Chris PeBenito
5922346539
Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into bigon-systemd-1
2016-01-06 09:13:47 -05:00
Chris PeBenito
c08499e9ab
Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into bigon-overcommit-1
2016-01-06 09:12:25 -05:00
Chris PeBenito
2c465410d9
Add neverallow for mac_override capability. It is not used by SELinux.
2016-01-06 09:09:36 -05:00
Chris PeBenito
994f605a2c
Module version bump for Xorg and SSH patches from Nicolas Iooss.
2016-01-05 13:38:19 -05:00
Nicolas Iooss
ce2982bf50
Label OpenSSH systemd unit files
...
On Arch Linux, OpenSSH unit files are:
/usr/lib/systemd/system/sshdgenkeys.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
On Debian jessie, the unit files are:
/lib/systemd/system/ssh.service
/lib/systemd/system/ssh@.service
/lib/systemd/system/ssh.socket
On Fedora 22, the unit files are:
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
Use a pattern which matches every sshd unit and introduce another type
for ssh-keygen units.
2016-01-05 13:22:52 -05:00
Nicolas Iooss
3505a51d76
Label OpenSSH files correctly on Arch Linux
...
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)
Label all these files but sftp-server as bin_t.
2016-01-05 13:22:52 -05:00
Nicolas Iooss
59e00c5580
Label Xorg server binary correctly on Arch Linux
...
On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.
Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details). Therefore label it as xserver_exec_t.
This makes the following AVC appear:
denied { execute_no_trans } for pid=927 comm="X"
path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
scontext=system_u:system_r:xserver_t
tcontext=system_u:object_r:xserver_exec_t tclass=file
Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
2016-01-05 13:22:52 -05:00
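The denial quoted in the commit above is the usual starting point for a policy fix; the point to get right is that execute_no_trans means xserver_t ran Xorg.wrap without a domain transition, and that the fix belongs in a refpolicy interface (can_exec) rather than a raw allow rule. The Python below is an added example, not refpolicy or audit2allow code: it parses an AVC record constructed around the fields quoted in the commit message (the audit header and the permissive flag are made up so the line has the shape auditd writes), emits the raw allow rule, and suggests can_exec() when the denial matches the no-transition execute pattern. The second record uses hypothetical types (foo_t, foo_conf_t) only to exercise the multi-permission and permissive=1 paths.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed AVC record: the fields are those quoted in the commit message;
# the audit header (type=, msg=audit(...)) and permissive=0 are made up.
AVC_XORG = (
    'type=AVC msg=audit(1452000000.000:1): avc:  denied  { execute_no_trans } for  '
    'pid=927 comm="X" path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592 '
    'scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:xserver_exec_t '
    'tclass=file permissive=0'
)

# Constructed record with hypothetical types, only to show the multi-permission
# formatting and a permissive-mode record (which was allowed, not denied).
AVC_HYPOTHETICAL = (
    'type=AVC msg=audit(1452000000.001:2): avc:  denied  { read open } for  '
    'pid=1000 comm="foo" path="/etc/foo.conf" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:foo_t tcontext=system_u:object_r:foo_conf_t '
    'tclass=file permissive=1'
)

_DENIED = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that can_exec() grants on a file in refpolicy; a denial whose
# permission set lies inside this is a "run without transition" case.
_EXEC_PERMS = {"execute", "execute_no_trans", "read", "open", "getattr", "map", "ioctl"}


@dataclass
class Avc:
    result: str             # "denied" or "granted"
    perms: List[str]
    fields: Dict[str, str]  # key=value pairs after "for"

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def enforced(self) -> bool:
        # permissive=1 means the access went through; the record is advisory.
        return self.fields.get("permissive", "0") == "0"


def parse_avc(line: str) -> Avc:
    """Split one audit AVC line into result, permission list and fields."""
    m = _DENIED.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    perms = m.group(2).split()
    fields = {k: v.strip('"') for k, v in _KV.findall(line[m.end():])}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record lacks {required}")
    return Avc(m.group(1), perms, fields)


def allow_rule(avc: Avc) -> str:
    """The raw rule audit2allow would produce for this record."""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {perms};"


def refpolicy_suggestion(avc: Avc) -> str:
    """Prefer the refpolicy interface: execute_no_trans on an *_exec_t file
    means the domain runs the program in its own domain, which is exactly
    what can_exec(domain, exec_type) grants. Anything else falls back to
    the raw rule for the policy writer to map to an interface by hand."""
    if (avc.tclass == "file" and "execute_no_trans" in avc.perms
            and set(avc.perms) <= _EXEC_PERMS
            and avc.target_type.endswith("_exec_t")):
        return f"can_exec({avc.source_type}, {avc.target_type})"
    return allow_rule(avc)


def triage(line: str) -> Dict[str, object]:
    avc = parse_avc(line)
    return {"enforced": avc.enforced, "raw": allow_rule(avc),
            "suggested": refpolicy_suggestion(avc)}


if __name__ == "__main__":
    for rec in (AVC_XORG, AVC_HYPOTHETICAL):
        print(triage(rec))
```

The suggestion deliberately stays conservative: it only maps the one pattern it can recognise with confidence, and leaves any other permission set as a raw rule so that it is not silently turned into a broader interface than the denial justifies.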
Laurent Bigonville
b02a5d4b55
Allow syslogd_t to read sysctl_vm_overcommit_t
2015-12-16 19:30:47 +01:00
Laurent Bigonville
c0e95ed326
On Debian, systemd binaries are installed in / not /usr
...
On Debian, systemd binaries are installed in /, not /usr; add an
equivalence for this.
2015-12-14 22:52:47 +01:00
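Three of the commits above change how paths are labelled: the OpenSSH unit-file patterns (one pattern for every sshd unit, a separate type for the key-generation units), the /usr/lib/ssh entries (everything bin_t except sftp-server, which keeps ssh_keysign_exec_t), and the Debian / versus /usr equivalence. All three depend on how a path is resolved against file_contexts, so the Python below is an added example of that resolution, not refpolicy or libselinux code. It uses a constructed .fc fragment and a constructed file_contexts.subs_dist-style substitution table; the unit-file type names sshd_unit_t and ssh_keygen_unit_t, the regexes, and the ranking rule (longest literal prefix wins, later line breaks ties) are assumptions that approximate libselinux's behaviour rather than reproduce its implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed file_contexts.subs_dist-style table (assumed content): a path
# under the left prefix is rewritten to the right prefix before lookup, which
# is how a Debian /lib/systemd/... path resolves against /usr/lib entries.
SUBS_DIST = """
/lib /usr/lib
"""

# Constructed refpolicy-style .fc fragment. The unit-file type names
# (sshd_unit_t, ssh_keygen_unit_t) and the regexes are assumptions.
FC_FRAGMENT = r"""
/usr/lib/ssh/.*                                          gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ssh/sftp-server                             --  gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/lib/systemd/system/sshd?(@)?\.(service|socket)  --  gen_context(system_u:object_r:sshd_unit_t,s0)
/usr/lib/systemd/system/sshd-keygen\.service         --  gen_context(system_u:object_r:ssh_keygen_unit_t,s0)
/usr/lib/systemd/system/sshdgenkeys\.service         --  gen_context(system_u:object_r:ssh_keygen_unit_t,s0)
"""

_FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlbcsp])\s+)?gen_context\(([^,]+),\S*\)$")
_META = set(".^$*+?()[]{}|\\")


@dataclass
class FcEntry:
    regex: re.Pattern
    mode: Optional[str]   # "--" regular file, "-l" symlink, "-d" dir, ...; None = any
    context: str
    stem_len: int         # literal prefix length, used as the specificity score


def stem_length(pattern: str) -> int:
    """Length of the literal prefix before the first regex metacharacter."""
    n = 0
    for ch in pattern:
        if ch in _META:
            break
        n += 1
    return n


def parse_fc(text: str) -> List[FcEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if m is None:
            raise ValueError(f"bad fc line: {line!r}")
        pattern, mode, ctx = m.groups()
        # libselinux anchors every pattern; fullmatch() below does the same.
        entries.append(FcEntry(re.compile(pattern), mode, ctx, stem_length(pattern)))
    return entries


def parse_subs(text: str) -> List[Tuple[str, str]]:
    subs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            subs.append((parts[0], parts[1]))
    return subs


def apply_subs(path: str, subs: List[Tuple[str, str]]) -> str:
    """Rewrite a path prefix; only whole path components match."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, mode: str, entries: List[FcEntry],
           subs: List[Tuple[str, str]]) -> Optional[str]:
    """Highest stem length wins; among equal stems the later entry wins
    (an approximation of libselinux's ranking, not its implementation)."""
    path = apply_subs(path, subs)
    best = None
    for idx, e in enumerate(entries):
        if e.mode is not None and e.mode != mode:
            continue
        if e.regex.fullmatch(path) is None:
            continue
        key = (e.stem_len, idx)
        if best is None or key > best[0]:
            best = (key, e.context)
    return None if best is None else best[1]


ENTRIES = parse_fc(FC_FRAGMENT)
SUBS = parse_subs(SUBS_DIST)


def type_of(path: str, mode: str = "--") -> Optional[str]:
    """Type field of the resolved context, or None if nothing matches."""
    ctx = lookup(path, mode, ENTRIES, SUBS)
    return None if ctx is None else ctx.split(":")[2]


if __name__ == "__main__":
    for p in ("/usr/lib/ssh/sftp-server", "/usr/lib/ssh/ssh-keysign",
              "/lib/systemd/system/ssh@.service",
              "/usr/lib/systemd/system/sshdgenkeys.service"):
        print(p, "->", type_of(p))
```

On a real system the equivalent check is `matchpathcon /lib/systemd/system/ssh.service` (or `selabel_lookup` from libselinux); the script is only useful for reasoning about why a more specific entry such as sftp-server survives a broader bin_t pattern for the same directory, and why the Debian paths need the substitution rather than a second set of patterns.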
Laurent Bigonville
83b15c15b3
Give some systemd domain access to /proc/sys/kernel/random/boot_id
2015-12-14 22:19:24 +01:00
Chris PeBenito
4d0610807f
Update contrib.
2015-12-14 10:40:04 -05:00
Chris PeBenito
2b972fefd1
Module version bump for vm overcommit sysctl interfaces from Laurent Bigonville.
2015-12-14 10:04:14 -05:00
Laurent Bigonville
4340b9f8a4
Add interfaces to read/write /proc/sys/vm/overcommit_memory
2015-12-14 10:02:53 -05:00
Chris PeBenito
6b1b2e3965
Module version bumps for 2 patches from Dominick Grift.
2015-12-10 15:46:13 -05:00
Dominick Grift
6d6370c98a
kernel: implement sysctl_vm_overcommit_t for /proc/sys/vm/overcommit_memory
...
Whoever requires this type first gets to create the interfaces to operate on this object
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Dominick Grift
81d15a0273
authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
...
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Chris PeBenito
727949924a
Module version bump for systemd-user-sessions fc entry from Dominick Grift
2015-12-09 09:40:55 -05:00
Dominick Grift
e1eeef00a6
systemd: add missing file context spec for systemd-user-sessions executable file
...
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-09 09:26:59 -05:00
Chris PeBenito
4fd44dc0f6
Update Changelog and VERSION for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
a2fab1a961
Update contrib.
2015-12-01 10:23:56 -05:00
Chris PeBenito
70ba55c2fc
Module version bump for utempter Debian helper from Laurent Bigonville.
2015-12-01 10:23:46 -05:00
Laurent Bigonville
c6efc3ada1
Properly label utempter helper on debian
2015-12-01 09:45:06 -05:00
Chris PeBenito
37d2aeca3d
Remove bad interface in systemd.if.
2015-11-05 15:31:53 -05:00
Chris PeBenito
b94f45d760
Revise selinux module interfaces for perms protected by neverallows.
...
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.
Closes #14
2015-11-04 15:10:29 -05:00
Chris PeBenito
a3208c3495
Update contrib for dbus systemd fix.
2015-10-29 07:36:33 -04:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
60d8b699fb
Change policy_config_t to a security file type.
...
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
bdfc7e3eb0
Add sysfs_types attribute.
...
Collect all types used to label sysfs entries.
2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3
Add systemd units for core refpolicy services.
...
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito
fc2de5c21c
Add rules for sysadm_r to manage the services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
3639880cf6
Implement core systemd policy.
...
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Chris PeBenito
4d28cb714f
Module version bump for patches from Jason Zaman/Matthias Dahl.
2015-10-12 09:31:18 -04:00
Chris PeBenito
2c0e3d9a24
Rearrange lines in ipsec.te.
2015-10-12 09:30:05 -04:00
Jason Zaman
775b07e60a
system/ipsec: Add policy for StrongSwan
...
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
2015-10-12 09:16:28 -04:00
Jason Zaman
b3a95b4aeb
Add overlayfs as an XATTR capable fs
...
The module is called "overlay" in the kernel
2015-10-12 09:13:53 -04:00
Chris PeBenito
778dfaf776
Update contrib.
2015-09-15 08:39:38 -04:00
Chris PeBenito
cfaeb62603
Module version bump for vfio device from Alexander Wetzel.
2015-09-15 08:39:21 -04:00
Alexander Wetzel
9ae4033beb
adds vfio device support to base policy
...
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
2015-09-15 08:17:31 -04:00
Chris PeBenito
1d51a2f4c4
Module version bump for APR build script labeling from Luis Ressel.
2015-08-11 08:46:41 -04:00
Luis Ressel
fd5e40b047
Mark APR build scripts as bin_t
...
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
2015-08-11 08:42:25 -04:00
Chris PeBenito
c8c2b8b0c8
Module version bump for ssh-agent -k fix from Luis Ressel.
2015-07-20 10:01:52 -04:00
Luis Ressel
d8071a8e1b
Allow ssh-agent to send signals to itself
...
This is necessary for "ssh-agent -k".
2015-07-20 09:57:35 -04:00
Chris PeBenito
95248e4919
Module version bump for cron_admin for sysadm from Jason Zaman.
2015-07-17 08:56:43 -04:00
Jason Zaman
13cfdd788f
add new cron_admin interface to sysadm
2015-07-17 08:13:43 -04:00
Chris PeBenito
d74c9bd6b8
Module version bumps for admin interfaces from Jason Zaman.
2015-07-14 11:18:35 -04:00
Jason Zaman
0023b30946
Introduce setrans_admin interface
2015-07-14 11:04:44 -04:00
Jason Zaman
e1f2a8b9d6
Introduce ipsec_admin interface
2015-07-14 11:04:44 -04:00