* [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd
@ 2014-11-19  8:13 Shrikant Bobade
  2015-01-05 11:42 ` Shrikant Bobade
  0 siblings, 1 reply; 3+ messages in thread
From: Shrikant Bobade @ 2014-11-19  8:13 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade

From: Shrikant Bobade <Shrikant_Bobade@mentor.com>

Systemd init type and related allow rules
updated for refpolicy.

Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
---
 .../refpolicy-update-for_systemd.patch             |   46 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20140311.inc             |    1 +
 2 files changed, 47 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..80b420c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+ 
+It provides the systemd support for refpolicy 
+and related allow rules. 
+The restorecon provides systemd init labeled 
+as init_exec_t.
+
+Upstream-Status: Pending
+
+
+Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
+
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+ /sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
++# systemd support
++/bin/systemctl	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
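Review bot: The added `/bin/systemctl` entry gives the `shutdown_exec_t` label to a binary that does far more than halt or reboot, and the patch description only mentions labeling systemd init as `init_exec_t`, so this labeling is undocumented. Please state in the description why systemctl needs `shutdown_exec_t`, and confirm that ordinary service-management calls through systemctl still work once the binary carries the shutdown label. If they do not, a dedicated type for systemctl would be the narrower fix.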
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
+ 
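Review bot: The new `# systemd support` comment and `/lib/systemd/systemd` entry are inserted directly above the existing `# because nowadays, /sbin/init is often a symlink to /sbin/upstart` comment with no separator, so the upstart remark now reads as if it belonged to the systemd entry. Move the systemd pair below the `/sbin/upstart` line, or add a blank line after the new entry. Only `/lib/systemd/systemd` is labeled here, so the description should also say whether that is the only path the image installs systemd to.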
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+ optional_policy(`
+ 	zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
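Review bot: The three rules appended after the last `optional_policy` block are raw, unconditional `allow` statements with no per-rule justification. Two of them, `allow kernel_t init_t:process dyntransition;` and `allow devpts_t device_t:filesystem associate;`, have source types that are not init's own, and refpolicy modules normally reach such types through the owning module's interfaces rather than naming them in init.te. `dyntransition` lets a `kernel_t` process switch itself into `init_t` without executing anything, so it needs a sentence on which boot step requires it. Suggest a comment per rule quoting the denial it resolves, and a note on whether builds of this policy that do not use systemd are meant to carry these rules too.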
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..557b4ab 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
             file://poky-fc-rpm.patch \
             file://poky-fc-ftpwho-dir.patch \
             file://poky-fc-fix-real-path_su.patch \
+            file://refpolicy-update-for_systemd.patch \
            "
 
 # Specific policy for Poky
-- 
1.7.9.5




* Re: [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd
  2014-11-19  8:13 [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd Shrikant Bobade
@ 2015-01-05 11:42 ` Shrikant Bobade
  2015-01-12 20:02   ` Joe MacDonald
  0 siblings, 1 reply; 3+ messages in thread
From: Shrikant Bobade @ 2015-01-05 11:42 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade


Hello,

Please provide review comments or feedback if any. It will be a great
help.
@Ping.

Thanks
Shrikant

On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade <bobadeshrikant@gmail.com>
wrote:

> From: Shrikant Bobade <Shrikant_Bobade@mentor.com>
>
> Systemd init type and related allow rules
> updated for refpolicy.
>
> Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
> ---
>  .../refpolicy-update-for_systemd.patch             |   46
> ++++++++++++++++++++
>  .../refpolicy/refpolicy_2.20140311.inc             |    1 +
>  2 files changed, 47 insertions(+)
>  create mode 100644
> recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
>
> diff --git
> a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> new file mode 100644
> index 0000000..80b420c
> --- /dev/null
> +++
> b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
> @@ -0,0 +1,46 @@
> +refpolicy: update for systemd
> +
> +It provides the systemd support for refpolicy
> +and related allow rules.
> +The restorecon provides systemd init labeled
> +as init_exec_t.
> +
> +Upstream-Status: Pending
> +
> +
> +Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
> +
> +--- a/policy/modules/contrib/shutdown.fc
> ++++ b/policy/modules/contrib/shutdown.fc
> +@@ -5,6 +5,9 @@
> + /sbin/shutdown        --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> + /sbin/shutdown\.sysvinit      --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +
> ++# systemd support
> ++/bin/systemctl        --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> ++
> + /usr/lib/upstart/shutdown     --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +
> + /usr/sbin/shutdown    --
> gen_context(system_u:object_r:shutdown_exec_t,s0)
> +--- a/policy/modules/system/init.fc
> ++++ b/policy/modules/system/init.fc
> +@@ -31,6 +31,8 @@
> + #
> + /sbin/init(ng)?               --
> gen_context(system_u:object_r:init_exec_t,s0)
> + /sbin/init\.sysvinit  --
> gen_context(system_u:object_r:init_exec_t,s0)
> ++# systemd support
> ++/lib/systemd/systemd  --
> gen_context(system_u:object_r:init_exec_t,s0)
> + # because nowadays, /sbin/init is often a symlink to /sbin/upstart
> + /sbin/upstart         --
> gen_context(system_u:object_r:init_exec_t,s0)
> +
> +--- a/policy/modules/system/init.te
> ++++ b/policy/modules/system/init.te
> +@@ -913,3 +913,8 @@
> + optional_policy(`
> +       zebra_read_config(initrc_t)
> + ')
> ++
> ++# systemd related allow rules
> ++allow kernel_t init_t:process dyntransition;
> ++allow devpts_t device_t:filesystem associate;
> ++allow init_t self:capability2 block_suspend;
> diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc
> b/recipes-security/refpolicy/refpolicy_2.20140311.inc
> index 8894583..557b4ab 100644
> --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
> +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
> @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
>              file://poky-fc-rpm.patch \
>              file://poky-fc-ftpwho-dir.patch \
>              file://poky-fc-fix-real-path_su.patch \
> +            file://refpolicy-update-for_systemd.patch \
>             "
>
>  # Specific policy for Poky
> --
> 1.7.9.5
>
>


* Re: [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd
  2015-01-05 11:42 ` Shrikant Bobade
@ 2015-01-12 20:02   ` Joe MacDonald
  0 siblings, 0 replies; 3+ messages in thread
From: Joe MacDonald @ 2015-01-12 20:02 UTC (permalink / raw)
  To: Shrikant Bobade; +Cc: yocto, Shrikant Bobade


Hi Shrikant,

All three of these have been merged.  Thanks.  And my apologies to
everyone on the delay for these patches.

-J.

[Re: [yocto] [meta-selinux][PATCH 1/3] V2 refpolicy:20140311 update for systemd] On 15.01.05 (Mon 17:12) Shrikant Bobade wrote:

> Hello,
> 
> Please provide review comments or feedback if any. It will be a great help.
> @Ping.
> 
> Thanks
> Shrikant
> 
> On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade <bobadeshrikant@gmail.com>
> wrote:
> 
>     From: Shrikant Bobade <Shrikant_Bobade@mentor.com>
> 
>     Systemd init type and related allow rules
>     updated for refpolicy.
> 
>     Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
>     ---
>      .../refpolicy-update-for_systemd.patch             |   46
>     ++++++++++++++++++++
>      .../refpolicy/refpolicy_2.20140311.inc             |    1 +
>      2 files changed, 47 insertions(+)
>      create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/
>     refpolicy-update-for_systemd.patch
> 
>     diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/
>     refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/
>     refpolicy-2.20140311/refpolicy-update-for_systemd.patch
>     new file mode 100644
>     index 0000000..80b420c
>     --- /dev/null
>     +++ b/recipes-security/refpolicy/refpolicy-2.20140311/
>     refpolicy-update-for_systemd.patch
>     @@ -0,0 +1,46 @@
>     +refpolicy: update for systemd
>     +
>     +It provides the systemd support for refpolicy
>     +and related allow rules.
>     +The restorecon provides systemd init labeled
>     +as init_exec_t.
>     +
>     +Upstream-Status: Pending
>     +
>     +
>     +Signed-off-by: Shrikant Bobade <Shrikant_Bobade@mentor.com>
>     +
>     +--- a/policy/modules/contrib/shutdown.fc
>     ++++ b/policy/modules/contrib/shutdown.fc
>     +@@ -5,6 +5,9 @@
>     + /sbin/shutdown        --      gen_context
>     (system_u:object_r:shutdown_exec_t,s0)
>     + /sbin/shutdown\.sysvinit      --      gen_context
>     (system_u:object_r:shutdown_exec_t,s0)
>     +
>     ++# systemd support
>     ++/bin/systemctl        --      gen_context
>     (system_u:object_r:shutdown_exec_t,s0)
>     ++
>     + /usr/lib/upstart/shutdown     --      gen_context
>     (system_u:object_r:shutdown_exec_t,s0)
>     +
>     + /usr/sbin/shutdown    --      gen_context
>     (system_u:object_r:shutdown_exec_t,s0)
>     +--- a/policy/modules/system/init.fc
>     ++++ b/policy/modules/system/init.fc
>     +@@ -31,6 +31,8 @@
>     + #
>     + /sbin/init(ng)?               --      gen_context
>     (system_u:object_r:init_exec_t,s0)
>     + /sbin/init\.sysvinit  --      gen_context
>     (system_u:object_r:init_exec_t,s0)
>     ++# systemd support
>     ++/lib/systemd/systemd  --      gen_context
>     (system_u:object_r:init_exec_t,s0)
>     + # because nowadays, /sbin/init is often a symlink to /sbin/upstart
>     + /sbin/upstart         --      gen_context
>     (system_u:object_r:init_exec_t,s0)
>     +
>     +--- a/policy/modules/system/init.te
>     ++++ b/policy/modules/system/init.te
>     +@@ -913,3 +913,8 @@
>     + optional_policy(`
>     +       zebra_read_config(initrc_t)
>     + ')
>     ++
>     ++# systemd related allow rules
>     ++allow kernel_t init_t:process dyntransition;
>     ++allow devpts_t device_t:filesystem associate;
>     ++allow init_t self:capability2 block_suspend;
>     diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/
>     recipes-security/refpolicy/refpolicy_2.20140311.inc
>     index 8894583..557b4ab 100644
>     --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
>     +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
>     @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
>                  file://poky-fc-rpm.patch \
>                  file://poky-fc-ftpwho-dir.patch \
>                  file://poky-fc-fix-real-path_su.patch \
>     +            file://refpolicy-update-for_systemd.patch \
>                 "
> 
>      # Specific policy for Poky
>     --
>     1.7.9.5
> 
> 
> 

-- 
-Joe MacDonald.
:wq
