Chris PeBenito
2fcce0a88f
Merge branch 'master' of github.com:TresysTechnology/refpolicy
2017-02-18 14:02:36 -05:00
Chris PeBenito
14566f96a9
Module version bump for hostname fix from cgzones.
2017-02-18 13:58:29 -05:00
Chris PeBenito
36fa3d8916
Merge branch 'hostname_module' of git://github.com/cgzones/refpolicy
2017-02-18 13:32:23 -05:00
Chris PeBenito
7d9a3be9f0
Merge pull request #98 from cgzones/admin_process_pattern
add admin_process_pattern macro
2017-02-18 12:38:23 -05:00
Chris PeBenito
3726cd58f6
Module version bump for changes from cgzones.
2017-02-18 12:28:38 -05:00
Chris PeBenito
abe9e18f73
Merge branch 'var_and_run' of git://github.com/cgzones/refpolicy
2017-02-18 11:54:16 -05:00
Chris PeBenito
e96c357b79
Merge branch 'corecmd_module' of git://github.com/cgzones/refpolicy
2017-02-18 11:51:40 -05:00
Chris PeBenito
8b6525e992
Merge branch 'sysadm_fixes' of git://github.com/cgzones/refpolicy
2017-02-18 11:39:05 -05:00
Chris PeBenito
959f78de99
Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy
2017-02-18 11:34:23 -05:00
Chris PeBenito
74d6a63ff9
mon: Fix deprecated interface usage.
2017-02-18 11:21:34 -05:00
Chris PeBenito
dd03d589e2
Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
cgzones
dd4cfd8a77
add admin_process_pattern macro
useful for MODULE_admin interfaces
2017-02-17 16:26:22 +01:00
cgzones
7ff92a886a
files: no default types for /run and /var/lock
encourage private types for /run and /var/lock by not providing default contexts anymore
2017-02-16 17:14:38 +01:00
cgzones
da1ea093cb
corecommands: label some binaries as bin_t
2017-02-16 17:05:26 +01:00
cgzones
d9fcbdfbb3
hostname: small adjustments
* reorder process - capabilities statements
* remove unsighted debian block
2017-02-16 16:39:50 +01:00
cgzones
60983561be
sysadm: fix denials
allow to read kmesg and the selinux policy
2017-02-16 16:00:14 +01:00
cgzones
7539f65bc2
setfiles: allow getattr to kernel pseudo fs
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
2017-02-16 15:26:29 +01:00
Chris PeBenito
d9980666a4
Update contrib.
2017-02-15 19:08:32 -05:00
Russell Coker
5a6251efc6
tiny mon patch
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
2017-02-15 18:51:39 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
629b8af1e1
Update contrib.
2017-02-13 20:00:52 -05:00
Russell Coker
69215f0664
inherited file and fifo perms
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.
I've had this in Debian for a while and some Debian policy relies on it.
I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.
We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs' stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Chris PeBenito
e9b2a7943c
Module version bump for bootloader patch revert. Plus compat alias.
2017-02-11 14:51:21 -05:00
Chris PeBenito
0e80a8a7cf
Revert "bootloader: stricter permissions and more tailored file contexts"
This reverts commit b0c13980d2.
2017-02-11 14:26:48 -05:00
Chris PeBenito
cd29a19479
Fix contrib commit.
2017-02-08 17:19:26 -05:00
Chris PeBenito
aeea0d9f3f
mon policy from Russell Coker.
2017-02-08 16:56:09 -05:00
Chris PeBenito
2fdc11be47
Update contrib.
2017-02-07 19:09:45 -05:00
Chris PeBenito
7aafe9d8b7
Systemd tmpfiles fix for kmod.conf from Russell Coker.
2017-02-07 19:03:59 -05:00
Chris PeBenito
69da46ae18
usrmerge FC fixes from Russell Coker.
2017-02-07 18:51:58 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
c205e90e75
Update Changelog and VERSION for release.
2017-02-04 13:30:54 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
23001afc0c
Module version bump for xkb fix from Jason Zaman.
2017-01-29 12:48:01 -05:00
Jason Zaman
20c5fddc08
xserver: allow X roles to read xkb libs to set keymaps
commit d76d9e13b1
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:
$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)
type=AVC msg=audit(1485357942.135:4458): avc: denied { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
2017-01-29 12:47:22 -05:00
Chris PeBenito
a848a0d465
Module version bump for cups patch from Guido Trentalancia.
2017-01-23 18:50:53 -05:00
Guido Trentalancia
3254ed2759
udev: execute HPLIP applications in their own domain
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-23 18:49:31 -05:00
Chris PeBenito
81bd76fe85
Fix contrib.
2017-01-15 13:33:25 -05:00
Chris PeBenito
24016954fb
Update contrib.
2017-01-15 13:18:09 -05:00
Stephen Smalley
4637cd6f89
refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family. Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Chris PeBenito
b05d72b0d3
Module version bump for cpu_online genfscon from Laurent Bigonville.
2017-01-09 20:36:27 -05:00
Laurent Bigonville
3d8669d8ce
Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.
This patch should help to deprecate distribution-specific calls to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.
Thanks to Dominick for the tip.
2017-01-09 20:35:47 -05:00
Chris PeBenito
0fe21742cd
Module version bumps for patches from cgzones.
2017-01-09 20:34:15 -05:00
Chris PeBenito
a00d401c1b
Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy
2017-01-09 18:19:35 -05:00
Chris PeBenito
694e85cc6f
Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:13:47 -05:00
Chris PeBenito
9387d5c324
Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy
2017-01-09 18:12:38 -05:00
Chris PeBenito
41661ed4b3
Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:12:02 -05:00
Chris PeBenito
4f34f6d220
Merge branch 'mount_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:10:57 -05:00
cgzones
2526c96a2c
update mount module
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
2017-01-08 14:59:08 +01:00
cgzones
05a9fdfe6e
update corenetwork module
* remove deprecated interfaces
* label tcp port 2812 for monit
2017-01-06 15:06:37 +01:00