于 14-2-13 下午4:13, Rongqing Li 写道:
On 02/11/2014 01:31 PM, rongqing...@windriver.com wrote:
From: Roy Li <rongqing...@windriver.com>
Signed-off-by: Roy Li <rongqing...@windriver.com>
---
...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85
++++++++++++++++++++
.../refpolicy/refpolicy_2.20130424.inc | 1 +
2 files changed, 86 insertions(+)
create mode 100644
recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
diff --git
a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
new file mode 100644
index 0000000..9521fcf
--- /dev/null
+++
b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
@@ -0,0 +1,85 @@
+ftp: make proftpd be able to work
+
+Upstream-Status: pending
+
+1. proftpd need not to access and communicate with avahi, so
dontaudit them
+2. ftpd_t is transited to mls_systemhigh, the running created files
under
+/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
+
+Signed-off-by: Roy Li <rongqing...@windriver.com>
+---
+ policy/modules/contrib/avahi.if | 40
+++++++++++++++++++++++++++++++++++++++
+ policy/modules/contrib/ftp.te | 6 ++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/policy/modules/contrib/avahi.if
b/policy/modules/contrib/avahi.if
+index aebe7cb..0e7a748 100644
+--- a/policy/modules/contrib/avahi.if
++++ b/policy/modules/contrib/avahi.if
+@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to rw
++## avahi var directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`avahi_dontaudit_rw_var',`
++ gen_require(`
++ type avahi_var_run_t;
++ ')
++
++ dontaudit $1 avahi_var_run_t:file rw_term_perms;
++')
++
++
++########################################
++## <summary>
++## Do not audit attempts to connectto
++## avahi unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`avahi_dontaudit_connectto',`
++ gen_require(`
++ type avahi_t;
++ ')
++
++ dontaudit $1 avahi_t:unix_stream_socket connectto;
++')
++
++
++########################################
++## <summary>
+ ## All of the rules required to
+ ## administrate an avahi environment.
+ ## </summary>
+diff --git a/policy/modules/contrib/ftp.te
b/policy/modules/contrib/ftp.te
+index 544c512..12492d2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
+ type ftpdctl_tmp_t;
+ files_tmp_file(ftpdctl_tmp_t)
+
++mls_file_write_all_levels(ftpd_t)
++
++avahi_dontaudit_connectto(ftpd_t)
++
++avahi_dontaudit_rw_var(ftpd_t)
Please drop it; we should not dontaudit ftpd_t connecting to avahi.
We should allow this operation, since ftpd_t calls libnss, which
creates the socket and connects to it.
1846 open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
1846 read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"
..., 832) = 832
1846 fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
1846 mmap(NULL, 2105160, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
= 0x7f49e1a63000
1846 mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
1846 mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP
_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
1846 close(3) = 0
1846 socket(PF_LOCAL, SOCK_STREAM, 0) = 3
1846 fcntl(3, F_GETFD) = 0
1846 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
1846 connect(3, {sa_family=AF_LOCAL,
sun_path="/var/run/avahi-daemon/socket"},
110) = 0
-Roy
++
+ type sftpd_t;
+ domain_type(sftpd_t)
+ role system_r types sftpd_t;
+--
+1.7.10.4
+
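Review bot: `mls_file_write_all_levels(ftpd_t)` grants ftpd_t a blanket MLS write override covering files at every level, which is far broader than the single need the description gives (a systemhigh process writing its pid file under /var/run at systemlow) and hands a network-facing daemon a write-down path to any file type it is otherwise permitted to write. Prefer starting the daemon with a range that includes its run-file level, or, if an override is genuinely unavoidable, use the narrowest MLS interface that covers the case and put the reason above the call, e.g. `# ftpd runs at mls_systemhigh; its pid file under /var/run is systemlow`. The call is also dropped among the ftpdctl/sftpd type declarations rather than in ftpd_t's local policy section, where refpolicy keeps interface calls. Separately, `avahi_dontaudit_rw_var` applies `rw_term_perms` (the terminal permission set) to the `file` class while its summary speaks of "var directories"; `dontaudit $1 avahi_var_run_t:file rw_file_perms;` with a summary of "Do not audit attempts to read and write avahi pid files" would match the rule, and a name such as `avahi_dontaudit_rw_pid_files` would follow the module's naming.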
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc
b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 5d55030..422c974 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -53,6 +53,7 @@ SRC_URI +=
"file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
file://portmap-allow-portmap-to-create-socket.patch \
+ file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
"
# Backport from upstream
Via auth_use_nsswitch(ftpd_t), ftpd_t already works with nsswitch.
So please find the root cause elsewhere.
Thanks. :)
--
- Pascal