[meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

Changes:
* backport tmpfs_t patch from upstream;
* add rules for /var/log symlink on poky;
* add targeted policy type
* add minimum targeted policy

The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:

  refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum

Wenzong Fan (4):
  refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
    systems
  refpolicy: add rules for /var/log symlink on poky
  refpolicy: add targeted policy type
  refpolicy: add minimum targeted policy

 ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
 .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
 ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
 .../refpolicy-unconfined_u-default-user.patch      |  198 ++++++++++++++++++++
 .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
 .../refpolicy/refpolicy_2.20130424.inc             |    3 +
 8 files changed, 414 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb

-- 
1.7.9.5

[meta-selinux][PATCH 1/4] refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file systems

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

The patch is backported from upstream.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 31 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch b/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
new file mode 100644
index 0000000..094d9e5
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
@@ -0,0 +1,30 @@
+Upstream-Status: backport
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+=========================
+From e3072cb7bf8f9e09598f01c9eb58d9cfb319d8a1 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Tue, 24 Sep 2013 15:39:21 +0200
+Subject: [PATCH] filesystem: associate tmpfs_t (shm) to device_t (devtmpfs)
+ file systems
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+ policy/modules/kernel/filesystem.te |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
+index ed59e5e..f72cde1 100644
+--- a/policy/modules/kernel/filesystem.te
++++ b/policy/modules/kernel/filesystem.te
+@@ -177,6 +177,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+ # tmpfs_t is the type for tmpfs filesystems
+ #
+ type tmpfs_t;
++dev_associate(tmpfs_t)
+ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+-- 
+1.7.10.4
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 9e5e426..08ed04c 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -58,6 +58,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
 
 # Backport from upstream
 SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
+            file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \
            "
 
 include refpolicy_common.inc
-- 
1.7.9.5

[meta-selinux][PATCH 2/4] refpolicy: add rules for /var/log symlink on poky

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 ++++++++++++++++++++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    2 ++
 3 files changed, 61 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 08ed04c..c3c7732 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -37,6 +37,8 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
             file://poky-policy-add-rules-for-var-log-symlink.patch \
             file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
             file://poky-policy-add-rules-for-var-cache-symlink.patch \
             file://poky-policy-add-rules-for-tmp-symlink.patch \
             file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-- 
1.7.9.5

[meta-selinux][PATCH 3/4] refpolicy: add targeted policy type

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

This SELinux policy would targeted most of service domains for lock
down, and users and admins will login in with unconfined_t domain.

