Commit Graph

5797 Commits

Author SHA1 Message Date
bauen1 ee323d3b9a
filesystem: pathcon for matching tracefs mount
Prevent restorecon from trying to relabel /sys/fs/tracing.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 c9354399f9
corecommands: proper label for unattended-upgrades helpers
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 ef0238d2d5
init: watch /etc/localtime even if it's a symlink
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 70e0d26988
files: add files_watch_etc_symlinks interface
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 9e2e343989
setrans: allow label translation for all domains.
This partially reverts commit 65da822c1b
Connecting to setransd is still very much necessary for any domain that
uses SELinux labels in any way.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:53:47 +02:00
bauen1 8784dd0c66
init: allow systemd to activate journald-audit.socket
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:51:46 +02:00
bauen1 5fb8157616
init: make initrc_t a init_domain to simplify the policy
This also allows init_t initrc_t:process2 nnp_transition which can be
required if the service isn't targeted.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:51:39 +02:00
Chris PeBenito 14acb02b90
Merge pull request #259 from cgzones/apache
apache: use correct content types in apache_manage_all_user_content()
2020-05-22 14:50:11 -04:00
bauen1 51d76f956f
init: allow systemd to setup mount namespaces
This is required to boot without the unconfined module.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:48:13 +02:00
Chris PeBenito 72f7f7bfb1
Merge pull request #263 from cgzones/makefile_suffixes
Makefile: remove obsolete .SUFFIXES
2020-05-22 14:22:56 -04:00
Chris PeBenito f60bdf2d1b
Merge pull request #260 from cgzones/can_exec
can_exec(): move from misc_macros to misc_patterns
2020-05-22 14:21:20 -04:00
Christian Göttsche 7366235e1e Makefile: remove obsolete .SUFFIXES
With the removal of fc_sort there are no more .c files in the repository.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-21 11:42:45 +02:00
Christian Göttsche 40a59af329 can_exec(): move from misc_macros to misc_patterns
The file misc_macros.spt is, due to heavy usage of the m4 language,
hard to parse for third-party tools.
Move the macro can_exec() to misc_patterns.spt, which contains
only interface-like define blocks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-15 15:59:13 +02:00
Christian Göttsche 160e2016bb apache: use correct content types in apache_manage_all_user_content()
The content types are named httpd_user_rw_content_t and
httpd_user_ra_content_t not httpd_user_content_rw_t and
httpd_user_content_ra_t in apache_content_template()

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-15 00:01:02 +02:00
Chris PeBenito 5b171c223a various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-14 10:32:30 -04:00
Chris PeBenito 28bf3cb4fb Merge pull request #258 from bauen1/misc-fixes-1 2020-05-14 10:27:04 -04:00
Chris PeBenito 2ab326ab2d Merge pull request #253 from cgzones/selint 2020-05-14 10:27:00 -04:00
Chris PeBenito d9d94a93fd
Merge pull request #257 from pebenito/drop-py2-compat
genhomedircon: Drop Python 2 compatibility code.
2020-05-14 10:22:55 -04:00
bauen1 09c028ead9
dnsmasq: watch for new dns resolvers
dnsmasq will watch /etc/resolv.conf for any changes to add new dns
servers immediately.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:51 +02:00
bauen1 096b8f59f2
semanage: create directories for new policies
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being built for the first time).

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:31 +02:00
bauen1 4f9772e309
systemd-fstab-generator needs to know about all mountpoints
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1 da561748d0
corecommands: fix atrild label
atrild is a daemon shipped by atril, see shell/Makefile.am of
https://github.com/mate-desktop/atril

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1 955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:27 +02:00
bauen1 67dfa3651f
init: read default context during boot
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00
bauen1 2b11987003
quota: allow quota to modify /aquota even if immutable
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00
bauen1 0ff1f78619
systemd: allow regular users to run systemd-analyze
Same deal as with systemd-run: this is potentially useful for
non-privileged users and especially useful for admins.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:17 +02:00
Chris PeBenito a229fb0e39 genhomedircon: Drop Python 2 compatibility code.
Python 2 is end-of-life.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-05-13 16:12:53 -04:00
Christian Göttsche 57d570f01c chromium/libraries: move lib_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Christian Göttsche 2884cfe4bc files/miscfiles: move usr_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Christian Göttsche 75b3bcaf3e files/logging: move var_run_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Chris PeBenito e7dad518eb application: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-12 11:24:40 -04:00
Chris PeBenito 5387a29b40 Merge pull request #255 from bauen1/fix-sudo-ssh 2020-05-12 11:24:10 -04:00
bauen1 dd8ed0ba14
application: applications can be executed from ssh without pty
For example ansible uses `ssh localhost sudo id` to become root.
This doesn't appear to be necessary in redhat due to https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-privsep-selinux.patch

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-12 16:52:59 +02:00
Chris PeBenito 68a076bf43 dirmngr: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-12 10:50:57 -04:00
Chris PeBenito 5e5b57b1eb Merge pull request #256 from bauen1/fix-dirmngr 2020-05-12 10:49:43 -04:00
Christian Göttsche 0ac9f4cb22 tpm2: small fixes
* Drop permissions implied by domtrans_pattern
* Use fifo_file permission macro for fifo_file class

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche d769c71848 init/systemd: move systemd_manage_all_units to init_manage_all_units
The attribute systemdunit is defined in the file init.te, so interfaces
granting access on it should be defined in init.if

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche e683d67f46 portage: drop bizarre conditional TODO blocks
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche 8f308eb846 unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche f6a7365cc0 consolesetup: drop unused requires
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche 20323a2ab5 example: use module name matching file name
Using a different name in a non-base module will be rejected by checkmodule

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche 31153edcb4 chromium: drop dead conditional block
The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche c7d77a32b9 samba: fix wrong interface context smbd_runtime_t
Commit 69a403cd97 renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31 removed the alias smbd_var_run_t to samba_runtime_t.

Use samba_runtime_t instead.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
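The samba, chromium and apache fixes in this range all correct the same class of defect: a policy file refers to an identifier that is declared nowhere (the misnamed httpd_user_content_rw_t/httpd_user_content_ra_t types, the removed smbd_runtime_t, the undefined use_alsa tunable and the non-existent alsa_domain interface). As an added example, not refpolicy code and not a substitute for SELint or checkmodule, here is a small Python checker that collects type, interface and tunable declarations from an in-memory set of policy files and reports references that have no declaration. The policy text below is a constructed sample written to mimic those defects in simplified refpolicy syntax; the file names, interface names and the set of recognised macros are assumptions of the example.

```python
"""Added example (not refpolicy code): report SELinux policy identifiers that
are referenced but never declared.

Assumptions: a simplified view of refpolicy syntax (only the constructs matched
by the regexes below are understood), policy supplied as {filename: text}, and
a small hand-picked set of support macros that are not interfaces."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample; the defects mirror the commit messages, the text itself
# is not from the refpolicy tree.
SAMPLE_POLICY: Dict[str, str] = {
    "apache.te": (
        "policy_module(apache, 1.0)\n"
        "type httpd_user_content_t;\n"
        "type httpd_user_rw_content_t;\n"
        "type httpd_user_ra_content_t;\n"
    ),
    "apache.if": (
        "interface(`apache_manage_all_user_content',`\n"
        "\tgen_require(`\n"
        "\t\ttype httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;\n"
        "\t')\n"
        "\tmanage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)\n"
        "\tmanage_files_pattern($1, httpd_user_content_rw_t, httpd_user_content_rw_t)\n"
        "\tmanage_files_pattern($1, httpd_user_content_ra_t, httpd_user_content_ra_t)\n"
        "')\n"
    ),
    "samba.te": "type samba_runtime_t;\n",
    "samba.if": (
        "interface(`samba_read_runtime',`\n"
        "\tgen_require(`\n"
        "\t\ttype smbd_runtime_t;\n"
        "\t')\n"
        "\tread_files_pattern($1, smbd_runtime_t, smbd_runtime_t)\n"
        "')\n"
    ),
    "chromium.te": (
        "type chromium_t;\n"
        "tunable_policy(`use_alsa',`\n"
        "\talsa_domain(chromium_t)\n"
        "')\n"
    ),
}

# Support macros and statements that look like interface calls but are not
# (assumption: a minimal list sufficient for the sample).
KNOWN_MACROS = {
    "policy_module", "gen_require", "tunable_policy", "optional_policy",
    "gen_tunable", "gen_context", "interface", "template",
    "manage_files_pattern", "read_files_pattern", "domtrans_pattern",
}

TYPE_DECL = re.compile(r"^\s*type\s+([a-z][a-z0-9_]*)"
                       r"(?:\s+alias\s+(\{[^}]*\}|[a-z][a-z0-9_]*))?", re.M)
IFACE_DECL = re.compile(r"^\s*(?:interface|template)\(`([a-z][a-z0-9_]*)'", re.M)
TUNABLE_DECL = re.compile(r"^\s*(?:gen_tunable\(|bool\s+)([a-z][a-z0-9_]*)", re.M)
REQUIRE_BLOCK = re.compile(r"gen_require\(`.*?'\)", re.S)
TYPE_REF = re.compile(r"\b[a-z][a-z0-9_]*_t\b")      # refpolicy types end in _t
CALL = re.compile(r"^\s*([a-z][a-z0-9_]*)\(", re.M)  # a line that invokes a macro
TUNABLE_USE = re.compile(r"tunable_policy\(`([^']*)'")
IDENT = re.compile(r"\b[a-z][a-z0-9_]*\b")


def collect_declarations(policy: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Gather declared types (including aliases), interfaces and tunables."""
    types, ifaces, tunables = set(), set(), set()
    for text in policy.values():
        body = REQUIRE_BLOCK.sub("", text)  # gen_require lists uses, not declarations
        for m in TYPE_DECL.finditer(body):
            types.add(m.group(1))
            if m.group(2):
                types.update(IDENT.findall(m.group(2)))
        ifaces.update(IFACE_DECL.findall(body))
        tunables.update(TUNABLE_DECL.findall(body))
    return types, ifaces, tunables


def find_undeclared(policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return sorted (file, kind, name) for every reference lacking a declaration."""
    types, ifaces, tunables = collect_declarations(policy)
    findings = set()
    for fname, text in policy.items():
        for name in TYPE_REF.findall(text):
            if name not in types:
                findings.add((fname, "type", name))
        for name in CALL.findall(text):
            if name not in ifaces and name not in KNOWN_MACROS:
                findings.add((fname, "interface", name))
        for expr in TUNABLE_USE.findall(text):
            for name in IDENT.findall(expr):  # handles `a && b' style expressions
                if name not in tunables:
                    findings.add((fname, "tunable", name))
    return sorted(findings)


if __name__ == "__main__":
    for fname, kind, name in find_undeclared(SAMPLE_POLICY):
        print(f"{fname}: undeclared {kind} {name}")
```

The checker deliberately treats gen_require blocks as uses rather than declarations, which is exactly why the apache.if and samba.if cases surface: an interface can require a type that no .te file ever declares, and the module still builds until something calls it.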
Chris PeBenito ded295d16f
Merge pull request #252 from bauen1/add-lockdown-class
define lockdown class and access
2020-05-11 08:48:47 -04:00
bauen1 3cdae47364
dirmngr: ~/.gnupg/crls.d might not exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1 a356bce2d4
dirmngr: also requires access to /dev/urandom
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1 5bd2650602
dirmngr: allow to probe for tor
dirmngr will test if tor is running (even if it isn't), and if this check
fails dirmngr will fail to retrieve any keys; this is the default (see
https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
for --use-tor).

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:40 +02:00
bauen1 f9758ae558
define lockdown class and access
This was introduced in the merge b1dba2473114588be3df916bf629a61bdcc83737 in the linux kernel.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-08 19:18:52 +02:00
Chris PeBenito 6df603e814 apache, bird, ntp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-05 13:35:34 -04:00
Chris PeBenito 370160dcb9 Merge pull request #251 from bauen1/fix-systemd-timesyncd 2020-05-05 13:28:54 -04:00