Fix the busybox directory aliases in refpolicy's file_contexts.subs_dist, and set the correct labels for /sbin/init.sysvinit and /bin/start_getty.
Signed-off-by: Yi Zhao <[email protected]>
---
 ...bs_dist-fix-busybox-directory-aliase.patch | 32 +++++++++++++++++++
 ...fc-set-correct-label-for-start_getty.patch | 32 +++++++++++++++++++
 ...-set-correct-label-for-init.sysvinit.patch | 29 +++++++++++++++++
 ...bs_dist-fix-busybox-directory-aliase.patch | 32 +++++++++++++++++++
 ...fc-set-correct-label-for-start_getty.patch | 32 +++++++++++++++++++
 ...-set-correct-label-for-init.sysvinit.patch | 29 +++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 3 ++
 7 files changed, 189 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
new file mode 100644
index 0000000..9fe2548
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
@@ -0,0 +1,32 @@
+From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:01:08 +0800
+Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases
+
+The /usr/bin and /usr/sbin are the original paths which configured in
+file contextes.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ config/file_contexts.subs_dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 04fca3c..c720871 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -44,7 +44,7 @@
+
+ # busybox aliases
+ # quickly match up the busybox built-in tree to the base filesystem tree
+-/usr/lib/busybox/bin /bin
+-/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
new file mode 100644
index 0000000..35e8eed
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
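Review bot: The corrected aliases `/usr/lib/busybox/bin /usr/bin` and `/usr/lib/busybox/sbin /usr/sbin` only work because, as far as I recall, libselinux applies file_contexts.subs_dist in a single pass and never re-runs the substituted path through the table, so the old `/bin` and `/sbin` targets could never reach the `/usr/bin`-based entries in the .fc files; the inner commit message should say that instead of only "are the original paths", e.g. `Substitutions are not chained, so the alias must point straight at the /usr path the .fc entries use.` Because the mapping is prefix-based, every applet under /usr/lib/busybox/bin now inherits whatever the identically named /usr/bin entry carries, including any privileged exec type, so the result is worth checking with `matchpathcon /usr/lib/busybox/bin/login` against `matchpathcon /usr/bin/login` on a target before relying on it. The `Upstream-Status: Inappropriate [embedded specific]` tag also looks questionable: stale `/bin`/`/sbin` targets would misfire for any user of the /usr-merged refpolicy layout, which reads as an upstream bug rather than an embedded-only workaround.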
@@ -0,0 +1,32 @@
+From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:12:55 +0800
+Subject: [PATCH] getty.fc: set correct label for start_getty
+
+The start_getty label should be set to bin_t not getty_exec_t.
+
+Fix error:
+setsid: failed to execute /sbin/getty: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea64..53ff613 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
+
+ /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
new file mode 100644
index 0000000..0f024c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
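Review bot: The new `/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)` entry overlaps the `/usr/bin/.*getty` regex two lines above it, so it only takes effect if the literal entry beats the regex; libselinux prefers the more specific match as far as I remember, but the outcome should be confirmed with `matchpathcon /usr/bin/start_getty` after setfiles rather than assumed. The security reasoning is also missing from the inner commit message: with bin_t the wrapper runs in its caller's domain (presumably init_t) and the confined getty_t transition happens only when it execs the real getty, which still matches the regex, so the observed `setsid: failed to execute /sbin/getty: Permission denied` is a symptom, not the rationale. A one-line comment in getty.fc such as `# start_getty is a wrapper script; the getty_t transition happens on the real getty it execs` would save the next reader the same investigation. The `--` type field restricts the entry to regular files, so if start_getty is installed as a symlink on the image this line will not match it.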
@@ -0,0 +1,29 @@
+From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:09:44 +0800
+Subject: [PATCH] init.fc: set correct label for init.sysvinit
+
+The /sbin/init.sysvinit should be set the label init_exec_t.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ policy/modules/system/init.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce9..3c063b1 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
new file mode 100644
index 0000000..9fe2548
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
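Review bot: The hunk header names `ifdef(`distro_gentoo',` as the nearest preceding context, so it is worth confirming that the new `/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)` line lands outside that conditional block; the neighbouring `init(ng)?` and `upstart` entries look unconditional, but the closing `')` is not visible in the hunk. The inner commit message speaks of `/sbin/init.sysvinit` while the entry is written for `/usr/sbin`, which only coincide through the /sbin to /usr/sbin substitution in file_contexts.subs_dist; a sentence saying so would stop the two from reading as a mismatch. Since this labels a PID 1 candidate with init_exec_t, the commit should also state which file the kernel actually execs on the image (the real init.sysvinit or an alternatives symlink), because the `--` type field matches regular files only and the init_t transition depends on the executed file carrying this label.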
@@ -0,0 +1,32 @@
+From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:01:08 +0800
+Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases
+
+The /usr/bin and /usr/sbin are the original paths which configured in
+file contextes.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ config/file_contexts.subs_dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 04fca3c..c720871 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -44,7 +44,7 @@
+
+ # busybox aliases
+ # quickly match up the busybox built-in tree to the base filesystem tree
+-/usr/lib/busybox/bin /bin
+-/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
new file mode 100644
index 0000000..35e8eed
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
@@ -0,0 +1,32 @@
+From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:12:55 +0800
+Subject: [PATCH] getty.fc: set correct label for start_getty
+
+The start_getty label should be set to bin_t not getty_exec_t.
+
+Fix error:
+setsid: failed to execute /sbin/getty: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea64..53ff613 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0)
+
+ /usr/bin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch
new file mode 100644
index 0000000..0f024c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch
@@ -0,0 +1,29 @@
+From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <[email protected]>
+Date: Fri, 22 Nov 2019 14:09:44 +0800
+Subject: [PATCH] init.fc: set correct label for init.sysvinit
+
+The /sbin/init.sysvinit should be set the label init_exec_t.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <[email protected]>
+---
+ policy/modules/system/init.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce9..3c063b1 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+ /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+
+--
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..e567f78 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -52,6 +52,9 @@ SRC_URI += " \
 file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
 file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
 file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+ file://file_contexts.subs_dist-fix-busybox-directory-aliase.patch \
+ file://init.fc-set-correct-label-for-init.sysvinit.patch \
+ file://getty.fc-set-correct-label-for-start_getty.patch \
 "

 S = "${WORKDIR}/refpolicy"
--
2.17.1
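Review bot: The three new SRC_URI entries drop the `00NN-` prefix that the neighbouring `0032-`, `0033-` and `0034-` patches use, so their position in the series is no longer readable from the file name; naming them `0035-file_contexts.subs_dist-fix-busybox-directory-aliase.patch`, `0036-init.fc-set-correct-label-for-init.sysvinit.patch` and `0037-getty.fc-set-correct-label-for-start_getty.patch` would keep the series self-describing. The same three patches are also added byte-identically under both refpolicy-2.20190201/ and refpolicy-git/ (the new-file headers show the same blob hashes 9fe2548, 35e8eed and 0f024c6 in both directories), so any future fix must be made twice; if the layer's FILESEXTRAPATHS setup allows it, a shared files/ directory would avoid the two copies drifting apart. The listed order (subs_dist, init.fc, getty.fc) is fine since the three patches touch disjoint files, and the SRC_URI assignment continues outside the hunk.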
