[yocto] [PATCH 1/1] refpolicy: make proftpd be able to work
rongqing.li at windriver.com
rongqing.li at windriver.com
Mon Feb 10 21:31:43 PST 2014
From: Roy Li <rongqing.li at windriver.com>
Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85 ++++++++++++++++++++
.../refpolicy/refpolicy_2.20130424.inc | 1 +
2 files changed, 86 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
new file mode 100644
index 0000000..9521fcf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
@@ -0,0 +1,85 @@
+ftp: make proftpd be able to work
+
+Upstream-Status: pending
+
+1. proftpd need not to access and communicate with avahi, so dontaudit them
+2. ftpd_t is transited to mls_systemhigh, the running created files under
+/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/contrib/avahi.if | 40 +++++++++++++++++++++++++++++++++++++++
+ policy/modules/contrib/ftp.te | 6 ++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
+index aebe7cb..0e7a748 100644
+--- a/policy/modules/contrib/avahi.if
++++ b/policy/modules/contrib/avahi.if
+@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to rw
++## avahi var directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`avahi_dontaudit_rw_var',`
++ gen_require(`
++ type avahi_var_run_t;
++ ')
++
++ dontaudit $1 avahi_var_run_t:file rw_term_perms;
++')
++
++
++########################################
++## <summary>
++## Do not audit attempts to connectto
++## avahi unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`avahi_dontaudit_connectto',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ dontaudit $1 avahi_t:unix_stream_socket connectto;
++')
++
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an avahi environment.
+ ## </summary>
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..12492d2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+
++mls_file_write_all_levels(ftpd_t)
++
++avahi_dontaudit_connectto(ftpd_t)
++
++avahi_dontaudit_rw_var(ftpd_t)
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+--
+1.7.10.4
+
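Review bot: `mls_file_write_all_levels(ftpd_t)` in the ftp.te hunk grants the network-facing ftpd_t write access to files at every MLS level, which is the broadest MLS file exemption refpolicy offers and goes well beyond the stated need of a systemhigh process writing one systemlow pid file under /var/run; if that write-down is the only case, a ranged transition for ftpd_t that includes systemlow, or a dedicated label for its runtime files, would be narrower (to be confirmed against the init policy, which is outside this patch). The new `avahi_dontaudit_rw_var` interface applies `rw_term_perms` to the `file` class, where the file-class macro `rw_file_perms` is the conventional set, and its name does not say it covers `avahi_var_run_t` pid files the way the neighbouring `avahi_dontaudit_search_pid` does. The OE tag should read `Upstream-Status: Pending`. The inner patch is a nested commit, so its own hunks appear here only as added lines and their context is not visible.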
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 5d55030..422c974 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
file://portmap-allow-portmap-to-create-socket.patch \
+ file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
"
# Backport from upstream
--
1.7.10.4