<div dir="ltr"><div><div><div><div>Hello,<br><br></div>Please provide review comments or feedback, if any. It will be a great help.<br></div>@Ping. <br><br></div>Thanks<br></div>Shrikant<br><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 19, 2014 at 1:43 PM, Shrikant Bobade <span dir="ltr"><<a href="mailto:bobadeshrikant@gmail.com" target="_blank">bobadeshrikant@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">From: Shrikant Bobade <<a href="mailto:Shrikant_Bobade@mentor.com">Shrikant_Bobade@mentor.com</a>><br>
<br>
Systemd init type and related allow rules<br>
updated for refpolicy.<br>
<br>
Signed-off-by: Shrikant Bobade <<a href="mailto:Shrikant_Bobade@mentor.com">Shrikant_Bobade@mentor.com</a>><br>
---<br>
 .../refpolicy-update-for_systemd.patch             |   46 ++++++++++++++++++++<br>
 .../refpolicy/refpolicy_2.20140311.inc             |    1 +<br>
 2 files changed, 47 insertions(+)<br>
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch<br>
<br>
diff --git a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch<br>
new file mode 100644<br>
index 0000000..80b420c<br>
--- /dev/null<br>
+++ b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch<br>
@@ -0,0 +1,46 @@<br>
+refpolicy: update for systemd<br>
+<br>
+It provides the systemd support for refpolicy<br>
+and related allow rules.<br>
+The restorecon provides systemd init labeled<br>
+as init_exec_t.<br>
+<br>
+Upstream-Status: Pending<br>
+<br>
+<br>
+Signed-off-by: Shrikant Bobade <<a href="mailto:Shrikant_Bobade@mentor.com">Shrikant_Bobade@mentor.com</a>><br>
+<br>
+--- a/policy/modules/contrib/shutdown.fc<br>
++++ b/policy/modules/contrib/shutdown.fc<br>
+@@ -5,6 +5,9 @@<br>
+ /sbin/shutdown  Â  Â  Â  --  Â  Â  gen_context(system_u:object_r:shutdown_exec_t,s0)<br>
+ /sbin/shutdown\.sysvinit  Â  Â  --  Â  Â  gen_context(system_u:object_r:shutdown_exec_t,s0)<br>
+<br>
++# systemd support<br>
++/bin/systemctl  Â  Â  Â  --  Â  Â  gen_context(system_u:object_r:shutdown_exec_t,s0)<br>
++<br>
+ /usr/lib/upstart/shutdown  Â  Â --  Â  Â  gen_context(system_u:object_r:shutdown_exec_t,s0)<br>
+<br>
+ /usr/sbin/shutdown  Â  --  Â  Â  gen_context(system_u:object_r:shutdown_exec_t,s0)<br>
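Review bot: labeling /bin/systemctl as shutdown_exec_t in the added shutdown.fc line is too broad a fit. shutdown_exec_t is the entrypoint of the shutdown_t domain, whose rules in shutdown.te were written for /sbin/shutdown; with this label every systemctl invocation, including `systemctl status foo` or `systemctl restart foo` from an admin shell, enters shutdown_t, and this patch adds no shutdown.te rules for systemd's control socket or D-Bus, so those commands will either be denied or only work because of rules not in this series. If the goal is just a working shutdown/reboot, say so in the commit message, check with audit2allow what shutdown_t actually needs, and otherwise leave systemctl at its default bin_t until a dedicated type for it exists. Also note the entry matches only /bin/systemctl; systemd installs the binary under /usr/bin on images without the /bin compatibility link, so a /usr/bin/systemctl entry (or the file-context substitution this recipe already patches) is needed as well.<br>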
+--- a/policy/modules/system/init.fc<br>
++++ b/policy/modules/system/init.fc<br>
+@@ -31,6 +31,8 @@<br>
+ #<br>
+ /sbin/init(ng)?  Â  Â  Â  Â  Â  Â  Â --  Â  Â  gen_context(system_u:object_r:init_exec_t,s0)<br>
+ /sbin/init\.sysvinit  --  Â  Â  gen_context(system_u:object_r:init_exec_t,s0)<br>
++# systemd support<br>
++/lib/systemd/systemd  --  Â  Â  gen_context(system_u:object_r:init_exec_t,s0)<br>
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart<br>
+ /sbin/upstart  Â  Â  Â  Â --  Â  Â  gen_context(system_u:object_r:init_exec_t,s0)<br>
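Review bot: the new init.fc entry covers only the main /lib/systemd/systemd binary; the other daemons systemd execs from /lib/systemd/ keep whatever label libraries.fc gives that directory (lib_t by default) and therefore run in init_t with no domain transition. If that is intended for a first cut, state it in the commit message; otherwise those helpers need their own entrypoint types. Also check the path against a merged-/usr layout, where the binary lives at /usr/lib/systemd/systemd and /sbin/init is a symlink to it: verify whether the file_contexts.subs_dist patched by poky-fc-subs_dist.patch (listed in this recipe's SRC_URI) already maps /usr/lib to /lib, and if not add the /usr/lib path alongside. Minor: the two added lines land between the sysvinit entry and the comment explaining the upstart symlink, so that comment now reads as if it describes the systemd line; move the systemd entry below the upstart block.<br>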
+<br>
+--- a/policy/modules/system/init.te<br>
++++ b/policy/modules/system/init.te<br>
+@@ -913,3 +913,8 @@<br>
+ optional_policy(`<br>
+  Â  Â  Â zebra_read_config(initrc_t)<br>
+ ')<br>
++<br>
++# systemd related allow rules<br>
++allow kernel_t init_t:process dyntransition;<br>
++allow devpts_t device_t:filesystem associate;<br>
++allow init_t self:capability2 block_suspend;<br>
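Review bot: the three raw allow rules are appended after the initrc_t optional_policy blocks at the end of init.te, and two of them name types owned by other modules (kernel_t from kernel.te, devpts_t and device_t from terminal.te and devices.te), which refpolicy does not do; rules go through interfaces of the owning module and sit in the section of the domain they belong to. Concretely: `allow kernel_t init_t:process dyntransition;` belongs in the init_t section with a comment saying why it is needed (systemd starting as PID 1 in kernel_t loads the policy itself and then calls setcon() to move into the init domain, which is exactly the dyntransition permission), and should use a kernel.if interface such as kernel_dyntrans_to(init_t) where this refpolicy version provides it. `allow devpts_t device_t:filesystem associate;` has nothing to do with init_t: it lets a devpts_t-labeled object live on the device_t (devtmpfs) filesystem, so it belongs in terminal.te as dev_associate(devpts_t), after checking that it is not already there. `allow init_t self:capability2 block_suspend;` is reasonable but also belongs in the init_t section, with a note on what triggers it (the kernel checks CAP_BLOCK_SUSPEND for EPOLLWAKEUP and the wake_lock interface). Finally, since this layer also builds sysvinit images, consider guarding the systemd-only rules with a build-time conditional so a non-systemd policy does not let kernel_t dyntransition into init_t.<br>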
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc b/recipes-security/refpolicy/refpolicy_2.20140311.inc<br>
index 8894583..557b4ab 100644<br>
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc<br>
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc<br>
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \<br>
  Â  Â  Â  Â  Â  Â file://poky-fc-rpm.patch \<br>
  Â  Â  Â  Â  Â  Â file://poky-fc-ftpwho-dir.patch \<br>
  Â  Â  Â  Â  Â  Â file://poky-fc-fix-real-path_su.patch \<br>
+  Â  Â  Â  Â  Â  file://refpolicy-update-for_systemd.patch \<br>
  Â  Â  Â  Â  Â  "<br>
<br>
 # Specific policy for Poky<br>
--<br>
1.7.9.5<br>
<br>
</div></div></blockquote></div><br></div></div></div></div></div></div>