[yocto] [PATCH 1/1] refpolicy: backport two patches to fix dhclient, hostname and ifconfig

rongqing.li at windriver.com rongqing.li at windriver.com
Sun Feb 9 23:12:08 PST 2014


From: Roy Li <rongqing.li at windriver.com>

Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
 ...-not-audit-attempts-by-hostname-to-read-a.patch |   59 ++++++++++++++++++++
 ...dhcpc-binds-socket-to-random-high-udp-por.patch |   41 ++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    2 +
 3 files changed, 102 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
new file mode 100644
index 0000000..edba56d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/hostname-do-not-audit-attempts-by-hostname-to-read-a.patch
@@ -0,0 +1,59 @@
+From 0857061b58e5ec0bf00e78839254f21519ed55d4 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift at gmail.com>
+Date: Fri, 27 Sep 2013 10:36:14 +0200
+Subject: [PATCH] hostname: do not audit attempts by hostname to read and
+ write dhcpc udp sockets (looks like a leaked fd)
+
+Upstream-Status: backport
+
+Signed-off-by: Dominick Grift <dominick.grift at gmail.com>
+---
+ policy/modules/system/hostname.te   |    1 +
+ policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
+index f6cbda9..380197b 100644
+--- a/policy/modules/system/hostname.te
++++ b/policy/modules/system/hostname.te
+@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
+ 
+ miscfiles_read_localization(hostname_t)
+ 
++sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
+ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
+ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
+index 52b548c..2cea692 100644
+--- a/policy/modules/system/sysnetwork.if
++++ b/policy/modules/system/sysnetwork.if
+@@ -47,6 +47,25 @@ interface(`sysnet_run_dhcpc',`
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to read and
++##	write dhcpc udp socket descriptors.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
++	gen_require(`
++		type dhcpc_t;
++	')
++
++	dontaudit $1 dhcpc_t:udp_socket { read write };
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to use
+ ##	the dhcp file descriptors.
+ ## </summary>
+-- 
+1.7.10.4
+
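Review bot: the new `sysnet_dontaudit_rw_dhcpc_udp_sockets` interface silences the AVC denial rather than removing its cause; the description itself says the socket "looks like a leaked fd", so the dontaudit is a workaround for dhclient (or its hook scripts) executing hostname without closing the socket, and the patch description should say so explicitly so the rule can be dropped once the descriptor is closed on exec. The permission set is correctly kept to `{ read write }` on `dhcpc_t:udp_socket` with no bind, connect or sendto; please keep it that narrow, since dontaudit also hides the evidence that hostname ever touched the socket. Minor: `Upstream-Status: backport` should be spelled `Upstream-Status: Backport`, the capitalised form the Yocto/OE patch guidelines use; the upstream commit id is already preserved in the From line, which is good.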
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
new file mode 100644
index 0000000..e95d675
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch
@@ -0,0 +1,41 @@
+From b1599e01fe3f3e7a1c2048d1c466e3e842952924 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift at gmail.com>
+Date: Fri, 27 Sep 2013 11:35:41 +0200
+Subject: [PATCH] sysnetwork: dhcpc binds socket to random high udp ports
+ sysnetwork: do not audit attempts by ifconfig to read, and
+ write dhcpc udp sockets (looks like a leaked fd)
+
+Upstream-Status: backport
+
+Signed-off-by: Dominick Grift <dominick.grift at gmail.com>
+---
+ policy/modules/system/sysnetwork.te |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index f9dce11..67709b5 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -111,7 +111,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++
++corenet_sendrecv_all_server_packets(dhcpc_t)
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+ 
+ dev_read_sysfs(dhcpc_t)
+ # for SSP:
+@@ -313,6 +315,8 @@ modutils_domtrans_insmod(ifconfig_t)
+ 
+ seutil_use_runinit_fds(ifconfig_t)
+ 
++sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
++
+ userdom_use_user_terminals(ifconfig_t)
+ userdom_use_all_users_fds(ifconfig_t)
+ 
+-- 
+1.7.10.4
+
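Review bot: in the first hunk of the embedded sysnetwork.te diff, replacing `corenet_sendrecv_dhcpc_server_packets(dhcpc_t)` with `corenet_sendrecv_all_server_packets(dhcpc_t)` and adding `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` widens dhcpc_t from the DHCP ports to every unreserved UDP port and every labelled server packet type, yet the subject only mentions binding to random high UDP ports and the description gives no reason the packet rule must be widened too; please record why `corenet_sendrecv_dhcpc_server_packets` no longer suffices (or keep it and add only the bind rule) so the broadening is deliberate rather than incidental. The commit also bundles two unrelated changes, the dhcpc port/packet rules and the `sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)` call in the second hunk, under one folded subject line; as a verbatim upstream backport that is acceptable, but the tag should again read `Upstream-Status: Backport`.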
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 4b618b2..a052a2c 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -50,6 +50,8 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-seutils-manage-config-files.patch \
             file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+            file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
+            file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
            "
 
 # Backport from upstream
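Review bot: the two new `file://` entries are appended to the block of `poky-policy-fix-*.patch` entries, but the `# Backport from upstream` comment that follows this hunk appears to introduce the recipe's backport entries, and both new patches carry an `Upstream-Status: backport` tag, so they belong after that comment next to the other backports rather than among the poky-local fixes. Also, `hostname-do-not-audit-attempts-by-hostname-to-read-a.patch` and `sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch` are git format-patch's truncated subject lines ending mid-word; renaming them to a complete phrase would make the SRC_URI list readable.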
-- 
1.7.10.4