Chris PeBenito
2ab326ab2d
Merge pull request #253 from cgzones/selint
2020-05-14 10:27:00 -04:00
Chris PeBenito
d9d94a93fd
Merge pull request #257 from pebenito/drop-py2-compat
genhomedircon: Drop Python 2 compatibility code.
2020-05-14 10:22:55 -04:00
bauen1
09c028ead9
dnsmasq: watch for new dns resolvers
dnsmasq will watch /etc/resolv.conf for any changes to add new dns
servers immediately.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:51 +02:00
bauen1
096b8f59f2
semanage: create directories for new policies
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being built for the first time).
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:31 +02:00
bauen1
4f9772e309
systemd-fstab-generator needs to know about all mountpoints
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1
da561748d0
corecommands: fix atrild label
atrild is a daemon shipped by atril, see shell/Makefile.am of
https://github.com/mate-desktop/atril
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:30 +02:00
bauen1
955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:27 +02:00
bauen1
67dfa3651f
init: read default context during boot
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00
bauen1
2b11987003
quota: allow quota to modify /aquota even if immutable
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:26 +02:00
bauen1
0ff1f78619
systemd: allow regular users to run systemd-analyze
Same deal as with systemd-run: this is potentially useful for
non-privileged users and especially useful for admins.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:17 +02:00
Chris PeBenito
a229fb0e39
genhomedircon: Drop Python 2 compatibility code.
Python 2 is end-of-life.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-05-13 16:12:53 -04:00
Christian Göttsche
57d570f01c
chromium/libraries: move lib_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Christian Göttsche
2884cfe4bc
files/miscfiles: move usr_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Christian Göttsche
75b3bcaf3e
files/logging: move var_run_t filecontext to defining module
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-12 20:09:44 +02:00
Chris PeBenito
e7dad518eb
application: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-12 11:24:40 -04:00
Chris PeBenito
5387a29b40
Merge pull request #255 from bauen1/fix-sudo-ssh
2020-05-12 11:24:10 -04:00
bauen1
dd8ed0ba14
application: applications can be executed from ssh without pty
For example ansible uses `ssh localhost sudo id` to become root.
This doesn't appear to be necessary in redhat due to https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-privsep-selinux.patch
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-12 16:52:59 +02:00
Chris PeBenito
68a076bf43
dirmngr: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-12 10:50:57 -04:00
Chris PeBenito
5e5b57b1eb
Merge pull request #256 from bauen1/fix-dirmngr
2020-05-12 10:49:43 -04:00
Christian Göttsche
0ac9f4cb22
tpm2: small fixes
* Drop permissions implied by domtrans_pattern
* Use fifo_file permission macro for fifo_file class
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
d769c71848
init/systemd: move systemd_manage_all_units to init_manage_all_units
The attribute systemdunit is defined in the file init.te, so interfaces
granting access on it should be defined in init.if
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
e683d67f46
portage: drop bizarre conditional TODO blocks
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
8f308eb846
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
f6a7365cc0
consolesetup: drop unused requires
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
20323a2ab5
example: use module name matching file name
Using a different name in a non-base module will be rejected by checkmodule
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
31153edcb4
chromium: drop dead conditional block
The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
c7d77a32b9
samba: fix wrong interface context smbd_runtime_t
Commit 69a403cd97
renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31
removed the alias smbd_var_run_t to samba_runtime_t.
Use samba_runtime_t instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Chris PeBenito
ded295d16f
Merge pull request #252 from bauen1/add-lockdown-class
define lockdown class and access
2020-05-11 08:48:47 -04:00
bauen1
3cdae47364
dirmngr: ~/.gnupg/crls.d might not exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1
a356bce2d4
dirmngr: also requires access to /dev/urandom
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1
5bd2650602
dirmngr: allow to probe for tor
dirmngr will test if tor is running, even if it isn't, and if this check
fails dirmngr will fail to retrieve any keys; this is the default (see
https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
for --use-tor).
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:40 +02:00
bauen1
f9758ae558
define lockdown class and access
This was introduced in the merge b1dba2473114588be3df916bf629a61bdcc83737 in the linux kernel.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-08 19:18:52 +02:00
Chris PeBenito
6df603e814
apache, bird, ntp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-05 13:35:34 -04:00
Chris PeBenito
370160dcb9
Merge pull request #251 from bauen1/fix-systemd-timesyncd
2020-05-05 13:28:54 -04:00
Chris PeBenito
45733fcfb1
Merge pull request #250 from bauen1/nginx
2020-05-05 13:28:31 -04:00
Chris PeBenito
809c39fa50
Merge pull request #239 from bauen1/fix-bird2
2020-05-05 13:27:55 -04:00
bauen1
5a18466573
ntpd: fixes for systemd-timesyncd after linux 5.4
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 18:09:56 +02:00
bauen1
6b90780fdd
apache: add nginx to policy
This is better than the current status quo of running nginx under
initrc_t; a lot of other webservers are already under the apache policy
(e.g. lighttpd), and this requires no additional permissions.
See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 12:42:07 +02:00
Chris PeBenito
a7a327a921
sysnetwork, filesystem, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 09:10:54 -04:00
Chris PeBenito
100a3fb02b
Merge pull request #233 from fishilico/ip-netns
2020-05-04 09:05:34 -04:00
Chris PeBenito
6819d8883e
Merge pull request #236 from cgzones/all_interfaces
Override old all_interfaces.conf.tmp file
2020-05-04 09:02:48 -04:00
Chris PeBenito
4ae3713c45
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 08:55:09 -04:00
Chris PeBenito
a1c97cbab2
Merge pull request #249 from topimiettinen/ping-sendrecv-icmp
2020-05-04 08:47:55 -04:00
Chris PeBenito
271e4bb8c9
Merge pull request #248 from dburgener/remove-outdated-stunnel-port-access
2020-05-04 08:47:07 -04:00
Chris PeBenito
6137441c69
Merge pull request #247 from dburgener/repeated-perms
2020-05-04 08:46:42 -04:00
Chris PeBenito
671d5da3d7
Merge pull request #245 from dburgener/tty-pty-cleanup
2020-05-04 08:46:15 -04:00
Chris PeBenito
82a127f0a9
Merge pull request #244 from dsugar100/master
2020-05-04 08:37:30 -04:00
Topi Miettinen
a614e755ae
netutils: allow ping to send and receive ICMP packets
Let ping send and receive ICMP packets when Netfilter SECMARK packet
labeling is active.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-05-04 12:43:18 +03:00
Daniel Burgener
a01820155f
Remove out of date "hack" from stunnel. The underlying problem needing
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
2020-05-02 16:24:53 -04:00
Daniel Burgener
ce8f00538a
Remove the second copy of a permission in instances where the exact same permission is repeated twice in a row
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-05-01 12:22:40 -04:00