[yocto] [meta-selinux][PATCH] refpolicy:20140311 update for systemd
Shrikant Bobade
bobadeshrikant at gmail.com
Tue Nov 18 03:30:32 PST 2014
From: Shrikant Bobade <Shrikant_Bobade at mentor.com>
Systemd init type and related allow rules
updated for refpolicy.
Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
---
.../refpolicy-update-for_systemd.patch | 50 ++++++++++++++++++++
.../refpolicy/refpolicy_2.20140311.inc | 1 +
2 files changed, 51 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..634061e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,50 @@
+refpolicy: update for systemd
+
+It provides the systemd support for refpolicy
+and related allow rules.
+The restorecon provides systemd init labeled
+as init_exec_t.
+
+
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
+
+Index: refpolicy/policy/modules/contrib/shutdown.fc
+===================================================================
+--- refpolicy.orig/policy/modules/contrib/shutdown.fc 2014-11-17 21:01:05.040804419 +0530
++++ refpolicy/policy/modules/contrib/shutdown.fc 2014-11-18 14:38:50.854860908 +0530
+@@ -5,6 +5,9 @@
+ /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
++# systemd support
++/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
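Review bot: labeling /bin/systemctl as shutdown_exec_t (the added `/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)`) is broader than every other entry in this file, which are all shutdown/reboot front-ends: systemctl is systemd's general control client (start, stop, status, daemon-reload, enable), so any domain allowed to execute shutdown_exec_t, and any transition to shutdown_t keyed on that type, now also covers ordinary unit management rather than just halting the system. If the intent is only poweroff/reboot, consider a dedicated type for systemctl in a systemd module instead of reusing shutdown_exec_t. The entry also matches only /bin/systemctl; a build that installs systemd under /usr/bin leaves systemctl unlabeled, so a `/usr/bin/systemctl` line (or `/(usr/)?bin/systemctl`) is worth adding, in the same way this file already lists both /sbin/shutdown and /usr/sbin/shutdown.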
+Index: refpolicy/policy/modules/system/init.fc
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.fc 2014-11-17 21:01:05.040804419 +0530
++++ refpolicy/policy/modules/system/init.fc 2014-11-18 14:38:04.467444078 +0530
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
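Review bot: the new `/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` covers only the non-usrmerge path; on builds that install systemd as /usr/lib/systemd/systemd, with /sbin/init a symlink to it, the real binary gets no init_exec_t label and the exec-based transition to init_t does not fire for PID 1. A regex such as `/(usr/)?lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` covers both layouts and matches the `/sbin/init(ng)?` style already used two lines above. Also, the comment directly below the insertion ("because nowadays, /sbin/init is often a symlink to /sbin/upstart") now sits between the systemd entry and the upstart entry it explains; placing the systemd lines after the upstart entry keeps each comment attached to the line it describes.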
+Index: refpolicy/policy/modules/system/init.te
+===================================================================
+--- refpolicy.orig/policy/modules/system/init.te 2014-11-17 21:03:01.577129153 +0530
++++ refpolicy/policy/modules/system/init.te 2014-11-18 14:37:45.647680675 +0530
+@@ -913,3 +913,8 @@
+ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
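Review bot: the three rules appended at the end of init.te are raw `allow` statements on types owned by other modules (kernel_t from kernel.te, devpts_t from terminal.te, device_t from devices.te), which breaks the refpolicy convention that a module names only its own types directly and reaches others through interfaces; `allow devpts_t device_t:filesystem associate;` in particular involves no init type at all and belongs with devpts_t's own declarations in the terminal module. `allow kernel_t init_t:process dyntransition;` grants a setcon()-style dynamic transition from the early-boot domain into init_t, a different mechanism from the normal exec-based transition through init_exec_t that the init.fc change in this same patch relies on; the comment should state why systemd needs the dynamic transition (for example, only when systemd itself loads the policy) so the rule can be scoped to that case. `allow init_t self:capability2 block_suspend;` is plausible for PID 1 but also deserves a one-line reason. Finally, all three rules are unconditional, so sysvinit and upstart builds of this init.te carry systemd-specific permissions; gating them behind a build-time conditional for systemd keeps the non-systemd policy unchanged.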
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..19b41eb 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
file://poky-fc-rpm.patch \
file://poky-fc-ftpwho-dir.patch \
file://poky-fc-fix-real-path_su.patch \
+ file://refpolicy-update-for_systemd.patch \
"
# Specific policy for Poky
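Review bot: the patch is added to SRC_URI unconditionally, so every refpolicy build picks up the systemd file contexts and the init.te allow rules even when the distro runs sysvinit; making the entry conditional on the systemd distro feature (e.g. `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)}`) keeps non-systemd images unaffected. The new file also mixes file-context (.fc) and type-enforcement (.te) changes under a name that does not follow the `poky-fc-*.patch` convention of the neighbouring entries; splitting the .fc part into a poky-fc-systemd.patch and keeping the .te rules in a separately named patch would match the existing layout and make each piece easier to drop when upstream refpolicy gains its own systemd support.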
--
1.7.9.5