diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch new file mode 100644 index 0000000..f4e4809 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch @@ -0,0 +1,81 @@ +From 15b4f9a17d1f45dc6e15e4a3b0e6490a9a518df6 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Mon, 20 Apr 2020 11:50:03 +0800 +Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux + user + +For targeted policy type, we define unconfined_u as the default selinux +user for root and normal users, so users could login and run most +commands and services on unconfined domains. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + config/appconfig-mcs/failsafe_context | 2 +- + config/appconfig-mcs/seusers | 4 ++-- + policy/modules/system/unconfined.te | 5 +++++ + policy/users | 6 +++--- + 4 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context +index 999abd9a3..a50bde775 100644 +--- a/config/appconfig-mcs/failsafe_context ++++ b/config/appconfig-mcs/failsafe_context +@@ -1 +1 @@ +-sysadm_r:sysadm_t:s0 ++unconfined_r:unconfined_t:s0 +diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers +index ce614b41b..c0903d98b 100644 +--- a/config/appconfig-mcs/seusers ++++ b/config/appconfig-mcs/seusers +@@ -1,2 +1,2 @@ +-root:root:s0-mcs_systemhigh +-__default__:user_u:s0 ++root:unconfined_u:s0-mcs_systemhigh ++__default__:unconfined_u:s0 +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index 6c9769b04..01c9a7243 100644 +--- a/policy/modules/system/unconfined.te ++++ b/policy/modules/system/unconfined.te +@@ -20,6 +20,11 @@ type unconfined_execmem_t alias ada_t; + type unconfined_execmem_exec_t alias ada_exec_t; + init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) + role unconfined_r types unconfined_execmem_t; ++role unconfined_r types unconfined_t; ++role system_r types unconfined_t; ++role_transition system_r unconfined_exec_t unconfined_r; ++allow system_r unconfined_r; ++allow unconfined_r system_r; + + ######################################## + # +diff --git a/policy/users b/policy/users +index ca203758c..e737cd9cc 100644 +--- a/policy/users ++++ b/policy/users +@@ -15,7 +15,7 @@ + # and a user process should never be assigned the system user + # identity. + # +-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + + # + # user_u is a generic user identity for Linux users who have no +@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',` + # not in the sysadm_r. + # + ifdef(`direct_sysadm_daemon',` +- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ',` +- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) ++ gen_user(root, sysadm, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) + ') +-- +2.25.1 + |