So they would have the same access to the system as if SELinux was not
enabled, when running commands and services which are not targeted.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
 .../refpolicy-unconfined_u-default-user.patch      |  198 ++++++++++++++++++++
 .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
 3 files changed, 276 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
new file mode 100644
index 0000000..44dff5e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -0,0 +1,60 @@
+Subject: [PATCH] refpolicy: fix optional issue on sysadm module
+
+init and locallogin modules have a depend for sysadm module because
+they have called sysadm interfaces(sysadm_shell_domtrans). Since
+sysadm is not a core module, we could make the sysadm_shell_domtrans
+calls optionally by optional_policy.
+
+So, we could make the minimum policy without sysadm module.
+
+Upstream-Status: pending
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/init.te       | 14 ++++++++------
+ policy/modules/system/locallogin.te |  4 +++-
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 4a88fa1..4548a7e 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -188,12 +188,14 @@ ifdef(`distro_redhat',`
+ 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ ')
+ 
+-tunable_policy(`init_upstart',`
+-	corecmd_shell_domtrans(init_t, initrc_t)
+-',`
+-	# Run the shell in the sysadm role for single-user mode.
+-	# causes problems with upstart
+-	sysadm_shell_domtrans(init_t)
++# Run the shell in the sysadm role for single-user mode.
++# causes problems with upstart
++optional_policy(`
++	tunable_policy(`init_upstart',`
++		corecmd_shell_domtrans(init_t, initrc_t)
++	',`
++		sysadm_shell_domtrans(init_t)
++	')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index f5a5de7..d942f05 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -239,7 +239,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+ 
+-sysadm_shell_domtrans(sulogin_t)
++optional_policy(`
++	sysadm_shell_domtrans(sulogin_t)
++')
+ 
+ # suse and debian do not use pam with sulogin...
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
new file mode 100644
index 0000000..e39afca
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -0,0 +1,198 @@
+Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
+
+For targeted policy type, we define unconfined_u as the default selinux
+user for root and normal users, so users could login in and run most
+commands and services on unconfined domains.
+
+Also add rules for users to run init scripts directly, instead of via
+run_init.
+
+Upstream-Status: Inappropriate [configuration] 
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ config/appconfig-mcs/seusers        |    4 +-
+ policy/modules/roles/sysadm.te      |    1 +
+ policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++------
+ policy/modules/system/unconfined.te |    7 +++++
+ policy/users                        |   14 +++------
+ 5 files changed, 54 insertions(+), 19 deletions(-)
+
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index dc5f1e4..4428da8 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,3 +1,3 @@
+ system_u:system_u:s0-mcs_systemhigh
+-root:root:s0-mcs_systemhigh
+-__default__:user_u:s0
++root:unconfined_u:s0-mcs_systemhigh
++__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 85ff145..77d7bdc 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -37,6 +37,7 @@ ubac_file_exempt(sysadm_t)
+ ubac_fd_exempt(sysadm_t)
+ 
+ init_exec(sysadm_t)
++init_script_role_transition(sysadm_r)
+ 
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index d26fe81..fa46786 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -803,11 +803,12 @@ interface(`init_script_file_entry_type',`
+ #
+ interface(`init_spec_domtrans_script',`
+ 	gen_require(`
+-		type initrc_t, initrc_exec_t;
++		type initrc_t;
++		attribute init_script_file_type;
+ 	')
+ 
+ 	files_list_etc($1)
+-	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
++	spec_domtrans_pattern($1, init_script_file_type, initrc_t)
+ 
+ 	ifdef(`distro_gentoo',`
+ 		gen_require(`
+@@ -818,11 +819,11 @@ interface(`init_spec_domtrans_script',`
+ 	')
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
++		range_transition $1 init_script_file_type:process s0;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ 	')
+ ')
+ 
+@@ -838,18 +839,19 @@ interface(`init_spec_domtrans_script',`
+ #
+ interface(`init_domtrans_script',`
+ 	gen_require(`
+-		type initrc_t, initrc_exec_t;
++		type initrc_t;
++		attribute init_script_file_type;
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1, initrc_exec_t, initrc_t)
++	domtrans_pattern($1, init_script_file_type, initrc_t)
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
++		range_transition $1 init_script_file_type:process s0;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+ 	')
+ ')
+ 
+@@ -1792,3 +1794,32 @@ interface(`init_udp_recvfrom_all_daemons',`
+ 	')
+ 	corenet_udp_recvfrom_labeled($1, daemon)
+ ')
++
++########################################
++## <summary>
++##	Transition to system_r when execute an init script
++## </summary>
++## <desc>
++##	<p>
++##	Execute a init script in a specified role
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="source_role">
++##	<summary>
++##	Role to transition from.
++##	</summary>
++## </param>
++#
++interface(`init_script_role_transition',`
++	gen_require(`
++		attribute init_script_file_type;
++	')
++
++	role_transition $1 init_script_file_type system_r;
++')
++
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 0280b32..00b4dcf 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -20,6 +20,11 @@ type unconfined_execmem_t;
+ type unconfined_execmem_exec_t;
+ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+ role unconfined_r types unconfined_execmem_t;
++role unconfined_r types unconfined_t;
++role system_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
++allow unconfined_r system_r;
+ 
+ ########################################
+ #
+@@ -34,6 +39,8 @@ mcs_killall(unconfined_t)
+ mcs_ptrace_all(unconfined_t)
+ 
+ init_run_daemon(unconfined_t, unconfined_r)
++init_domtrans_script(unconfined_t)
++init_script_role_transition(unconfined_r)
+ 
+ libs_run_ldconfig(unconfined_t, unconfined_r)
+ 
+diff --git a/policy/users b/policy/users
+index c4ebc7e..f300f22 100644
+--- a/policy/users
++++ b/policy/users
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # permit any access to such users, then remove this entry.
+ #
+ gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ # Until order dependence is fixed for users:
+-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+ #
+ # The following users correspond to Unix identities.
+@@ -38,8 +38,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
+ # role should use the staff_r role instead of the user_r role when
+ # not in the sysadm_r.
+ #
+-ifdef(`direct_sysadm_daemon',`
+-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-',`
+-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+-')
++gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-- 
+1.7.1
+
diff --git a/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
new file mode 100644
index 0000000..0f954ec
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
@@ -0,0 +1,18 @@
+SUMMARY = "SELinux targeted policy"
+DESCRIPTION = "\
+This is the reference policy for SELinux targeted most of service domains \
+for lock down. \
+Users and admins will login in with unconfined_t domain, so they would have \
+the same access to the system as if SELinux was not enabled.\
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-${PV}:"
+
+POLICY_NAME = "targeted"
+POLICY_TYPE = "mcs"
+POLICY_MLS_SENS = "0"
+
+include refpolicy_${PV}.inc
+
+SRC_URI += "file://refpolicy-fix-optional-issue-on-sysadm-module.patch \
+	file://refpolicy-unconfined_u-default-user.patch"
-- 
1.7.9.5

