This patch fixes the xserver module so that the hidden .ICEauthority
file is created with the proper context (file transition).
It also optimizes a similar interface used for xauth home files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This patch adds three new file contexts for script executables
belonging to new Gnome applications (weather application and
sound recorder).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.
Allow sysadm_t to read kmsg.
Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.
Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
This patch adds a lot of policy that is needed to setup an initramfs and grub
on Debian nowadays.
Also changed a comment about ia64 to correctly mention EFI.
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.
It has some changes for udev_t for systemd-udevd.
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
When using setfiles to validate file contexts of Debian modular policy
(with DISTRO=debian and MONOLITHIC=n), it fails with:
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: Invalid argument
Here is the content of tmp/all_mods.fc around line 527:
# this is a static /dev dir "backup mount"
# if you want to disable udev, youll have to boot permissive and relabel!
/dev/\.static -d system_u:object_r:device_t
/dev/\.static/dev -d system_u:object_r:device_t
/dev/\.static/dev/(.*)? <<none>>
'
The quote of "you'll" has been eaten by m4 and there is a spurious quote
on the last line, which is reported by setfiles. Fix this by removing
the quote in the comment.
Here is an example of a failed build on Travis-CI:
https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446
* reorder file contexts
* rename getty_var_run_t into getty_runtime_t and getty_etc_t into getty_conf_t
* remove unneeded and confusing init permissions
* delete access on generic pids
* remove invalid etc filetrans: getty has no create permissions for its config files
* restrict logfile access
Chris PeBenito
Guido Trentalancia via refpolicy
Guido Trentalancia
cgzones
Jason Zaman
Nicolas Iooss