RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,980 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

2231 Commits

Author SHA1 Message Date
Jason Zaman b3a95b4aeb Add overlayfs as an XATTR capable fs 
The module is called "overlay" in the kernel
 2015-10-12 09:13:53 -04:00
Chris PeBenito 778dfaf776 Update contrib. 2015-09-15 08:39:38 -04:00
Chris PeBenito cfaeb62603 Module version bump for vfio device from Alexander Wetzel. 2015-09-15 08:39:21 -04:00
Alexander Wetzel 9ae4033beb adds vfio device support to base policy 
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
 2015-09-15 08:17:31 -04:00
Chris PeBenito 1d51a2f4c4 Module version bump for APR build script labeling from Luis Ressel. 2015-08-11 08:46:41 -04:00
Luis Ressel fd5e40b047 Mark APR build scripts as bin_t 
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
 2015-08-11 08:42:25 -04:00
Chris PeBenito c8c2b8b0c8 Module version bump for ssh-agent -k fix from Luis Ressel. 2015-07-20 10:01:52 -04:00
Luis Ressel d8071a8e1b Allow ssh-agent to send signals to itself 
This is neccessary for "ssh-agent -k".
 2015-07-20 09:57:35 -04:00
Chris PeBenito 95248e4919 Module version bump for cron_admin for sysadm from Jason Zaman. 2015-07-17 08:56:43 -04:00
Jason Zaman 13cfdd788f add new cron_admin interface to sysadm 2015-07-17 08:13:43 -04:00
Chris PeBenito d74c9bd6b8 Module version bumps for admin interfaces from Jason Zaman. 2015-07-14 11:18:35 -04:00
Jason Zaman 0023b30946 Introduce setrans_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman e1f2a8b9d6 Introduce ipsec_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman 8bee8e80af Introduce lvm_admin interface 2015-07-14 11:04:44 -04:00
Chris PeBenito 11697e1a69 Update contrib. 2015-06-09 08:39:51 -04:00
Chris PeBenito acabb517e6 Module version bump for admin interface changes from Jason Zaman. 2015-06-09 08:39:18 -04:00
Jason Zaman 9c49f9d7fa Add all the missing _admin interfaces to sysadm 
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.

The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
 2015-06-09 08:29:51 -04:00
Jason Zaman 43da2d2ad0 Introduce iptables_admin 2015-06-09 08:29:51 -04:00
Chris PeBenito 0a088aa8ac Module version bumps for further init_startstop_service() changes from Jason Zaman. 2015-05-27 14:50:45 -04:00
Jason Zaman dd21231043 Add openrc support to init_startstop_service 
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
 2015-05-27 14:37:41 -04:00
Jason Zaman 45b281db62 postgresql: use init_startstop_service in _admin interface 
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
 2015-05-27 14:37:40 -04:00
Jason Zaman a324fab096 logging: use init_startstop_service in _admin interface 
The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
 2015-05-27 14:37:40 -04:00
Chris PeBenito 74bc8b3a55 Update contrib. 2015-05-22 14:27:21 -04:00
Chris PeBenito a87e54ef07 Module version bump for init_startstop_service from Jason Zaman. 2015-05-22 14:25:04 -04:00
Jason Zaman 3d174b0481 Introduce init_startstop_service interface 
This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.
 2015-05-22 14:01:22 -04:00
Chris PeBenito ae1adbe868 Update contrib. 2015-05-22 09:26:46 -04:00
Chris PeBenito a38c3be208 Module version bump for updated netlink sockets from Stephen Smalley 2015-05-22 08:38:53 -04:00
Stephen Smalley 58b3029576 Update netlink socket classes. 
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2015-05-22 08:29:03 -04:00
Chris PeBenito 459a19f18d Module version bump for debufs mount point fc entry from Laurent Bigonville. 2015-05-06 09:50:14 -04:00
Laurent Bigonville c738343b7f Add fc for /sys/kernel/debug as debugfs_t 2015-05-06 09:49:40 -04:00
Chris PeBenito bc4ea17c62 Update contrib. 2015-04-15 12:17:37 -04:00
Chris PeBenito dcda0459b5 Module version bump for fstools blkid fix from Jason Zaman 2015-04-15 12:17:30 -04:00
Jason Zaman 9cf1886c68 fstools: add in filetrans for /run dir 
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type an allows the transition in /run.

type=AVC msg=audit(1428929528.885:149519): avc:  denied  { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149):  cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write open } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc:  denied  { getattr } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1

Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
 2015-04-15 12:16:32 -04:00
Chris PeBenito 600f71a2d9 Update contrib. 2015-03-25 08:28:22 -04:00
Chris PeBenito 9a215ef9d9 Update contrib. 2015-02-17 08:35:52 -05:00
Chris PeBenito f963d6dafa Fix domain_mmap_low() to be a proper tunable. 2015-02-09 16:02:36 -05:00
Chris PeBenito 5f0e495887 Update contrib. 2015-01-30 09:13:49 -05:00
Chris PeBenito fd0c07c8b3 Module version bump for optional else block removal from Steve Lawrence. 2015-01-12 08:45:58 -05:00
Steve Lawrence 4bd0277313 Remove optional else block for dhcp ping 
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
 2015-01-12 08:44:39 -05:00
Chris PeBenito 960e6cd4e8 Update Changelog and VERSION for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito b86c6004d4 Module version bump for module store move from Steve Lawrence. 2014-12-03 13:37:02 -05:00
Steve Lawrence 418b3c78bb Update policy for selinux userspace moving the policy store to /var/lib/selinux 
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
 2014-12-03 13:36:31 -05:00
Chris PeBenito 3e3a966eea Update contrib. 2014-12-03 08:04:56 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Sven Vermeulen 1edfad8247 Add /var/lib/racoon as runtime directory for ipsec 2014-12-02 09:16:06 -05:00
Sven Vermeulen 25b232f49a Add gfisk and efibootmgr as fsadm_exec_t 2014-12-02 09:16:05 -05:00
Sven Vermeulen 363daeed61 Add in LightDM contexts 2014-12-02 09:16:05 -05:00
Sven Vermeulen 84fa2ab1f2 Mark f2fs as a SELinux capable file system 
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
 2014-12-02 09:16:05 -05:00
Sven Vermeulen 29292968fe xfce4-notifyd is an executable 2014-12-02 09:16:05 -05:00