The rule uses the permission manage_file_perms on the classes file and
sock_file. This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.
Found by SELint
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
root: duplicate key: matrix
root: deprecated key sudo (The key `sudo` has no effect anymore.)
root: missing os, using the default linux
root: key matrix is an alias for jobs, using jobs
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This made unlabeled_t a file and provided much more access than an
unlabeled file should have. Access to unlabeled objects should be
explicit.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Revise to use ifelse to have a clear set of criteria for enabling the
various options. Additionally, if no options are enabled, run_init
permissions are provided as a default.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Set build options to expand to "true". This will enable writing build
options using m4 ifelse, for example:
ifelse(`init_systemd',`true',`
    [init_systemd rules]
',`direct_sysadm_daemon',`true',`
    [direct_sysadm_daemon rules]
',` dnl else
    [else rules]
')
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
This will allow user definitions in modules to work for monolithic policies
and base module.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>