[meta-selinux][warrior][PATCH 2/2] refpolicy: fix labels for busybox init.sysvinit and start_getty

Home Messages Hashtags Subgroups

#47377

[meta-selinux][warrior][PATCH 2/2] refpolicy: fix labels for busybox init.sysvinit and start_getty

Yi Zhao #47377 Fix busybox directory aliases issue. Set correct labels for /sbin/init.sysvinit and /bin/start_getty. Signed-off-by: Yi Zhao <yi.zhao@...> --- ...bs_dist-fix-busybox-directory-aliase.patch \| 32 +++++++++++++++++++ ...fc-set-correct-label-for-start_getty.patch \| 32 +++++++++++++++++++ ...-set-correct-label-for-init.sysvinit.patch \| 29 +++++++++++++++++ ...bs_dist-fix-busybox-directory-aliase.patch \| 32 +++++++++++++++++++ ...fc-set-correct-label-for-start_getty.patch \| 32 +++++++++++++++++++ ...-set-correct-label-for-init.sysvinit.patch \| 29 +++++++++++++++++ .../refpolicy/refpolicy_common.inc \| 3 ++ 7 files changed, 189 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch create mode 100644 recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch new file mode 100644 index 0000000..9fe2548 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch @@ -0,0 +1,32 @@ +From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:01:08 +0800 +Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases + +The /usr/bin and /usr/sbin are the original paths which configured in +file contextes. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + config/file_contexts.subs_dist \| 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist +index 04fca3c..c720871 100644 +--- a/config/file_contexts.subs_dist ++++ b/config/file_contexts.subs_dist +@@ -44,7 +44,7 @@ + + # busybox aliases + # quickly match up the busybox built-in tree to the base filesystem tree +-/usr/lib/busybox/bin /bin +-/usr/lib/busybox/sbin /sbin ++/usr/lib/busybox/bin /usr/bin ++/usr/lib/busybox/sbin /usr/sbin + /usr/lib/busybox/usr /usr + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch new file mode 100644 index 0000000..35e8eed --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch @@ -0,0 +1,32 @@ +From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:12:55 +0800 +Subject: [PATCH] getty.fc: set correct label for start_getty + +The start_getty label should be set to bin_t not getty_exec_t. + +Fix error: +setsid: failed to execute /sbin/getty: Permission denied + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + policy/modules/system/getty.fc \| 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index 116ea64..53ff613 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -4,6 +4,7 @@ + /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) + + /usr/bin/.getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/.getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch new file mode 100644 index 0000000..0f024c6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch @@ -0,0 +1,29 @@ +From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:09:44 +0800 +Subject: [PATCH] init.fc: set correct label for init.sysvinit + +The /sbin/init.sysvinit should be set the label init_exec_t. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + policy/modules/system/init.fc \| 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 11a6ce9..3c063b1 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',` + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch new file mode 100644 index 0000000..9fe2548 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch @@ -0,0 +1,32 @@ +From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:01:08 +0800 +Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases + +The /usr/bin and /usr/sbin are the original paths which configured in +file contextes. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + config/file_contexts.subs_dist \| 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist +index 04fca3c..c720871 100644 +--- a/config/file_contexts.subs_dist ++++ b/config/file_contexts.subs_dist +@@ -44,7 +44,7 @@ + + # busybox aliases + # quickly match up the busybox built-in tree to the base filesystem tree +-/usr/lib/busybox/bin /bin +-/usr/lib/busybox/sbin /sbin ++/usr/lib/busybox/bin /usr/bin ++/usr/lib/busybox/sbin /usr/sbin + /usr/lib/busybox/usr /usr + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch new file mode 100644 index 0000000..35e8eed --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch @@ -0,0 +1,32 @@ +From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:12:55 +0800 +Subject: [PATCH] getty.fc: set correct label for start_getty + +The start_getty label should be set to bin_t not getty_exec_t. + +Fix error: +setsid: failed to execute /sbin/getty: Permission denied + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + policy/modules/system/getty.fc \| 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc +index 116ea64..53ff613 100644 +--- a/policy/modules/system/getty.fc ++++ b/policy/modules/system/getty.fc +@@ -4,6 +4,7 @@ + /run/agetty\.reload -- gen_context(system_u:object_r:getty_runtime_t,s0) + + /usr/bin/.getty -- gen_context(system_u:object_r:getty_exec_t,s0) ++/usr/bin/start_getty -- gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/.getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch new file mode 100644 index 0000000..0f024c6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch @@ -0,0 +1,29 @@ +From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@...> +Date: Fri, 22 Nov 2019 14:09:44 +0800 +Subject: [PATCH] init.fc: set correct label for init.sysvinit + +The /sbin/init.sysvinit should be set the label init_exec_t. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao <yi.zhao@...> +--- + policy/modules/system/init.fc \| 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 11a6ce9..3c063b1 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',` + /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) ++/usr/sbin/init\.sysvinit -- gen_context(system_u:object_r:init_exec_t,s0) + /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) + /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +-- +2.7.4 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 137ccee..e567f78 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -52,6 +52,9 @@ SRC_URI += " \ file://0032-policy-module-init-update-for-systemd-related-allow-.patch \ file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \ file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \ + file://file_contexts.subs_dist-fix-busybox-directory-aliase.patch \ + file://init.fc-set-correct-label-for-init.sysvinit.patch \ + file://getty.fc-set-correct-label-for-start_getty.patch \ " S = "${WORKDIR}/refpolicy" -- 2.17.1
More All Messages By This Member

#47377

Join yocto@lists.yoctoproject.org to automatically receive all group messages.

Home Hashtags Subgroups Terms