Commit Graph

5572 Commits

Author SHA1 Message Date
bauen1 0a596401f1
logrotate.service sandbox required permissions
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
bauen1 d9a58c8434
terminal: cleanup term_create interfaces
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
bauen1 aa6c7f28f2
allow most common permissions for systemd sandboxing options
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:28 +02:00
Chris PeBenito 309f655fdc various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
Chris PeBenito fe1ed5ef74 Merge pull request #265 from topimiettinen/allow-unlabeled-packets 2020-06-10 15:02:03 -04:00
Chris PeBenito f4b10de892
Merge pull request #272 from cgzones/spelling
Correct some misspellings
2020-06-10 14:49:06 -04:00
Christian Göttsche cdfd85c35b Correct some misspellings
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-05 15:38:43 +02:00
Topi Miettinen 1d8333d7a7
Remove unlabeled packet access
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
Chris PeBenito e01cd6c98b
Merge pull request #201 from cgzones/rebuild-if-db
Makefile: add target rebuild-interface-db
2020-06-03 13:15:01 -04:00
Christian Göttsche b4180614b6 apache: quote gen_tunable name argument
Match the style of tunable_policy and gen_tunable statements in userdomain.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
Christian Göttsche dcb01ec4cc devices/storage: quote arguments to tunable_policy
Match the overall style and please sepolgen-ifgen.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
Christian Göttsche a3811f4eb4 Makefile: add target build-interface-db
Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference-style policy generation by
'audit2allow --reference'.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
Chris PeBenito c950ada4ea openvpn: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-02 13:35:57 -04:00
Chris PeBenito ec8b8c5b2a Merge pull request #268 from McSim85/master 2020-06-02 13:18:02 -04:00
McSim85 95c43ef3a4 add rule for the management socket file
fixed comments from @bauen1

Signed-off-by: McSim85 <maxim@kramarenko.pro>
2020-06-02 13:58:46 +03:00
Chris PeBenito b38804e328 init, logging: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-27 11:36:44 -04:00
Chris PeBenito fe0a8d2542 Merge pull request #261 from bauen1/confined-debian-fixes 2020-05-27 11:35:49 -04:00
bauen1 be231899f5
init: replace call to init_domtrans_script
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 17:09:06 +02:00
Chris PeBenito c75b2f3642 corecommands, files, filesystem, init, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-27 10:52:49 -04:00
Chris PeBenito d8da662d5e Merge pull request #262 from bauen1/misc-fixes-1 2020-05-27 10:52:07 -04:00
Chris PeBenito 382c5f7c09 domain, setrans: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-27 10:46:47 -04:00
Chris PeBenito 5374e1ac16 Merge pull request #264 from bauen1/reenable-setrans 2020-05-27 10:46:08 -04:00
bauen1 b184f71bed
init: fix init_manage_pid_symlinks to grant more than just create permissions
This was introduced in 4e842fe209 by me.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 14:23:18 +02:00
bauen1 ab2c353048
systemd: allow systemd-user-runtime-dir to do its job
It requires access to /run/user/UID while running as root.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 14:03:05 +02:00
bauen1 7eae84a8b4
lvm-activation-generator also needs to execute lvm
lvm will also try to read localization.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 14:03:05 +02:00
bauen1 ee323d3b9a
filesystem: pathcon for matching tracefs mount
Prevent restorecon from trying to relabel /sys/fs/tracing.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 c9354399f9
corecommands: proper label for unattended-upgrades helpers
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 ef0238d2d5
init: watch /etc/localtime even if it's a symlink
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 70e0d26988
files: add files_watch_etc_symlinks interface
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-27 11:51:36 +02:00
bauen1 9e2e343989
setrans: allow label translation for all domains.
This partially reverts commit 65da822c1b.
Connecting to setransd is still very much necessary for any domain that
uses SELinux labels in any way.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:53:47 +02:00
bauen1 8784dd0c66
init: allow systemd to activate journald-audit.socket
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:51:46 +02:00
bauen1 5fb8157616
init: make initrc_t an init_domain to simplify the policy
This also allows init_t initrc_t:process2 nnp_transition, which can be
required if the service isn't targeted.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:51:39 +02:00
Chris PeBenito 14acb02b90
Merge pull request #259 from cgzones/apache
apache: use correct content types in apache_manage_all_user_content()
2020-05-22 14:50:11 -04:00
bauen1 51d76f956f
init: allow systemd to setup mount namespaces
This is required to boot without the unconfined module.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-22 20:48:13 +02:00
Chris PeBenito 72f7f7bfb1
Merge pull request #263 from cgzones/makefile_suffixes
Makefile: remove obsolete .SUFFIXES
2020-05-22 14:22:56 -04:00
Chris PeBenito f60bdf2d1b
Merge pull request #260 from cgzones/can_exec
can_exec(): move from misc_macros to misc_patterns
2020-05-22 14:21:20 -04:00
Christian Göttsche 7366235e1e Makefile: remove obsolete .SUFFIXES
With the removal of fc_sort there are no more .c files in the repository.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-21 11:42:45 +02:00
Christian Göttsche 40a59af329 can_exec(): move from misc_macros to misc_patterns
The file misc_macros.spt is, due to heavy usage of the m4 language,
hard to parse for third-party tools.
Move the macro can_exec() to misc_patterns.spt, which contains
only interface-like define blocks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-15 15:59:13 +02:00
Christian Göttsche 160e2016bb apache: use correct content types in apache_manage_all_user_content()
The content types are named httpd_user_rw_content_t and
httpd_user_ra_content_t, not httpd_user_content_rw_t and
httpd_user_content_ra_t, in apache_content_template().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-15 00:01:02 +02:00
Chris PeBenito 5b171c223a various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-14 10:32:30 -04:00
Chris PeBenito 28bf3cb4fb Merge pull request #258 from bauen1/misc-fixes-1 2020-05-14 10:27:04 -04:00
Chris PeBenito 2ab326ab2d Merge pull request #253 from cgzones/selint 2020-05-14 10:27:00 -04:00
Chris PeBenito d9d94a93fd
Merge pull request #257 from pebenito/drop-py2-compat
genhomedircon: Drop Python 2 compatibility code.
2020-05-14 10:22:55 -04:00
bauen1 09c028ead9
dnsmasq: watch for new DNS resolvers
dnsmasq will watch /etc/resolv.conf for any changes to add new DNS
servers immediately.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:51 +02:00
bauen1 096b8f59f2
semanage: create directories for new policies
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being built for the first time).

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:31 +02:00
bauen1 4f9772e309
systemd-fstab-generator needs to know about all mountpoints
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1 da561748d0
corecommands: fix atrild label
atrild is a daemon shipped by atril, see shell/Makefile.am of
https://github.com/mate-desktop/atril

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1 955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:27 +02:00
bauen1 67dfa3651f
init: read default context during boot
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00
bauen1 2b11987003
quota: allow quota to modify /aquota even if immutable
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00