Adapt to build for scarthgap

Signed-off-by: Mykola Solianko <[email protected]>
aosedge · Oct 11, 2024 · 007e872 · 007e872
1 parent a26487d
commit 007e872
Show file tree

Hide file tree

Showing 22 changed files with 247 additions and 2 deletions.
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
@@ -89,6 +89,9 @@ logging_send_syslog_msg(quota_t)
 userdom_use_user_terminals(quota_t)
 userdom_dontaudit_use_unpriv_user_fds(quota_t)
 
+init_rw_script_stream_sockets(quota_t)
+kernel_use_fds(quota_t)
+
 optional_policy(`
 	mta_queue_filetrans(quota_t, quota_db_t, file)
 	mta_spool_filetrans(quota_t, quota_db_t, file)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
@@ -48,6 +48,9 @@ miscfiles_read_localization(loadkeys_t)
 userdom_use_user_terminals(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
 
+init_rw_script_stream_sockets(loadkeys_t)
+kernel_use_fds(loadkeys_t)
+
 optional_policy(`
 	consolesetup_read_conf(loadkeys_t)
 ')

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -753,6 +753,8 @@ kernel_search_vm_sysctl(container_engine_t)
 
 term_remount_devpts(container_engine_t)
 
+init_rw_script_stream_sockets(container_engine_t)
+
 ifdef(`init_systemd',`
 	# needed by runc, which is also invoked by other engines
 	init_run_bpf(container_engine_domain)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
@@ -190,6 +190,9 @@ write_logging_runtime_dirs(system_dbusd_t)
 
 files_map_etc_files(system_dbusd_t)
 
+init_rw_script_stream_sockets(system_dbusd_t)
+kernel_use_fds(system_dbusd_t)
+
 ifdef(`init_systemd', `
 	# gdm3 causes system_dbusd_t to want this access
 	dev_rw_dri(system_dbusd_t)
@@ -229,6 +232,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	unconfined_use_fds(system_dbusd_t)
+')
+
 optional_policy(`
 	tunable_policy(`dbus_broker_system_bus',`
 		networkmanager_startstop(system_dbusd_t)

diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
@@ -110,6 +110,8 @@ files_manage_quota_aos(dnsmasq_t)
 
 dev_rw_tee_chr_files(dnsmasq_t)
 
+kernel_use_fds(dnsmasq_t)
+
 optional_policy(`
 	cobbler_read_lib_files(dnsmasq_t)
 ')

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
@@ -317,3 +317,21 @@ interface(`ntp_admin',`
 		allow ntpd_t $1:dbus send_msg;
 	')
 ')
+
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to ntpd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_ntpd', `
+    gen_require(`
+        type ntpd_t;
+    ')
+
+    allow $1 ntpd_t:process2 nnp_transition;
+')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
+init_rw_script_stream_sockets(ntpd_t)
+kernel_use_fds(ntpd_t)
 
 ifdef(`init_systemd',`
 	allow ntpd_t self:process setfscreate;

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
@@ -282,6 +282,10 @@ userdom_signal_all_users(rpcd_t)
 
 write_logging_runtime_dirs(rpcd_t)
 
+init_rw_script_stream_sockets(rpcd_t)
+
+kernel_use_fds(rpcd_t)
+
 ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(rpcd_t)
 ')
@@ -314,7 +318,7 @@ optional_policy(`
 # NFSD local policy
 #
 
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource sys_rawio };
 
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -363,6 +367,9 @@ fs_manage_tmpfs_dirs(nfsd_t)
 
 fs_list_hugetlbfs(nfsd_t)
 
+init_rw_script_stream_sockets(nfsd_t)
+kernel_use_fds(nfsd_t)
+
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
 ')

diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
@@ -73,6 +73,9 @@ logging_send_syslog_msg(rpcbind_t)
 
 miscfiles_read_localization(rpcbind_t)
 
+init_rw_script_stream_sockets(rpcbind_t)
+kernel_use_fds(rpcbind_t)
+
 # nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
 # because the are running in different level. So add rules to allow this.
 mls_socket_read_all_levels(rpcbind_t)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
@@ -265,6 +265,9 @@ files_map_etc_files(sshd_t)
 init_manage_dir_utmp(sshd_t)
 logging_rw_generic_logs(sshd_t)
 