[meta-selinux][PATCH 4/4] refpolicy: add minimum targeted policy

[wenzong.fan]

From: Wenzong Fan <wenzong.fan@windriver.com>

This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 ++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
new file mode 100644
index 0000000..e904810
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
@@ -0,0 +1,46 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+
+CORE_POLICY_MODULES = "unconfined \
+	selinuxutil storage sysnetwork \
+	application libraries miscfiles logging userdomain \
+	init mount modutils getty authlogin locallogin \
+	"
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+prepare_policy_store () {
+	oe_runmake install \
+		DESTDIR=${D}
+
+	# Prepare to create policy store
+	mkdir -p ${D}${sysconfdir}/selinux/
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+	bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
+		${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+	for i in ${POLICY_MODULES_MIN}; do
+		bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
+			${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
+	done
+}
-- 
1.7.9.5

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[Pascal Ouyang]

于 14-3-25 上午9:07, wenzong.fan@windriver.com 写道:
> From: Wenzong Fan <wenzong.fan@windriver.com>
> 
> Changes:
> * backport tmpfs_t patch from upstream;
> * add rules for /var/log symlink on poky;
> * add targeted policy type
> * add minimum targeted policy
> 
> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
> 
>    refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
> 
> are available in the git repository at:
> 
>    git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
> 
> Wenzong Fan (4):
>    refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>      systems
>    refpolicy: add rules for /var/log symlink on poky
>    refpolicy: add targeted policy type
>    refpolicy: add minimum targeted policy
> 
>   ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>   ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>   ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>   .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>   ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>   .../refpolicy-unconfined_u-default-user.patch      |  198 ++++++++++++++++++++
>   .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>   .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>   8 files changed, 414 insertions(+)
>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>   create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
> 

Ack. :)

-- 
- Pascal

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[Joe MacDonald]

[-- Attachment #1: Type: text/plain, Size: 3007 bytes --]

Hey Wenzong,

I merged two of these four.

[[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:

> From: Wenzong Fan <wenzong.fan@windriver.com>
> 
> Changes:
> * backport tmpfs_t patch from upstream;
> * add rules for /var/log symlink on poky;

These both went in.  These:

> * add targeted policy type
> * add minimum targeted policy

I'm less clear on.  They both look like significant changes to
refpolicy-* behaviour, which is fine, but in that case I think it'd be
better to give them a different name.  Or one that differentiates them
significantly.  For example the "minimum" policy has users unconfined
and applications confined?  Or neither?  I'm not sure what the value is
of these.

If they really are just specialized versions of the standard reference
policy, they should at least be ported to use the refpolicy_common
infrastructure Phil set up a while back.

Thanks,
-J.

> 
> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
> 
>   refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
> 
> are available in the git repository at:
> 
>   git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>   http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
> 
> Wenzong Fan (4):
>   refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>     systems
>   refpolicy: add rules for /var/log symlink on poky
>   refpolicy: add targeted policy type
>   refpolicy: add minimum targeted policy
> 
>  ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>  ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>  ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>  .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>  ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>  .../refpolicy-unconfined_u-default-user.patch      |  198 ++++++++++++++++++++
>  .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>  .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>  8 files changed, 414 insertions(+)
>  create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>  create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>  create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>  create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>  create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>  create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>  create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
> 
-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[Pascal Ouyang]

