Kenton Groombridge
ba4971ba89
git: add missing file contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-27 18:13:43 -04:00
Kenton Groombridge
fb531e2688
sysadm: allow sysadm to watch journal directories
Required when using 'podman logs -f'
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:47:39 -04:00
Kenton Groombridge
cf21387e29
podman: allow podman to watch journal dirs
Watch access is required for 'podman logs -f' to function.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:46:14 -04:00
Kenton Groombridge
c1d007563e
container: also allow containers to watch public content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 10:39:30 -04:00
Kenton Groombridge
f0c980b36c
container: add missing capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:19 -04:00
Kenton Groombridge
53e708e724
container: add tunables to allow containers to access public content
Note that container engines only need read access to these files even if
manage access is enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:18 -04:00
Kenton Groombridge
5dbc5aa25d
container: allow generic containers to read the vm_overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:17 -04:00
Kenton Groombridge
0e3ce95c94
container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other
services starting with NoNewPrivileges while already running containers
have mounted filesystems.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:15 -04:00
Kenton Groombridge
4fd2a2ecbc
podman: add rules for systemd container units
Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:14 -04:00
Kenton Groombridge
fcb295578e
container, podman: allow containers to interact with conmon
Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:11 -04:00
Kenton Groombridge
8fee419513
podman: fix role associations
Add conmon to the system role and make podman/conmon user domains user
applications.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:09 -04:00
Kenton Groombridge
91da5e861b
podman: allow system podman to interact with container transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:06 -04:00
Kenton Groombridge
db2ec49444
container, podman: allow podman to create and write config files
Podman 4.0 now creates the CNI network config files if they do not
exist.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:04 -04:00
Russell Coker
6e5a6bffdb
new sddm V2
This patch addresses all previous issues and I think it's ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-28 10:09:24 -04:00
Chris PeBenito
42e57f4d1e
Merge pull request #487 from jpds/userdb-lnk-read
systemd.if: Allowed reading symlinks in systemd_stream_connect_userdb()
2022-03-25 12:39:34 -04:00
Chris PeBenito
eaccf044f3
apache: Remove unnecessary require in apache_exec().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Chris PeBenito
2aff07c23a
postfix: Move lines.
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Russell Coker
68353358d4
init dbus patch for GetDynamicUsers with systemd_use_nss() V2
Same as before but moved to the top of my patch list so it will apply to the
git policy.
Should be ready to merge now.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Russell Coker
7849012937
certbot V3
Same as the last one but with the directory names for the auto trans rules
removed. I think it's ready for merging.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Jonathan Davies
5f49d2b692
systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in systemd_stream_connect_userdb().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-25 00:39:05 +00:00
Chris PeBenito
f72bc70ff8
Merge pull request #481 from 0xC0ncord/various-20211109
Various fixes, mostly systemd-related
2022-03-24 10:41:15 -04:00
Kenton Groombridge
8ba17d1397
networkmanager: allow getting systemd system status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
a70907c1d2
udev: allow udev to start the systemd system object
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
d0ab317582
unconfined: fixes for bluetooth dbus chat and systemd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
12b2cd7e55
getty, locallogin: cgroup fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
12888e7e70
systemd: add support for systemd-resolved stubs
When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
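The layout this commit supports can be checked from a shell. The script below is an added example (not refpolicy or systemd code): it reports whether a given resolv.conf is a symlink to one of the systemd-resolved stub files and, on an SELinux host, lists the labels along the path so the etc_t symlink, the init runtime directory and the net_conf_t stub named in the commit message can be confirmed with ls -Z. The stub file names under /run/systemd/resolve and the relative ../run/... link form are assumptions about systemd's own layout, not something the commit states.

```shell
#!/bin/sh
# Added example, not refpolicy or systemd code: check whether a resolv.conf
# path uses the symlink-to-stub layout the commit above supports, and show
# which objects a net_conf_t reader must traverse to reach it.
# Assumes POSIX sh with readlink(1); ls -Z needs an SELinux-enabled host
# (it prints "?" elsewhere). The stub file names are assumed to be the two
# that systemd-resolved maintains under /run/systemd/resolve.

RESOLVED_STUB_DIR=/run/systemd/resolve

# Print the link target of $1; fail if $1 is not a symlink.
resolv_link_target() {
    [ -L "$1" ] || return 1
    readlink "$1"
}

# Succeed only if $1 is a symlink to one of the resolved stub files, either
# by absolute path or by the relative path systemd installs from /etc.
is_resolved_stub_link() {
    target=$(resolv_link_target "$1") || return 1
    case "$target" in
        "$RESOLVED_STUB_DIR"/stub-resolv.conf|"$RESOLVED_STUB_DIR"/resolv.conf)
            return 0 ;;
        ../run/systemd/resolve/stub-resolv.conf|../run/systemd/resolve/resolv.conf)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Show the labels on the path a daemon walks: the symlink in /etc (read as
# an etc_t lnk_file), the init runtime directory it must search, and the
# stub itself (the net_conf_t file it actually reads). The types named here
# are the ones the commit message gives.
show_resolv_labels() {
    resolv=${1:-/etc/resolv.conf}
    if ! is_resolved_stub_link "$resolv"; then
        echo "$resolv is not a symlink to a systemd-resolved stub" >&2
        return 1
    fi
    ls -Zd "$resolv" /run/systemd "$RESOLVED_STUB_DIR" "$RESOLVED_STUB_DIR"/*resolv.conf
}

# Usage: sh resolv-stub-check.sh [/etc/resolv.conf]
if [ $# -gt 0 ]; then
    show_resolv_labels "$1"
fi
```

Run it with the path to check; a plain file or a link elsewhere is reported as not the resolved layout, which is the case the added etc_t/init runtime access is not needed for.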
Kenton Groombridge
caaa441072
systemd: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
c5df944429
authlogin: dontaudit getcap chkpwd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
ee773d64c8
locallogin: fix for polyinstantiation
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
910e36829e
sudo: fixes for polyinstantiation
PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
82461e6172
files, init: allow init to remount filesystems mounted on /boot
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
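As an added example (not refpolicy code), the shell functions below pull the type out of a context= mount option and flag fstab entries on a DOS filesystem at or below /boot that carry no context= option and would therefore keep the dosfs_t default label the commit mentions. The sample fstab is constructed for the example, and treating mount points below /boot (such as /boot/efi) the same way as /boot itself is a generalization beyond the commit's /boot case.

```shell
#!/bin/sh
# Added example, not refpolicy code: inspect fstab entries for the context=
# mount option described in the commit above. Assumes POSIX sh and awk only;
# SAMPLE_FSTAB is constructed for the example.

# Print the SELinux type requested by a context= option in the fstab line $1
# (quoted values such as context="u:r:t:s0:c0,c1" are handled); print nothing
# and fail if the line is a comment or carries no context= option.
fstab_context_type() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { exit 1 }
        {
            # Prefix a comma so the option is matched at any position;
            # user:role:type is all we need, so stop before any MLS range.
            opts = "," $4
            if (match(opts, /,context="?[^:]*:[^:]*:[^:,"]*/)) {
                ctx = substr(opts, RSTART, RLENGTH)
                sub(/^,context="?/, "", ctx)
                split(ctx, parts, ":")
                print parts[3]
                exit 0
            }
            exit 1
        }'
}

# Read fstab lines (files given as arguments, else stdin) and print the
# source device of every vfat/msdos mount at or below /boot that has no
# context= option, i.e. one whose files keep the dosfs_t default label.
unlabelled_boot_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $2 ~ /^\/boot(\/|$)/ && ($3 == "vfat" || $3 == "msdos") && ("," $4) !~ /,context=/ { print $1 }
    ' "$@"
}

# Constructed sample: /boot is relabelled boot_t via context=, /boot/efi is not.
SAMPLE_FSTAB='# constructed sample fstab
UUID=1111-2222  /boot      vfat  umask=0077,context=system_u:object_r:boot_t:s0  0 2
UUID=3333-4444  /boot/efi  vfat  umask=0077                                        0 2
/dev/sda2       /          ext4  defaults                                          0 1'

# Usage: pipe a real /etc/fstab in instead of the sample.
printf '%s\n' "$SAMPLE_FSTAB" | unlabelled_boot_mounts
```

On the sample this prints UUID=3333-4444, the entry that would still be mounted as dosfs_t; adding context=system_u:object_r:boot_t:s0 to its options makes it fall under the boot_t remount rule this commit adds.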
Kenton Groombridge
30ea630d9d
init: allow systemd to nnp_transition and nosuid_transition to daemon domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:47 -04:00
Christian Göttsche
9aeabd2a3e
policy_capabilities: add ioctl_skip_cloexec
Add new future policy capability ioctl_skip_cloexec.
Drop estimate comments from genfs_seclabel_symlinks.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:05:45 +01:00
Christian Göttsche
9193208a43
flask: add new kernel security classes
Add new kernel security classes mctp_socket, anon_inode and io_uring.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:05:45 +01:00
Chris PeBenito
a7de85503e
Merge pull request #479 from 0xC0ncord/dbus-broker
Add type for systemd runtime units and add dbus-broker support
2022-03-18 16:36:21 -04:00
Chris PeBenito
2f2c0e3f20
Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition
podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00
Kenton Groombridge
d47cc12801
docker, podman: container units now have the runtime unit type
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
da9382afbd
dbus, policykit: add tunables for dbus-broker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
db4b647a29
dbus: fixes for dbus-broker
dbus-broker manages files in a tmpfs. dbus-broker fails to start without
this access.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
d9e660c3a9
init: split access for systemd runtime units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:10 -04:00
Kenton Groombridge
fe7d5287c4
podman: add explicit range transition for conmon
Ensure that when conmon is started, it runs in s0 and is able to
communicate with the container.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:03:33 -04:00
Chris PeBenito
c5add64587
Merge pull request #477 from jpds/networkd-dhcpd-bind
systemd.te: Added boolean for allowing dhcpd server packets
2022-03-17 12:47:09 -04:00
Jonathan Davies
126c234b5c
systemd.te: Added boolean for allowing dhcpd server packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-15 14:56:51 +00:00
Chris PeBenito
dd803cfef5
Merge pull request #475 from pebenito/drop-broken-symptoms-blocks
Make hide_broken_symptoms unconditional.
2022-03-15 10:13:27 -04:00
Chris PeBenito
1b40c87a68
mailman: Fix SELint issues.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 10:01:26 -04:00
Chris PeBenito
341abff611
mailman: Fix check_fc_files issue.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 09:54:38 -04:00
Russell Coker
dd312a6be6
mailman3 V3
Fixed the issues Chris raised with the previous patch. I think this is
ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-14 09:46:37 -04:00
Chris PeBenito
43d0b184b5
matrixd: SELint fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 14:57:02 -05:00
Chris PeBenito
2ab6d0bc91
matrixd: Cleanups.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:46:24 -05:00
Russell Coker
05b5de6282
matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.
Probably ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00