Chris PeBenito
613708cad6
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
309f655fdc
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
Topi Miettinen
1d8333d7a7
Remove unlabeled packet access
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
Chris PeBenito
a7a327a921
sysnetwork, filesystem, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 09:10:54 -04:00
Nicolas Iooss
c99cfb2c16
sysnetwork: allow using "ip netns"
When using network namespaces with `ip netns`, command `ip` creates
files in `/run/netns` that are mountpoints for `nsfs`. For example:
$ ip netns add VPN
$ ls -Z /run/netns/VPN
system_u:object_r:nsfs_t /run/netns/VPN
$ findmnt /run/netns/VPN
TARGET SOURCE FSTYPE OPTIONS
/run/netns/VPN nsfs[net:[4026532371]] nsfs rw
/run/netns/VPN nsfs[net:[4026532371]] nsfs rw
From a shell CLI, it is possible to retrieve the name of the current
network namespace:
$ ip netns exec VPN bash
$ ip netns identify $$
VPN
This requires reading `/proc/$PID/ns/net`, which is labelled as a user
domain. Allow this access using `userdom_read_all_users_state()`.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-19 11:52:29 +02:00
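The namespace lookup the commit above relies on, written out as an added example (not code from the commit, refpolicy or iproute2): `ip netns identify PID` stats `/proc/PID/ns/net` and compares the resulting device and inode pair against every nsfs mountpoint under `/run/netns`, which is the access to another process's proc entry that `userdom_read_all_users_state()` grants. The `/run/netns` path and the stat-based comparison are assumptions modelled on iproute2's behaviour; the matching step is split out so it can be exercised without root or live namespaces.

```python
"""Identify the named network namespace a process runs in (ip netns identify).

Added example, not part of the commit above, refpolicy or iproute2. Assumes
iproute2's layout: one nsfs bind mount per namespace name under /run/netns.
"""
import os

NETNS_DIR = "/run/netns"  # assumption: iproute2's default namespace directory


def match_namespace(target, named):
    """Pure matching step.

    target: (st_dev, st_ino) of /proc/PID/ns/net.
    named:  {namespace name: (st_dev, st_ino) of /run/netns/NAME}.
    Returns the name, or None when the process is in a namespace that has no
    entry under /run/netns (the initial namespace, or one created with
    unshare(1) rather than `ip netns add`).
    """
    for name, ident in sorted(named.items()):
        if ident == target:
            return name
    return None


def ns_identity(path):
    """(st_dev, st_ino) of the nsfs inode behind a /proc/PID/ns/net symlink or
    a /run/netns/NAME mountpoint. stat() follows the magic symlink, so the
    caller needs read access to the target process's proc entry."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def identify(pid="self", netns_dir=NETNS_DIR):
    """Equivalent of `ip netns identify PID`; "self" identifies the caller."""
    target = ns_identity(f"/proc/{pid}/ns/net")
    named = {}
    try:
        entries = os.listdir(netns_dir)
    except FileNotFoundError:
        return None  # no namespaces were ever created with `ip netns add`
    for name in entries:
        try:
            named[name] = ns_identity(os.path.join(netns_dir, name))
        except OSError:
            continue  # stale or unreadable entry; skip it rather than fail
    return match_namespace(target, named)


if __name__ == "__main__":
    print(identify() or "(unnamed namespace)")
```

Because nsfs is a single filesystem instance, a matching inode alone would already be unambiguous, but comparing the device too mirrors what iproute2 does and avoids a false match if the directory is ever populated with files from another filesystem.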
Chris PeBenito
1bdbba4fb2
corenetwork, sysadm, sysnetwork: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-08 15:52:56 -04:00
Chris PeBenito
b2f72e833b
Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito
7af9eb3e91
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley
161bda392e
access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito
291f68a119
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito
61ecff5c31
Remove old aliases.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
d6c7154f1c
Reorder declarations based on *_runtime_t renaming.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
69a403cd97
Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
b6396ffe19
various: Module version bump.
2019-01-29 18:59:50 -05:00
Russell Coker
3d65c79750
yet another little patch
This should all be obvious.
2019-01-29 18:45:30 -05:00
Chris PeBenito
238bd4f91f
logging, sysnetwork, systemd: Module version bump.
2019-01-16 18:19:22 -05:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
5a9982de70
sysnetwork: Move lines.
2019-01-05 13:56:15 -05:00
Russell Coker
5125b8eb2d
last misc stuff
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Chris PeBenito
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
a6313231d6
sysnetwork: Module version bump.
2018-06-23 10:50:14 -04:00
Chris PeBenito
c95e835170
sysnetwork: Module version bump.
2018-04-25 17:34:13 -04:00
Chris PeBenito
ac9363d662
init, logging, sysnetwork, systemd, udev: Module version bump.
2018-04-17 20:20:27 -04:00
Chris PeBenito
4d5b06428b
Bump module versions for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
61a31f6cea
xserver, sysnetwork, systemd: Module version bump.
2017-12-07 19:02:02 -05:00
Chris PeBenito
1b405f4a90
files, init, sysnetwork, systemd: Module version bumps.
2017-10-12 18:48:29 -04:00
Chris PeBenito
42d109d30c
Module version bump for fixes from Nicolas Iooss.
2017-08-19 12:02:58 -04:00
Nicolas Iooss
98170eaf55
Allow dhcpcd to use generic netlink and raw IP sockets
dhcpcd uses a raw IPv6 socket to receive router advertisement and
neighbor advertisement packets in
https://roy.marples.name/git/dhcpcd.git/tree/ipv6nd.c?h=dhcpcd-6.11.5
and uses NETLINK_GENERIC in
https://roy.marples.name/git/dhcpcd.git/tree/if-linux.c?h=dhcpcd-6.11.5
for some NetLink sockets.
2017-08-19 12:01:56 -04:00
Chris PeBenito
495e2c203b
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
aa0eecf3e3
Bump module versions for release.
2017-08-05 12:59:42 -04:00
Chris PeBenito
a599f28196
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
2017-05-04 08:27:46 -04:00
Chris PeBenito
73d8b3026c
Systemd-related changes from Russell Coker.
2017-04-06 17:37:50 -04:00
Chris PeBenito
5e20a0ee5b
/var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
2017-03-25 12:56:03 -04:00
Chris PeBenito
4d028498d8
Module version bumps for fixes from cgzones.
2017-03-05 10:48:42 -05:00
cgzones
4b79a54b41
modutils: adopt callers to new interfaces
2017-03-03 12:28:17 +01:00
Chris PeBenito
9f99cfb771
Network daemon patches from Russell Coker.
2017-02-25 11:20:19 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
69da46ae18
usrmerge FC fixes from Russell Coker.
2017-02-07 18:51:58 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
Chris PeBenito
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
Chris PeBenito
16b7b5573b
Module version bumps for patches from cgzones.
2016-12-04 13:30:54 -05:00
cgzones
598700325b
allow dhcp_t to domtrans into avahi
#============= dhcpc_t ==============
# audit(1459860992.664:6):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.830761]
# audit: type=1400 audit(1459860992.664:6): avc: denied { execute_no_trans }
# for pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute_no_trans"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237496]
# audit: type=1400 audit(1454514879.616:134): avc: denied { execute_no_trans
# } for pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
# dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.827312]
# audit: type=1400 audit(1459860992.660:4): avc: denied { execute } for
# pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.2.gz:Apr 5 14:56:32 debianSe kernel: [ 4.829009]
# audit: type=1400 audit(1459860992.664:5): avc: denied { read open } for
# pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t:s0
# tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="execute"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237297]
# audit: type=1400 audit(1454514879.616:132): avc: denied { execute } for
# pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
# scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
# tclass=file permissive=1 "
# audit(1454514879.616:133):
# scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
# class="file" perms="{ read open }"
# comm="dhclient-script" exe="" path=""
# message="/var/log/syslog.5.gz:Feb 3 16:54:39 debianSe kernel: [ 13.237309]
# audit: type=1400 audit(1454514879.616:133): avc: denied { read open } for
# pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
# ino=140521 scontext=system_u:system_r:dhcpc_t
# tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };
2016-12-04 17:34:11 +01:00
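The commit above pastes audit2allow output for AVC denials and then fixes them with a domain transition rather than the literal `execute_no_trans` rule the tool proposes. The following is an added example, not code from the commit, refpolicy or audit2allow: it aggregates raw AVC records into candidate allow rules the way audit2allow does, and additionally flags the case where the candidate rule would let a domain run another domain's `*_exec_t` entrypoint in its own context, which is where a `domtrans` interface is the right fix. The sample records are constructed from the fields quoted in the commit (one with an MLS level, one without); the kernel's `scontext=`/`tcontext=`/`tclass=` record layout is assumed.

```python
"""Aggregate SELinux AVC denials into candidate allow rules (audit2allow-style).

Added example, not part of the commit above or of refpolicy. Sample records
are constructed from the denials quoted in that commit.
"""
import re
from collections import defaultdict

# Constructed sample records, modelled on the dhclient-script -> avahi-autoipd
# denials quoted in the commit. The last one lacks the :s0 level on purpose.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1459860992.660:4): avc:  denied  { execute } for  pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1459860992.664:5): avc:  denied  { read open } for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1459860992.664:6): avc:  denied  { execute_no_trans } for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1459860992.664:6): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1454514879.616:132): avc:  denied  { execute } for  pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (set of denied perms, dict of key=value fields) for one AVC
    denial record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields


def context_type(ctx):
    """user:role:type[:level] -> type. The MLS/MCS level (s0, s0-s15:c0.c1023)
    is optional and may itself contain colons, hence the split limit."""
    return ctx.split(":", 3)[2]


def aggregate(lines):
    """(source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        rules[key] |= perms
    return rules


def to_allow_rules(rules):
    """Render aggregated denials as allow rules, deterministically sorted."""
    return [
        f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (s, t, cls), perms in sorted(rules.items())
    ]


def transition_candidates(rules):
    """Rules that would grant execute_no_trans on an *_exec_t entrypoint.

    Allowing that runs the other program inside the caller's domain, losing
    its confinement; the commit above instead uses a domain transition.
    Returns the (source, target) pairs that deserve a domtrans interface."""
    return sorted(
        (s, t)
        for (s, t, cls), perms in rules.items()
        if cls == "file" and "execute_no_trans" in perms and t.endswith("_exec_t")
    )


if __name__ == "__main__":
    found = aggregate(SAMPLE_AUDIT_LOG.splitlines())
    for rule in to_allow_rules(found):
        print(rule)
    for src, tgt in transition_candidates(found):
        print(f"# {src} -> {tgt}: consider a domain transition instead")
```

Note that every sample record carries `permissive=1`, as in the commit: in permissive mode the kernel logs each denial it would have enforced, so the aggregated set is complete for that run, whereas in enforcing mode the first denial aborts the operation and later ones never appear in the log.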
Chris PeBenito
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
Chris PeBenito
187019a615
Module version bump for various patches from Guido Trentalancia.
2016-08-14 14:58:57 -04:00