于 14-4-4 上午3:20, Joe MacDonald 写道:
> Hey Wenzong,
>
> I merged two of these four.
>
> [[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:
>
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Changes:
>> * backport tmpfs_t patch from upstream;
>> * add rules for /var/log symlink on poky;
>
> These both went in.  These:
>
>> * add targeted policy type
>> * add minimum targeted policy
>
> I'm less clear on.  They both look like significant changes to
> refpolicy-* behaviour, which is fine, but in that case I think it'd be
> better to give them a different name.  Or one that differentiates them
> significantly.  For example the "minimum" policy has users unconfined
> and applications confined?  Or neither?  I'm not sure what the value is
> of these.
>
> If they really are just specialized versions of the standard reference
> policy, they should at least be ported to use the refpolicy_common
> infrastructure Phil set up a while back.

Hi Joe&Wenzong,

According to the origin design, both policy types are targeted policies.

For targeted policies,
* Users will login into shells on unconfined domain.
* For applications with no policy module or with policy module disabled, 
they will also run on unconfined domain.
* For applications "targeted", they would have policy module enabled, 
with rules to do domtrans from unconfined/init* domain to their own domain.

The result will be:
- standard/mls :
   un-ruled applications(usually bin_t) will run on unconfined domain, 
so operations will *not* be blocked.
- targeted/minimum
   un-ruled applications will run on user's current domain, such as 
user_t,sysadm_t, so most privileged operations will be blocked.


Difference between refpolicy-minium&refpolicy-targeted
* refpolicy-minium = targeted policy with only core policies
   It should just be used for admins to defined their own policy.
   For example, a httpd server could just use refpolicy-minium + httpd 
module. Actually, I have thought to use refpolicy-targeted-minium as its 
name, but not in the end.
* refpolicy-targeted = targeted policy with all 300+ modules

Thanks. :)

- Pascal

>
> Thanks,
> -J.
>
>>
>> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
>>
>>    refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>>
>> are available in the git repository at:
>>
>>    git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
>>
>> Wenzong Fan (4):
>>    refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>>      systems
>>    refpolicy: add rules for /var/log symlink on poky
>>    refpolicy: add targeted policy type
>>    refpolicy: add minimum targeted policy
>>
>>   ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>>   ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>>   ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>>   .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>>   ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>>   .../refpolicy-unconfined_u-default-user.patch      |  198 ++++++++++++++++++++
>>   .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>>   .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>>   8 files changed, 414 insertions(+)
>>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>>   create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>>   create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>>   create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
>>


-- 
- Pascal

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[Pascal Ouyang]

于 14-4-4 下午2:57, Pascal Ouyang 写道:
> 于 14-4-4 上午3:20, Joe MacDonald 写道:
>> Hey Wenzong,
>>
>> I merged two of these four.
>>
>> [[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
>> some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:
>>
>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>
>>> Changes:
>>> * backport tmpfs_t patch from upstream;
>>> * add rules for /var/log symlink on poky;
>>
>> These both went in.  These:
>>
>>> * add targeted policy type
>>> * add minimum targeted policy
>>
>> I'm less clear on.  They both look like significant changes to
>> refpolicy-* behaviour, which is fine, but in that case I think it'd be
>> better to give them a different name.  Or one that differentiates them
>> significantly.  For example the "minimum" policy has users unconfined
>> and applications confined?  Or neither?  I'm not sure what the value is
>> of these.
>>
>> If they really are just specialized versions of the standard reference
>> policy, they should at least be ported to use the refpolicy_common
>> infrastructure Phil set up a while back.
>
> Hi Joe&Wenzong,
>
> According to the origin design, both policy types are targeted policies.
>
> For targeted policies,
> * Users will login into shells on unconfined domain.
> * For applications with no policy module or with policy module disabled,
> they will also run on unconfined domain.
> * For applications "targeted", they would have policy module enabled,
> with rules to do domtrans from unconfined/init* domain to their own domain.
>
> The result will be:
> - standard/mls :
>    un-ruled applications(usually bin_t) will run on unconfined domain,
> so operations will *not* be blocked.

s#standard/mls#targeted/minimum#

> - targeted/minimum
>    un-ruled applications will run on user's current domain, such as
> user_t,sysadm_t, so most privileged operations will be blocked.
>

s#targeted/minimum#standard/mls#

:-;

