen.fc -+++ b/policy/modules/contrib/screen.fc -@@ -4,6 +4,7 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys - - /run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) - /run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0) - - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -+/usr/bin/screen-.* -- gen_context(system_u:object_r:screen_exec_t,s0) - /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch deleted file mode 100644 index 8aec193..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-subs_dist.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -Subject: [PATCH] fix file_contexts.subs_dist for poky - -This file is used for Linux distros to define specific pathes -mapping to the pathes in file_contexts. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - config/file_contexts.subs_dist | 11 +++++++++++ - 1 file changed, 11 insertions(+) - ---- a/config/file_contexts.subs_dist -+++ b/config/file_contexts.subs_dist -@@ -26,5 +26,16 @@ - - # backward compatibility - # not for refpolicy intern, but for /var/run using applications, - # like systemd tmpfiles or systemd socket configurations - /var/run /run -+ -+/var/volatile/log /var/log -+/var/volatile/run /var/run -+/var/volatile/cache /var/cache -+/var/volatile/tmp /var/tmp -+/var/volatile/lock /var/lock -+/var/volatile/run/lock /var/lock -+/www /var/www -+/usr/lib/busybox/bin /bin -+/usr/lib/busybox/sbin /sbin -+/usr/lib/busybox/usr /usr diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch deleted file mode 100644 index f53b551..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-udevd.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 025bd3c77d3eeb0e316413bf7e6353f1ccd7f6b2 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Sat, 25 Jan 2014 23:40:05 -0500 -Subject: [PATCH] refpolicy: fix real path for udevd/udevadm - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/udev.fc | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/policy/modules/system/udev.fc -+++ b/policy/modules/system/udev.fc -@@ -32,10 +32,11 @@ ifdef(`distro_redhat',` - /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) - ') - - /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) -+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - - /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - - /run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) - diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch deleted file mode 100644 index 49136e6..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_bash.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index f2e4f51..c39912d 100644 ---- a/policy/modules/kernel/corecommands.fc -+++ b/policy/modules/kernel/corecommands.fc -@@ -141,6 +141,7 @@ ifdef(`distro_gentoo',` - /usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) -+/usr/bin\.bash -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/bin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch deleted file mode 100644 index e3edce1..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_hostname.patch +++ /dev/null @@ -1,19 +0,0 @@ -From 845518a6f196e6e8c49ba38791c85e17276920e1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 3/4] fix update-alternatives for hostname - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/hostname.fc | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/system/hostname.fc -+++ b/policy/modules/system/hostname.fc -@@ -1 +1,3 @@ -+/usr/bin/hostname\.net-tools -- gen_context(system_u:object_r:hostname_exec_t,s0) -+ - /usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch deleted file mode 100644 index b12ee9d..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-syslogd_t-symlink.patch +++ /dev/null @@ -1,29 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t - -We have added rules for the symlink of /var/log in logging.if, -while syslogd_t uses /var/log but does not use the -interfaces in logging.if. So still need add a individual rule for -syslogd_t. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.te | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -406,10 +406,11 @@ manage_files_pattern(syslogd_t, var_log_ - rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) - files_search_spool(syslogd_t) - - # Allow access for syslog-ng - allow syslogd_t var_log_t:dir { create setattr }; -+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms; - - # for systemd but can not be conditional - files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") - - # manage temporary files diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch deleted file mode 100644 index 7c7355f..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t - -We have added rules for the symlink of /var/log in logging.if, -while audisp_remote_t uses /var/log but does not use the -interfaces in logging.if. So still need add a individual rule for -audisp_remote_t. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.te | 1 + - 1 file changed, 1 insertion(+) - ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -280,10 +280,11 @@ optional_policy(` - - allow audisp_remote_t self:capability { setpcap setuid }; - allow audisp_remote_t self:process { getcap setcap }; - allow audisp_remote_t self:tcp_socket create_socket_perms; - allow audisp_remote_t var_log_t:dir search_dir_perms; -+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) - manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) - files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) - diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch deleted file mode 100644 index 4a05a2a..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH 2/6] add rules for the symlink of /var/log - -/var/log is a symlink in poky, so we need allow rules for files to read -lnk_file while doing search/list/delete/rw.. in /var/log/ directory. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/logging.fc | 1 + - policy/modules/system/logging.if | 14 +++++++++++++- - policy/modules/system/logging.te | 1 + - 3 files changed, 15 insertions(+), 1 deletion(-) - -Index: refpolicy/policy/modules/system/logging.fc -=================================================================== ---- refpolicy.orig/policy/modules/system/logging.fc -+++ refpolicy/policy/modules/system/logging.fc -@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` - /var/dnscache/log/main(/.*)? 
