Hello, please provide review comments or feedback, if any. It will be a great help. @Ping.
Thanks Shrikant On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade <bobadeshrik...@gmail.com> wrote: > From: Shrikant Bobade <shrikant_bob...@mentor.com> > > Systemd init type and related allow rules > updated for refpolicy. > > Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com> > --- > .../refpolicy-update-for_systemd.patch | 46 > ++++++++++++++++++++ > .../refpolicy/refpolicy_2.20140311.inc | 1 + > 2 files changed, 47 insertions(+) > create mode 100644 > recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > > diff --git > a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch > new file mode 100644 > index 0000000..80b420c > --- /dev/null > +++ > b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch 
> @@ -0,0 +1,46 @@ > +refpolicy: update for systemd > + > +It provides the systemd support for refpolicy > +and related allow rules. > +The restorecon provides systemd init labeled > +as init_exec_t. > + > +Upstream-Status: Pending > + > + > +Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com> > + > +--- a/policy/modules/contrib/shutdown.fc > ++++ b/policy/modules/contrib/shutdown.fc > +@@ -5,6 +5,9 @@ > + /sbin/shutdown -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + /sbin/shutdown\.sysvinit -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + > ++# systemd support > ++/bin/systemctl -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > ++ > + /usr/lib/upstart/shutdown -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > + > + /usr/sbin/shutdown -- > gen_context(system_u:object_r:shutdown_exec_t,s0) > +--- a/policy/modules/system/init.fc > ++++ b/policy/modules/system/init.fc > +@@ -31,6 +31,8 @@ > + # > + /sbin/init(ng)? -- > gen_context(system_u:object_r:init_exec_t,s0) > + /sbin/init\.sysvinit -- > gen_context(system_u:object_r:init_exec_t,s0) > ++# systemd support > ++/lib/systemd/systemd -- > gen_context(system_u:object_r:init_exec_t,s0) > + # because nowadays, /sbin/init is often a symlink to /sbin/upstart > + /sbin/upstart -- > gen_context(system_u:object_r:init_exec_t,s0) > + > +--- a/policy/modules/system/init.te > ++++ b/policy/modules/system/init.te > +@@ -913,3 +913,8 @@ > + optional_policy(` > + zebra_read_config(initrc_t) > + ') > ++ > ++# systemd related allow rules > ++allow kernel_t init_t:process dyntransition; > ++allow devpts_t device_t:filesystem associate; > ++allow init_t self:capability2 block_suspend; > diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc > b/recipes-security/refpolicy/refpolicy_2.20140311.inc > index 8894583..557b4ab 100644 > --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc > +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc 
> @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ > file://poky-fc-rpm.patch \ > file://poky-fc-ftpwho-dir.patch \ > file://poky-fc-fix-real-path_su.patch \ > + file://refpolicy-update-for_systemd.patch \ > " > > # Specific policy for Poky > -- > 1.7.9.5 > >
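Review bot: in the shutdown.fc hunk, labelling /bin/systemctl as shutdown_exec_t puts the whole systemctl client under the shutdown entrypoint type, not only its poweroff and reboot use, so any rule written against shutdown_exec_t then applies to every systemctl subcommand. Consider a dedicated type for systemctl, or state in the commit message why the shutdown label is intended; the message currently explains only the init_exec_t labelling.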
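Review bot: in the init.fc hunk, the new entry matches only /lib/systemd/systemd, so a build that installs the binary under a different prefix (for example /usr/lib/systemd/systemd) will not get init_exec_t unless a path equivalence covers it. Please confirm which path the target image uses and add the second entry if needed. A blank line before "# systemd support" would also match the spacing used for the same comment in the shutdown.fc hunk.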
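Review bot: the three allow rules appended to init.te have no justification in the commit message, and two of them do not have an init type as source: "allow kernel_t init_t:process dyntransition;" is granted to kernel_t, and "allow devpts_t device_t:filesystem associate;" involves no init type at all. Please quote the AVC denials that motivated each rule, and express the kernel_t and devpts_t/device_t rules through interfaces of the modules that declare those types rather than as raw allow rules in init.te. The dyntransition permission allows a context change without an exec, so it in particular needs an explicit rationale.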
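Review bot: in the refpolicy_2.20140311.inc hunk, the patch is appended to SRC_URI unconditionally, so the extra allow rules in init.te are also compiled into policies for images that do not use systemd. Consider adding the patch only when DISTRO_FEATURES contains systemd, or explain in the commit message why the rules are harmless for sysvinit builds.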
-- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto