RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,904 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

107 Commits

Author SHA1 Message Date
Chris PeBenito 83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker 044da0b8b9 more misc stuff 
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
 2019-02-01 14:16:57 -05:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Russell Coker da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Russell Coker ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Russell Coker 678c9e0b7a misc services patches 
Lots of little patches to services.
 2019-01-05 13:30:30 -05:00
Chris PeBenito 35463351a0 clamav, ssh, init: Module version bump. 2018-10-27 15:10:10 -04:00
Luis Ressel a42ff404bd services/ssh: Don't audit accesses from ssh_t to /dev/random 
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
 2018-10-27 14:56:34 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 2037c8f294 kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. 2017-11-04 14:16:20 -04:00
Jason Zaman 6efe498a9b Add key interfaces and perms 
Mostly taken from the fedora rawhide policy
 2017-11-04 14:00:56 -04:00
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules. 
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
 2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 8527b86621 Further strict systemd fixes from Russell Coker. 2017-04-20 20:00:34 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 43f197494a dontaudit net_admin for SO_SNDBUFFORCE 
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

From Russell Coker
 2017-03-25 12:32:01 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
cgzones 901a905cbb update policy/support macros 
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
 2016-12-01 19:38:14 +01:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 994f605a2c Module version bump for Xorg and SSH patches from Nicolas Iooss. 2016-01-05 13:38:19 -05:00
Nicolas Iooss ce2982bf50 Label OpenSSH systemd unit files 
On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
 2016-01-05 13:22:52 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito c8c2b8b0c8 Module version bump for ssh-agent -k fix from Luis Ressel. 2015-07-20 10:01:52 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 491683b3e2 Module version bump for init_daemon_pid_file from Sven Vermeulen. 2014-06-30 14:34:51 -04:00
Sven Vermeulen 4a94489be7 Use init_daemon_pid_file instead of init_daemon_run_dir 
Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2014-06-26 08:34:27 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito 22d7dac75b Module version bump for ssh use of gpg-agent from Luis Ressel. 2014-02-08 08:41:05 -05:00
Chris PeBenito 7e71b34b09 Rearrange gpg agent calls. 2014-02-08 08:40:37 -05:00
Chris PeBenito 4ef4e0674d Rename gpg_agent_connect to gpg_stream_connect_agent. 2014-02-08 08:24:41 -05:00
Luis Ressel bda6528039 Conditionally allow ssh to use gpg-agent 
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
 2014-02-08 08:10:16 -05:00
Chris PeBenito b244f47319 Module version bump for pid file directory from Russell Coker/Laurent Bigonville. 2014-02-06 09:14:31 -05:00
Laurent Bigonville d6751cb2f4 Move the ifdef at the end of the declaration block 2014-02-06 09:14:31 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 4113f7b0d4 sshd/setrans: make respective init scripts create pid dirs with proper contexts 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:33 -05:00
Chris PeBenito be570944e5 Module version bump for ssh server caps for Debian from Dominick Grift. 2013-09-27 16:25:56 -04:00
Dominick Grift fc8bbe630a ssh: Debian sshd is configured to use capabilities 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 16:25:15 -04:00
Chris PeBenito 36e088fa43 Module version bump for kerberos keytab changes for ssh from Dominick Grift. 2013-09-23 14:28:00 -04:00
Dominick Grift 22f71be4e3 The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) 
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-23 14:15:46 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito be2e70be8d Module version bump for fixes from Dominick Grift. 2013-01-03 10:53:34 -05:00