[yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd

Shrikant Bobade bobadeshrikant at gmail.com
Mon Jan 5 03:42:37 PST 2015


Hello,

Please provide review comments or feedback, if any. It will be a great
help.
@Ping.

Thanks
Shrikant

On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade <bobadeshrikant at gmail.com>
wrote:

> From: Shrikant Bobade <Shrikant_Bobade at mentor.com>
>
> Systemd init type and related allow rules
> updated for refpolicy.
>
> Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
> ---
>  .../refpolicy-update-for_systemd.patch             |   46
> ++++++++++++++++++++
>  .../refpolicy/refpolicy_2.20140311.inc             |    1 +
>  2 files changed, 47 insertions(+)
>  create mode 100644
> recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
>
> diff --git
> a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> new file mode 100644
> index 0000000..80b420c
> --- /dev/null
> +++
> b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> @@ -0,0 +1,46 @@
> +refpolicy: update for systemd
> +
> +It provides the systemd support for refpolicy
> +and related allow rules.
> +The restorecon provides systemd init labeled
> +as init_exec_t.
> +
> +Upstream-Status: Pending
> +
> +
> +Signed-off-by: Shrikant Bobade <Shrikant_Bobade at mentor.com>
> +
> +--- a/policy/modules/contrib/shutdown.fc
> ++++ b/policy/modules/contrib/shutdown.fc
> +@@ -5,6 +5,9 @@
> + /sbin/shutdown        --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> + /sbin/shutdown\.sysvinit      --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +
> ++# systemd support
> ++/bin/systemctl        --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> ++
> + /usr/lib/upstart/shutdown     --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +
> + /usr/sbin/shutdown    --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +--- a/policy/modules/system/init.fc
> ++++ b/policy/modules/system/init.fc
> +@@ -31,6 +31,8 @@
> + #
> + /sbin/init(ng)?               --
> gen_context(system_u:object_r:init_exec_t,s0)
> + /sbin/init\.sysvinit  --
> gen_context(system_u:object_r:init_exec_t,s0)
> ++# systemd support
> ++/lib/systemd/systemd  --
> gen_context(system_u:object_r:init_exec_t,s0)
> + # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> + /sbin/upstart         --
> gen_context(system_u:object_r:init_exec_t,s0)
> +
> +--- a/policy/modules/system/init.te
> ++++ b/policy/modules/system/init.te
> +@@ -913,3 +913,8 @@
> + optional_policy(`
> +       zebra_read_config(initrc_t)
> + ')
> ++
> ++# systemd related allow rules
> ++allow kernel_t init_t:process dyntransition;
> ++allow devpts_t device_t:filesystem associate;
> ++allow init_t self:capability2 block_suspend;
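Review bot: the three rules appended to init.te (`allow kernel_t init_t:process dyntransition;`, `allow devpts_t device_t:filesystem associate;`, `allow init_t self:capability2 block_suspend;`) are raw allow rules that bypass the refpolicy interface layer and reach into types owned by other modules (kernel_t, devpts_t, device_t); prefer the corresponding interfaces where this refpolicy version provides them (for example `kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)` placed in the terminal module) and, in the patch header, say why systemd needs a dynamic transition from kernel_t instead of the normal exec-based transition through init_exec_t, since `dyntransition` changes domain without an exec and is the rule a policy reviewer will ask about first. Separately, labelling `/bin/systemctl` as `shutdown_exec_t` in shutdown.fc routes every systemctl call (status, start, stop) through the shutdown domain transition, not only shutdown requests; check that this is the intended effect, and whether `/usr/bin/systemctl` and `/usr/lib/systemd/systemd` need entries beside `/bin/systemctl` and `/lib/systemd/systemd` for usrmerge layouts.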
> diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc
> b/recipes-security/refpolicy/refpolicy_2.20140311.inc
> index 8894583..557b4ab 100644
> --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
> +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
> @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
>              file://poky-fc-rpm.patch \
>              file://poky-fc-ftpwho-dir.patch \
>              file://poky-fc-fix-real-path_su.patch \
> +            file://refpolicy-update-for_systemd.patch \
>             "
>
>  # Specific policy for Poky
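Review bot: `file://refpolicy-update-for_systemd.patch` is added to `SRC_URI` unconditionally, so the dyntransition rule and the new file contexts also land in images that boot with sysvinit; since the patch header describes it as systemd support, consider gating it on the systemd distro feature, e.g. `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://refpolicy-update-for_systemd.patch', '', d)}`, so the extra allow rules are only compiled into policy where systemd is actually the init manager.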
> --
> 1.7.9.5
>
>