From: Shrikant Bobade <[email protected]>
Subject: Systemd init type and related allow rules updated for refpolicy.
Signed-off-by: Shrikant Bobade <[email protected]> --- .../refpolicy-update-for_systemd.patch | 50 ++++++++++++++++++++ .../refpolicy/refpolicy_2.20140311.inc | 1 + 2 files changed, 51 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch new file mode 100644 index 0000000..634061e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch 
@@ -0,0 +1,50 @@ +refpolicy: update for systemd + +It provides the systemd support for refpolicy +and related allow rules. +The restorecon provides systemd init labeled +as init_exec_t. + + +Signed-off-by: Shrikant Bobade <[email protected]> + +Index: refpolicy/policy/modules/contrib/shutdown.fc +=================================================================== +--- refpolicy.orig/policy/modules/contrib/shutdown.fc 2014-11-17 21:01:05.040804419 +0530 ++++ refpolicy/policy/modules/contrib/shutdown.fc 2014-11-18 14:38:50.854860908 +0530 +@@ -5,6 +5,9 @@ + /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) + ++# systemd support ++/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ + /usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +Index: refpolicy/policy/modules/system/init.fc +=================================================================== +--- refpolicy.orig/policy/modules/system/init.fc 2014-11-17 21:01:05.040804419 +0530 ++++ refpolicy/policy/modules/system/init.fc 2014-11-18 14:38:04.467444078 +0530 +@@ -31,6 +31,8 @@ + # + /sbin/init(ng)? 
-- gen_context(system_u:object_r:init_exec_t,s0) + /sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) ++# systemd support ++/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + # because nowadays, /sbin/init is often a symlink to /sbin/upstart + /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +Index: refpolicy/policy/modules/system/init.te +=================================================================== +--- refpolicy.orig/policy/modules/system/init.te 2014-11-17 21:03:01.577129153 +0530 ++++ refpolicy/policy/modules/system/init.te 2014-11-18 14:37:45.647680675 +0530 +@@ -913,3 +913,8 @@ + optional_policy(` + zebra_read_config(initrc_t) + ') ++ ++# systemd related allow rules ++allow kernel_t init_t:process dyntransition; ++allow devpts_t device_t:filesystem associate; ++allow init_t self:capability2 block_suspend; diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc index 8894583..19b41eb 100644 --- a/recipes-security/refpolicy/refpolicy_2.20140311.inc +++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc @@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \ file://poky-fc-rpm.patch \ file://poky-fc-ftpwho-dir.patch \ file://poky-fc-fix-real-path_su.patch \ + file://refpolicy-update-for_systemd.patch \ " # Specific policy for Poky -- 1.7.9.5 -- _______________________________________________ yocto mailing list [email protected] https://lists.yoctoproject.org/listinfo/yocto
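Review bot: the embedded patch header (the `+refpolicy: update for systemd` block) carries no `Upstream-Status:` line, which the Yocto/OE patch guidelines require for every patch shipped under a recipe; add one above the Signed-off-by (e.g. `Upstream-Status: Pending`, or `Inappropriate [...]` if the labeling is meant to stay Poky-specific) so reviewers can tell whether this is intended for upstream refpolicy. The description sentence "The restorecon provides systemd init labeled as init_exec_t" also describes the effect of running restorecon rather than what the patch does: the new init.fc entry is what assigns the label, restorecon merely applies it.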
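Review bot: labeling `/bin/systemctl` as shutdown_exec_t (shutdown.fc hunk) puts every systemctl invocation into the shutdown domain, not only `systemctl reboot`/`poweroff` but also start/stop/enable/daemon-reload, so shutdown_t's rules now govern general service management and any domain permitted to execute shutdown_exec_t gets that path as well; a dedicated type for systemctl would keep the two separable. The entry also misses the merged-/usr layout: when /bin is a symlink to /usr/bin a full relabel walks `/usr/bin/systemctl` and never visits the path through the symlink, so add `/usr/bin/systemctl -- gen_context(system_u:object_r:shutdown_exec_t,s0)` (or a `/(usr/)?bin/systemctl` pattern).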
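Review bot: the init.fc hunk has the same path-coverage gap: on a merged-/usr image the binary lives at `/usr/lib/systemd/systemd` and /lib is a symlink, so `/lib/systemd/systemd` never matches during relabeling and PID 1 would run unlabeled as init_exec_t. Use `/(usr/)?lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` or add a second entry, and mirror the existing upstart comment with one noting that /sbin/init is typically a symlink to this binary on systemd images.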
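Review bot: the three allow rules appended to init.te reference types owned by other modules (kernel_t, devpts_t, device_t) directly, which breaks refpolicy's convention that cross-module access goes through interfaces; `allow devpts_t device_t:filesystem associate;` in particular belongs in the terminal module, which owns devpts_t, not in init.te. Prefer the modules' interfaces where this refpolicy version provides them (e.g. `kernel_dyntrans_to(init_t)` and `dev_associate(devpts_t)`) over raw `allow` lines. The rules are also unconditional, so a sysvinit build gets a kernel_t to init_t dyntransition it never needs; wrap them in a systemd-specific conditional like the surrounding `optional_policy`/`ifdef` blocks in this file, and add a comment per rule stating why it is required (systemd switching its own context to init_t after loading policy, /dev/pts mounted under a device_t /dev, and whichever PID 1 operation needs CAP_BLOCK_SUSPEND), so the grants stay reviewable.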
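Review bot: the `refpolicy_2.20140311.inc` hunk is fine as a SRC_URI addition; the only nit is that the new file name mixes hyphens and an underscore (`refpolicy-update-for_systemd.patch`) while the neighbouring `poky-fc-*.patch` files use hyphens only, so `refpolicy-update-for-systemd.patch` would match the existing naming.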
