Chris PeBenito
d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Chris PeBenito
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito
777fe47c19
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
Chris PeBenito
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
309f655fdc
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
Topi Miettinen
1d8333d7a7
Remove unlabeled packet access
...
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
Chris PeBenito
5b171c223a
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-14 10:32:30 -04:00
bauen1
955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:27 +02:00
Chris PeBenito
eff4494519
corecommands, init, lvm, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-01 13:15:28 -04:00
Chris PeBenito
b2f72e833b
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito
7af9eb3e91
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley
161bda392e
access_vectors: Remove unused permissions
...
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito
291f68a119
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito
d6c7154f1c
Reorder declarations based on *_runtime_t renaming.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
69a403cd97
Rename *_var_run_t types to *_runtime_t.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
4f6614ba7f
ntp, init, lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72
Denial of cryptsetup reading cracklib database
...
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength. This is
allowing the needed access.
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
b6396ffe19
various: Module version bump.
2019-01-29 18:59:50 -05:00
Russell Coker
3d65c79750
yet another little patch
...
This should all be obvious.
2019-01-29 18:45:30 -05:00
Chris PeBenito
65b7fa3f43
lvm, syncthing: Module version bump.
2019-01-03 17:52:03 -05:00
Alexander Miroshnichenko
29bbe7b958
Add comment for map on lvm_metadata_t.
2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko
eca583b86c
Add map permission to lvm_t on lvm_metadata_t.
...
On musl libc system lvm requires map permission.
2018-12-30 18:57:56 +03:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
03e2f1a809
Simple map patch from Russell Coker.
2018-02-15 17:10:34 -05:00
Chris PeBenito
aa0eecf3e3
Bump module versions for release.
2017-08-05 12:59:42 -04:00
Chris PeBenito
a599f28196
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
2017-05-04 08:27:46 -04:00
Chris PeBenito
c2b04d1ea2
kmod, lvm, brctl patches from Russell Coker
...
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
2017-04-18 21:17:36 -04:00
Chris PeBenito
73d8b3026c
Systemd-related changes from Russell Coker.
2017-04-06 17:37:50 -04:00
Chris PeBenito
b690079a93
Misc fc changes from Russell Coker.
2017-04-06 17:00:28 -04:00
Chris PeBenito
63a6a44b3d
Module version bump for fixes from cgzones.
2017-03-12 16:36:49 -04:00
cgzones
d62ce5b4e8
lvm: small adjustments
...
* align file contexts
* fix lvm_admin()
* call user_use_inherited_user_terminals and remove useless dontaudit call
2017-03-12 10:32:02 +01:00
Chris PeBenito
4d028498d8
Module version bumps for fixes from cgzones.
2017-03-05 10:48:42 -05:00
cgzones
4b79a54b41
modutils: adopt callers to new interfaces
2017-03-03 12:28:17 +01:00
Chris PeBenito
e527ebaadf
systemd: Further revisions from Russell Coker.
2017-02-25 09:35:10 -05:00
Chris PeBenito
2087bde934
Systemd fixes from Russell Coker.
2017-02-23 20:03:23 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
Chris PeBenito
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
Chris PeBenito
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
Chris PeBenito
76f05a2c15
Module version bumps for LVM and useromain patches from Guido Trentalancia.
2016-09-07 18:02:18 -04:00
Guido Trentalancia
cbccb5aedf
Update the lvm module
...
Update the lvm module to add a permission needed by cryptsetup.
At the moment the SELinux kernel code is not able yet to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.
In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-07 17:43:16 -04:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00