Christian Göttsche
8f308eb846
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Daniel Burgener
410a682138
Fix mismatches between object class and permission macro.
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-20 15:46:33 -04:00
Chris PeBenito
87745f09d9
unconfined: Add namespaced capabilities.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-11-15 11:13:58 -05:00
Chris PeBenito
da156aea1e
systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Dominick Grift
a4a219a733
unconfined: add a note about DBUS
Addresses https://github.com/SELinuxProject/refpolicy/issues/18
2019-01-14 17:02:56 +01:00
Chris PeBenito
495e2c203b
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
efa32d9b56
Remove deprecated interfaces older than one year old.
Additionally one deprecated attribute removed.
2017-08-06 17:03:17 -04:00
Chris PeBenito
73d8b3026c
Systemd-related changes from Russell Coker.
2017-04-06 17:37:50 -04:00
Chris PeBenito
2087bde934
Systemd fixes from Russell Coker.
2017-02-23 20:03:23 -05:00
cgzones
b59dc99d56
update unconfined module
* grant capability2:wake_alarm
* remove deprecated interfaces
2017-01-06 15:01:45 +01:00
cgzones
d8cb498284
remove trailing whitespaces
2016-12-06 13:45:13 +01:00
Nicolas Iooss
4067a18530
Allow unconfined domains to use syslog capability
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):
dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).
audit.log contains the following AVC:
avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
2014-06-09 09:28:33 -04:00
Dominick Grift
1a88de7131
Unconfined domains have unconfined access to all of dbus rather than only system bus
unconfined: unconfined_t is real-time scheduled by rtkit
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:14:30 -04:00
Chris PeBenito
1c5dacd2c0
Change secure_mode_insmod to control sys_module capability rather than controlling domain transitions to insmod.
Based on a patch from Dan Walsh.
2011-09-13 14:45:14 -04:00
Dominick Grift
a0546c9d1c
System layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Chris PeBenito
14e543cb1c
Improve the documentation of unconfined_domain().
2010-02-26 13:47:17 -05:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
Chris PeBenito
82d2775c92
trunk: more open perm fixes.
2008-10-20 16:10:42 +00:00
Chris PeBenito
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
Chris PeBenito
88cf0a9c2b
trunk: whitespace fix; collapse multiple blank lines into one.
2008-10-17 15:29:51 +00:00
Chris PeBenito
e8cb08aefa
trunk: add sepostgresql policy from kaigai kohei.
2008-06-10 15:33:18 +00:00
Chris PeBenito
2c12b471ad
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
Chris PeBenito
ccf6611bdd
trunk: add unconfined_run_to().
2007-11-16 19:50:34 +00:00
Chris PeBenito
9820351703
trunk: add in polmatch for default spd.
2007-11-14 15:53:18 +00:00
Chris PeBenito
bdccbacdd6
trunk: add labeled networking support to unconfined.
2007-11-14 14:38:45 +00:00
Chris PeBenito
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
Chris PeBenito
6b19be3360
patch from dan, Thu, 2007-01-25 at 08:12 -0500
2007-02-16 23:01:42 +00:00
Chris PeBenito
c0868a7a3b
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
Chris PeBenito
d6d16b9796
patch from dan Wed, 29 Nov 2006 17:06:40 -0500
2006-12-04 20:10:56 +00:00
Chris PeBenito
b04eccd87b
fix duplicate /usr/bin/mplayer fc match for targeted
2006-10-18 17:31:14 +00:00
Chris PeBenito
a5e2133bc8
patch from dan Wed, 23 Aug 2006 14:03:49 -0400
2006-08-29 02:41:00 +00:00
Chris PeBenito
46551033aa
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
2006-07-28 15:13:58 +00:00
Chris PeBenito
ea3c1f508a
add helpers for printing warning and error messages
2006-07-25 17:27:00 +00:00
Chris PeBenito
17de1b790b
remove extra level of directory
2006-07-12 20:32:27 +00:00