diff --git a/recipes-core/busybox/busybox-ifplugd/ifplugd b/recipes-core/busybox/busybox-ifplugd/ifplugd
new file mode 100755
index 0000000000..96646da004
--- /dev/null
+++ b/recipes-core/busybox/busybox-ifplugd/ifplugd
@@ -0,0 +1,110 @@
+#!/bin/sh
+# $Id: ifplugd.init.in 86 2004-01-26 15:34:24Z lennart $
+
+# This file is part of ifplugd.
+#
+# ifplugd is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# ifplugd is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ifplugd; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+# ifplugd Brings up/down network automatically
+#
+# chkconfig: 2345 11 89
+# description: Brings networks interfaces up and down automatically when \
+# the cable is removed / inserted
+#
+# processname: /usr/sbin/ifplugd
+# config: /etc/ifplugd/ifplugd.conf
+
+### BEGIN INIT INFO
+# Provides: ifplugd
+# Required-Start: $network
+# X-UnitedLinux-Should-Start:
+# Required-Stop: $network
+# X-UnitedLinux-Should-Stop: $
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: ifplugd daemon
+# Description: Start ifplugd
+### END INIT INFO
+
+CFG=/etc/ifplugd/ifplugd.conf
+
+IFPLUGD=/usr/sbin/ifplugd
+test -x $IFPLUGD || exit 0
+
+if [ `id -u` != "0" ] && [ "$1" = "start" -o "$1" = "stop" ] ; then
+ echo "You must be root to start, stop or restart ifplugd."
+ exit 1
+fi
+
+[ -f $CFG ] && . $CFG
+
+VERB="$1"
+shift
+
+[ "x$*" != "x" ] && INTERFACES="$*"
+
+[ "x$INTERFACES" = "xauto" ] && INTERFACES="`cat /proc/net/dev | awk '{ print $1 }' | egrep '^(eth|wlan)' | cut -d: -f1`"
+
+case "$VERB" in
+ start)
+ echo -n "Starting Network Interface Plugging Daemon:"
+ for IF in $INTERFACES ; do
+ A="`eval echo \$\{ARGS_${IF}\}`"
+ [ -z "$A" ] && A="$ARGS"
+ $IFPLUGD -i $IF $A
+ echo -n " $IF"
+ done
+ echo "."
+ ;;
+ stop)
+ echo -n "Stopping Network Interface Plugging Daemon:"
+ for IF in $INTERFACES ; do
+ $IFPLUGD -k -i $IF
+ echo -n " $IF"
+ done
+ echo "."
+ ;;
+ status)
+ for IF in $INTERFACES ; do
+ $IFPLUGD -c -i $IF
+ done
+ ;;
+ suspend)
+ echo -n "Suspending Network Interface Plugging Daemon:"
+ for IF in $INTERFACES ; do
+ $IFPLUGD -S -i $IF
+ echo -n " $IF"
+ done
+ echo "."
+ ;;
+ resume)
+ echo -n "Resuming Network Interface Plugging Daemon:"
+ for IF in $INTERFACES ; do
+ $IFPLUGD -R -i $IF
+ echo -n " $IF"
+ done
+ echo "."
+ ;;
+ force-reload|restart)
+ $0 stop $INTERFACES
+ sleep 3
+ $0 start $INTERFACES
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload|status|suspend|resume}"
+ exit 1
+esac
+
+exit 0
diff --git a/recipes-core/busybox/busybox-ifplugd/ifplugd.action b/recipes-core/busybox/busybox-ifplugd/ifplugd.action
new file mode 100755
index 0000000000..860d07d110
--- /dev/null
+++ b/recipes-core/busybox/busybox-ifplugd/ifplugd.action
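Review bot: The start arm resolves per-interface arguments with an `eval echo` of `ARGS_${IF}`, so the interface name is expanded inside eval; names come from the positional arguments or from `/proc/net/dev` filtered only on the `^(eth|wlan)` prefix, and any name with a character outside `[A-Za-z0-9_]` is at best a failed lookup and at worst shell text that gets evaluated. Guard it at the top of each `for IF in $INTERFACES` loop with `case "$IF" in *[!A-Za-z0-9_]*) echo " skipping $IF" >&2; continue ;; esac`, which also covers the unquoted `$IF` handed to `-i`. The root check on `id -u` only covers start and stop, although its message names restart and the suspend/resume arms need root as well; listing those verbs in the same test keeps the message and the check in agreement. The status, suspend and resume arms pass `-c`, `-S` and `-R`, which are taken from the upstream ifplugd init script; confirm that the busybox applet accepts them before shipping those arms, since an unknown option would presumably make every such call fail.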
@@ -0,0 +1,30 @@
+#!/bin/sh
+# $Id: ifplugd.action 99 2004-02-08 20:17:59Z lennart $
+
+# This file is part of ifplugd.
+#
+# ifplugd is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# ifplugd is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ifplugd; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+set -e
+
+if [ -z "$1" ] || [ -z "$2" ] ; then
+ echo "Wrong arguments" > /dev/stderr
+ exit 1
+fi
+
+[ "$2" = "up" ] && exec /sbin/ifup $1
+[ "$2" = "down" ] && exec /sbin/ifdown $1
+
+exit 1
diff --git a/recipes-core/busybox/busybox-ifplugd/ifplugd.conf b/recipes-core/busybox/busybox-ifplugd/ifplugd.conf
new file mode 100644
index 0000000000..9239cd5276
--- /dev/null
+++ b/recipes-core/busybox/busybox-ifplugd/ifplugd.conf
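Review bot: The interface name is passed unquoted in `[ "$2" = "up" ] && exec /sbin/ifup $1` and in the ifdown line below it; quoting it, `exec /sbin/ifup "$1"` and `exec /sbin/ifdown "$1"`, keeps an unexpected name from splitting into extra arguments for ifup. The error path redirects with `> /dev/stderr`, which needs that device node to exist and be openable in the daemon's environment; `>&2` reuses the descriptor that is already open and is the portable spelling. A short header comment such as `# Called by ifplugd as: ifplugd.action IFACE up|down` would document the contract the argument check enforces.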
@@ -0,0 +1,42 @@
+# -*-sh-*-
+# $Id: ifplugd.conf 43 2003-09-13 11:25:11Z lennart $
+
+# This file is part of ifplugd.
+#
+# ifplugd is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# ifplugd is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ifplugd; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+# ifplugd configuration file
+
+# Please note that this is a bourne shell fragment sourced by the
+# init script of ifplugd.
+
+# Specify the interfaces to control here, separated by spaces.
+# Ifplugd processes will be started for each of these interfaces when
+# the ifplugd init script is called with the "start" argument. You may
+# use the magic string "auto" to make the init script start or stop
+# ifplugd processes for ALL eth and wlan interfaces that are available
+# according to /proc/net/dev. Note that the list of interfaces
+# appearing in /proc/net/dev may depend on which kernel modules you
+# have loaded.
+INTERFACES="eth0"
+
+# Additional parameters for ifplugd.
+# (Run "ifplugd -h" for further information.)
+ARGS="-fIM -u0 -d0"
+
+# Additional parameters for ifplugd for the specified interface. Note
+# that $ARGS is ignored, when a variable like this is set for an
+# interface
+#ARGS_wlan0="-MwI -u5 -d5"
diff --git a/recipes-core/busybox/busybox-ifplugd_1.0.bb b/recipes-core/busybox/busybox-ifplugd_1.0.bb
new file mode 100644
index 0000000000..c49c6fcb70
--- /dev/null
+++ b/recipes-core/busybox/busybox-ifplugd_1.0.bb
@@ -0,0 +1,29 @@
+DESCRIPTION = "ifplugd initscript and conf for busybox"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = " \
+ file://ifplugd \
+ file://ifplugd.action \
+ file://ifplugd.conf \
+"
+
+inherit update-rc.d allarch
+
+INITSCRIPT_NAME = "ifplugd"
+INITSCRIPT_PARAMS = "defaults 30"
+
+CONFFILES_${PN} = "${sysconfdir}/ifplugd/ifplugd.conf"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/ifplugd
+ install -m 0644 ${WORKDIR}/ifplugd.conf ${D}${sysconfdir}/ifplugd/
+ install -m 0755 ${WORKDIR}/ifplugd.action ${D}${sysconfdir}/ifplugd/
+
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/ifplugd ${D}${sysconfdir}/init.d/
+}
+
+RDEPENDS_${PN} += " \
+ busybox \
+"
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend
index c64795bcc6..3c1c407c1d 100644
--- a/recipes-core/busybox/busybox_%.bbappend
+++ b/recipes-core/busybox/busybox_%.bbappend
@@ -16,6 +16,7 @@ SRC_URI += " \
 file://syslog.cfg \
 file://sysutils.cfg \
 file://tftp.cfg \
+ file://ifplugd-dont-leak-fds.patch \
 "
 # We should use sh wrappers instead of links so the commands could get correct
diff --git a/recipes-core/busybox/files/ifplugd-dont-leak-fds.patch b/recipes-core/busybox/files/ifplugd-dont-leak-fds.patch
new file mode 100644
index 0000000000..1a44be18b1
--- /dev/null
+++ b/recipes-core/busybox/files/ifplugd-dont-leak-fds.patch
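Review bot: `do_install_append()` in a plain recipe appends to the empty default install task; for a recipe that defines the entire install step the conventional spelling is `do_install() {`, which is also what a later bbappend expects to override or extend. `RDEPENDS_${PN}` on busybox does not by itself ensure the ifplugd applet is compiled in; that comes from the `CONFIG_IFPLUGD=y` line added to netutils.cfg in this same commit, so a one-line comment above the RDEPENDS block naming that configuration dependency would spare the next reader a confusing missing-applet failure at runtime. The install modes look right: the sourced ifplugd.conf (0644) and the root-executed ifplugd.action (0755) are not group- or world-writable.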
@@ -0,0 +1,19 @@
+ifplugd: Don't leak FDs.
+
+These don't need to end up in any spawned children. Set cloexec so
+they don't leak.
+
+--- a/networking/ifplugd.c
++++ b/networking/ifplugd.c
+@@ -603,9 +603,11 @@ int ifplugd_main(int argc UNUSED_PARAM,
+ bb_daemonize_or_rexec(DAEMON_CHDIR_ROOT, argv);
+
+ xmove_fd(xsocket(AF_INET, SOCK_DGRAM, 0), ioctl_fd);
++ close_on_exec_on(ioctl_fd);
+ if (opts & FLAG_MONITOR) {
+ int fd = create_and_bind_to_netlink(NETLINK_ROUTE, RTMGRP_LINK, 0);
+ xmove_fd(fd, netlink_fd);
++ close_on_exec_on(netlink_fd);
+ }
+
+ write_pidfile(pidfile_name);
diff --git a/recipes-core/busybox/files/netutils.cfg b/recipes-core/busybox/files/netutils.cfg
index e0e4e728cf..3307340910 100644
--- a/recipes-core/busybox/files/netutils.cfg
+++ b/recipes-core/busybox/files/netutils.cfg
@@ -10,6 +10,8 @@ CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS=y
 CONFIG_IFUPDOWN=y
 CONFIG_FEATURE_IFUPDOWN_IP=y
+CONFIG_IFPLUGD=y
+
 CONFIG_NETSTAT=y
 CONFIG_FEATURE_NETSTAT_WIDE=y
 CONFIG_FEATURE_NETSTAT_PRG=y
diff --git a/recipes-core/images/xenclient-syncvm-image.bb b/recipes-core/images/xenclient-syncvm-image.bb
index eef90db4af..a7b9557ff8 100644
--- a/recipes-core/images/xenclient-syncvm-image.bb
+++ b/recipes-core/images/xenclient-syncvm-image.bb
@@ -38,6 +38,7 @@ IMAGE_INSTALL = "\
 openssh \
 wget \
 sync-client \
+ busybox-ifplugd \
 xenclient-syncvm-tweaks \
 ${@bb.utils.contains('DISTRO_FEATURES', 'blktap2', 'xen-tools-blktap', 'xen-tools-blktap3', d)} \
 "
diff --git a/recipes-core/init-ifupdown/init-ifupdown-1.0/xenclient-dom0/interfaces b/recipes-core/init-ifupdown/init-ifupdown-1.0/xenclient-dom0/interfaces
index 7cbfb03f8a..e70b50234a 100644
--- a/recipes-core/init-ifupdown/init-ifupdown-1.0/xenclient-dom0/interfaces
+++ b/recipes-core/init-ifupdown/init-ifupdown-1.0/xenclient-dom0/interfaces
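Review bot: The patch header carries no `Upstream-Status:` or `Signed-off-by:` trailer, which the OE layer convention expects for every file under files/; `Upstream-Status: Pending` below the description would do. The fix itself is the right mitigation as far as the hunk shows: setting close-on-exec right after each xmove_fd keeps the ioctl and netlink sockets from being inherited by the action script and by whatever ifup/ifdown spawn, which is the leak the description names. ifplugd_main continues on both sides of the inner hunk, so whether any descriptor opened later needs the same treatment is not visible here.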
@@ -3,20 +3,4 @@ auto lo
 iface lo inet loopback
 auto eth0
-iface eth0 inet manual
-
-auto uivm
-iface uivm inet manual
-
-auto brinternal
-iface brinternal inet manual
-
-auto brshared
-iface brshared inet manual
-
-auto brwireless
-iface brwireless inet manual
-
-auto brbridged
-iface brbridged inet dhcp
-
+iface eth0 inet dhcp
diff --git a/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh b/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
deleted file mode 100644
index cac6c77456..0000000000
--- a/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
+++ /dev/null
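Review bot: `auto eth0` is kept while eth0 moves from manual to `iface eth0 inet dhcp`, so the networking init configures it at boot and ifplugd, which this commit adds to the dom0 packagegroup and whose action script execs ifup on link-up, configures it again; either drop `auto eth0` and let ifplugd own the interface, or confirm that busybox ifup treats a second run on an already-configured interface as a harmless no-op. The removed bridge stanzas (uivm, brinternal, brshared, brwireless, brbridged) mean dom0 now takes its DHCP lease directly on eth0 rather than on brbridged, so its IP stack sits directly on the physical link; a comment line in the file recording why the bridges were dropped, or what now creates them, would keep that from looking accidental. The commit message is not in view, so both points are inferred from the hunk alone.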
@@ -1,235 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: volatile -# Required-Start: $local_fs -# Required-Stop: $local_fs -# Default-Start: S -# Default-Stop: -# Short-Description: Populate the volatile filesystem -### END INIT INFO - -# Get ROOT_DIR -DIRNAME=`dirname $0` -ROOT_DIR=`echo $DIRNAME | sed -ne 's:/etc/.*::p'` - -[ -e ${ROOT_DIR}/etc/default/rcS ] && . ${ROOT_DIR}/etc/default/rcS -# When running populate-volatile.sh at rootfs time, disable cache. -[ -n "$ROOT_DIR" ] && VOLATILE_ENABLE_CACHE=no -# If rootfs is read-only, disable cache. -[ "$ROOTFS_READ_ONLY" = "yes" ] && VOLATILE_ENABLE_CACHE=no - -CFGDIR="${ROOT_DIR}/etc/default/volatiles" -TMPROOT="${ROOT_DIR}/tmp" -COREDEF="00_core" -RESTORECON="${ROOT_DIR}/sbin/restorecon" - -[ "${VERBOSE}" != "no" ] && echo "Populating volatile Filesystems." - -create_file() { - EXEC=" - touch \"$1\"; - [ -x ${RESTORECON} ] && ${RESTORECON} \"$1\" >/dev/tty0 2>&1; - chown ${TUSER}.${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1; - chmod ${TMODE} $1 || echo \"Failed to set mode -${TMODE}- for -$1-.\" >/dev/tty0 2>&1 " - - test "$VOLATILE_ENABLE_CACHE" = yes && echo "$EXEC" >> /etc/volatile.cache.build - - [ -e "$1" ] && { - [ "${VERBOSE}" != "no" ] && echo "Target already exists. Skipping." - } || { - if [ -z "$ROOT_DIR" ]; then - eval $EXEC - else - # Creating some files at rootfs time may fail and should fail, - # but these failures should not be logged to make sure the do_rootfs - # process doesn't fail. This does no harm, as this script will - # run on target to set up the correct files and directories. 
- eval $EXEC > /dev/null 2>&1 - fi - } -} - -mk_dir() { - EXEC=" - mkdir -p \"$1\"; - [ -x ${RESTORECON} ] && ${RESTORECON} \"$1\" >/dev/tty0 2>&1; - chown ${TUSER}.${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1; - chmod ${TMODE} $1 || echo \"Failed to set mode -${TMODE}- for -$1-.\" >/dev/tty0 2>&1 " - - test "$VOLATILE_ENABLE_CACHE" = yes && echo "$EXEC" >> /etc/volatile.cache.build - [ -e "$1" ] && { - [ "${VERBOSE}" != "no" ] && echo "Target already exists. Skipping." - } || { - if [ -z "$ROOT_DIR" ]; then - eval $EXEC - else - # For the same reason with create_file(), failures should - # not be logged. - eval $EXEC > /dev/null 2>&1 - fi - } -} - -link_file() { - EXEC=" - if [ -L \"$2\" ]; then - [ \"\$(readlink -f \"$2\")\" != \"$1\" ] && { rm -f \"$2\"; ln -sf \"$1\" \"$2\"; }; - elif [ -d \"$2\" ]; then - if awk '\$2 == \"$2\" {exit 1}' /proc/mounts; then - cp -a $2/* $1 2>/dev/null; - cp -a $2/.[!.]* $1 2>/dev/null; - rm -rf \"$2\"; - ln -sf \"$1\" \"$2\"; - fi - else - ln -sf \"$1\" \"$2\"; - fi - " - - test "$VOLATILE_ENABLE_CACHE" = yes && echo " $EXEC" >> /etc/volatile.cache.build - - if [ -z "$ROOT_DIR" ]; then - eval $EXEC - else - # For the same reason with create_file(), failures should - # not be logged. 
- eval $EXEC > /dev/null 2>&1 - fi -} - -check_requirements() { - cleanup() { - rm "${TMP_INTERMED}" - rm "${TMP_DEFINED}" - rm "${TMP_COMBINED}" - } - - CFGFILE="$1" - [ `basename "${CFGFILE}"` = "${COREDEF}" ] && return 0 - - TMP_INTERMED="${TMPROOT}/tmp.$$" - TMP_DEFINED="${TMPROOT}/tmpdefined.$$" - TMP_COMBINED="${TMPROOT}/tmpcombined.$$" - - sed 's@\(^:\)*:.*@\1@' ${ROOT_DIR}/etc/passwd | sort | uniq > "${TMP_DEFINED}" - cat ${CFGFILE} | grep -v "^#" | cut -s -d " " -f 2 > "${TMP_INTERMED}" - cat "${TMP_DEFINED}" "${TMP_INTERMED}" | sort | uniq > "${TMP_COMBINED}" - NR_DEFINED_USERS="`cat "${TMP_DEFINED}" | wc -l`" - NR_COMBINED_USERS="`cat "${TMP_COMBINED}" | wc -l`" - - [ "${NR_DEFINED_USERS}" -ne "${NR_COMBINED_USERS}" ] && { - echo "Undefined users:" - diff "${TMP_DEFINED}" "${TMP_COMBINED}" | grep "^>" - cleanup - return 1 - } - - - sed 's@\(^:\)*:.*@\1@' ${ROOT_DIR}/etc/group | sort | uniq > "${TMP_DEFINED}" - cat ${CFGFILE} | grep -v "^#" | cut -s -d " " -f 3 > "${TMP_INTERMED}" - cat "${TMP_DEFINED}" "${TMP_INTERMED}" | sort | uniq > "${TMP_COMBINED}" - - NR_DEFINED_GROUPS="`cat "${TMP_DEFINED}" | wc -l`" - NR_COMBINED_GROUPS="`cat "${TMP_COMBINED}" | wc -l`" - - [ "${NR_DEFINED_GROUPS}" -ne "${NR_COMBINED_GROUPS}" ] && { - echo "Undefined groups:" - diff "${TMP_DEFINED}" "${TMP_COMBINED}" | grep "^>" - cleanup - return 1 - } - - # Add checks for required directories here - - cleanup - return 0 -} - -apply_cfgfile() { - CFGFILE="$1" - - check_requirements "${CFGFILE}" || { - echo "Skipping ${CFGFILE}" - return 1 - } - - cat ${CFGFILE} | sed 's/#.*//' | \ - while read TTYPE TUSER TGROUP TMODE TNAME TLTARGET; do - test -z "${TLTARGET}" && continue - TNAME=${ROOT_DIR}${TNAME} - [ "${VERBOSE}" != "no" ] && echo "Checking for -${TNAME}-." - - [ "${TTYPE}" = "l" ] && { - TSOURCE="$TLTARGET" - [ "${VERBOSE}" != "no" ] && echo "Creating link -${TNAME}- pointing to -${TSOURCE}-." 
- link_file "${TSOURCE}" "${TNAME}" - continue - } - - [ "${TTYPE}" = "b" ] && { - TSOURCE="$TLTARGET" - [ "${VERBOSE}" != "no" ] && echo "Creating mount-bind -${TNAME}- from -${TSOURCE}-." - mount --bind "${TSOURCE}" "${TNAME}" - EXEC=" - mount --bind \"${TSOURCE}\" \"${TNAME}\"" - test "$VOLATILE_ENABLE_CACHE" = yes && echo "$EXEC" >> /etc/volatile.cache.build - continue - } - - [ -L "${TNAME}" ] && { - [ "${VERBOSE}" != "no" ] && echo "Found link." - NEWNAME=`ls -l "${TNAME}" | sed -e 's/^.*-> \(.*\)$/\1/'` - echo ${NEWNAME} | grep -v "^/" >/dev/null && { - TNAME="`echo ${TNAME} | sed -e 's@\(.*\)/.*@\1@'`/${NEWNAME}" - [ "${VERBOSE}" != "no" ] && echo "Converted relative linktarget to absolute path -${TNAME}-." - } || { - TNAME="${NEWNAME}" - [ "${VERBOSE}" != "no" ] && echo "Using absolute link target -${TNAME}-." - } - } - - case "${TTYPE}" in - "f") [ "${VERBOSE}" != "no" ] && echo "Creating file -${TNAME}-." - create_file "${TNAME}" - ;; - "d") [ "${VERBOSE}" != "no" ] && echo "Creating directory -${TNAME}-." - mk_dir "${TNAME}" - # Add check to see if there's an entry in fstab to mount. - ;; - *) [ "${VERBOSE}" != "no" ] && echo "Invalid type -${TTYPE}-." - continue - ;; - esac - done - return 0 -} - -clearcache=0 -exec 9&- - -if test -e ${ROOT_DIR}/etc/volatile.cache -a "$VOLATILE_ENABLE_CACHE" = "yes" -a "x$1" != "xupdate" -a "x$clearcache" = "x0" -then - sh ${ROOT_DIR}/etc/volatile.cache -else - rm -f ${ROOT_DIR}/etc/volatile.cache ${ROOT_DIR}/etc/volatile.cache.build - for file in `ls -1 "${CFGDIR}" | sort`; do - apply_cfgfile "${CFGDIR}/${file}" - done - - [ -e ${ROOT_DIR}/etc/volatile.cache.build ] && sync && mv ${ROOT_DIR}/etc/volatile.cache.build ${ROOT_DIR}/etc/volatile.cache -fi - -if [ -z "${ROOT_DIR}" ] && [ -f /etc/ld.so.cache ] && [ ! -f /var/run/ld.so.cache ] -then - ln -s /etc/ld.so.cache /var/run/ld.so.cache -fi 
diff --git a/recipes-core/initscripts/initscripts-1.0/xenclient-dom0/volatiles b/recipes-core/initscripts/initscripts-1.0/xenclient-dom0/volatiles
index 8c726075b8..73fea9d45c 100644
--- a/recipes-core/initscripts/initscripts-1.0/xenclient-dom0/volatiles
+++ b/recipes-core/initscripts/initscripts-1.0/xenclient-dom0/volatiles
@@ -26,6 +26,7 @@ l root root 1777 /var/lock /run/lock
 d root root 0755 /var/lock/subsys none
 f root root 0644 /var/log/lastlog none
 f root root 0664 /var/run/utmp none
+d root root 0755 /var/volatile/tmp none
 d root root 0755 /var/volatile/etc none
 l root root 0777 /etc/asound.conf /var/volatile/etc/asound.conf
 f root root 0644 /etc/asound.conf none
diff --git a/recipes-core/initscripts/initscripts-1.0/xenclient-uivm/volatiles b/recipes-core/initscripts/initscripts-1.0/xenclient-uivm/volatiles
index 0c3d0fae0f..f93afa4efc 100644
--- a/recipes-core/initscripts/initscripts-1.0/xenclient-uivm/volatiles
+++ b/recipes-core/initscripts/initscripts-1.0/xenclient-uivm/volatiles
@@ -26,6 +26,7 @@ l root root 1777 /var/lock /run/lock
 d root root 0755 /var/lock/subsys none
 f root root 0644 /var/log/lastlog none
 f root root 0664 /var/run/utmp none
+d root root 1777 /var/volatile/tmp none
 d root root 0755 /var/volatile/etc none
 d root root 0755 /var/volatile/etc/asound none
 f root root 0644 /var/volatile/etc/resolv.conf none
diff --git a/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb b/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb
index ee08cccc22..6512f4664c 100644
--- a/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb
+++ b/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb
@@ -110,6 +110,7 @@ RDEPENDS_${PN} = " \
 udev-extraconf-dom0 \
 vglass \
 disman \
+ busybox-ifplugd \
 "
 # OE upgrade - temporarly disabled:
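Review bot: The dom0 and uivm volatiles hunks add the same `/var/volatile/tmp` directory with different modes, `0755` for dom0 and `1777` for uivm; if /tmp resolves to this directory on dom0 (the link entry, if any, is outside the hunk), 0755 stops every non-root process from creating temporary files, while 1777 is the sticky world-writable mode normally used for a shared tmp. If the tighter mode is deliberate because dom0 runs no unprivileged users, record that with a comment line above the dom0 entry; otherwise align it with the uivm value.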
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/ifplugd-tweaks.patch b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/ifplugd-tweaks.patch
new file mode 100644
index 0000000000..8b15579d59
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/ifplugd-tweaks.patch
@@ -0,0 +1,16 @@
+Fixup ifplugd for
+
+This may be partially from our buysbox implementation.
+
+--- a/policy/modules/services/ifplugd.te
++++ b/policy/modules/services/ifplugd.te
+@@ -70,3 +70,9 @@ sysnet_signal_dhcpc(ifplugd_t)
+ optional_policy(`
+ consoletype_exec(ifplugd_t)
+ ')
++
++# Busybox creates /run/ifstate.new and then renames to ifstate
++files_create_etc_runtime(ifplugd_t, "ifstate.new")
++# It tries to modpribe netdev-eth0, which we don't really need.
++kernel_dontaudit_request_load_module(ifplugd_t)
++dontaudit ifplugd_t self:capability sys_module;
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch
index a67438e604..89bb6eb994 100644
--- a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/policy.modules.system.sysnetwork.patch
@@ -1,6 +1,6 @@
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -18,9 +18,11 @@ ifdef(`distro_debian',`
+@@ -18,11 +18,13 @@ ifdef(`distro_debian',`
 /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
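Review bot: The patch description is unfinished: `Fixup ifplugd for` stops mid-sentence, `buysbox` is misspelled, and there is no `Upstream-Status:` trailer; something like `Fixup ifplugd policy for the busybox implementation` plus `Upstream-Status: Inappropriate [configuration]` would make the file self-explanatory. The policy content takes the conservative route, dontaudit'ing the module-load request and the sys_module capability instead of allowing them, so ifplugd_t still cannot load kernel modules and only the denial noise is silenced, and the two comment lines say why. `files_create_etc_runtime(ifplugd_t, "ifstate.new")` covers creation of the file, but the comment above it says busybox then renames it to ifstate; whether that rename is covered by the same interface is not visible here, so a look at the audit log after a link event would confirm no denial is left.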
@@ -11,8 +11,11 @@
 -/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+-/var/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/run/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
 @@ -34,6 +36,15 @@ ifdef(`distro_redhat',`
 /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-upstream.conf b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-upstream.conf
index f6e05830f7..0d2f0880bc 100644
--- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-upstream.conf
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-upstream.conf
@@ -1647,7 +1647,7 @@ icecast = off
 #
 # Bring up/down ethernet interfaces based on cable detection.
 #
-ifplugd = off
+ifplugd = on
 # Layer: services
 # Module: imaze
diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/apps/xec.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/apps/xec.te
index a36c2beee1..0ba785b7d4 100644
--- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/apps/xec.te
+++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/apps/xec.te
@@ -94,6 +94,9 @@ allow xec_t self:capability { dac_override dac_read_search };
 statusreport_write_storage_files(xec_t)
 statusreport_getattr_storage_files(xec_t)
+# The vGlass initscript uses xec to query xenmgr for GPUs
+init_dontaudit_use_fds(xec_t)
+
 #######################################
 #
 # xentop local policy
diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
index 32f88c4130..8e79eef0bb 100644
--- a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
+++ b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend
@@ -163,6 +163,7 @@ SRC_URI += " \
 file://patches/add-missing-dbusd-permissions.patch \
 file://patches/xl-sysadm-interfaces.patch \
 file://patches/policy.modules.admin.bootloader.diff \
+ file://patches/ifplugd-tweaks.patch \
 "
 DEPENDS_append += " \