Commit Graph

6053 Commits

Author SHA1 Message Date
Chris PeBenito 2ef2028c57 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:59:44 -04:00
Chris PeBenito 6e8ba12dcb Merge pull request #410 from pedrxd/nginxcache 2021-10-05 14:59:06 -04:00
Chris PeBenito 6c1f5fb926 Merge pull request #406 from 0xC0ncord/git-type 2021-10-05 14:58:17 -04:00
Chris PeBenito 0f2ed8ae16 filesystem: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:49:56 -04:00
Gao Xiang a885f70d50 Add erofs as a SELinux capable file system
EROFS has supported the security xattr handler since Linux v4.19.
Add erofs to the filesystem policy now.

Reported-by: David Michael <fedora.dm0@gmail.com>
Signed-off-by: Gao Xiang <xiang@kernel.org>
2021-10-05 14:49:16 -04:00
Pedro 26db30a650 File context for nginx cache files
Signed-off-by: Pedro <peruvapedro99@gmail.com>
2021-10-04 14:48:10 +02:00
Kenton Groombridge 64e637d895 git, roles: add policy for git client
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-01 13:19:52 -04:00
Chris PeBenito 338d05482a wireguard: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-28 13:14:34 -04:00
Chris PeBenito 247b1300ad Merge pull request #408 from ffontaine/master 2021-09-28 13:13:52 -04:00
Chris PeBenito f60be8247a Merge pull request #409 from yizhao1/fix
rpc: remove obsolete comment line
2021-09-28 11:55:31 -04:00
Yi Zhao 5968e9eae0 rpc: remove obsolete comment line
There is no fs_manage_nfsd_fs interface.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-09-27 11:25:45 +08:00
Fabrice Fontaine 67394d078c policy/modules/services/wireguard.te: make iptables optional
Make iptables optional to avoid the following build failure raised since
version 2.20210908 and
7f1a7b1cac:

 Compiling targeted policy.33
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
 policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
 #line 66
	allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.33] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-22 23:55:59 +02:00
Kenton Groombridge 4264f9050a userdomain: add interface to allow mapping all user home content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:01:01 -04:00
Kenton Groombridge 261768bf10 ssh: add interface to execute and transition to ssh client
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:00:56 -04:00
Chris PeBenito b19be25429 systemd, userdomain, wm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 13:55:26 -07:00
Chris PeBenito 938453ddb1 Merge pull request #381 from 0xC0ncord/bugfix/systemd-user-exec-apps 2021-09-14 13:23:23 -07:00
Kenton Groombridge b91c6062ac wm: add user exec domain attribute to wm domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:48 -04:00
Kenton Groombridge 1a0d3bcfbd systemd: add interface to support monitoring and output capturing of
child processes

The 'systemd_user_app_status' interface is intended to be used by any
interfaces or templates that grant run access to a user domain. These
rules are to support a situation in which an app run by a systemd user
instance runs another, and to allow that app to have its status and output
captured by the systemd user instance (i.e. to journald) without
explicitly granting permissions for the systemd user instance to run
that application.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:41 -04:00
Kenton Groombridge f151d36e5b systemd: assign user exec attribute to systemd --user instances
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:43 -04:00
Kenton Groombridge 84e26170a1 userdomain: add user exec domain attribute and interface
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:39 -04:00
Chris PeBenito 24701593d2 chronyd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 06:37:22 -07:00
Chris PeBenito 3c0eccb2df Merge pull request #404 from jpds/chronyd/netadmin 2021-09-14 06:33:41 -07:00
Jonathan Davies f3ff01e332 chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access net_admin
capability; this is required for its `hwtimestamp` option, which otherwise returns:

    ioctl(SIOCSHWTSTAMP) failed : Operation not permitted

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-09-13 23:35:09 +01:00
Chris PeBenito c804cef2c8 samba: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-13 13:21:56 -07:00
Chris PeBenito 3988924056 Merge pull request #407 from ffontaine/master 2021-09-13 13:20:12 -07:00
Fabrice Fontaine ce436299be policy/modules/services/samba.te: make crack optional
Make crack optional to avoid the following build failure:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
 	allow smbd_t crack_db_t:dir { getattr search open };
 #line 399
 checkpolicy:  error(s) encountered while parsing configuration

Fixes:
 - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-09 07:48:33 +02:00
Chris PeBenito c2254a64b9 Update Changelog and VERSION for release 2.20210908.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:53:44 -04:00
Chris PeBenito 4248e38824 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:53:44 -04:00
Chris PeBenito 322037695e wireshark: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:52:38 -04:00
Chris PeBenito 6a98ef8c63 Merge pull request #405 from ffontaine/master 2021-09-08 10:51:18 -04:00
Fabrice Fontaine d5c571c855 policy/modules/apps/wireshark.te: make xdg optional
Make xdg optional to fix the following build failure:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/apps/wireshark.te:96:ERROR 'unknown type xdg_downloads_t' at token ';' on line 645315:
 #line 96
	allow wireshark_t xdg_downloads_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.31] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/dfbc667e0c17072ddab89a03244f572d5234da50

