Commit Graph

134 Commits

Author SHA1 Message Date
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker 3d65c79750 yet another little patch
This should all be obvious.
2019-01-29 18:45:30 -05:00
Chris PeBenito 238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito 5a9982de70 sysnetwork: Move lines. 2019-01-05 13:56:15 -05:00
Russell Coker 5125b8eb2d last misc stuff
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Chris PeBenito b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito a6313231d6 sysnetwork: Module version bump. 2018-06-23 10:50:14 -04:00
Chris PeBenito c95e835170 sysnetwork: Module version bump. 2018-04-25 17:34:13 -04:00
Chris PeBenito ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 61a31f6cea xserver, sysnetwork, systemd: Module version bump. 2017-12-07 19:02:02 -05:00
Chris PeBenito 1b405f4a90 files, init, sysnetwork, systemd: Module version bumps. 2017-10-12 18:48:29 -04:00
Chris PeBenito 42d109d30c Module version bump for fixes from Nicolas Iooss. 2017-08-19 12:02:58 -04:00
Nicolas Iooss 98170eaf55 Allow dhcpcd to use generic netlink and raw IP sockets
dhcpcd uses a raw IPv6 socket to receive router advertisement and
neighbor advertisement packets in
https://roy.marples.name/git/dhcpcd.git/tree/ipv6nd.c?h=dhcpcd-6.11.5
and uses NETLINK_GENERIC in
https://roy.marples.name/git/dhcpcd.git/tree/if-linux.c?h=dhcpcd-6.11.5
for some NetLink sockets.
2017-08-19 12:01:56 -04:00
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 5e20a0ee5b /var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed.  I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it.  So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.

From Russell Coker
2017-03-25 12:56:03 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adapt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 9f99cfb771 Network daemon patches from Russell Coker. 2017-02-25 11:20:19 -05:00
Chris PeBenito cb35cd587f Little misc patches from Russell Coker. 2017-02-18 09:39:01 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69da46ae18 usrmerge FC fixes from Russell Coker. 2017-02-07 18:51:58 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
Chris PeBenito 16b7b5573b Module version bumps for patches from cgzones. 2016-12-04 13:30:54 -05:00
cgzones 598700325b allow dhcp_t to domtrans into avahi
#============= dhcpc_t ==============
# audit(1459860992.664:6):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.830761]
#   audit: type=1400 audit(1459860992.664:6): avc:  denied  { execute_no_trans }
#   for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237496]
#   audit: type=1400 audit(1454514879.616:134): avc:  denied  { execute_no_trans
#   } for  pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
#   dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.827312]
#   audit: type=1400 audit(1459860992.660:4): avc:  denied  { execute } for
#   pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.829009]
#   audit: type=1400 audit(1459860992.664:5): avc:  denied  { read open } for
#   pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237297]
#   audit: type=1400 audit(1454514879.616:132): avc:  denied  { execute } for
#   pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
#   tclass=file permissive=1 "
# audit(1454514879.616:133):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237309]
#   audit: type=1400 audit(1454514879.616:133): avc:  denied  { read open } for
#   pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };
2016-12-04 17:34:11 +01:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 187019a615 Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
Chris PeBenito 19b84c95b1 Remove redundant libs_read_lib_files() for ifconfig_t. 2016-08-14 14:52:32 -04:00
Chris PeBenito 6caa443d18 Ifconfig should be able to read firmware files in /lib (i.e. some network
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:52:07 -04:00
Chris PeBenito 5481c1cc84 Update the sysnetwork module to add some permissions needed by
the dhcp client (another separate patch makes changes to the
ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:51:42 -04:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito a38c3be208 Module version bump for updated netlink sockets from Stephen Smalley 2015-05-22 08:38:53 -04:00
Stephen Smalley 58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Chris PeBenito fd0c07c8b3 Module version bump for optional else block removal from Steve Lawrence. 2015-01-12 08:45:58 -05:00
Steve Lawrence 4bd0277313 Remove optional else block for dhcp ping
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 8a3a8c7e1b Module version bump for /sbin/iw support from Nicolas Iooss. 2014-10-23 08:51:53 -04:00
Chris PeBenito 0820cfe75d Add comment for iw generic netlink socket usage 2014-10-23 08:50:18 -04:00
Nicolas Iooss 5fb1249f37 Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00