Without this fix, building a custom module in a directory that contains
a file with special characters in its name (e.g. '(') triggers a syntax
error:
$ cat >foo.te <<EOF
module foo 1.0;
require {
class file entrypoint;
type shell_exec_t;
type vmtools_unconfined_t;
}
allow vmtools_unconfined_t shell_exec_t : file entrypoint;
EOF
$ touch "my broken (file)"
$ make -f /usr/share/selinux/devel/Makefile foo.pp
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `find anaconda-ks.cfg my broken (file) vncserver.strace systemd.strace rhel-server-7.6-x86_64-boot.iso rt_minimal.c vnc.cil foo.te rsyslog tmp virt-install.log evil_banner.sh livemedia.log program.log foo.if rhel7-minimal.ks TestZip.java TestZip.class foo.fc sudoloop foo.pp strace.log -maxdepth 0 -type d'
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1692676
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Suggested-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Update the Makefile to first build the template files (template code
definitions) and then have all segenxml calls use these files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Since the awk scripts appear to use some GNU extensions, make sure we always use $(AWK).
Fixes an issue where the system /usr/bin/awk may be another implementation, say mawk on a Ubuntu system.
selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is ATM used by libvirt.
The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used,
keep them out of the file for the time being.
The libvirt infrastructure requires the availability of the context files.
In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The attached patch adds sepgsql_contexts file into appconfig-*
directory. This configuration is used to initial labeling on
installation time for each database objects.
We can easily look up an appropriate label using selabel_loopup(3)
APIs. The 'sepgsql_contexts' is default for SE-PostgreSQL.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
The Makefile is currently using the policy TYPE (standard|mls|mcs) rather
than the more informative NAME (eg strict, targeted, etc). Fix the Makefile
to use NAME.
The initrc_context file uses the mls_systemhigh macro and needs to be properly
expanded based on the build.conf settings. Add makefile support to do this.
Ondrej Mosnacek
David Sugar
Chris PeBenito
Sven Vermeulen
Daniel Jurgens
Jason Zaman
cgzones
Jeroen Roovers
Laurent Bigonville
Chris PeBenito
KaiGai Kohei