Dominick Grift
3c9fa86f15
systemd: Add support for --log-target
https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
v2: Add comment about dontaudit rule
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-03-31 08:22:50 -04:00
Chris PeBenito
f72f1a48d9
Module version bump for Debian fc entries from Laurent Bigonville.
2016-03-28 09:59:02 -04:00
Laurent Bigonville
af61f22e24
Add some labels for SELinux tools path in Debian
2016-03-25 22:35:17 +01:00
Chris PeBenito
0e133c7d74
Module version bump for tboot utils from Luis Ressel and systemd fix from Jason Zaman.
Update contrib.
2016-03-08 08:52:25 -05:00
Jason Zaman
7a1ffd80e6
system/init: move systemd_ interfaces into optional_policy
When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated, since init is part of base and systemd is not, so loading
fails. Moving them into optional_policy fixes this.
2016-03-08 08:36:16 -05:00
Chris PeBenito
397c248c31
Module version bump for getty patch from Luis Ressel.
2016-03-07 10:15:37 -05:00
Luis Ressel
7216d000d9
Allow getty the sys_admin capability
It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
2016-03-07 10:15:37 -05:00
Chris PeBenito
b5e8ec6346
Module version bump for iptables/firewalld patch from Laurent Bigonville.
2016-02-16 09:48:37 -05:00
Laurent Bigonville
a54d52058d
Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
Since version 0.4.0, firewalld uses *tables-restore to speed up the
loading of the rules.
2016-02-13 10:06:58 +01:00
Chris PeBenito
137cca377d
Module version bump for iptables fc entries from Laurent Bigonville and Lukas Vrabec.
2016-02-10 10:36:09 -05:00
Chris PeBenito
35baa47094
Whitespace fix in iptables.fc.
2016-02-10 10:34:51 -05:00
Laurent Bigonville
8f19ffbde8
Label /var/run/ebtables.lock as iptables_var_run_t.
This lock file is used on Debian since version 2.0.10.4-3.2. This is
also used on Fedora.
2016-02-08 22:51:30 +01:00
Lukas Vrabec
e16f8a18fd
Label /var/run/xtables.lock as iptables_var_run_t.
2016-02-08 22:43:27 +01:00
Chris PeBenito
d35f6b7c58
Module version bump for ipset fc entry from Laurent Bigonville.
2016-02-08 08:33:08 -05:00
Laurent Bigonville
958cb89462
Add label for /sbin/ipset
2016-02-05 01:14:30 +01:00
Chris PeBenito
1240e0ab7b
Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and Laurent Bigonville
2016-02-03 08:49:39 -05:00
Laurent Bigonville
05709538a6
Allow logind to read efivarfs files
2016-02-03 14:14:38 +01:00
Nicolas Iooss
c82a479ed8
Fix interface descriptions when duplicate ones are found
Distinct interfaces should have different comments
2016-01-19 00:17:34 +01:00
Nicolas Iooss
80d74c2408
Fix typo in init_dbus_chat requirements
The init_dbus_chat interface required the initrc_t type but used the init_t type.
2016-01-19 00:17:05 +01:00
Chris PeBenito
4e487ffe3d
Module version bump for systemd audit_read capability from Laurent Bigonville
2016-01-15 09:50:01 -05:00
Laurent Bigonville
c94097864a
Allow systemd the audit_read capability
At early boot, I get the following messages in dmesg:
audit: type=1400 audit(1452851002.184:3): avc: denied { audit_read } for pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
systemd[1]: Listening on Journal Audit Socket.
2016-01-15 11:43:45 +01:00
Chris PeBenito
24e6175132
Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
2016-01-11 13:26:55 -05:00
Nicolas Iooss
25bc2d5c1d
Allow systemd services to use PrivateNetwork feature
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (cf.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660 ).
One end of this socketpair is locked (hence the need for "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
2016-01-11 13:17:16 -05:00
Chris PeBenito
cc248fc976
Module version bump for syslog and systemd changes from Laurent Bigonville
2016-01-06 09:22:11 -05:00
Chris PeBenito
5922346539
Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into bigon-systemd-1
2016-01-06 09:13:47 -05:00
Laurent Bigonville
b02a5d4b55
Allow syslogd_t to read sysctl_vm_overcommit_t
2015-12-16 19:30:47 +01:00
Laurent Bigonville
83b15c15b3
Give some systemd domain access to /proc/sys/kernel/random/boot_id
2015-12-14 22:19:24 +01:00
Chris PeBenito
6b1b2e3965
Module version bumps for 2 patches from Dominick Grift.
2015-12-10 15:46:13 -05:00
Dominick Grift
81d15a0273
authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Chris PeBenito
727949924a
Module version bump for systemd-user-sessions fc entry from Dominick Grift
2015-12-09 09:40:55 -05:00
Dominick Grift
e1eeef00a6
systemd: add missing file context spec for systemd-user-sessions executable file
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-09 09:26:59 -05:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
70ba55c2fc
Module version bump for utempter Debian helper from Laurent Bigonville.
2015-12-01 10:23:46 -05:00
Laurent Bigonville
c6efc3ada1
Properly label utempter helper on Debian
2015-12-01 09:45:06 -05:00
Chris PeBenito
37d2aeca3d
Remove bad interface in systemd.if.
2015-11-05 15:31:53 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
60d8b699fb
Change policy_config_t to a security file type.
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
bdfc7e3eb0
Add sysfs_types attribute.
Collect all types used to label sysfs entries.
2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3
Add systemd units for core refpolicy services.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with a conditional arg until
all of the refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
3639880cf6
Implement core systemd policy.
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Chris PeBenito
4d28cb714f
Module version bump for patches from Jason Zaman/Matthias Dahl.
2015-10-12 09:31:18 -04:00
Chris PeBenito
2c0e3d9a24
Rearrange lines in ipsec.te.
2015-10-12 09:30:05 -04:00
Jason Zaman
775b07e60a
system/ipsec: Add policy for StrongSwan
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
2015-10-12 09:16:28 -04:00
Chris PeBenito
d74c9bd6b8
Module version bumps for admin interfaces from Jason Zaman.
2015-07-14 11:18:35 -04:00
Jason Zaman
0023b30946
Introduce setrans_admin interface
2015-07-14 11:04:44 -04:00
Jason Zaman
e1f2a8b9d6
Introduce ipsec_admin interface
2015-07-14 11:04:44 -04:00
Jason Zaman
8bee8e80af
Introduce lvm_admin interface
2015-07-14 11:04:44 -04:00
Chris PeBenito
acabb517e6
Module version bump for admin interface changes from Jason Zaman.
2015-06-09 08:39:18 -04:00