- Pascal

>
> Difference between refpolicy-minium&refpolicy-targeted
> * refpolicy-minium = targeted policy with only core policies
>    It should just be used for admins to defined their own policy.
>    For example, a httpd server could just use refpolicy-minium + httpd
> module. Actually, I have thought to use refpolicy-targeted-minium as its
> name, but not in the end.
> * refpolicy-targeted = targeted policy with all 300+ modules
>
> Thanks. :)
>
> - Pascal
>
>>
>> Thanks,
>> -J.
>>
>>>
>>> The following changes since commit
>>> a6079a43719e79e12a57e609923a0cccdba06916:
>>>
>>>    refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>>>
>>> are available in the git repository at:
>>>
>>>    git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>>>
>>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
>>>
>>>
>>> Wenzong Fan (4):
>>>    refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>>>      systems
>>>    refpolicy: add rules for /var/log symlink on poky
>>>    refpolicy: add targeted policy type
>>>    refpolicy: add minimum targeted policy
>>>
>>>   ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>>>   ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>>>   ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>>>   .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>>>   ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>>>   .../refpolicy-unconfined_u-default-user.patch      |  198
>>> ++++++++++++++++++++
>>>   .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>>>   .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>>>   8 files changed, 414 insertions(+)
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
>>>
>
>


-- 
- Pascal

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[Joe MacDonald]

[-- Attachment #1: Type: text/plain, Size: 5189 bytes --]

Hey guys,

Sorry about the delayed response on these, I merged them today with a
minor update to the targeted description based on the explanation below.

Thanks,
-J.

[Re: [yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.04.04 (Fri 15:57) Pascal Ouyang wrote:

> 于 14-4-4 下午2:57, Pascal Ouyang 写道:
> >于 14-4-4 上午3:20, Joe MacDonald 写道:
> >>Hey Wenzong,
> >>
> >>I merged two of these four.
> >>
> >>[[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
> >>some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:
> >>
> >>>From: Wenzong Fan <wenzong.fan@windriver.com>
> >>>
> >>>Changes:
> >>>* backport tmpfs_t patch from upstream;
> >>>* add rules for /var/log symlink on poky;
> >>
> >>These both went in.  These:
> >>
> >>>* add targeted policy type
> >>>* add minimum targeted policy
> >>
> >>I'm less clear on.  They both look like significant changes to
> >>refpolicy-* behaviour, which is fine, but in that case I think it'd be
> >>better to give them a different name.  Or one that differentiates them
> >>significantly.  For example the "minimum" policy has users unconfined
> >>and applications confined?  Or neither?  I'm not sure what the value is
> >>of these.
> >>
> >>If they really are just specialized versions of the standard reference
> >>policy, they should at least be ported to use the refpolicy_common
> >>infrastructure Phil set up a while back.
> >
> >Hi Joe&Wenzong,
> >
> >According to the origin design, both policy types are targeted policies.
> >
> >For targeted policies,
> >* Users will login into shells on unconfined domain.
> >* For applications with no policy module or with policy module disabled,
> >they will also run on unconfined domain.
> >* For applications "targeted", they would have policy module enabled,
> >with rules to do domtrans from unconfined/init* domain to their own domain.
> >
> >The result will be:
> >- standard/mls :
> >   un-ruled applications(usually bin_t) will run on unconfined domain,
> >so operations will *not* be blocked.
> 
> s#standard/mls#targeted/minimum#
> 
> >- targeted/minimum
> >   un-ruled applications will run on user's current domain, such as
> >user_t,sysadm_t, so most privileged operations will be blocked.
> >
> 
> s#targeted/minimum#standard/mls#
> 
> :-;
> 
> - Pascal
> 
> >
> >Difference between refpolicy-minium&refpolicy-targeted
> >* refpolicy-minium = targeted policy with only core policies
> >   It should just be used for admins to defined their own policy.
> >   For example, a httpd server could just use refpolicy-minium + httpd
> >module. Actually, I have thought to use refpolicy-targeted-minium as its
> >name, but not in the end.
> >* refpolicy-targeted = targeted policy with all 300+ modules
> >
> >Thanks. :)
> >
> >- Pascal
> >
> >>
> >>Thanks,
> >>-J.
> >>
> >>>
> >>>The following changes since commit
> >>>a6079a43719e79e12a57e609923a0cccdba06916:
> >>>
> >>>   refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
> >>>
> >>>are available in the git repository at:
> >>>
> >>>   git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
> >>>
> >>>http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
> >>>
> >>>
> >>>Wenzong Fan (4):
> >>>   refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
> >>>     systems
> >>>   refpolicy: add rules for /var/log symlink on poky
> >>>   refpolicy: add targeted policy type
> >>>   refpolicy: add minimum targeted policy
> >>>
> >>>  ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
> >>>  ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
> >>>  ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
> >>>  .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
> >>>  ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
> >>>  .../refpolicy-unconfined_u-default-user.patch      |  198
> >>>++++++++++++++++++++
> >>>  .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
> >>>  .../refpolicy/refpolicy_2.20130424.inc             |    3 +
> >>>  8 files changed, 414 insertions(+)
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
> >>>
> >>>  create mode 100644
> >>>recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
> >>>
> >
> >
> 
> 
-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

