* [PATCH 0/1] refpolicy: allow portmap to create portmap_t type socket
@ 2014-02-10 7:58 rongqing.li
2014-02-10 7:58 ` [PATCH 1/1] " rongqing.li
0 siblings, 1 reply; 3+ messages in thread
From: rongqing.li @ 2014-02-10 7:58 UTC
To: yocto
From: Roy Li <rongqing.li@windriver.com>
The following changes since commit e8092ae5cbe4e19cc086fed51216d45dafae900e:
refpolicy: backport two patches to fix dhclient, hostname and ifconfig (2014-02-10 11:07:23 +0800)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib roy/portmap
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/portmap
Roy Li (1):
refpolicy: allow portmap to create portmap_t type socket
.../portmap-allow-portmap-to-create-socket.patch | 28 ++++++++++++++++++++
.../refpolicy/refpolicy_2.20130424.inc | 1 +
2 files changed, 29 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
--
1.7.10.4
* [PATCH 1/1] refpolicy: allow portmap to create portmap_t type socket
2014-02-10 7:58 [PATCH 0/1] refpolicy: allow portmap to create portmap_t type socket rongqing.li
@ 2014-02-10 7:58 ` rongqing.li
2014-02-13 9:31 ` Pascal Ouyang
0 siblings, 1 reply; 3+ messages in thread
From: rongqing.li @ 2014-02-10 7:58 UTC
To: yocto
From: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../portmap-allow-portmap-to-create-socket.patch | 28 ++++++++++++++++++++
.../refpolicy/refpolicy_2.20130424.inc | 1 +
2 files changed, 29 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch b/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
new file mode 100644
index 0000000..aa89a98
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
@@ -0,0 +1,28 @@
+portmap: allow portmap to manage portmap_t type socket
+
+Upstream-Status: Pending
+
+portmap needs to create socket to receive message
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ policy/modules/contrib/portmap.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
+index 18b255e..bacf66b 100644
+--- a/policy/modules/contrib/portmap.te
++++ b/policy/modules/contrib/portmap.te
+@@ -16,6 +16,9 @@ type portmap_helper_exec_t;
+ init_system_domain(portmap_helper_t, portmap_helper_exec_t)
+ role portmap_helper_roles types portmap_helper_t;
+
++allow portmap_t self:tcp_socket create_socket_perms;
++allow portmap_t self:udp_socket create_socket_perms;
++
+ type portmap_initrc_exec_t;
+ init_script_file(portmap_initrc_exec_t)
+
+--
+1.7.10.4
+
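Review bot: the two added `allow portmap_t self:... create_socket_perms;` rules in the embedded portmap.te hunk sit between `role portmap_helper_roles types portmap_helper_t;` and `type portmap_initrc_exec_t;`, in the middle of the type declarations; refpolicy modules keep allow rules in the domain's local policy section, so they should move down next to the other portmap_t rules. The description ("portmap needs to create socket to receive message") also gives no AVC denial, and `create_socket_perms` grants more than `create`, so quoting the denied permissions for tcp_socket and udp_socket in the patch header would let a reader confirm the grant is no wider than needed. The header title says "manage" while the mail subject says "create"; pick one.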
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index a052a2c..5d55030 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -52,6 +52,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
+ file://portmap-allow-portmap-to-create-socket.patch \
"
# Backport from upstream
--
1.7.10.4
* Re: [PATCH 1/1] refpolicy: allow portmap to create portmap_t type socket
2014-02-10 7:58 ` [PATCH 1/1] " rongqing.li
@ 2014-02-13 9:31 ` Pascal Ouyang
0 siblings, 0 replies; 3+ messages in thread
From: Pascal Ouyang @ 2014-02-13 9:31 UTC
To: rongqing.li, yocto
On 14-2-10 3:58 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> .../portmap-allow-portmap-to-create-socket.patch | 28 ++++++++++++++++++++
> .../refpolicy/refpolicy_2.20130424.inc | 1 +
> 2 files changed, 29 insertions(+)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
>
> diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch b/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
> new file mode 100644
> index 0000000..aa89a98
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy-2.20130424/portmap-allow-portmap-to-create-socket.patch
> @@ -0,0 +1,28 @@
> +portmap: allow portmap to manage portmap_t type socket
> +
> +Upstream-Status: Pending
> +
> +portmap needs to create socket to receive message
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +---
> + policy/modules/contrib/portmap.te | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/policy/modules/contrib/portmap.te b/policy/modules/contrib/portmap.te
> +index 18b255e..bacf66b 100644
> +--- a/policy/modules/contrib/portmap.te
> ++++ b/policy/modules/contrib/portmap.te
> +@@ -16,6 +16,9 @@ type portmap_helper_exec_t;
> + init_system_domain(portmap_helper_t, portmap_helper_exec_t)
> + role portmap_helper_roles types portmap_helper_t;
> +
> ++allow portmap_t self:tcp_socket create_socket_perms;
> ++allow portmap_t self:udp_socket create_socket_perms;
> ++
> + type portmap_initrc_exec_t;
> + init_script_file(portmap_initrc_exec_t)
> +
> +--
> +1.7.10.4
> +
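Review bot: the `Upstream-Status: Pending` line in the embedded patch header says nothing about the history raised in the reply below, namely that these rules existed in older versions and were dropped in 12d4d8. The header should reference that commit and state why portmap_t needs the tcp_socket and udp_socket permissions again in refpolicy 2.20130424, so the patch is not silently reverting an upstream removal.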
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> index a052a2c..5d55030 100644
> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> @@ -52,6 +52,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
> file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
> file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
> file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
> + file://portmap-allow-portmap-to-create-socket.patch \
> "
>
> # Backport from upstream
>
Ack.
These rules are in old versions, and dropped in 12d4d8.
https://github.com/xinpascal/selinux-refpolicy-contrib/commit/12d4d86602452c9b6fd6f74fc47ce29d5ae55ba9
It is better if you have time to dig.
Anyway, I agree to merge this.
Thanks, Roy. :)
--
- Pascal