gen_context(system_u:object_r:var_log_t,s0) - - /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) -+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) - /var/log/.* gen_context(system_u:object_r:var_log_t,s0) - /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -Index: refpolicy/policy/modules/system/logging.if -=================================================================== ---- refpolicy.orig/policy/modules/system/logging.if -+++ refpolicy/policy/modules/system/logging.if -@@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_ - interface(`logging_read_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, logfile, logfile) - ') - -@@ -967,10 +969,12 @@ interface(`logging_read_all_logs',` - interface(`logging_exec_all_logs',` - gen_require(` - attribute logfile; -+ type var_log_t; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - can_exec($1, logfile) - ') - -@@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, var_log_t, var_log_t) - ') - -@@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs', - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## -Index: refpolicy/policy/modules/system/logging.te -=================================================================== ---- refpolicy.orig/policy/modules/system/logging.te -+++ refpolicy/policy/modules/system/logging.te -@@ -159,6 +159,7 @@ 
manage_files_pattern(auditd_t, auditd_lo - allow auditd_t auditd_log_t:dir setattr; - manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) - allow auditd_t var_log_t:dir search_dir_perms; -+allow auditd_t var_log_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) - manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch deleted file mode 100644 index a9a0a55..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] allow nfsd to exec shell commands. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/contrib/rpc.te | 2 +- - policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ - 2 files changed, 19 insertions(+), 1 deletion(-) - ---- a/policy/modules/contrib/rpc.te -+++ b/policy/modules/contrib/rpc.te -@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir - - kernel_read_network_state(nfsd_t) - kernel_dontaudit_getattr_core_if(nfsd_t) - kernel_setsched(nfsd_t) - kernel_request_load_module(nfsd_t) --# kernel_mounton_proc(nfsd_t) -+kernel_mounton_proc(nfsd_t) - - corenet_sendrecv_nfs_server_packets(nfsd_t) - corenet_tcp_bind_nfs_port(nfsd_t) - corenet_udp_bind_nfs_port(nfsd_t) - ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',` - allow $1 proc_t:filesystem unmount; - ') - - ######################################## - ## <summary> --## Get the attributes of the proc filesystem. -+## Mounton a proc filesystem. - ## </summary> - ## <param name="domain"> - ## <summary> - ## Domain allowed access. - ## </summary> - ## </param> - # --interface(`kernel_getattr_proc',` -+interface(`kernel_mounton_proc',` - gen_require(` - type proc_t; - ') - -- allow $1 proc_t:filesystem getattr; -+ allow $1 proc_t:dir mounton; - ') - - ######################################## - ## <summary> --## Mount on proc directories. -+## Get the attributes of the proc filesystem. - ## </summary> - ## <param name="domain"> - ## <summary> - ## Domain allowed access. 
- ## </summary> - ## </param> --## <rolecap/> - # --interface(`kernel_mounton_proc',` -+interface(`kernel_getattr_proc',` - gen_require(` - type proc_t; - ') - -- allow $1 proc_t:dir mounton; -+ allow $1 proc_t:filesystem getattr; - ') - - ######################################## - ## <summary> - ## Do not audit attempts to set the diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch deleted file mode 100644 index 08e9398..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-setfiles_t-to-read-symlinks.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 87b6daf87a07350a58c1724db8fc0a99b849818a Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix setfiles_t to read symlinks - -Upstream-Status: Pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.te | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -591,10 +591,13 @@ files_read_etc_files(setfiles_t) - files_list_all(setfiles_t) - files_relabel_all_files(setfiles_t) - files_read_usr_symlinks(setfiles_t) - files_dontaudit_read_all_symlinks(setfiles_t) - -+# needs to be able to read symlinks to make restorecon on symlink working -+files_read_all_symlinks(setfiles_t) -+ - fs_getattr_all_xattr_fs(setfiles_t) - fs_getattr_nfs(setfiles_t) - fs_getattr_pstore_dirs(setfiles_t) - fs_getattr_pstorefs(setfiles_t) - fs_getattr_tracefs(setfiles_t) 
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch deleted file mode 100644 index 11a6963..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-dmesg-to-use-dev-kmsg.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 2f5981f2244289a1cc79748e9ffdaaea168b1df2 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 16:36:09 +0800 -Subject: [PATCH] fix dmesg to use /dev/kmsg as default input - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/admin/dmesg.if | 1 + - policy/modules/admin/dmesg.te | 2 ++ - 2 files changed, 3 insertions(+) - ---- a/policy/modules/admin/dmesg.if -+++ b/policy/modules/admin/dmesg.if -@@ -35,6 +35,7 @@ interface(`dmesg_exec',` - type dmesg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dmesg_exec_t) -+ dev_read_kmsg($1) - ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch deleted file mode 100644 index f3adc70..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch +++ /dev/null 
