Signed-off-by: Philip Tricca <fl...@twobit.us>
---
 .../poky-policy-fix-new-SELINUXMNT-in-sys.patch    | 100 ++++++---------------
 1 file changed, 25 insertions(+), 75 deletions(-)

diff --git 
a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
 
b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
index 302a38f..005e28f 100644
--- 
a/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
+++ 
b/recipes-security/refpolicy/refpolicy-git/poky-policy-fix-new-SELINUXMNT-in-sys.patch
@@ -14,8 +14,10 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
  policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--
  1 file changed, 32 insertions(+), 2 deletions(-)
 
---- a/policy/modules/kernel/selinux.if
-+++ b/policy/modules/kernel/selinux.if
+Index: refpolicy/policy/modules/kernel/selinux.if
+===================================================================
+--- refpolicy.orig/policy/modules/kernel/selinux.if
++++ refpolicy/policy/modules/kernel/selinux.if
 @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
                type security_t;
        ')
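Review bot: The embedded patch's diffstat, kept here as unchanged context (`policy/modules/kernel/selinux.if |   34 ++++++++++++++++++++++++++++++++--` and `1 file changed, 32 insertions(+), 2 deletions(-)`), no longer describes the patch that follows: the rewrite drops both `-` lines (the blank-line deletions in selinux_set_generic_booleans and selinux_set_all_booleans) and several `dev_getattr_sysfs_dirs($1)` hunks, so both counts are now stale. Regenerate it from the refreshed patch (for example `quilt refresh --diffstat`, which also matches the new `Index:`/`refpolicy.orig` header style introduced in this hunk) rather than leaving the old numbers, since they are the first thing a reader uses to sanity-check that the patch applied fully. The patch header above line 14 (description, Upstream-Status) is outside this hunk and should be checked for the same drift.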
@@ -27,7 +29,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        # starting in libselinux 2.0.5, init_selinuxmnt() will
        # attempt to short circuit by checking if SELINUXMNT
        # (/selinux) is already a selinuxfs
-@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_moun
+@@ -88,6 +92,7 @@ interface(`selinux_dontaudit_get_fs_moun
                type security_t;
        ')
  
@@ -35,7 +37,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        # starting in libselinux 2.0.5, init_selinuxmnt() will
        # attempt to short circuit by checking if SELINUXMNT
        # (/selinux) is already a selinuxfs
-@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
+@@ -117,6 +122,8 @@ interface(`selinux_mount_fs',`
                type security_t;
        ')
  
@@ -44,7 +46,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        allow $1 security_t:filesystem mount;
  ')
  
-@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
+@@ -136,6 +143,8 @@ interface(`selinux_remount_fs',`
                type security_t;
        ')
  
@@ -53,7 +55,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        allow $1 security_t:filesystem remount;
  ')
  
-@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
+@@ -154,6 +163,8 @@ interface(`selinux_unmount_fs',`
                type security_t;
        ')
  
@@ -62,24 +64,24 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        allow $1 security_t:filesystem unmount;
  ')
  
-@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
+@@ -172,6 +183,8 @@ interface(`selinux_getattr_fs',`
                type security_t;
        ')
  
 +      dev_getattr_sysfs_dirs($1)
 +      dev_search_sysfs($1)
        allow $1 security_t:filesystem getattr;
- ')
  
-@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs'
+       dev_getattr_sysfs($1)
+@@ -194,6 +207,7 @@ interface(`selinux_dontaudit_getattr_fs'
                type security_t;
        ')
  
 +      dev_dontaudit_search_sysfs($1)
        dontaudit $1 security_t:filesystem getattr;
- ')
  
-@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir
+       dev_dontaudit_getattr_sysfs($1)
+@@ -216,6 +230,7 @@ interface(`selinux_dontaudit_getattr_dir
                type security_t;
        ')
  
@@ -87,7 +89,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dontaudit $1 security_t:dir getattr;
  ')
  
-@@ -220,6 +235,7 @@ interface(`selinux_search_fs',`
+@@ -234,6 +249,7 @@ interface(`selinux_search_fs',`
                type security_t;
        ')
  
@@ -95,7 +97,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dev_search_sysfs($1)
        allow $1 security_t:dir search_dir_perms;
  ')
-@@ -239,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',
+@@ -253,6 +269,7 @@ interface(`selinux_dontaudit_search_fs',
                type security_t;
        ')
  
@@ -103,7 +105,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dontaudit $1 security_t:dir search_dir_perms;
  ')
  
-@@ -258,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -272,6 +289,7 @@ interface(`selinux_dontaudit_read_fs',`
                type security_t;
        ')
  
@@ -111,7 +113,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dontaudit $1 security_t:dir search_dir_perms;
        dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -279,6 +297,7 @@ interface(`selinux_get_enforce_mode',`
+@@ -293,6 +311,7 @@ interface(`selinux_get_enforce_mode',`
                type security_t;
        ')
  
@@ -119,23 +121,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dev_search_sysfs($1)
        allow $1 security_t:dir list_dir_perms;
        allow $1 security_t:file read_file_perms;
-@@ -313,6 +332,7 @@ interface(`selinux_set_enforce_mode',`
-               bool secure_mode_policyload;
-       ')
- 
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -345,6 +365,7 @@ interface(`selinux_load_policy',`
-               bool secure_mode_policyload;
-       ')
- 
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -375,6 +396,7 @@ interface(`selinux_read_policy',`
+@@ -361,6 +380,7 @@ interface(`selinux_read_policy',`
                type security_t;
        ')
  
@@ -143,35 +129,23 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dev_search_sysfs($1)
        allow $1 security_t:dir list_dir_perms;
        allow $1 security_t:file read_file_perms;
-@@ -440,8 +462,8 @@ interface(`selinux_set_generic_booleans'
+@@ -426,6 +446,7 @@ interface(`selinux_set_generic_booleans'
                type security_t;
        ')
  
 +      dev_getattr_sysfs_dirs($1)
        dev_search_sysfs($1)
--
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
  
-@@ -482,8 +504,8 @@ interface(`selinux_set_all_booleans',`
+       allow $1 security_t:dir list_dir_perms;
+@@ -463,6 +484,7 @@ interface(`selinux_set_all_booleans',`
                bool secure_mode_policyload;
        ')
  
 +      dev_getattr_sysfs_dirs($1)
        dev_search_sysfs($1)
--
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
-       allow $1 secure_mode_policyload_t:file read_file_perms;
-@@ -528,6 +550,7 @@ interface(`selinux_set_parameters',`
-               attribute can_setsecparam;
-       ')
  
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
        allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -552,6 +575,7 @@ interface(`selinux_validate_context',`
+@@ -522,6 +544,7 @@ interface(`selinux_validate_context',`
                type security_t;
        ')
  
@@ -179,7 +153,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dev_search_sysfs($1)
        allow $1 security_t:dir list_dir_perms;
        allow $1 security_t:file rw_file_perms;
-@@ -574,6 +598,7 @@ interface(`selinux_dontaudit_validate_co
+@@ -544,6 +567,7 @@ interface(`selinux_dontaudit_validate_co
                type security_t;
        ')
  
@@ -187,31 +161,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dontaudit $1 security_t:dir list_dir_perms;
        dontaudit $1 security_t:file rw_file_perms;
        dontaudit $1 security_t:security check_context;
-@@ -595,6 +620,7 @@ interface(`selinux_compute_access_vector
-               type security_t;
-       ')
- 
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -617,6 +643,7 @@ interface(`selinux_compute_create_contex
-               type security_t;
-       ')
- 
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -639,6 +666,7 @@ interface(`selinux_compute_member',`
-               type security_t;
-       ')
- 
-+      dev_getattr_sysfs_dirs($1)
-       dev_search_sysfs($1)
-       allow $1 security_t:dir list_dir_perms;
-       allow $1 security_t:file rw_file_perms;
-@@ -669,6 +697,7 @@ interface(`selinux_compute_relabel_conte
+@@ -565,6 +589,7 @@ interface(`selinux_compute_access_vector
                type security_t;
        ')
  
@@ -219,7 +169,7 @@ Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com>
        dev_search_sysfs($1)
        allow $1 security_t:dir list_dir_perms;
        allow $1 security_t:file rw_file_perms;
-@@ -690,6 +719,7 @@ interface(`selinux_compute_user_contexts
+@@ -660,6 +685,7 @@ interface(`selinux_compute_user_contexts
                type security_t;
        ')
  
-- 
2.1.4

-- 