From patchwork Thu Oct 12 10:31:58 2023
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1847361
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:31:58 +0200
Message-ID: <20231012103210.2915871-2-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 01/12] package/refpolicy/selinux: Add buildroot base policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, Yann E. MORIN

This policy is the first of several that support running Buildroot in
enforcing mode without any denials. This is a generic set of
Buildroot-specific permissions that are tied to the refpolicy modules
enabled when a user selects the upstream version of refpolicy.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/refpolicy/selinux/buildroot.fc | 0 package/refpolicy/selinux/buildroot.if | 1 + package/refpolicy/selinux/buildroot.te | 67 ++++++++++++++++++++++++++ 4 files changed, 69 insertions(+) create mode 100644 package/refpolicy/selinux/buildroot.fc create mode 100644 package/refpolicy/selinux/buildroot.if create mode 100644 package/refpolicy/selinux/buildroot.te diff --git a/DEVELOPERS b/DEVELOPERS index 3fffc4346c..e863d06535 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -37,6 +37,7 @@ F: package/flutter-engine/ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ +F: package/refpolicy/selinux/ F: support/testing/tests/package/test_flutter.py N: Adam Heinrich diff --git a/package/refpolicy/selinux/buildroot.fc b/package/refpolicy/selinux/buildroot.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/refpolicy/selinux/buildroot.if b/package/refpolicy/selinux/buildroot.if new file mode 100644 index 0000000000..acf797e604 --- /dev/null +++ b/package/refpolicy/selinux/buildroot.if @@ -0,0 +1 @@ +## Buildroot rules diff --git a/package/refpolicy/selinux/buildroot.te b/package/refpolicy/selinux/buildroot.te new file mode 100644 index 0000000000..1e004452ae --- /dev/null +++ b/package/refpolicy/selinux/buildroot.te 
@@ -0,0 +1,67 @@ +policy_module(buildroot, 1.0.0) + +#============= chkpwd_t ============== +allow chkpwd_t tmpfs_t:dir search; + +#============= getty_t ============== +allow getty_t device_t:chr_file { getattr ioctl open read setattr write }; +allow getty_t getty_runtime_t:file watch; +allow getty_t init_runtime_t:dir read; +allow getty_t init_runtime_t:sock_file write; +allow getty_t init_tmpfs_t:file { lock open read write }; +allow getty_t init_t:unix_stream_socket connectto; +allow getty_t proc_t:filesystem getattr; +allow getty_t sysctl_kernel_t:dir search; +allow getty_t sysctl_kernel_t:file { open read }; +allow getty_t sysctl_t:dir search; +allow getty_t tmpfs_t:dir search; +allow getty_t var_t:lnk_file read; + +#============= local_login_t ============== +allow local_login_t bin_t:file execute; +allow local_login_t device_t:chr_file { ioctl open read relabelfrom relabelto write }; +allow local_login_t init_tmpfs_t:file { lock open read write }; +allow local_login_t proc_t:filesystem getattr; +allow local_login_t var_log_t:file { create lock open read write }; +allow local_login_t var_run_t:dir { add_name write }; +allow local_login_t var_run_t:file { create lock open read write }; + +#============= semanage_t ============== +allow semanage_t tmpfs_t:dir search; + +#============= syslogd_t ============== +allow syslogd_t device_t:chr_file { open read write }; +allow syslogd_t self:capability audit_control; +allow syslogd_t self:netlink_audit_socket nlmsg_write; +allow syslogd_t tmpfs_t:dir { add_name search write }; +allow syslogd_t tmpfs_t:file { append create getattr open }; +allow syslogd_t var_t:dir { add_name write }; +allow syslogd_t var_t:file { append create }; +allow syslogd_t var_t:lnk_file read; + +#============= sysadm_t ============== +allow sysadm_t device_t:chr_file { ioctl open read write }; +allow sysadm_t kernel_t:fd use; +allow sysadm_t kernel_t:system module_request; +allow sysadm_t node_t:tcp_socket node_bind; +allow sysadm_t 
self:capability { audit_control audit_write}; +allow sysadm_t self:netlink_audit_socket { nlmsg_read nlmsg_write }; +allow sysadm_t selinux_config_t:file watch; +allow sysadm_t tmpfs_t:dir watch; +allow sysadm_t unlabeled_t:file { execute map read }; +allow sysadm_t unlabeled_t:lnk_file read; +allow sysadm_t var_t:dir watch; + +#============= klogd_t ============== +allow klogd_t device_t:chr_file { read write }; +allow klogd_t selinux_config_t:dir search; + +#============= ifconfig_t ============== +allow ifconfig_t device_t:chr_file { getattr ioctl read write }; +allow ifconfig_t proc_t:filesystem getattr; +allow ifconfig_t root_t:chr_file { read write }; +allow ifconfig_t sysctl_kernel_t:dir search; +allow ifconfig_t sysctl_kernel_t:file { open read }; + +#============= kernel_t ============== +allow kernel_t sysadm_t:process transition;
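Review bot: buildroot.fc is added empty (diffstat "buildroot.fc | 0", index 0000000000..e69de29bb2) while the buildroot.te hunk in the same patch gives getty_t, local_login_t, syslogd_t, klogd_t and ifconfig_t read/write on device_t:chr_file and gives sysadm_t `{ execute map read }` on unlabeled_t. Those are the generic fallback labels, so the console device and some files on the target are not getting a specific type at all; that is a labelling gap to fix in file contexts or with a relabel at boot, not by allowing access to device_t and unlabeled_t. Either populate the .fc with the entries that remove those denials or drop the empty file from the patch.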
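Review bot: buildroot.te consists of raw `allow` rules on types owned by other modules (tmpfs_t, device_t, init_t, sysctl_kernel_t, var_log_t, ...) with the audit2allow-style `#============= getty_t ==============` headers left in, which makes it read as a denial log converted verbatim rather than a reviewed policy. Refpolicy style is to call the owning module's interface, for example `fs_search_tmpfs(getty_t)` instead of `allow getty_t tmpfs_t:dir search;` and `kernel_read_kernel_sysctls(getty_t)` for the two sysctl_kernel_t rules, so that the rule set follows the upstream types when they change. Two rules need a comment explaining the denial behind them before this can be merged: `allow kernel_t sysadm_t:process transition;` lets the kernel domain transition straight into the administrator domain, which normally means init or a getty is running unconfined in kernel_t, and `allow sysadm_t unlabeled_t:file { execute map read };` lets the admin shell execute files that carry no label, which anyone able to drop an unlabelled file on the target could abuse. Also a style nit: `{ audit_control audit_write}` is missing the space before the closing brace.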
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:31:59 +0200
Message-ID: <20231012103210.2915871-3-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 02/12] package/busybox/selinux: Add buildroot busybox policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, Yann E. MORIN

This is a minimal SELinux policy required to run busybox in enforcing
mode without denials. It is based on the applets that Buildroot selects
by default.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/busybox/selinux/buildroot-busybox.fc | 1 + package/busybox/selinux/buildroot-busybox.if | 1 + package/busybox/selinux/buildroot-busybox.te | 16 ++++++++++++++++ 4 files changed, 19 insertions(+) create mode 100644 package/busybox/selinux/buildroot-busybox.fc create mode 100644 package/busybox/selinux/buildroot-busybox.if create mode 100644 package/busybox/selinux/buildroot-busybox.te diff --git a/DEVELOPERS b/DEVELOPERS index e863d06535..c206f5262f 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -32,6 +32,7 @@ F: package/vulkan-loader/ F: package/vulkan-tools/ N: Adam Duskett +F: package/busybox/selinux/ F: package/depot-tools/ F: package/flutter-engine/ F: package/flutter-gallery/ diff --git a/package/busybox/selinux/buildroot-busybox.fc b/package/busybox/selinux/buildroot-busybox.fc new file mode 100644 index 0000000000..6785e466f3 --- /dev/null +++ b/package/busybox/selinux/buildroot-busybox.fc @@ -0,0 +1 @@ +/lib/libbusybox* -- gen_context(system_u:object_r:lib_t,s0) diff --git a/package/busybox/selinux/buildroot-busybox.if b/package/busybox/selinux/buildroot-busybox.if new file mode 100644 index 0000000000..60ea4b190d --- /dev/null +++ b/package/busybox/selinux/buildroot-busybox.if @@ -0,0 +1 @@ +## Buildroot busybox rules diff --git a/package/busybox/selinux/buildroot-busybox.te b/package/busybox/selinux/buildroot-busybox.te new file mode 100644 index 0000000000..e7d0f510b9 --- /dev/null +++ b/package/busybox/selinux/buildroot-busybox.te 
@@ -0,0 +1,16 @@ +policy_module(buildroot-busybox, 1.0.0) + +#============= init_tmpfs_t ============== +allow init_tmpfs_t self:file { lock open read write }; + +#============= getty_t ============== +allow getty_t local_login_t:file { lock open read write }; +allow getty_t local_login_t:process { noatsecure rlimitinh siginh }; +allow getty_t security_t:filesystem getattr; +allow getty_t selinux_config_t:dir search; + +#============= local_login_t ============== +allow local_login_t device_t:chr_file { getattr setattr }; +allow local_login_t shadow_t:file { getattr open read }; +allow local_login_t sysadm_t:process { noatsecure siginh rlimitinh }; +
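Review bot: `allow init_tmpfs_t self:file { lock open read write };` has a file type as the subject of the rule. init_tmpfs_t labels init's tmpfs files, it is not a process domain, so a denial with that source context means some process is running with a file label and this rule hides a mislabelled executable or missing transition instead of fixing it; please find the process and drop the rule. The two `{ noatsecure rlimitinh siginh }` rules (getty_t into local_login_t, local_login_t into sysadm_t) loosen the domain transitions: when these checks are denied the kernel just applies the safe defaults (AT_SECURE set so the loader ignores LD_PRELOAD and friends, pending signals cleared, rlimits reset), so a `dontaudit` of the same permissions silences the denial without letting getty hand an unsanitised environment to login, or login to the admin shell. `allow local_login_t shadow_t:file { getattr open read };` is presumably needed because busybox login verifies passwords itself rather than through unix_chkpwd; if so, express it as `auth_read_shadow(local_login_t)` with a comment saying why, since direct shadow access from the login domain is what the chkpwd split in refpolicy exists to avoid. The `device_t:chr_file { getattr setattr }` rule is the same console labelling gap noted on the base policy.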
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:00 +0200
Message-ID: <20231012103210.2915871-4-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 03/12] package/sysvinit/selinux: Add buildroot sysvinit policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, Yann E. MORIN

This policy is required to run systems with sysvinit in enforcing mode
without denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/sysvinit/selinux/buildroot-sysvinit.fc | 0 package/sysvinit/selinux/buildroot-sysvinit.if | 1 + package/sysvinit/selinux/buildroot-sysvinit.te | 8 ++++++++ 4 files changed, 10 insertions(+) create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.fc create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.if create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.te diff --git a/DEVELOPERS b/DEVELOPERS index c206f5262f..36108715bf 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -39,6 +39,7 @@ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ F: package/refpolicy/selinux/ +F: package/sysvinit/selinux/ F: support/testing/tests/package/test_flutter.py N: Adam Heinrich diff --git a/package/sysvinit/selinux/buildroot-sysvinit.fc b/package/sysvinit/selinux/buildroot-sysvinit.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/sysvinit/selinux/buildroot-sysvinit.if b/package/sysvinit/selinux/buildroot-sysvinit.if new file mode 100644 index 0000000000..2b8195dfe3 --- /dev/null +++ b/package/sysvinit/selinux/buildroot-sysvinit.if @@ -0,0 +1 @@ +## Buildroot sysvinit rules diff --git a/package/sysvinit/selinux/buildroot-sysvinit.te b/package/sysvinit/selinux/buildroot-sysvinit.te new file mode 100644 index 0000000000..58c3e14580 --- /dev/null +++ b/package/sysvinit/selinux/buildroot-sysvinit.te 
@@ -0,0 +1,8 @@ +policy_module(buildroot-sysvinit, 1.0.0) + +#============= getty_t ============== +allow getty_t tmpfs_t:dir { add_name write }; +allow getty_t tmpfs_t:file { create lock open read write }; + +#============= local_login_t ============== +allow local_login_t tmpfs_t:file { lock open read write };
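Review bot: all three rules in buildroot-sysvinit.te give getty_t and local_login_t create/write/lock access to files carrying the generic tmpfs_t label, which means whatever getty creates under the tmpfs mount (/run or /tmp on a sysvinit system) is not being given a private type, even though the base policy in this series already references getty_runtime_t for exactly this purpose. A file transition into getty_runtime_t, or an entry in the empty buildroot-sysvinit.fc, keeps that state out of the shared tmpfs label; as written, any domain with write access to tmpfs_t can replace the file getty creates and login then reads and locks. Please also state in the commit message which sysvinit-specific path produced these denials, since the message only says the policy is required.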
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:01 +0200
Message-ID: <20231012103210.2915871-5-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 04/12] package/systemd/selinux: Add buildroot systemd selinux policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, Yann E. MORIN

Systemd requires quite a few extra permissions not provided by the
refpolicy systemd module to function properly in enforcing mode without
denials. This is based on Maxime Chevallier's previous work found here:
https://patchwork.ozlabs.org/project/buildroot/patch/20210107135307.1762186-3-maxime.chevallier@bootlin.com/
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/systemd/selinux/buildroot-systemd.fc | 0 package/systemd/selinux/buildroot-systemd.if | 1 + package/systemd/selinux/buildroot-systemd.te | 66 ++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 package/systemd/selinux/buildroot-systemd.fc create mode 100644 package/systemd/selinux/buildroot-systemd.if create mode 100644 package/systemd/selinux/buildroot-systemd.te diff --git a/DEVELOPERS b/DEVELOPERS index 36108715bf..e49960f572 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -39,6 +39,7 @@ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ F: package/refpolicy/selinux/ +F: package/systemd/selinux/ F: package/sysvinit/selinux/ F: support/testing/tests/package/test_flutter.py diff --git a/package/systemd/selinux/buildroot-systemd.fc b/package/systemd/selinux/buildroot-systemd.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/systemd/selinux/buildroot-systemd.if b/package/systemd/selinux/buildroot-systemd.if new file mode 100644 index 0000000000..7c56777c32 --- /dev/null +++ b/package/systemd/selinux/buildroot-systemd.if @@ -0,0 +1 @@ +## Buildroot systemd rules diff --git a/package/systemd/selinux/buildroot-systemd.te b/package/systemd/selinux/buildroot-systemd.te new file mode 100644 index 0000000000..8d6dee99cf --- /dev/null +++ b/package/systemd/selinux/buildroot-systemd.te 
@@ -0,0 +1,66 @@ +policy_module(buildroot-systemd, 1.0.0) + +#============= sysadm_t ============== +allow sysadm_t init_t:fd use; + +#============= system_dbusd_t ============== +allow system_dbusd_t init_t:unix_stream_socket connectto; + +#============= systemd_generator_t ============== +allow systemd_generator_t locale_t:dir search; +allow systemd_generator_t locale_t:file { getattr open read }; +allow systemd_generator_t locale_t:lnk_file read; +allow systemd_generator_t self:capability dac_override; +allow systemd_generator_t self:process setfscreate; +allow systemd_generator_t selinux_config_t:dir { getattr search }; +allow systemd_generator_t tty_device_t:chr_file { ioctl open read write }; + +#============= systemd_homed_t ============== +allow systemd_homed_t self:unix_stream_socket listen; +allow systemd_homed_t selinux_config_t:dir search; + +#============= systemd_hw_t ============== +# allow systemd_hw_t init_runtime_t:dir search; + +#============= systemd_journal_init_t ============== +allow systemd_journal_init_t self:capability net_admin; +allow systemd_journal_init_t selinux_config_t:dir { getattr search }; + +#============= systemd_networkd_t ============== +allow systemd_networkd_t net_conf_t:dir { getattr open read search }; +allow systemd_networkd_t selinux_config_t:dir { getattr search }; +allow systemd_networkd_t selinux_config_t:dir search; +allow systemd_networkd_t system_dbusd_runtime_t:dir read; +allow systemd_networkd_t system_dbusd_runtime_t:sock_file read; +allow systemd_networkd_t var_run_t:dir read; + +#============= systemd_resolved_t ============== +allow systemd_resolved_t system_dbusd_runtime_t:dir read; +allow systemd_resolved_t system_dbusd_runtime_t:sock_file read; +allow systemd_resolved_t var_run_t:dir read; + +#============= systemd_sessions_t ============== +allow systemd_sessions_t self:capability net_admin; + +#============= systemd_sysctl_t ============== +allow systemd_sysctl_t selinux_config_t:dir { getattr search }; 
+ +#============= systemd_sysusers_t ============== +allow systemd_sysusers_t self:capability net_admin; + +#============= systemd_tmpfiles_t ============== +allow systemd_tmpfiles_t auditd_log_t:dir { create getattr open read relabelfrom relabelto }; +allow systemd_tmpfiles_t etc_t:dir relabelfrom; +allow systemd_tmpfiles_t etc_t:file { relabelfrom relabelto }; +allow systemd_tmpfiles_t init_t:unix_stream_socket connectto; +allow systemd_tmpfiles_t ssh_home_t:dir { getattr relabelfrom relabelto }; +allow systemd_tmpfiles_t system_dbusd_var_lib_t:dir read; +allow systemd_tmpfiles_t systemd_journal_t:lnk_file { read getattr relabelfrom relabelto }; +allow systemd_tmpfiles_t user_home_dir_t:dir { getattr search relabelfrom relabelto }; +allow systemd_tmpfiles_t user_home_t:dir { getattr search relabelfrom relabelto }; +allow systemd_tmpfiles_t usr_t:dir read; +allow systemd_tmpfiles_t usr_t:file { open read }; +allow systemd_tmpfiles_t var_spool_t:dir create; + +#============= systemd_update_done_t ============== +allow systemd_update_done_t self:capability net_admin;
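Review bot: in the systemd_networkd_t block of buildroot-systemd.te, `allow systemd_networkd_t selinux_config_t:dir search;` is already covered by the preceding `allow systemd_networkd_t selinux_config_t:dir { getattr search };` and should be dropped, and the systemd_hw_t section holds only a commented-out rule (`# allow systemd_hw_t init_runtime_t:dir search;`), which should either go or carry a comment explaining why it is kept. The capability grants deserve a second look as well: `self:capability net_admin` for systemd_sessions_t, systemd_sysusers_t, systemd_update_done_t and systemd_journal_init_t is a broad capability for tools that configure no networking, so please check whether these denials come from the SO_SNDBUFFORCE setsockopt systemd issues when it opens its log socket (that call has a fallback, and the denial is normally dontaudit'ed rather than allowed), and `self:capability dac_override` for systemd_generator_t should be tried as dac_read_search first before granting full override. The relabelfrom/relabelto rights handed to systemd_tmpfiles_t on etc_t, user_home_t, user_home_dir_t, ssh_home_t and auditd_log_t let it move labels between those types; naming the tmpfiles.d entries that need them in the commit message would make that reviewable. Finally, every rule here names types owned by other modules (init_t, locale_t, selinux_config_t, auditd_log_t, ...) directly instead of through the owning modules' interfaces; that compiles in a monolithic refpolicy build but would need a gen_require block in a loadable module, and interfaces such as init_use_fds() state the intent far more clearly than `allow sysadm_t init_t:fd use;`.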
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:02 +0200
Message-ID: <20231012103210.2915871-6-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 05/12] package/openssh/selinux: Add buildroot openssh policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, "Yann E . MORIN"

This is a basic policy necessary for OpenSSH to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/openssh/selinux/buildroot-openssh.fc | 0 package/openssh/selinux/buildroot-openssh.if | 1 + package/openssh/selinux/buildroot-openssh.te | 23 ++++++++++++++++++++ 4 files changed, 25 insertions(+) create mode 100644 package/openssh/selinux/buildroot-openssh.fc create mode 100644 package/openssh/selinux/buildroot-openssh.if create mode 100644 package/openssh/selinux/buildroot-openssh.te diff --git a/DEVELOPERS b/DEVELOPERS index e49960f572..a90f453261 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -38,6 +38,7 @@ F: package/flutter-engine/ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ +F: package/openssh/selinux/ F: package/refpolicy/selinux/ F: package/systemd/selinux/ F: package/sysvinit/selinux/ diff --git a/package/openssh/selinux/buildroot-openssh.fc b/package/openssh/selinux/buildroot-openssh.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/openssh/selinux/buildroot-openssh.if b/package/openssh/selinux/buildroot-openssh.if new file mode 100644 index 0000000000..1969c20a4b --- /dev/null +++ b/package/openssh/selinux/buildroot-openssh.if @@ -0,0 +1 @@ +## Buildroot openssh rules diff --git a/package/openssh/selinux/buildroot-openssh.te b/package/openssh/selinux/buildroot-openssh.te new file mode 100644 index 0000000000..5dc8945c3e --- /dev/null +++ b/package/openssh/selinux/buildroot-openssh.te 
@@ -0,0 +1,23 @@ +policy_module(buildroot-openssh, 1.0.0) + +#============= sshd_t ============== +allow sshd_t device_t:chr_file { getattr open read write }; +allow sshd_t kernel_t:fd use; +allow sshd_t root_t:chr_file { read write }; +allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh }; +allow sshd_t sysadm_t:process transition; +allow sshd_t var_t:lnk_file read; + +#============= ssh_keygen_t ============== +allow ssh_keygen_t cert_t:dir search; +allow ssh_keygen_t cert_t:file { getattr open read }; +allow ssh_keygen_t device_t:chr_file { open read write }; +allow ssh_keygen_t kernel_t:fd use; +allow ssh_keygen_t root_t:chr_file { getattr ioctl read write }; +allow ssh_keygen_t security_t:filesystem getattr; +allow ssh_keygen_t selinux_config_t:dir search; +allow ssh_keygen_t tmpfs_t:dir search; + +#============= restorecond_t ============== +allow restorecond_t ssh_home_t:dir watch; +
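Review bot: `allow sshd_t sysadm_t:process transition;` together with `allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh };` hard-codes a sysadm_t login through sshd in buildroot-openssh.te, while refpolicy already gates that behind the ssh_sysadm_login tunable; either enable that boolean in the refpolicy configuration or say in the commit message why an unconditional rule is wanted. noatsecure in particular lets the session skip secure-mode (AT_SECURE) environment cleansing on the transition, and rlimitinh/siginh denials are usually dontaudit'ed rather than allowed, so please confirm these were real failures and not audit noise. The device_t:chr_file and root_t:chr_file rules for sshd_t and ssh_keygen_t point at a device node that still carries a generic label; buildroot-openssh.fc is empty, so labelling that node (or fixing the /dev relabel at boot) is the right fix rather than opening generic chr_files, and `kernel_t:fd use` for both domains suggests the daemons inherit descriptors from a parent that never left kernel_t, which is worth confirming as intended. `allow restorecond_t ssh_home_t:dir watch;` grants nothing to openssh's own domains and belongs with the restorecond policy added later in this series, or at least needs a comment explaining why it lives here.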
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:03 +0200
Message-ID: <20231012103210.2915871-7-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 06/12] package/audit/selinux: Add buildroot audit policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, "Yann E . MORIN"

This is a basic policy necessary for audit to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/audit/selinux/buildroot-audit.fc | 0 package/audit/selinux/buildroot-audit.if | 1 + package/audit/selinux/buildroot-audit.te | 13 +++++++++++++ 4 files changed, 15 insertions(+) create mode 100644 package/audit/selinux/buildroot-audit.fc create mode 100644 package/audit/selinux/buildroot-audit.if create mode 100644 package/audit/selinux/buildroot-audit.te diff --git a/DEVELOPERS b/DEVELOPERS index a90f453261..5f4b7320ba 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -32,6 +32,7 @@ F: package/vulkan-loader/ F: package/vulkan-tools/ N: Adam Duskett +F: package/audit/selinux/ F: package/busybox/selinux/ F: package/depot-tools/ F: package/flutter-engine/ diff --git a/package/audit/selinux/buildroot-audit.fc b/package/audit/selinux/buildroot-audit.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/audit/selinux/buildroot-audit.if b/package/audit/selinux/buildroot-audit.if new file mode 100644 index 0000000000..2a739a1113 --- /dev/null +++ b/package/audit/selinux/buildroot-audit.if @@ -0,0 +1 @@ +## Buildroot audit rules diff --git a/package/audit/selinux/buildroot-audit.te b/package/audit/selinux/buildroot-audit.te new file mode 100644 index 0000000000..3cac330d30 --- /dev/null +++ b/package/audit/selinux/buildroot-audit.te 
@@ -0,0 +1,13 @@ +policy_module(buildroot-audit, 1.0.0) + +#============= auditd_t ============== +allow auditd_t auditd_etc_t:file map; +allow auditd_t device_t:chr_file { open read write }; +allow auditd_t kernel_t:fd use; +allow auditd_t root_t:chr_file { read write }; +allow auditd_t selinux_config_t:dir search; +allow auditd_t tmpfs_t:dir { remove_name add_name search write }; +allow auditd_t tmpfs_t:file { create open write unlink }; +allow auditd_t tmp_t:dir { add_name getattr open read search setattr write }; +allow auditd_t tmp_t:file { append create setattr getattr read open }; +allow auditd_t var_t:lnk_file read;
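Review bot: the tmp_t and tmpfs_t rules in buildroot-audit.te (`tmpfs_t:file { create open write unlink }`, `tmp_t:file { append create setattr getattr read open }`) give auditd create/write access to generic temporary types instead of a private type of its own; refpolicy's audit policy already provides a runtime type for auditd's socket and pid file, so auditd ending up creating plain tmpfs_t files usually means the directory it writes into (typically /run) is not labelled and the file transition never fires. Please name the files behind these denials and fix the labelling or add a filetrans rule rather than opening tmp_t/tmpfs_t to the daemon. `device_t:chr_file { open read write }`, `root_t:chr_file { read write }` and `kernel_t:fd use` repeat the pattern from the openssh patch and point at the same unlabelled device node and untransitioned parent process, so they should get the same root-cause fix instead of a per-domain allow.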
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:04 +0200
Message-ID: <20231012103210.2915871-8-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 07/12] package/polkit/selinux: Add buildroot polkit policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, "Yann E . MORIN"

This is a basic policy necessary for polkit to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/polkit/selinux/buildroot-polkit.fc | 0 package/polkit/selinux/buildroot-polkit.if | 1 + package/polkit/selinux/buildroot-polkit.te | 5 +++++ 4 files changed, 7 insertions(+) create mode 100644 package/polkit/selinux/buildroot-polkit.fc create mode 100644 package/polkit/selinux/buildroot-polkit.if create mode 100644 package/polkit/selinux/buildroot-polkit.te diff --git a/DEVELOPERS b/DEVELOPERS index 5f4b7320ba..f7506da57a 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -40,6 +40,7 @@ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ F: package/openssh/selinux/ +F: package/polkit/selinux/ F: package/refpolicy/selinux/ F: package/systemd/selinux/ F: package/sysvinit/selinux/ diff --git a/package/polkit/selinux/buildroot-polkit.fc b/package/polkit/selinux/buildroot-polkit.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/polkit/selinux/buildroot-polkit.if b/package/polkit/selinux/buildroot-polkit.if new file mode 100644 index 0000000000..8db3562fa5 --- /dev/null +++ b/package/polkit/selinux/buildroot-polkit.if @@ -0,0 +1 @@ +## Buildroot polkit rules diff --git a/package/polkit/selinux/buildroot-polkit.te b/package/polkit/selinux/buildroot-polkit.te new file mode 100644 index 0000000000..3cc244868c --- /dev/null +++ b/package/polkit/selinux/buildroot-polkit.te 
@@ -0,0 +1,5 @@ +policy_module(buildroot-polkit, 1.0.0) + +#============= policykit_t ============== +allow policykit_t security_t:filesystem getattr; +allow policykit_t selinux_config_t:dir search;
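Review bot: both rules in buildroot-polkit.te, `allow policykit_t security_t:filesystem getattr;` and `allow policykit_t selinux_config_t:dir search;`, are what libselinux needs to probe selinuxfs and locate /etc/selinux/config, and refpolicy provides interfaces for exactly that (selinux_getattr_fs() and the seutil_* interfaces in selinuxutil.if); calling those from the module instead of writing raw rules on kernel-owned types keeps the policy readable and avoids needing a gen_require block if it is ever built as a loadable module. The same pair appears for ssh_keygen_t in the openssh patch, so both should be expressed the same way.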
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:05 +0200
Message-ID: <20231012103210.2915871-9-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 08/12] package/restorecond/selinux: Add buildroot restorecond policy
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings, Norbert Lange, "Yann E . MORIN"

This is a basic policy necessary for restorecond to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + .../restorecond/selinux/buildroot-restorecond.fc | 0 .../restorecond/selinux/buildroot-restorecond.if | 1 + .../restorecond/selinux/buildroot-restorecond.te | 13 +++++++++++++ 4 files changed, 15 insertions(+) create mode 100644 package/restorecond/selinux/buildroot-restorecond.fc create mode 100644 package/restorecond/selinux/buildroot-restorecond.if create mode 100644 package/restorecond/selinux/buildroot-restorecond.te diff --git a/DEVELOPERS b/DEVELOPERS index f7506da57a..5082448b56 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -42,6 +42,7 @@ F: package/flutter-sdk-bin/ F: package/openssh/selinux/ F: package/polkit/selinux/ F: package/refpolicy/selinux/ +F: package/restorecond/selinux/ F: package/systemd/selinux/ F: package/sysvinit/selinux/ F: support/testing/tests/package/test_flutter.py diff --git a/package/restorecond/selinux/buildroot-restorecond.fc b/package/restorecond/selinux/buildroot-restorecond.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/restorecond/selinux/buildroot-restorecond.if b/package/restorecond/selinux/buildroot-restorecond.if new file mode 100644 index 0000000000..cec6d9d9a4 --- /dev/null +++ b/package/restorecond/selinux/buildroot-restorecond.if @@ -0,0 +1 @@ +## Buildroot restorecond rules diff --git a/package/restorecond/selinux/buildroot-restorecond.te b/package/restorecond/selinux/buildroot-restorecond.te new file mode 100644 index 0000000000..382e4c8f54 --- /dev/null +++ b/package/restorecond/selinux/buildroot-restorecond.te 
@@ -0,0 +1,13 @@ +policy_module(buildroot-restorecond, 1.0.0) + +#============= restorecond_t ============== +allow restorecond_t device_t:chr_file { open read write }; +allow restorecond_t etc_t:dir watch; +allow restorecond_t file_context_t:file { open read }; +allow restorecond_t selinux_config_t:file watch; +allow restorecond_t tmpfs_t:dir { remove_name write watch }; +allow restorecond_t tmpfs_t:file { append getattr open lock read write unlink }; +allow restorecond_t user_home_dir_t:dir watch; +allow restorecond_t var_log_t:dir watch; +allow restorecond_t var_run_t:dir watch; +allow restorecond_t var_t:dir watch;
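Review bot: the `allow restorecond_t device_t:chr_file { open read write }` rule in the buildroot-restorecond.te hunk is the one broad grant here: device_t is the generic label for device nodes that have no specific file context, so needing it usually means the node restorecond actually opens is mislabelled, and an allow on the generic type covers every such node rather than that one. The buildroot-restorecond.fc added in the same patch is empty (index e69de29bb2, `| 0` in the diffstat); suggest labelling the offending node there, or, if generic device access really is intended, using refpolicy's dev_rw_generic_chr_files(restorecond_t) so the intent is documented. The tmpfs_t dir/file rules are the same pattern seen in 9/12 and 10/12 and suggest the tmpfs behind the runtime directory is mounted without a file context, which would be a single fix for all three; the remaining `watch` rules are narrow and are what a directory-watching daemon needs.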
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:06 +0200
Message-ID: <20231012103210.2915871-10-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 09/12] package/acpid/selinux: Add buildroot acpid policy

This is a basic policy necessary for acpid to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/acpid/selinux/buildroot-acpid.fc | 0 package/acpid/selinux/buildroot-acpid.if | 1 + package/acpid/selinux/buildroot-acpid.te | 10 ++++++++++ 4 files changed, 12 insertions(+) create mode 100644 package/acpid/selinux/buildroot-acpid.fc create mode 100644 package/acpid/selinux/buildroot-acpid.if create mode 100644 package/acpid/selinux/buildroot-acpid.te diff --git a/DEVELOPERS b/DEVELOPERS index 5082448b56..695738c4a9 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -32,6 +32,7 @@ F: package/vulkan-loader/ F: package/vulkan-tools/ N: Adam Duskett +F: package/acpid/selinux/ F: package/audit/selinux/ F: package/busybox/selinux/ F: package/depot-tools/ diff --git a/package/acpid/selinux/buildroot-acpid.fc b/package/acpid/selinux/buildroot-acpid.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/acpid/selinux/buildroot-acpid.if b/package/acpid/selinux/buildroot-acpid.if new file mode 100644 index 0000000000..b2b568a823 --- /dev/null +++ b/package/acpid/selinux/buildroot-acpid.if @@ -0,0 +1 @@ +## Buildroot acpid rules diff --git a/package/acpid/selinux/buildroot-acpid.te b/package/acpid/selinux/buildroot-acpid.te new file mode 100644 index 0000000000..dd10e65c42 --- /dev/null +++ b/package/acpid/selinux/buildroot-acpid.te 
@@ -0,0 +1,10 @@ +policy_module(buildroot-acpid, 1.0.0) + +#============= acpid_t ============== +allow acpid_t device_t:chr_file { read open write ioctl }; +allow acpid_t kernel_t:fd use; +allow acpid_t root_t:chr_file { read write open ioctl }; +allow acpid_t tmpfs_t:dir { add_name write remove_name }; +allow acpid_t tmpfs_t:file { create open write unlink }; +allow acpid_t tmpfs_t:sock_file create; +
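Review bot: `allow acpid_t root_t:chr_file { read write open ioctl }` in the buildroot-acpid.te hunk points at a labelling problem rather than a missing permission: a character device carrying root_t is a node in the root filesystem that never received a device label (typically a static /dev entry created in the image before devtmpfs is mounted). The same symptom appears for iptables_t in 11/12, so suggest fixing the label once in a file context instead of granting each domain read/write/ioctl on root_t devices; the buildroot-acpid.fc added here is empty (index e69de29bb2). Likewise the three tmpfs_t rules (dir add_name/write/remove_name, file create/open/write/unlink, sock_file create) indicate that acpid's runtime directory is a plain tmpfs_t mount; labelling it var_run_t, which 8/12 already references, would let refpolicy's existing acpid rules for its runtime files apply instead of generic tmpfs access. Minor: the hunk ends with an added blank line at EOF (the trailing `+`), which git's whitespace check flags.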
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:07 +0200
Message-ID: <20231012103210.2915871-11-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 10/12] package/network-manager/selinux: Add buildroot network-manager policy

This is a basic policy necessary for network-manager to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/network-manager/selinux/buildroot-network-manager.fc | 0 package/network-manager/selinux/buildroot-network-manager.if | 1 + package/network-manager/selinux/buildroot-network-manager.te | 4 ++++ 4 files changed, 6 insertions(+) create mode 100644 package/network-manager/selinux/buildroot-network-manager.fc create mode 100644 package/network-manager/selinux/buildroot-network-manager.if create mode 100644 package/network-manager/selinux/buildroot-network-manager.te diff --git a/DEVELOPERS b/DEVELOPERS index 695738c4a9..05b4be1830 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -40,6 +40,7 @@ F: package/flutter-engine/ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ +F: package/network-manager/selinux/ F: package/openssh/selinux/ F: package/polkit/selinux/ F: package/refpolicy/selinux/ diff --git a/package/network-manager/selinux/buildroot-network-manager.fc b/package/network-manager/selinux/buildroot-network-manager.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/network-manager/selinux/buildroot-network-manager.if b/package/network-manager/selinux/buildroot-network-manager.if new file mode 100644 index 0000000000..2f33fa0b81 --- /dev/null +++ b/package/network-manager/selinux/buildroot-network-manager.if @@ -0,0 +1 @@ +## Buildroot network-manager rules diff --git a/package/network-manager/selinux/buildroot-network-manager.te b/package/network-manager/selinux/buildroot-network-manager.te new file mode 100644 index 0000000000..ce5180494c --- /dev/null +++ b/package/network-manager/selinux/buildroot-network-manager.te 
@@ -0,0 +1,4 @@ +policy_module(buildroot-network-manager, 1.0.0) + +#============= NetworkManager_t ============== +allow NetworkManager_t tmpfs_t:sock_file write;
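Review bot: `allow NetworkManager_t tmpfs_t:sock_file write` in the buildroot-network-manager.te hunk grants write on every socket file of the generic tmpfs_t type, not only the one that produced the denial, and the commit message says nothing about which socket that is. Please name it in the commit message or in a comment in the .te so a reviewer can judge whether a file context in the currently empty buildroot-network-manager.fc (index e69de29bb2) would be the narrower fix, as with the tmpfs_t rules in 8/12 and 9/12.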
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:08 +0200
Message-ID: <20231012103210.2915871-12-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 11/12] package/iptables/selinux: Add buildroot iptables policy

This is a basic policy necessary for iptables to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/iptables/selinux/buildroot-iptables.fc | 0 package/iptables/selinux/buildroot-iptables.if | 1 + package/iptables/selinux/buildroot-iptables.te | 5 +++++ 4 files changed, 7 insertions(+) create mode 100644 package/iptables/selinux/buildroot-iptables.fc create mode 100644 package/iptables/selinux/buildroot-iptables.if create mode 100644 package/iptables/selinux/buildroot-iptables.te diff --git a/DEVELOPERS b/DEVELOPERS index 05b4be1830..cfa0095969 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -40,6 +40,7 @@ F: package/flutter-engine/ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ +F: package/iptables/selinux/ F: package/network-manager/selinux/ F: package/openssh/selinux/ F: package/polkit/selinux/ diff --git a/package/iptables/selinux/buildroot-iptables.fc b/package/iptables/selinux/buildroot-iptables.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/iptables/selinux/buildroot-iptables.if b/package/iptables/selinux/buildroot-iptables.if new file mode 100644 index 0000000000..cb7e08744e --- /dev/null +++ b/package/iptables/selinux/buildroot-iptables.if @@ -0,0 +1 @@ +## Buildroot iptables rules diff --git a/package/iptables/selinux/buildroot-iptables.te b/package/iptables/selinux/buildroot-iptables.te new file mode 100644 index 0000000000..37107749ea --- /dev/null +++ b/package/iptables/selinux/buildroot-iptables.te 
@@ -0,0 +1,5 @@ +policy_module(buildroot-iptables, 1.0.0) + +#============= iptables_t ============== +allow iptables_t root_t:chr_file { read write }; +
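Review bot: `allow iptables_t root_t:chr_file { read write }` in the buildroot-iptables.te hunk is the same root_t character-device symptom as in 9/12: a device node that is still labelled root_t (the denial shows which one). Relabelling that node once would remove the need for this rule and the acpid one together; if the rule stays, a comment naming the device would help future readers. Minor: the hunk is 5 lines for 4 lines of content because it adds a blank line at EOF (the trailing `+`), which git's whitespace check flags; buildroot-iptables.fc is again empty (index e69de29bb2).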
From: Adam Duskett
To: buildroot@buildroot.org
Date: Thu, 12 Oct 2023 12:32:09 +0200
Message-ID: <20231012103210.2915871-13-adam.duskett@amarulasolutions.com>
In-Reply-To: <20231012103210.2915871-1-adam.duskett@amarulasolutions.com>
Subject: [Buildroot] [PATCH 12/12] package/kmod/selinux: Add buildroot kmod policy

This is a basic policy necessary for kmod to work properly in enforcing mode without any denials.
Signed-off-by: Adam Duskett --- DEVELOPERS | 1 + package/kmod/selinux/buildroot-kmod.fc | 0 package/kmod/selinux/buildroot-kmod.if | 1 + package/kmod/selinux/buildroot-kmod.te | 4 ++++ 4 files changed, 6 insertions(+) create mode 100644 package/kmod/selinux/buildroot-kmod.fc create mode 100644 package/kmod/selinux/buildroot-kmod.if create mode 100644 package/kmod/selinux/buildroot-kmod.te diff --git a/DEVELOPERS b/DEVELOPERS index cfa0095969..879aa96361 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -41,6 +41,7 @@ F: package/flutter-gallery/ F: package/flutter-pi/ F: package/flutter-sdk-bin/ F: package/iptables/selinux/ +F: package/kmod/selinux/ F: package/network-manager/selinux/ F: package/openssh/selinux/ F: package/polkit/selinux/ diff --git a/package/kmod/selinux/buildroot-kmod.fc b/package/kmod/selinux/buildroot-kmod.fc new file mode 100644 index 0000000000..e69de29bb2 diff --git a/package/kmod/selinux/buildroot-kmod.if b/package/kmod/selinux/buildroot-kmod.if new file mode 100644 index 0000000000..fd978bf190 --- /dev/null +++ b/package/kmod/selinux/buildroot-kmod.if @@ -0,0 +1 @@ +## Buildroot kmod rules diff --git a/package/kmod/selinux/buildroot-kmod.te b/package/kmod/selinux/buildroot-kmod.te new file mode 100644 index 0000000000..c06b81345d --- /dev/null +++ b/package/kmod/selinux/buildroot-kmod.te @@ -0,0 +1,4 @@ +policy_module(buildroot-kmod, 1.0.0) + +#============= kmod_t ============== +allow kmod_t proc_t:filesystem getattr;
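Review bot: `allow kmod_t proc_t:filesystem getattr` in the buildroot-kmod.te hunk is harmless (statfs on /proc), but refpolicy already exposes exactly this permission as kernel_getattr_proc(kmod_t) in kernel.if; using the interface keeps the module in refpolicy style rather than raw audit2allow output (the `#============= kmod_t ==============` banner is audit2allow's). The DEVELOPERS hunk places package/kmod/selinux/ in sorted order between iptables and network-manager, which is correct.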