
[meta-selinux,master,scarthgap,1/2] refpolicy: update to latest git rev

Message ID 20240606061434.2764343-1-yi.zhao@windriver.com

Commit Message

Yi Zhao June 6, 2024, 6:14 a.m. UTC
* 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern
* 1cbe455a5 device: Move dev_rw_uhid definition
* 7a33b4bc8 Sepolicy changes for bluez to access uhid
* c6dd4087d selinuxutil: make policykit optional
* 10feb47e5 newrole: allow newrole to search faillock runtime directory
* bf34d3e5e sysnetwork: fixes for dhcpcd
* 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon
            to access unix stream sockets
* 27602a932 various: various fixes
* 63d50bbaa container, crio, kubernetes: minor fixes
* 11e729e27 container, podman: various fixes
* ef5954a0e systemd: allow systemd-sysctl to search tmpfs
* 472e0442e container: allow containers to getcap
* 7876e5151 container: allow system container engines to mmap runtime
            files
* d917092a8 matrixd: add tunable for binding to all unreserved ports
* 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries
* ddf395d5d asterisk: allow binding to all unreserved UDP ports
* 3bad3696b postgres: add a standalone execmem tunable
* ef28f7879 userdom: allow users to read user home dir symlinks
* 03711caea dovecot: allow dovecot-auth to read SASL keytab
* cd781e783 fail2ban: allow reading net sysctls
* ddc6ac493 init: allow systemd to use sshd pidfds
* b9c457d80 files context for merged-usr profile on gentoo
* 5040dd3b6 Need map perm for cockpit 300.4
* 2ef9838db tests.yml: Add sechecker testing
* c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type
* 1c694125b certbot: Drop execmem
* 349411d55 xen: Drop xend/xm stack
* 2a261f916 Allow systemd to pass down sig mask
* 2577feb83 cups: Remove PTAL
* 5b02b44e5 xen: Revoke kernel module loading permissions
* 1c20c002c minissdpd: Revoke kernel module loading permissions
* 5671390e2 docker: Fix dockerc typo in container_engine_executable_file
* e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t
* 0f71792c8 uml: Remove excessive access from user domains on
            uml_exec_t
* 511223e2d Set the type on /etc/machine-info to net_conf_t so
            hostnamectl can manipulate it (CRUD)
* 72fc1b2a3 fix: minor correction in MCS_CATS range comment
* cbf56c8ae systemd: allow notify client to stat socket

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...c-init-fix-update-alternatives-for-sysvinit.patch |  9 +++++----
 ...dules-system-authlogin-fix-login-errors-aft.patch | 12 ++++++------
 recipes-security/refpolicy/refpolicy_git.inc         |  2 +-
 3 files changed, 12 insertions(+), 11 deletions(-)

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
index 73a0d8a..01b7cca 100644
--- a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
+++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch
@@ -1,4 +1,4 @@ 
-From 8eefd8242e8b08fee6886d6bba12c4af202890d0 Mon Sep 17 00:00:00 2001
+From a733674bb530f070ce5363c0b50848d3cb4e113b Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] fc/init: fix update-alternatives for sysvinit
@@ -15,16 +15,17 @@  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  3 files changed, 4 insertions(+)
 
 diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
-index 89d682d36..354f4d1d9 100644
+index 2e47783c2..e359539be 100644
 --- a/policy/modules/admin/shutdown.fc
 +++ b/policy/modules/admin/shutdown.fc
-@@ -7,5 +7,6 @@
+@@ -7,6 +7,7 @@
  
  /usr/sbin/halt		--	gen_context(system_u:object_r:shutdown_exec_t,s0)
  /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 +/usr/sbin/shutdown\.sysvinit	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
  
  /run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_runtime_t,s0)
+ 
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 7d2efef0a..9a5711a83 100644
 --- a/policy/modules/kernel/corecommands.fc
@@ -39,7 +40,7 @@  index 7d2efef0a..9a5711a83 100644
  /usr/bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/bin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 07b12de2e..d99767ce8 100644
+index 75c75e7d1..962f18099 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
 @@ -49,6 +49,7 @@ ifdef(`distro_gentoo',`
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
index ab5b967..060b01b 100644
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
@@ -1,4 +1,4 @@ 
-From b81fc26631ad56608eed244c3a07f6f9b0c7e8c7 Mon Sep 17 00:00:00 2001
+From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Fri, 8 Dec 2023 14:16:26 +0800
 Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
@@ -67,7 +67,7 @@  index dce1a0ea9..c55cdfc09 100644
  	auth_create_faillog_files($1_su_t)
  	auth_rw_faillog($1_su_t)
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 3a5d1ac3e..f9d50a8d4 100644
+index 5d675bc15..2ca79e95d 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -10,7 +10,7 @@ policy_module(authlogin)
@@ -80,10 +80,10 @@  index 3a5d1ac3e..f9d50a8d4 100644
  ## <desc>
  ## <p>
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 3eedf82c3..875f0a02f 100644
+index ebc1abc10..c6b2ec47a 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -247,6 +247,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
+@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
  
@@ -91,10 +91,10 @@  index 3eedf82c3..875f0a02f 100644
  kernel_read_system_state(newrole_t)
  kernel_read_kernel_sysctls(newrole_t)
  kernel_dontaudit_getattr_proc(newrole_t)
-@@ -290,6 +291,7 @@ auth_use_nsswitch(newrole_t)
- auth_run_chk_passwd(newrole_t, newrole_roles)
+@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
  auth_run_upd_passwd(newrole_t, newrole_roles)
  auth_rw_faillog(newrole_t)
+ auth_search_faillog(newrole_t)
 +auth_read_shadow(newrole_t)
  
  # Write to utmp.
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 322c277..ee69664 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@  PV = "2.20240226+git"
 
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
 
-SRCREV_refpolicy ?= "6507eebc238b4495b1e0d3baa2bc0bb737f9819a"
+SRCREV_refpolicy ?= "c920fc5d9e626874b9af8693e5aa697200f76a12"
 
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"