Commit Graph

6024 Commits

Author SHA1 Message Date
Chris PeBenito 6a98ef8c63 Merge pull request #405 from ffontaine/master 2021-09-08 10:51:18 -04:00
Fabrice Fontaine d5c571c855 policy/modules/apps/wireshark.te: make xdg optional
Make xdg optional to fix the following build failure:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/apps/wireshark.te:96:ERROR 'unknown type xdg_downloads_t' at token ';' on line 645315:
 #line 96
	allow wireshark_t xdg_downloads_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.31] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/dfbc667e0c17072ddab89a03244f572d5234da50

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-05 11:06:21 +02:00
Chris PeBenito e45d2fd1ef cvs, ifplugd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-10 14:54:38 -04:00
Chris PeBenito 1236ef9843 Merge pull request #402 from ffontaine/master 2021-08-10 14:53:09 -04:00
Fabrice Fontaine 0dd9d69d92 policy/modules/services/ifplugd.te: make netutils optional
Make netutils optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/tmp/instance-3/output-1/host/lib:/tmp/instance-3/output-1/host/usr/lib" /tmp/instance-3/output-1/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ifplugd.te:62:ERROR 'type netutils_exec_t is not within scope' at token ';' on line 73694:
 #line 62
 	allow ifplugd_t netutils_exec_t:file { getattr open map read execute ioctl };
 checkpolicy:  error(s) encountered while parsing configuration

Fixes:
 - http://autobuild.buildroot.org/results/1e27f5b193d40dfb7c73fbe15d1bef91cb92c27d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-09 22:51:46 +02:00
Chris PeBenito ed9f3cbde1 Merge pull request #401 from ffontaine/master 2021-08-09 16:48:59 -04:00
Fabrice Fontaine db73b1dd90 policy/modules/services/cvs.te: make inetd optional
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-06 16:33:36 +02:00
Chris PeBenito b09c03f7dd ftp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-06 10:15:11 -04:00
Chris PeBenito a465c31c13 Merge pull request #399 from ffontaine/master 2021-08-06 10:14:15 -04:00
Fabrice Fontaine f26d4bc1b2 policy/modules/services/ftp.te: make ssh optional
Make ssh optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/home/fabrice/buildroot/output/host/lib:/home/fabrice/buildroot/output/host/usr/lib" /home/fabrice/buildroot/output/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ftp.te:484:ERROR 'type ssh_home_t is not within scope' at token ';' on line 92051:
 	allow sftpd_t ssh_home_t:dir { open read getattr lock search ioctl add_name remove_name write };
 #line 484
 checkpolicy:  error(s) encountered while parsing configuration

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 22:43:40 +02:00
Chris PeBenito 7f4ffffd71 minidlna: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-30 14:47:28 -04:00
Chris PeBenito 7b393e9878 Merge pull request #396 from ffontaine/master 2021-07-30 14:46:46 -04:00
Fabrice Fontaine 65c87bdfb1 policy/modules/services/minidlna.te: make xdg optional
Make xdg optional to avoid the following build failure:

 Compiling targeted policy.28
 env LD_LIBRARY_PATH="/home/buildroot/autobuild/instance-1/output-1/host/lib:/home/buildroot/autobuild/instance-1/output-1/host/usr/lib" /home/buildroot/autobuild/instance-1/output-1/host/usr/bin/checkpolicy -c 28 -U deny -S -O -E policy.conf -o policy.28
 policy/modules/services/minidlna.te:85:ERROR 'unknown type xdg_music_t' at token ';' on line 146109:
 #line 85
	allow minidlna_t xdg_music_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 Rules.monolithic:78: recipe for target 'policy.28' failed

Fixes:
 - http://autobuild.buildroot.org/results/52490172afd9b72b08a7deb0bd3c2124398bbffa/build-end.log

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 09:16:35 +02:00
Chris PeBenito dde0d22c8b virt: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:40 -04:00
Chris PeBenito b4a9fe913a virt: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:24 -04:00
Chris PeBenito 21cbe732e4 Merge pull request #395 from jpds/libvirt/runtime-common 2021-07-16 09:39:42 -04:00
Jonathan Davies 075785a94a virt: Defined a virt_common_runtime_t type for the new
common/system.token file and added permissions to virtd_t and virtlogd_t.