@@ -1,253 +0,0 @@ -From 0bd1187768c79ccf7d0563fa8e2bc01494fef167 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Thu, 22 Aug 2013 13:37:23 +0800 -Subject: [PATCH] fix for new SELINUXMNT in /sys - -SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should -add rules to access sysfs. - -Upstream-Status: Inappropriate [only for Poky] - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/kernel/selinux.if | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -56,10 +56,14 @@ interface(`selinux_labeled_boolean',` - interface(`selinux_get_fs_mount',` - gen_require(` - type security_t; - ') - -+ # SELINUXMNT is now /sys/fs/selinux, so we should add rules to -+ # access sysfs -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - allow $1 security_t:filesystem getattr; - -@@ -86,10 +90,11 @@ interface(`selinux_get_fs_mount',` - interface(`selinux_dontaudit_get_fs_mount',` - gen_require(` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - dontaudit $1 security_t:filesystem getattr; - -@@ -115,10 +120,12 @@ interface(`selinux_dontaudit_get_fs_moun - interface(`selinux_mount_fs',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem mount; - ') - - ######################################## - ## <summary> -@@ -134,10 +141,12 @@ interface(`selinux_mount_fs',` - interface(`selinux_remount_fs',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ 
dev_search_sysfs($1) - allow $1 security_t:filesystem remount; - ') - - ######################################## - ## <summary> -@@ -152,10 +161,12 @@ interface(`selinux_remount_fs',` - interface(`selinux_unmount_fs',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem unmount; - ') - - ######################################## - ## <summary> -@@ -170,10 +181,12 @@ interface(`selinux_unmount_fs',` - interface(`selinux_getattr_fs',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) -+ dev_search_sysfs($1) - allow $1 security_t:filesystem getattr; - - dev_getattr_sysfs($1) - dev_search_sysfs($1) - ') -@@ -192,10 +205,11 @@ interface(`selinux_getattr_fs',` - interface(`selinux_dontaudit_getattr_fs',` - gen_require(` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:filesystem getattr; - - dev_dontaudit_getattr_sysfs($1) - dev_dontaudit_search_sysfs($1) - ') -@@ -214,10 +228,11 @@ interface(`selinux_dontaudit_getattr_fs' - interface(`selinux_dontaudit_getattr_dir',` - gen_require(` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir getattr; - ') - - ######################################## - ## <summary> -@@ -232,10 +247,11 @@ interface(`selinux_dontaudit_getattr_dir - interface(`selinux_search_fs',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir search_dir_perms; - ') - - ######################################## -@@ -251,10 +267,11 @@ interface(`selinux_search_fs',` - interface(`selinux_dontaudit_search_fs',` - gen_require(` - type security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - ') - - ######################################## - ## <summary> -@@ -270,10 +287,11 @@ interface(`selinux_dontaudit_search_fs', - interface(`selinux_dontaudit_read_fs',` - gen_require(` - type 
security_t; - ') - -+ dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - ') - - ######################################## -@@ -291,10 +309,11 @@ interface(`selinux_dontaudit_read_fs',` - interface(`selinux_get_enforce_mode',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - ') - -@@ -359,10 +378,11 @@ interface(`selinux_load_policy',` - interface(`selinux_read_policy',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; - ') -@@ -424,10 +444,11 @@ interface(`selinux_set_boolean',` - interface(`selinux_set_generic_booleans',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - -@@ -461,10 +482,11 @@ interface(`selinux_set_all_booleans',` - type security_t, secure_mode_policyload_t; - attribute boolean_type; - bool secure_mode_policyload; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; -@@ -520,10 +542,11 @@ interface(`selinux_set_parameters',` - interface(`selinux_validate_context',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security check_context; - ') -@@ -542,10 +565,11 @@ interface(`selinux_validate_context',` - interface(`selinux_dontaudit_validate_context',` - gen_require(` - type security_t; - ') - -+ 
dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; - ') - -@@ -563,10 +587,11 @@ interface(`selinux_dontaudit_validate_co - interface(`selinux_compute_access_vector',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; - ') -@@ -658,10 +683,11 @@ interface(`selinux_compute_relabel_conte - interface(`selinux_compute_user_contexts',` - gen_require(` - type security_t; - ') - -+ dev_getattr_sysfs_dirs($1) - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; - ') diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch deleted file mode 100644 index 0cd8bf9..0000000 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-setfiles-statvfs-get-file-count.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From f4e034d6996c5b1f88a9262828dac2ad6ee09b7b Mon Sep 17 00:00:00 2001 -From: Xin Ouyang <Xin.Ouyang@windriver.com> -Date: Fri, 23 Aug 2013 14:38:53 +0800 -Subject: [PATCH] fix setfiles statvfs to get file count - -New setfiles will read /proc/mounts and use statvfs in -file_system_count() to get file count of filesystems. - -Upstream-Status: pending - -Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> -Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com> -Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> ---- - policy/modules/system/selinuxutil.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -594,10 +594,11 @@ files_read_usr_symlinks(setfiles_t) - files_dontaudit_read_all_symlinks(setfiles_t) - - # needs to be able to read symlinks to make restorecon on symlink working - files_read_all_symlinks(setfiles_t) - -+fs_getattr_all_fs(setfiles_t) - fs_getattr_all_xattr_fs(setfiles_t) - fs_getattr_nfs(setfiles_t) - fs_getattr_pstore_dirs(setfiles_t) - fs_getattr_pstorefs(setfiles_t) - fs_getattr_tracefs(setfiles_t) |