refpolicy fixes

conf/distro/openxt-main.conf

@@ -62,8 +62,6 @@ PREFERRED_VERSION_network-manager-applet = "1.8.22"
 PREFERRED_PROVIDER_iasl = "acpica"
 PREFERRED_PROVIDER_iasl-native = "${PREFERRED_PROVIDER_iasl}-native"
 
-PREFERRED_VERSION_refpolicy-mcs = "2.20200229"
-
 # Select our preferred providers
 PREFERRED_PROVIDER_sysvinit-inittab = "sysvinit"
 PREFERRED_PROVIDER_virtual/java-initial = "cacao-initial"

recipes-kernel/linux/6.1/defconfigs/openxt-installer/defconfig

@@ -448,7 +448,6 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_CRYPTO_SEQIV=y
 CONFIG_CRYPTO_ECHAINIV=y
 CONFIG_CRYPTO_XTS=y

recipes-kernel/linux/6.1/defconfigs/xenclient-dom0/defconfig

@@ -366,7 +366,6 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_CRYPTO_CCM=m
 CONFIG_CRYPTO_ECHAINIV=m
 CONFIG_CRYPTO_XTS=m

recipes-kernel/linux/6.1/defconfigs/xenclient-ndvm/defconfig

@@ -201,7 +201,6 @@ CONFIG_SECURITY_NETWORK=y
 # CONFIG_PAGE_TABLE_ISOLATION is not set
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_CRYPTO_ARC4=y
 # CONFIG_CRYPTO_HW is not set
 CONFIG_CRC_T10DIF=y

recipes-security/refpolicy/refpolicy-mcs/patches/0001-udev-allow-udev_t-to-watch-udev_rules_t-dir.patch

@@ -0,0 +1,61 @@
+From 7ae40510fd1b7704ef4e08b0377a71f7522dcef2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 10 Oct 2021 23:21:09 +0800
+Subject: [PATCH] udev: allow udev_t to watch udev_rules_t dir
+
+Fixes:
+avc: denied { watch } for pid=187 comm="udevd" path="/lib/udev/rules.d"
+dev="vda" ino=1060 scontext=system_u:system_r:udev_t
+tcontext=system_u:object_r:lib_t tclass=dir permissive=0
+
+avc: denied { watch } for pid=187 comm="udevd" path="/etc/udev/rules.d"
+dev="vda" ino=886 scontext=system_u:system_r:udev_t
+tcontext=system_u:object_r:udev_rules_t tclass=dir permissive=0
+
+avc: denied { watch } for pid=187 comm="udevd" path="/run/udev/rules.d"
+dev="tmpfs" ino=4 scontext=system_u:system_r:udev_t
+tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
+
+avc: denied { watch } for pid=196 comm="udevadm" path="/run/udev"
+dev="tmpfs" ino=2 scontext=system_u:system_r:udev_t
+tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/udev.fc | 2 ++
+ policy/modules/system/udev.te | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -36,10 +36,12 @@ ifdef(`distro_redhat',`
+
+ /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
+
+ /usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+ /run/udev(/.*)?	gen_context(system_u:object_r:udev_runtime_t,s0)
++/run/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
+
+ ifdef(`distro_debian',`
+ /run/xen-hotplug -d	gen_context(system_u:object_r:udev_runtime_t,s0)
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -78,6 +78,7 @@ can_exec(udev_t, udev_helper_exec_t)
+
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
++allow udev_t udev_runtime_t:dir watch;
+
+ allow udev_t udev_tbl_t:file manage_file_perms;
+ dev_filetrans(udev_t, udev_tbl_t, file)
+@@ -85,6 +86,7 @@ dev_filetrans(udev_t, udev_tbl_t, file)
+ list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+ manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+ manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
++allow udev_t udev_rules_t:dir watch;
+
+ manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)

recipes-security/refpolicy/refpolicy-mcs/patches/policy.modules.system.udev.diff

@@ -1,31 +1,8 @@
 ndex: refpolicy/policy/modules/system/udev.fc
 ===================================================================
---- a/policy/modules/system/udev.fc
-+++ b/policy/modules/system/udev.fc
-@@ -2,6 +2,7 @@
- /dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
- /dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
-
-+/etc/init\.d/udev	--	gen_context(system_u:object_r:udevrc_exec_t,s0)
- /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -22,6 +22,12 @@ init_system_domain(udevadm_t, udevadm_ex
- application_domain(udevadm_t, udevadm_exec_t)
- role udevadm_roles types udevadm_t;
-
-+type udevrc_t;
-+type udevrc_exec_t;
-+init_script_domain(udevrc_t, udevrc_exec_t)
-+udev_domtrans(udevrc_t)
-+role system_r types udevrc_t;
-+
- type udev_etc_t alias etc_udev_t;
- files_config_file(udev_etc_t)
-
-@@ -66,6 +72,11 @@ allow udev_t self:rawip_socket create_so
+@@ -66,6 +66,11 @@ allow udev_t self:rawip_socket create_so
  # for systemd-udevd to rename interfaces
  allow udev_t self:netlink_route_socket nlmsg_write;
 
