0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
...
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd
2020-06-28 14:33:17 -04:00
07c08fa41e
kernel: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-18 08:30:42 -04:00
81e3d79c59
Merge pull request #277 from dsugar100/master
2020-06-18 08:30:26 -04:00
50c24ca481
Resolve neverallow failure introduced in #273
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-06-17 19:05:08 -04:00
fbdb3755cf
.travis.yml: Add CI tests with no unconfined.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 09:22:34 -04:00
c63e5410a9
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 08:48:41 -04:00
d162e87fb1
Merge pull request #276 from pebenito/merge-systemd-generators
2020-06-17 08:47:29 -04:00
c2a142d762
systemd: Merge generator domains.
...
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 09:47:20 -04:00
71002cdfe0
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:57:44 -04:00
91087f8ff1
Merge pull request #274 from bauen1/remove-dead-weight
2020-06-15 08:56:42 -04:00
9169113d42
Merge pull request #271 from bauen1/misc-fixes-2
2020-06-15 08:56:40 -04:00
edbe7e9af7
Merge pull request #267 from bauen1/target-systemd-sysusers
2020-06-15 08:56:24 -04:00
fc904634ac
dpkg: domaintrans to sysusers if necessary
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:52:53 +02:00
77f891c7bf
Remove the ada module, it is unecessary and not touched since ~2008
...
It is only used to allow the compiler execmem / execstack but we have
unconfined_execmem_t for that.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:47:14 +02:00
cbdf1fad22
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
e12d84181b
corecommands: correct label for debian ssh-agent helper script
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
cb2d84b0d1
gpg: don't allow gpg-agent to read /proc/kcore
...
This was probably a typo and shouldn't have been merged.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
083e5d1d58
dpkg: dpkg scripts are part of dpkg and therefor also an application domain
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
583f435c7b
systemd: systemd --user add essential permissions
...
Allow selinux awareness (libselinux) and access to setsockcreatecon to
correctly set the label of sockets.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
e7fc029a95
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
2f097a0c6d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:43:30 -04:00
66b4101b36
systemd: maintain /memfd:systemd-state
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:18 +02:00
a42a15dd4d
authlogin: unix_chkpwd is linked to libselinux
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:18 +02:00
6f7bc3da46
init: systemd will run chkpwd to start user@1000
...
This was likely also hidden by the unconfined module.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:17 +02:00
a5c3c70385
thunderbird: label files under /tmp
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:43:17 +02:00
ca6628ebc6
Merge pull request #273 from bauen1/confined-debian-fixes2
2020-06-15 08:42:40 -04:00
6ce9865e6c
systemd: fixed systemd_rfkill_t denial spam
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:41:30 +02:00
a9ff07d886
postfix: add filetrans for sendmail and postfix for aliases db operations
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:41:30 +02:00
0f4eb2a324
init: fix systemd boot
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
93beef3ce5
systemd-logind.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
e20db26b7b
systemd-timesyncd.service sandbox requried permissions
...
For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.:
Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
83a39ad4fd
udev.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:35 +02:00
0a596401f1
logrotate.service sandbox required permissions
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
d9a58c8434
terminal: cleanup term_create interfaces
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:34 +02:00
aa6c7f28f2
allow most common permissions for systemd sandboxing options
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-11 19:10:28 +02:00
309f655fdc
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
fe1ed5ef74
Merge pull request #265 from topimiettinen/allow-unlabeled-packets
2020-06-10 15:02:03 -04:00
f4b10de892
Merge pull request #272 from cgzones/spelling
...
Correct some misspellings
2020-06-10 14:49:06 -04:00
cdfd85c35b
Correct some misspellings
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-05 15:38:43 +02:00
8f782ae820
systemd-sysusers: add policy
...
On systems without the unconfined module this service needs additional
privileges.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-04 19:53:47 +02:00
1d8333d7a7
Remove unlabeled packet access
...
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
e01cd6c98b
Merge pull request #201 from cgzones/rebuild-if-db
...
Makefile: add target rebuild-interface-db
2020-06-03 13:15:01 -04:00
b4180614b6
apache: quote gen_tunable name argument
...
Match the style of tunable_policy and gen_tunable statements in userdomain
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
dcb01ec4cc
devices/storage: quote arguments to tunable_policy
...
Match the overall style and please sepolgen-ifgen
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
a3811f4eb4
Makefile: add target build-interface-db
...
Build the policy interface database with 'sepolgen-ifgen'.
This database is required for reference style policy generation by
'audit2allow --reference'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-06-02 20:35:30 +02:00
c950ada4ea
openvpn: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-02 13:35:57 -04:00
ec8b8c5b2a
Merge pull request #268 from McSim85/master
2020-06-02 13:18:02 -04:00
95c43ef3a4
add rule for the management socket file
...
fixed comments from @bauen1
Signed-off-by: McSim85 <maxim@kramarenko.pro>
2020-06-02 13:58:46 +03:00
b38804e328
init, logging: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-27 11:36:44 -04:00
Chris PeBenito
Dave Sugar
bauen1
Christian Göttsche
Topi Miettinen
McSim85