d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
777fe47c19
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
309f655fdc
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
1d8333d7a7
Remove unlabeled packet access
...
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
5b171c223a
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-14 10:32:30 -04:00
955c5c5253
lvm: create /etc/lvm/archive if it doesn't exist
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:27 +02:00
eff4494519
corecommands, init, lvm, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-01 13:15:28 -04:00
b2f72e833b
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
7af9eb3e91
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
161bda392e
access_vectors: Remove unused permissions
...
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
291f68a119
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
d6c7154f1c
Reorder declarations based on *_runtime_t renaming.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
69a403cd97
Rename *_var_run_t types to *_runtime_t.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
8c3893e427
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
4f6614ba7f
ntp, init, lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
d3c4e19f72
Denial of cryptsetup reading cracklib database
...
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength. This is
allowing the needed access.
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
b6396ffe19
various: Module version bump.
2019-01-29 18:59:50 -05:00
3d65c79750
yet another little patch
...
This should all be obvious.
2019-01-29 18:45:30 -05:00
65b7fa3f43
lvm, syncthing: Module version bump.
2019-01-03 17:52:03 -05:00
29bbe7b958
Add comment for map on lvm_metadata_t.
2019-01-03 10:15:07 +03:00
eca583b86c
Add map permission to lvm_t on lvm_metadata_t.
...
On musl libc system lvm requires map permission.
2018-12-30 18:57:56 +03:00
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
03e2f1a809
Simple map patch from Russell Coker.
2018-02-15 17:10:34 -05:00
aa0eecf3e3
Bump module versions for release.
2017-08-05 12:59:42 -04:00
a599f28196
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
2017-05-04 08:27:46 -04:00
c2b04d1ea2
kmod, lvm, brctl patches from Russell Coker
...
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
2017-04-18 21:17:36 -04:00
73d8b3026c
Systemd-related changes from Russell Coker.
2017-04-06 17:37:50 -04:00
b690079a93
Misc fc changes from Russell Coker.
2017-04-06 17:00:28 -04:00
63a6a44b3d
Module version bump for fixes from cgzones.
2017-03-12 16:36:49 -04:00
d62ce5b4e8
lvm: small adjustments
...
* align file contexts
* fix lvm_admin()
* call user_use_inherited_user_terminals and remove useless dontaudit call
2017-03-12 10:32:02 +01:00
4d028498d8
Module version bumps for fixes from cgzones.
2017-03-05 10:48:42 -05:00
4b79a54b41
modutils: adopt callers to new interfaces
2017-03-03 12:28:17 +01:00
e527ebaadf
systemd: Further revisions from Russell Coker.
2017-02-25 09:35:10 -05:00
2087bde934
Systemd fixes from Russell Coker.
2017-02-23 20:03:23 -05:00
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
76f05a2c15
Module version bumps for LVM and useromain patches from Guido Trentalancia.
2016-09-07 18:02:18 -04:00
cbccb5aedf
Update the lvm module
...
Update the lvm module to add a permission needed by cryptsetup.
At the moment the SELinux kernel code is not able yet to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.
In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-07 17:43:16 -04:00
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
Chris PeBenito
Topi Miettinen
bauen1
Stephen Smalley
Sugar, David
Russell Coker
Alexander Miroshnichenko
cgzones
Guido Trentalancia
Chris PeBenito