Commit Graph

4366 Commits

Author SHA1 Message Date
Kenton Groombridge ba4971ba89 git: add missing file contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-27 18:13:43 -04:00
Kenton Groombridge fb531e2688 sysadm: allow sysadm to watch journal directories
Required when using 'podman logs -f'

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:47:39 -04:00
Kenton Groombridge cf21387e29 podman: allow podman to watch journal dirs
Watch access is required for 'podman logs -f' to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:46:14 -04:00
Kenton Groombridge c1d007563e container: also allow containers to watch public content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 10:39:30 -04:00
Kenton Groombridge f0c980b36c container: add missing capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:19 -04:00
Kenton Groombridge 53e708e724 container: add tunables to allow containers to access public content
Note that container engines only need read access to these files even if
manage access is enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:18 -04:00
Kenton Groombridge 5dbc5aa25d container: allow generic containers to read the vm_overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:17 -04:00
Kenton Groombridge 0e3ce95c94 container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other
services starting with NoNewPrivileges while already running containers
have mounted filesystems.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:15 -04:00
Kenton Groombridge 4fd2a2ecbc podman: add rules for systemd container units
Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:14 -04:00
Kenton Groombridge fcb295578e container, podman: allow containers to interact with conmon
Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:11 -04:00
Kenton Groombridge 8fee419513 podman: fix role associations
Add conmon to the system role and make podman/conmon user domains user
applications.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:09 -04:00
Kenton Groombridge 91da5e861b podman: allow system podman to interact with container transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:06 -04:00
Kenton Groombridge db2ec49444 container, podman: allow podman to create and write config files
Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:04 -04:00
Russell Coker 6e5a6bffdb new sddm V2
This patch addresses all previous issues and I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-28 10:09:24 -04:00
Chris PeBenito 42e57f4d1e Merge pull request #487 from jpds/userdb-lnk-read
systemd.if: Allowed reading symlinks in systemd_stream_connect_userdb()
2022-03-25 12:39:34 -04:00
Chris PeBenito eaccf044f3 apache: Remove unnecessary require in apache_exec().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Chris PeBenito 2aff07c23a postfix: Move lines.
No rule change.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Russell Coker 68353358d4 init dbus patch for GetDynamicUsers with systemd_use_nss() V2
Same as before but moved to the top of my patch list so it will apply to the
git policy.

Should be ready to merge now.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Russell Coker 7849012937 certbot V3
Same as the last one but with the directory names for the auto trans rules
removed.  I think it's ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Jonathan Davies 5f49d2b692 systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in systemd_stream_connect_userdb().

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-25 00:39:05 +00:00
Chris PeBenito f72bc70ff8 Merge pull request #481 from 0xC0ncord/various-20211109
Various fixes, mostly systemd-related
2022-03-24 10:41:15 -04:00
Kenton Groombridge 8ba17d1397 networkmanager: allow getting systemd system status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge a70907c1d2 udev: allow udev to start the systemd system object
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge d0ab317582 unconfined: fixes for bluetooth dbus chat and systemd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 12b2cd7e55 getty, locallogin: cgroup fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 12888e7e70 systemd: add support for systemd-resolved stubs
When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge caaa441072 systemd: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge c5df944429 authlogin: dontaudit getcap chkpwd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge ee773d64c8 locallogin: fix for polyinstantiation
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 910e36829e sudo: fixes for polyinstantiation
PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 82461e6172 files, init: allow init to remount filesystems mounted on /boot
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 30ea630d9d init: allow systemd to nnp_transition and nosuid_transition to daemon domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:47 -04:00
Christian Göttsche 9aeabd2a3e policy_capabilities: add ioctl_skip_cloexec
Add new future policy capability ioctl_skip_cloexec.

Drop estimate comments from genfs_seclabel_symlinks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:05:45 +01:00
Christian Göttsche 9193208a43 flask: add new kernel security classes
Add new kernel security classes mctp_socket, anon_inode and io_uring.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:05:45 +01:00
Chris PeBenito a7de85503e Merge pull request #479 from 0xC0ncord/dbus-broker
Add type for systemd runtime units and add dbus-broker support
2022-03-18 16:36:21 -04:00
Chris PeBenito 2f2c0e3f20 Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition
podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00
Kenton Groombridge d47cc12801 docker, podman: container units now have the runtime unit type
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge da9382afbd dbus, policykit: add tunables for dbus-broker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge db4b647a29 dbus: fixes for dbus-broker
dbus-broker manages files in a tmpfs. dbus-broker fails to start without
this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge d9e660c3a9 init: split access for systemd runtime units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:10 -04:00
Kenton Groombridge fe7d5287c4 podman: add explicit range transition for conmon
Ensure that when conmon is started, it runs in s0 and is able to
communicate with the container.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:03:33 -04:00
Chris PeBenito c5add64587 Merge pull request #477 from jpds/networkd-dhcpd-bind
systemd.te: Added boolean for allowing dhcpd server packets
2022-03-17 12:47:09 -04:00
Jonathan Davies 126c234b5c systemd.te: Added boolean for allowing dhcpd server packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-15 14:56:51 +00:00
Chris PeBenito dd803cfef5 Merge pull request #475 from pebenito/drop-broken-symptoms-blocks
Make hide_broken_symptoms unconditional.
2022-03-15 10:13:27 -04:00
Chris PeBenito 1b40c87a68 mailman: Fix SELint issues.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 10:01:26 -04:00
Chris PeBenito 341abff611 mailman: Fix check_fc_files issue.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 09:54:38 -04:00
Russell Coker dd312a6be6 mailman3 V3
Fixed the issues Chris raised with the previous patch.  I think this is
ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-14 09:46:37 -04:00
Chris PeBenito 43d0b184b5 matrixd: SELint fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 14:57:02 -05:00
Chris PeBenito 2ab6d0bc91 matrixd: Cleanups.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:46:24 -05:00
Russell Coker 05b5de6282 matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00