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-05 11:06:21 +02:00
Chris PeBenito e45d2fd1ef cvs, ifplugd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-10 14:54:38 -04:00
Chris PeBenito 1236ef9843 Merge pull request #402 from ffontaine/master 2021-08-10 14:53:09 -04:00
Fabrice Fontaine 0dd9d69d92 policy/modules/services/ifplugd.te: make netutils optional
Make netutils optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/tmp/instance-3/output-1/host/lib:/tmp/instance-3/output-1/host/usr/lib" /tmp/instance-3/output-1/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ifplugd.te:62:ERROR 'type netutils_exec_t is not within scope' at token ';' on line 73694:
 #line 62
 	allow ifplugd_t netutils_exec_t:file { getattr open map read execute ioctl };
 checkpolicy:  error(s) encountered while parsing configuration

Fixes:
 - http://autobuild.buildroot.org/results/1e27f5b193d40dfb7c73fbe15d1bef91cb92c27d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-09 22:51:46 +02:00
Chris PeBenito ed9f3cbde1 Merge pull request #401 from ffontaine/master 2021-08-09 16:48:59 -04:00
Fabrice Fontaine db73b1dd90 policy/modules/services/cvs.te: make inetd optional
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-06 16:33:36 +02:00
Chris PeBenito b09c03f7dd ftp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-06 10:15:11 -04:00
Chris PeBenito a465c31c13 Merge pull request #399 from ffontaine/master 2021-08-06 10:14:15 -04:00
Fabrice Fontaine f26d4bc1b2 policy/modules/services/ftp.te: make ssh optional
Make ssh optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/home/fabrice/buildroot/output/host/lib:/home/fabrice/buildroot/output/host/usr/lib" /home/fabrice/buildroot/output/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ftp.te:484:ERROR 'type ssh_home_t is not within scope' at token ';' on line 92051:
 	allow sftpd_t ssh_home_t:dir { open read getattr lock search ioctl add_name remove_name write };
 #line 484
 checkpolicy:  error(s) encountered while parsing configuration

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 22:43:40 +02:00
Chris PeBenito 7f4ffffd71 minidlna: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-30 14:47:28 -04:00
Chris PeBenito 7b393e9878 Merge pull request #396 from ffontaine/master 2021-07-30 14:46:46 -04:00
Fabrice Fontaine 65c87bdfb1 policy/modules/services/minidlna.te: make xdg optional
Make xdg optional to avoid the following build failure:

 Compiling targeted policy.28
 env LD_LIBRARY_PATH="/home/buildroot/autobuild/instance-1/output-1/host/lib:/home/buildroot/autobuild/instance-1/output-1/host/usr/lib" /home/buildroot/autobuild/instance-1/output-1/host/usr/bin/checkpolicy -c 28 -U deny -S -O -E policy.conf -o policy.28
 policy/modules/services/minidlna.te:85:ERROR 'unknown type xdg_music_t' at token ';' on line 146109:
 #line 85
	allow minidlna_t xdg_music_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 Rules.monolithic:78: recipe for target 'policy.28' failed

Fixes:
 - http://autobuild.buildroot.org/results/52490172afd9b72b08a7deb0bd3c2124398bbffa/build-end.log

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 09:16:35 +02:00
Chris PeBenito dde0d22c8b virt: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:40 -04:00
Chris PeBenito b4a9fe913a virt: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:24 -04:00
Chris PeBenito 21cbe732e4 Merge pull request #395 from jpds/libvirt/runtime-common 2021-07-16 09:39:42 -04:00
Jonathan Davies 075785a94a virt: Defined a virt_common_runtime_t type for the new
common/system.token file and added permissions to virtd_t and virtlogd_t.

Modelled on: 1f761d0bbd
libvirt change introducing this: cbfebfc747

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-15 20:36:18 +01:00
Chris PeBenito 559551a003 dhcp, radvd, sysnetwork: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:36:17 -04:00
Chris PeBenito 99a8c23897 radvd: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:35:51 -04:00
Chris PeBenito c0baedd297 Merge pull request #394 from jpds/dhcpcd-icmpv6 2021-07-14 09:34:53 -04:00
Jonathan Davies 25d645144f dhcp.te: Added corenet_sendrecv_icmp_packets().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-10 02:09:03 +01:00