Re: [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

[wenzong fan]

On 04/04/2014 02:57 PM, Pascal Ouyang wrote:
> 于 14-4-4 上午3:20, Joe MacDonald 写道:
>> Hey Wenzong,
>>
>> I merged two of these four.
>>
>> [[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
>> some updates] On 14.03.24 (Mon 21:07) wenzong.fan@windriver.com wrote:
>>
>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>
>>> Changes:
>>> * backport tmpfs_t patch from upstream;
>>> * add rules for /var/log symlink on poky;
>>
>> These both went in.  These:
>>
>>> * add targeted policy type
>>> * add minimum targeted policy
>>
>> I'm less clear on.  They both look like significant changes to
>> refpolicy-* behaviour, which is fine, but in that case I think it'd be
>> better to give them a different name.  Or one that differentiates them
>> significantly.  For example the "minimum" policy has users unconfined
>> and applications confined?  Or neither?  I'm not sure what the value is
>> of these.
>>
>> If they really are just specialized versions of the standard reference
>> policy, they should at least be ported to use the refpolicy_common
>> infrastructure Phil set up a while back.

We have used the refpolicy_common via: include refpolicy_${PV}.inc -> 
refpolicy_common.inc

And appreciate for Pascal clarify the usage & difference between those 
two policies:)

Wenzong

>
> Hi Joe&Wenzong,
>
> According to the origin design, both policy types are targeted policies.
>
> For targeted policies,
> * Users will login into shells on unconfined domain.
> * For applications with no policy module or with policy module disabled,
> they will also run on unconfined domain.
> * For applications "targeted", they would have policy module enabled,
> with rules to do domtrans from unconfined/init* domain to their own domain.
>
> The result will be:
> - standard/mls :
>    un-ruled applications(usually bin_t) will run on unconfined domain,
> so operations will *not* be blocked.
> - targeted/minimum
>    un-ruled applications will run on user's current domain, such as
> user_t,sysadm_t, so most privileged operations will be blocked.
>
>
> Difference between refpolicy-minium&refpolicy-targeted
> * refpolicy-minium = targeted policy with only core policies
>    It should just be used for admins to defined their own policy.
>    For example, a httpd server could just use refpolicy-minium + httpd
> module. Actually, I have thought to use refpolicy-targeted-minium as its
> name, but not in the end.
> * refpolicy-targeted = targeted policy with all 300+ modules
>
> Thanks. :)
>
> - Pascal
>
>>
>> Thanks,
>> -J.
>>
>>>
>>> The following changes since commit
>>> a6079a43719e79e12a57e609923a0cccdba06916:
>>>
>>>    refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>>>
>>> are available in the git repository at:
>>>
>>>    git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>>>
>>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
>>>
>>>
>>> Wenzong Fan (4):
>>>    refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>>>      systems
>>>    refpolicy: add rules for /var/log symlink on poky
>>>    refpolicy: add targeted policy type
>>>    refpolicy: add minimum targeted policy
>>>
>>>   ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>>>   ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>>>   ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>>>   .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>>>   ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>>>   .../refpolicy-unconfined_u-default-user.patch      |  198
>>> ++++++++++++++++++++
>>>   .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>>>   .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>>>   8 files changed, 414 insertions(+)
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
>>>
>
>