[yocto] [meta-selinux][thud][PATCH] refpolicy: Forward patch to apply cleanly on thud

Khem Raj raj.khem at gmail.com
Tue Feb 26 11:44:43 PST 2019 

Also fix devtool generated warnings by refreshing patches

Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 ...poky-fc-update-alternatives_sysklogd.patch | 17 +++--------------
 ...add-rules-for-var-log-symlink-apache.patch | 10 +++-------
 ...m-systemd-fix-for-systemd-tmp-files-.patch | 19 +++++--------------
 3 files changed, 11 insertions(+), 35 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
index e9a0464..aa928c6 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -17,8 +17,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
 
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -1,9 +1,10 @@
- /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+@@ -2,6 +2,7 @@
  
  /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -26,11 +25,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
  /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
  /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
- 
- /usr/bin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
-@@ -27,14 +28,16 @@
- /usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
- /usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+@@ -27,10 +28,12 @@
  /usr/sbin/auditctl	--	gen_context(system_u:object_r:auditctl_exec_t,s0)
  /usr/sbin/auditd	--	gen_context(system_u:object_r:auditd_exec_t,s0)
  /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -43,13 +38,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
  /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  
- /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
- /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
- allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
+@@ -390,6 +390,8 @@ allow syslogd_t self:udp_socket create_s
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -58,5 +49,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
  
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
index fb912b5..6c96e33 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -17,15 +17,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
 
 --- a/policy/modules/contrib/apache.te
 +++ b/policy/modules/contrib/apache.te
-@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
- files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
- 
- manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -411,6 +411,7 @@ create_files_pattern(httpd_t, httpd_log_
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
index a7338e1..f5a767d 100644
--- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
+++ b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -37,11 +37,9 @@ Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
  policy/modules/system/systemd.te |  3 +++
  3 files changed, 45 insertions(+)
 
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 1cedea2..4ea7d55 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
-@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+@@ -6906,3 +6906,22 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -64,13 +62,11 @@ index 1cedea2..4ea7d55 100644
 +
 +	allow $1 tmp_t:lnk_file getattr;
 +')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index f1130d1..4604441 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
- 	typeattribute $1 kern_unconfined;
- 	kernel_load_module($1)
+@@ -3418,3 +3418,26 @@ interface(`kernel_rw_vm_overcommit_sysct
+ 	kernel_search_vm_sysctl($1)
+ 	allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
  ')
 +
 +########################################
@@ -95,17 +91,12 @@ index f1130d1..4604441 100644
 +
 +')
 +
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 22021eb..8813664 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+@@ -374,3 +374,6 @@ allow systemd_tmpfiles_t initrc_t:unix_d
  allow systemd_tmpfiles_t self:capability net_admin;
  
  allow systemd_tmpfiles_t init_t:file { open getattr read };
 +
 +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
 +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
--- 
-1.9.1
-
-- 
2.21.0

More information about the yocto mailing list