+init_rw_script_stream_sockets(sshd_t)
+kernel_use_fds(sshd_t)
+
 ifdef(`distro_debian',`
 	allow sshd_t self:process { getcap setcap };
 	auth_use_pam_motd_dynamic(sshd_t)
@@ -382,6 +385,8 @@ files_manage_var_dirs(ssh_keygen_t)
 files_manage_var_files(ssh_keygen_t)
 files_map_etc_files(ssh_keygen_t)
 
+init_rw_script_stream_sockets(ssh_keygen_t)
+
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')

diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if
@@ -167,6 +167,26 @@ interface(`files_manage_quota_aos',`
 	allow $1 aos_var_run_t:filesystem { quotaget quotamod remount getattr };
 ')
 
+# allow $1 aos_var_run_t:file { getattr };
+
+########################################
+## <summary>
+##	Manage update rootfs files in /var/aos directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_update_rootfs_aos',`
+	gen_require(`
+		type aos_var_run_t;
+	')
+
+	allow $1 aos_var_run_t:file { getattr };
+')
+
 ########################################
 ## <summary>
 ##	Manage overlay files in /var/aos directory.

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -926,12 +926,21 @@ miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
 
+allow_nnp_transition_to_systemd_logind(initrc_t)
+allow_nnp_transition_to_systemd_networkd(initrc_t)
+allow_nnp_transition_to_syslogd(initrc_t)
+allow_nnp_transition_to_systemd_userdbd(initrc_t)
+allow_nnp_transition_to_ntpd(initrc_t)
+allow_nnp_transition_to_systemd_resolved(initrc_t)
+allow_nnp_transition_to_systemd_hostnamed(initrc_t)
+
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
 userdom_use_inherited_user_terminals(initrc_t)
 
+
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
 

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
@@ -524,6 +524,24 @@ interface(`logging_audit_socket_activation', `
 	allow $1 syslogd_t:netlink_audit_socket create_socket_perms;
 ')
 
+########################################
+## <summary>
+##     Allow a domain to perform nnp_transition to syslogd_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`allow_nnp_transition_to_syslogd', `
+    gen_require(`
+        type syslogd_t;
+    ')
+
+    allow $1 syslogd_t:process2 nnp_transition;
+')
+
 ########################################
 ## <summary>
 ##	Relabel to and from syslog temporary file type.

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -372,7 +372,10 @@ miscfiles_read_localization(klogd_t)
 
 mls_file_read_all_levels(klogd_t)
 
+init_rw_script_stream_sockets(klogd_t)
+
 userdom_dontaudit_search_user_home_dirs(klogd_t)
+kernel_use_fds(klogd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -541,6 +544,8 @@ seutil_read_config(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
+init_rw_script_stream_sockets(syslogd_t)
+
 ifdef(`init_systemd',`
 	# for systemd-journal
 	allow syslogd_t self:capability audit_control;

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
@@ -229,6 +229,9 @@ fs_manage_bpf_dirs(lvm_t)
 init_search_keys(lvm_t)
 miscfiles_manage_generic_cert_files(lvm_t)
 
+init_rw_script_stream_sockets(lvm_t)
+write_logging_runtime_dirs(lvm_t)
+
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(lvm_t)
 

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
@@ -118,6 +118,8 @@ userdom_use_user_terminals(kmod_t)
 
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
+init_rw_script_stream_sockets(kmod_t)
+
 ifdef(`init_systemd',`
 	# for /run/tmpfiles.d/kmod.conf
 	allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
@@ -161,6 +161,11 @@ files_allow_manage_var_files(mount_t)
 files_allow_manage_var_chr_files(mount_t)
 files_allow_manage_etc_files(mount_t)
 
+init_rw_script_stream_sockets(mount_t)
+fs_list_nfsd_fs(mount_t)
+fs_getattr_tracefs_dirs(mount_t)
+kernel_use_fds(mount_t)
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		auth_read_pam_console_data(mount_t)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
@@ -671,6 +671,8 @@ userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_user_home_content_files(setfiles_t)
 
+init_rw_script_stream_sockets(setfiles_t)
+
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
 	# and then relabeled afterwards; thus

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
@@ -374,6 +374,8 @@ dev_rw_xen(ifconfig_t)
 
 var_run_file_operations(ifconfig_t)
 
+init_rw_script_stream_sockets(ifconfig_t)
+
 # For "ip netns identify $$"
 userdom_read_all_users_state(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)