Modelled on: 1f761d0bbd
libvirt change introducing this: cbfebfc747

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-15 20:36:18 +01:00
Chris PeBenito 559551a003 dhcp, radvd, sysnetwork: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:36:17 -04:00
Chris PeBenito 99a8c23897 radvd: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:35:51 -04:00
Chris PeBenito c0baedd297 Merge pull request #394 from jpds/dhcpcd-icmpv6 2021-07-14 09:34:53 -04:00
Jonathan Davies 25d645144f dhcp.te: Added corenet_sendrecv_icmp_packets().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-10 02:09:03 +01:00
Jonathan Davies 73885f2845 radvd.te: Added corenet_sendrecv_icmp_packets().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-10 02:08:35 +01:00
Jonathan Davies 5b6591a91a sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()
DHCP client needs to handle ICMPv6 packets required for router solicitation
when combined with secmark.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-09 14:45:34 +01:00
Chris PeBenito 2c4ae75eb8 Merge pull request #384 from maage/missing-requires
cleanup: Missing requires
2021-07-08 09:46:43 -04:00
Chris PeBenito 19924201dc dmesg, devices, sysadm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-08 09:45:15 -04:00
Chris PeBenito c3a756d81f Merge pull request #391 from jpds/xen-fixes 2021-07-08 09:44:31 -04:00
Chris PeBenito d930165c6a Merge pull request #390 from jpds/dmesg-terminfo 2021-07-08 09:44:29 -04:00
Markus Linnala 111a93eb03 policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Markus Linnala 7a85214310 policy:ssh: ssh_server_template: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Markus Linnala 59bce0d34c policy: xserver: xserver_dbus_chat: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Jonathan Davies 27325c9beb sysadm.te: Allow sysadm_t to read/write Xen character devices so
userspace tooling works.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:54:35 +01:00
Jonathan Davies ccecf33e67 devices.fc: Added missing Xen character files.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:52:27 +01:00
Jonathan Davies de8839aad2 dmesg.te: Added files_read_etc_files() as some distros store terminfo
files in /etc/.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:48:28 +01:00
Chris PeBenito 6c2f4bff7b Merge pull request #388 from maage/doc-style
style: policy: interfaces: doc: indent param blocks consistently
2021-07-06 09:37:44 -04:00
Chris PeBenito f1084e0b3c Merge pull request #387 from maage/mixed-order
fix: Mixed order
2021-07-06 09:29:35 -04:00
Chris PeBenito 55cc7b4652 Merge pull request #386 from maage/missing-params
cleanup: policy avahi: avahi_filetrans_pid: doc: add missing params
2021-07-06 09:28:23 -04:00
Chris PeBenito d21ef64068 Merge pull request #385 from maage/interface-doc
cleanup: Interface docs
2021-07-06 09:26:03 -04:00
Chris PeBenito d7bb1b2e73 Merge pull request #383 from maage/enable_mls
fix: policy: init: there is no enabled_mls, it is enable_mls
2021-07-06 09:15:46 -04:00
Markus Linnala c373a63e48 policy avahi: avahi_filetrans_pid: doc: add missing params
Even if the interface is deprecated, still use all documented parameters.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-05 12:41:42 +03:00
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently
There are more than 5000 parameter documentations. Only about 300 are
done differently. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00
Markus Linnala 22a3272bfd policy kismet: kismet_role: parameter order mixed in kismet_run
kismet_run parameters are domain, role
kismet_role parameters are role, domain

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:07:54 +03:00
Markus Linnala af1ec6b172 policy seunshare: seunshare_role: parameters usage partially mixed
Documentation states 1st parameter is role and 2nd is domain.

So role clause should get role parameter
and seunshare_domtrans gets domain.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:07:29 +03:00
Markus Linnala 214d49461a policy gpg: doc: add documents for all *filetrans parameters
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala 6c3cbdc16d policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param documentation
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala d949eb5d6e policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of role_prefix
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala f82742e09a policy devices: dev_filetrans: doc: change param from file to file_type
Like other instances.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:19 +03:00
Markus Linnala 277046ecc6 policy: files: files_spool_filetrans: doc: change param from file to file_type
Like other instances.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:52:40 +03:00
Markus Linnala 0804193e01 policy: init: there is no enabled_mls, it is enable_mls
This will enable su_restricted_domain_template where it was meant to be
enabled before, but was not actually.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:35:08 +03:00
Chris PeBenito 8dfa9e4fce xserver: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:38:56 -04:00
Chris PeBenito 55df36bc2e xserver: Move fc lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:37:51 -04:00