Chris PeBenito
aa6c3f4da3
apt, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-27 09:05:53 -04:00
Chris PeBenito
7d7280ca21
Merge pull request #287 from bigon/packagekit
2020-07-27 09:03:13 -04:00
Laurent Bigonville
e4f0709788
Label /usr/libexec/packagekitd as apt_exec_t on debian
...
The daemon has now moved from /usr/lib/packagekit/packagekitd to
/usr/libexec/packagekitd
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2020-07-27 13:26:06 +02:00
Chris PeBenito
9cb8472967
Merge pull request #285 from pebenito/move-users
...
Move user definitions to the right place during compilation.
2020-07-21 08:21:26 -04:00
Chris PeBenito
d41607c714
Move user definitions to the right place during compilation.
...
This will allow user definitions in modules to work for monolithic policies
and base module.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-16 10:52:39 -04:00
Chris PeBenito
c5ac0d52c4
openvpn: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-16 09:31:56 -04:00
Chris PeBenito
7f601b8bcf
Merge pull request #284 from alexminder/openvpn
2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko
67c4238e8e
openvpn: update file context regex for ipp.txt
...
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2020-07-14 13:34:58 +03:00
Chris PeBenito
ac02273502
tmp2: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-10 08:51:57 -04:00
Chris PeBenito
a9d3c01bf6
Merge pull request #283 from dsugar100/master
2020-07-10 08:50:20 -04:00
Alexander Miroshnichenko
aff9c6e91c
openvpn: more versatile file context regex for ipp.txt
...
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2020-07-07 15:22:29 +03:00
Dave Sugar
7a03f4a00f
Interfaces for tpm2
...
Add interfaces tpm2_use_fds, tpm2_dontaudit_use_fds, and tpm2_read_pipes
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-07-06 22:34:39 -04:00
Chris PeBenito
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito
fb353cc4f6
Merge pull request #278 from pebenito/pid-if-rename
2020-07-04 09:29:29 -04:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
...
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd
original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 14:33:17 -04:00
Chris PeBenito
07c08fa41e
kernel: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-18 08:30:42 -04:00
Chris PeBenito
81e3d79c59
Merge pull request #277 from dsugar100/master
2020-06-18 08:30:26 -04:00
Dave Sugar
50c24ca481
Resolve neverallow failure introduced in #273
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-06-17 19:05:08 -04:00
Chris PeBenito
fbdb3755cf
.travis.yml: Add CI tests with no unconfined.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 09:22:34 -04:00
Chris PeBenito
c63e5410a9
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 08:48:41 -04:00
Chris PeBenito
d162e87fb1
Merge pull request #276 from pebenito/merge-systemd-generators
2020-06-17 08:47:29 -04:00
Chris PeBenito
c2a142d762
systemd: Merge generator domains.
...
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 09:47:20 -04:00
Chris PeBenito
71002cdfe0
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:57:44 -04:00
Chris PeBenito
91087f8ff1
Merge pull request #274 from bauen1/remove-dead-weight
2020-06-15 08:56:42 -04:00
Chris PeBenito
9169113d42
Merge pull request #271 from bauen1/misc-fixes-2
2020-06-15 08:56:40 -04:00
Chris PeBenito
edbe7e9af7
Merge pull request #267 from bauen1/target-systemd-sysusers
2020-06-15 08:56:24 -04:00
bauen1
fc904634ac
dpkg: domaintrans to sysusers if necessary
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:52:53 +02:00
bauen1
77f891c7bf
Remove the ada module, it is unecessary and not touched since ~2008
...
It is only used to allow the compiler execmem / execstack but we have
unconfined_execmem_t for that.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:47:14 +02:00
bauen1
cbdf1fad22
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
e12d84181b
corecommands: correct label for debian ssh-agent helper script
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
cb2d84b0d1
gpg: don't allow gpg-agent to read /proc/kcore
...
This was probably a typo and shouldn't have been merged.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
083e5d1d58
dpkg: dpkg scripts are part of dpkg and therefor also an application domain
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
583f435c7b
systemd: systemd --user add essential permissions
...
Allow selinux awareness (libselinux) and access to setsockcreatecon to
correctly set the label of sockets.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
e7fc029a95
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
Chris PeBenito
2f097a0c6d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:43:30 -04:00
bauen1
66b4101b36
systemd: maintain /memfd:systemd-state
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:18 +02:00
bauen1
a42a15dd4d
authlogin: unix_chkpwd is linked to libselinux
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:18 +02:00
bauen1
6f7bc3da46
init: systemd will run chkpwd to start user@1000
...
This was likely also hidden by the unconfined module.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:17 +02:00
bauen1
a5c3c70385
thunderbird: label files under /tmp
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:17 +02:00
Chris PeBenito
ca6628ebc6
Merge pull request #273 from bauen1/confined-debian-fixes2
2020-06-15 08:42:40 -04:00
bauen1
6ce9865e6c
systemd: fixed systemd_rfkill_t denial spam
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:41:30 +02:00
bauen1
a9ff07d886
postfix: add filetrans for sendmail and postfix for aliases db operations
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:41:30 +02:00
bauen1
0f4eb2a324
init: fix systemd boot
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
bauen1
93beef3ce5
systemd-logind.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
bauen1
e20db26b7b
systemd-timesyncd.service sandbox requried permissions
...
For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.:
Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
bauen1
83a39ad4fd
udev.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
bauen1
0a596401f1
logrotate.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
bauen1
d9a58c8434
terminal: cleanup term_create interfaces
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
bauen1
aa6c7f28f2
allow most common permissions for systemd sandboxing options
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:28 +02:00