@@ -37,7 +14,7 @@ ndex: refpolicy/policy/modules/system/udev.fc
  can_exec(udev_t, udev_exec_t)
 
  allow udev_t udev_helper_exec_t:dir list_dir_perms;
-@@ -111,6 +122,8 @@ kernel_dontaudit_search_unlabeled(udev_t
+@@ -111,6 +116,8 @@ kernel_dontaudit_search_unlabeled(udev_t
 
  corecmd_exec_all_executables(udev_t)
 
@@ -46,7 +23,7 @@ ndex: refpolicy/policy/modules/system/udev.fc
  dev_rw_sysfs(udev_t)
  dev_manage_all_dev_nodes(udev_t)
  dev_rw_generic_files(udev_t)
-@@ -200,6 +213,8 @@ sysnet_etc_filetrans_config(udev_t)
+@@ -200,6 +207,8 @@ sysnet_etc_filetrans_config(udev_t)
 
  userdom_dontaudit_search_user_home_content(udev_t)
 
@@ -55,7 +32,7 @@ ndex: refpolicy/policy/modules/system/udev.fc
  ifdef(`distro_debian',`
  	# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
  	files_read_default_files(udev_t)
-@@ -381,12 +396,52 @@ optional_policy(`
+@@ -381,12 +390,22 @@ optional_policy(`
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
  	fs_manage_xenfs_files(udev_t)
@@ -74,37 +51,12 @@ ndex: refpolicy/policy/modules/system/udev.fc
 +virt_search_dirs(udev_t)
 +
 +vusbd_read_etc_files(udev_t)
-+
-+gen_require(`
-+    type lib_t;
-+')
-+
-+allow udev_t lib_t:dir { watch };
-+allow udev_t udev_rules_t:dir { watch };
-+allow udev_t udev_runtime_t:dir { watch };
-+
-+########################################
-+#
-+# Local policy for udevrc_t
-+#
-+
-+mount_domtrans(udevrc_t)
-+
-+corecmd_exec_bin(udevrc_t)
-+corecmd_exec_shell(udevrc_t)
-+dev_search_sysfs(udevrc_t)
-+files_read_etc_files(udevrc_t)
-+initrc_rw_pid_chr_files(udevrc_t)
-+kernel_read_system_state(udevrc_t)
-+kernel_rw_hotplug_sysctls(udevrc_t)
-+init_dontaudit_use_fds(udevrc_t)
-+term_use_console(udevrc_t)
-+dev_dontaudit_rw_generic_chr_files(udevrc_t)
-+fs_search_tmpfs(udevrc_t)
-+seutil_domtrans_setfiles(udevrc_t)
-+
-+allow udevrc_t self:fifo_file manage_fifo_file_perms;
 +
  ########################################
  #
  # udevadm Local policy
+@@ -427,3 +454,4 @@ seutil_read_file_contexts(udevadm_t)
+
+ init_dontaudit_use_fds(udevadm_t)
+ term_dontaudit_use_console(udevadm_t)
++dev_dontaudit_rw_generic_chr_files(udevadm_t)

recipes-security/refpolicy/refpolicy-mcs/patches/xc-files-interfaces.patch

@@ -58,7 +58,7 @@
 +optional_policy(`
  	xen_dontaudit_rw_unix_stream_sockets(NetworkManager_t)
  	xen_dbus_chat(NetworkManager_t)
- 	dev_rw_xen(NetworkManager_t)
+ 	xen_rw_xenstore(NetworkManager_t)
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -116,6 +116,13 @@ optional_policy(`
@@ -307,7 +307,7 @@
 
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -406,6 +406,13 @@ optional_policy(`
+@@ -400,6 +400,13 @@ optional_policy(`
  ')
 
  optional_policy(`
@@ -321,14 +321,3 @@
  	xserver_read_xdm_runtime_files(udev_t)
  ')
 
-@@ -436,6 +443,10 @@ dev_dontaudit_rw_generic_chr_files(udevr
- fs_search_tmpfs(udevrc_t)
- seutil_domtrans_setfiles(udevrc_t)
-
-+optional_policy(`
-+	xc_config_dir_search(udevrc_t)
-+')
-+
- allow udevrc_t self:fifo_file manage_fifo_file_perms;
-
- ########################################

recipes-security/refpolicy/refpolicy-mcs/policy/modules/apps/xec.te

@@ -94,6 +94,9 @@ allow xec_t self:capability { dac_override dac_read_search };
 statusreport_write_storage_files(xec_t)
 statusreport_getattr_storage_files(xec_t)
 
+# The vGlass initscript uses xec to query xenmgr for GPUs
+init_dontaudit_use_fds(xec_t)
+
 #######################################
 #
 # xentop local policy

recipes-security/refpolicy/refpolicy-mcs_git.bbappend

@@ -91,6 +91,7 @@ SRC_URI += " \
 "
 # Patches.
 SRC_URI += " \
+    file://patches/0001-udev-allow-udev_t-to-watch-udev_rules_t-dir.patch \
     file://patches/fc-subs-config-aliases.patch \
     file://patches/policy.modules.admin.alsa.diff \
     file://patches/policy.modules.admin.brctl.diff \