RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,943 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

3985 Commits

Author SHA1 Message Date
Jonathan Davies 63eb925698 staff.te: Allow staff access to the virt stream, needed for when the 
sockets are access remotely over SSH.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-24 17:14:06 +01:00
Chris PeBenito ffdefbeb62 authlogin, hadoop, pwauth: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:53:32 -04:00
Chris PeBenito 163c153c33 authlogin: Deprecate auth_domtrans_chk_passwd(). 
This is a duplicate interface.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:40:46 -04:00
Chris PeBenito 3945473b5e authlogin: Remove redundant rule in auth_domtrans_chk_passwd(). 
This is provided by the auth_use_nsswitch() call.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:23 -04:00
Chris PeBenito 13a32a4616 authlogin: Add tunable for allowing shadow access on non-PAM systems. 
Fixes #342

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:07 -04:00
Chris PeBenito ea9ce5970a various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-15 16:01:13 -04:00
Chris PeBenito 747b9eea23 Merge pull request #359 from 0xC0ncord/bugfix/various-20210309 2021-04-15 16:00:31 -04:00
Kenton Groombridge cd340e1f6f bootloader, devices: dontaudit grub writing on legacy efi variables 
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-13 16:48:54 -04:00
Kenton Groombridge 8887862973 filesystem, init: allow systemd to create pstore dirs 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-12 16:33:55 -04:00
Kenton Groombridge c0b1c7be66 init: allow systemd to rw shadow lock files 
This is in support of dynamic users.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:59 -04:00
Kenton Groombridge 26e9ec7c43 authlogin: add new type for pwd.lock and others 
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:53 -04:00
Kenton Groombridge 8eff2c5998 sysadm, systemd: various fixes 
Allow sysadm to communicate with logind over dbus and add missing rules
for systemd-logind.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 69b2259c7d various: several dontaudits 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 95dc0f0de3 udev: allow systemd-vconsole-setup to sys_tty_config 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 42d46c14bc init, udev: various fixes for systemd 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge dbecb3546d systemd: add policy for systemd-sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 403c4c3470 systemd: allow systemd-resolved to manage its own sock files 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge a838a88717 logging: allow auditd to getattr on audisp-remote binary 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge b3c1dba144 logging: allow auditd to use nsswitch 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 7b8c44ab9b init, systemd: allow logind to watch utmp 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 2166acf355 init, mount: allow systemd to watch utab 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge c56b78f0c8 mount: allow getattr on dos filesystems 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge 1c552ec38f bootloader, filesystem: various fixes for grub 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:13 -04:00
Kenton Groombridge 7f1a7b1cac wireguard: allow running iptables 
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge a1a9c33e88 iptables: allow reading initrc pipes 
The systemd service calls a script which reads the saved rules from a
file piped to stdin.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge 7ca9dcea1f init: modify interface to allow reading all pipes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge c46bbef5f7 udev: various fixes 
Mostly mdraid stuff and a few dontaudits.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge a6df5e653c devicekit: allow devicekit_disk_t to setsched 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge 342eefd3b0 ssh: allow ssh_keygen_t to read localization 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge 497cb3ca2b files, init, systemd: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:01 -04:00
Kenton Groombridge dac8c8af27 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:43:54 -04:00
Kenton Groombridge 02b9bf0a1c redis: allow reading net and vm overcommit sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:56 -04:00
Kenton Groombridge 9051a09617 spamassassin: allow rspamd to read network sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:55 -04:00
Kenton Groombridge d91bef2d24 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:53 -04:00
Kenton Groombridge f137b5cdcc modutils: allow kmod to read src_t symlinks 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:51 -04:00
Kenton Groombridge 6371411e50 getty: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:49 -04:00
Kenton Groombridge 173d2a2bd0 rngd: allow reading sysfs 
rngd tries to read the rng state at boot.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:47 -04:00
Kenton Groombridge 00e210d703 redis: allow reading certs 
Required if redis is to be used with SSL/TLS

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:44 -04:00
Kenton Groombridge fa5f878f13 usbguard: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:42 -04:00
Kenton Groombridge 45dd9358e5 fail2ban: allow reading vm overcommit sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:37 -04:00
Kenton Groombridge 372f9cc658 systemd, fail2ban: allow fail2ban to watch journal 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:27 -04:00
Chris PeBenito 4aa1562208 files, kernel, selinux: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-27 14:21:06 -04:00
Chris PeBenito 838c145fb9 kernel: Add dontaudits when secure_mode_insmod is enabled. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito 3d0a6f966f selinux: Add dontaudits when secure mode Booleans are enabled. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito b36334e937 selinux: Set regular file for labeled Booleans genfscons. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito 9d57bf3a2e selinux: Change generic Boolean type to boolean_t. 
This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:25 -04:00
Chris PeBenito 3a22e9279c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:17:54 -04:00
Chris PeBenito 93fda6e15d Merge pull request #357 from 0xC0ncord/feature/systemd_user_service 2021-03-19 15:14:24 -04:00
Kenton Groombridge cc8374fd24
various: systemd user fixes and additional support 
This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-18 15:58:17 -04:00
Chris PeBenito ab702bb825 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-17 11:16:40 -04:00