Krzysztof Nowicki
b9470d408a
Allow systemd to relabel startup-important directories
...
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:49 +01:00
Krzysztof Nowicki
5082648629
Fix interface naming convention (plural predicates)
...
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:43 +01:00
Chris PeBenito
bfa73f3c59
dovecot, postfix: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 13:05:46 -05:00
Chris PeBenito
a7ac056982
Merge pull request #351 from 0xC0ncord/feature/postfix_dovecot_backend
2021-02-03 13:05:27 -05:00
Kenton Groombridge
5b0eee1093
dovecot, postfix: add missing accesses
...
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-03 11:36:42 -05:00
Chris PeBenito
11612378e7
Update Changelog and VERSION for release 2.20210203.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:27 -05:00
Chris PeBenito
ff983a6239
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:26 -05:00
Chris PeBenito
255c5a4ccd
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:30:10 -05:00
Chris PeBenito
5ab1b2ee67
Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202
2021-02-02 14:28:42 -05:00
Chris PeBenito
6aaa8ee1c7
Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms
2021-02-02 14:28:40 -05:00
Chris PeBenito
8c042fb9be
systemd: Rename systemd_use_machined_devpts().
...
Renamed to systemd_use_inherited_machined_ptys().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:11:47 -05:00
Chris PeBenito
072f850e23
Merge pull request #348 from cgzones/monolithic
...
Improve monolithic policy build support
2021-02-02 14:10:44 -05:00
Chris PeBenito
e6fbff4948
systemd: Fix lint errors.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:02:49 -05:00
Chris PeBenito
4436cd0d6d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:58:24 -05:00
Chris PeBenito
a673712d8a
systemd: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:50:45 -05:00
Russell Coker
ab0367b4b6
machined
...
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:46:42 -05:00
Chris PeBenito
eae12d8418
apt, bootloader: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:32:42 -05:00
Russell Coker
8b4f1e3384
misc apps and admin patches
...
Send again without the section Dominick didn't like. I think it's ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:29:48 -05:00
Kenton Groombridge
edd4ba6f32
Various fixes
...
Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-02 10:52:59 -05:00
Chris PeBenito
cfb48c28d0
screen: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:55 -05:00
Chris PeBenito
460cd1a4b1
Merge pull request #346 from jpds/tmux-xdg-config
2021-02-02 08:47:31 -05:00
Chris PeBenito
aa35a710a5
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:00 -05:00
Chris PeBenito
9e195ea6ae
dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
...
Rename interfaces from a7f3fdabad.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:46:41 -05:00
Russell Coker
a7f3fdabad
new version of filetrans patch
...
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 08:31:14 -05:00
Jonathan Davies
9ec80c1b2f
apps/screen.te: Allow screen to search xdg directories.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-02-01 21:42:12 +00:00
Chris PeBenito
e7065e2442
certbot: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-01 15:56:31 -05:00
Chris PeBenito
16ede470f6
Merge pull request #347 from 0xC0ncord/feature/acme-sh_certbot
2021-02-01 15:56:03 -05:00
Kenton Groombridge
ed5d860a8c
lvm: add lvm_tmpfs_t type and rules
...
cryptsetup uses tmpfs when performing some operations on encrypted
volumes such as changing keys.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:46:24 -05:00
Kenton Groombridge
3ce27e68d9
certbot: add support for acme.sh
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:29:24 -05:00
Christian Göttsche
ad74df28e7
Rules.monolithic: add missing phony declarations
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:09:27 +01:00
Christian Göttsche
511f3b57f3
Rules.monolithic: drop dead variable
...
USEPWD is nowhere declared or documented.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:08:54 +01:00
Christian Göttsche
de6cdd96c6
Rules.monolithic: tweak checkpolicy arguments
...
- enable optimizations (3.0 071247e8f4)
- fail on warnings (3.1 62a91d7d71)
- sort ocontexts (2.9 9077c5c056)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:07:40 +01:00
Christian Göttsche
991d597199
Rules.monolithic: do not suppress load_policy warning messages
...
Also do not supply the policy path, it is ignored since at least 2008
(13cd4c8960).
/usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:05:19 +01:00
Christian Göttsche
2d9e297f22
Preset OUTPUT_POLICY to 32
...
32 is the policy version of the latest SELinux userland release, 3.1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
be0f5f0d68
gitignore: ignore monolithic generated files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
02f1c1c06b
Rules.monolithic: ignore version mismatch
...
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
627a453910
genhomedircon: improve error messages for min uid search
...
Only grep if the files exist.
grep returns 1 on no match, check against 1 instead of 256.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
27e3099f40
genhomedircon: misc pylint cleanup
...
support/genhomedircon.py:297:5: R1714: Consider merging these comparisons with "in" to "o in ('--type', '-t')" (consider-using-in)
support/genhomedircon.py:299:5: R1714: Consider merging these comparisons with "in" to "o in ('--nopasswd', '-n')" (consider-using-in)
support/genhomedircon.py:301:5: R1714: Consider merging these comparisons with "in" to "o in ('--dir', '-d')" (consider-using-in)
support/genhomedircon.py:238:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:207:11: C0201: Consider iterating the dictionary directly instead of calling .keys() (consider-iterating-dictionary)
support/genhomedircon.py:146:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:144:1: R1710: Either all return statements in a function should return an expression, or none of them should. (inconsistent-return-statements)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
9e48ce1f2e
genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
...
Generate substituted file contexts for templated paths containing
%{USERNAME} or %{USERID}, like semodules' genhomedircon.
Example:
/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_t,s0)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
cf8f7bbea7
genhomedircon: drop unused functions
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:21 +01:00
Christian Göttsche
806a0d12f8
genhomedircon: require match for home directory name
...
Use regular expression '/[^/]+' instead of '/[^/]*', like semodule's
genhomedircon.
Generates file contexts like '/home/[^/]+/dead\.letter'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:18 +01:00
Christian Göttsche
577373f0db
genhomedircon: drop backwards compatibility section
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:11 +01:00
Jonathan Davies
2bdfc5c742
apps/screen.fc: Added fcontext for tmux xdg directory.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-01-29 14:56:29 +00:00
Chris PeBenito
072c0a9458
userdomain, gpg: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-29 08:35:12 -05:00
Chris PeBenito
2d51dad467
Merge pull request #344 from dsugar100/master
2021-01-29 08:34:49 -05:00
Chris PeBenito
0ce90920ad
Merge pull request #343 from 0xC0ncord/bugfix/systemd_system_custom_unit_fc
...
init: label systemd units in /etc
2021-01-29 08:25:43 -05:00
Dave Sugar
09bd4af708
Work with xdg module disabled
...
These two cases I see when building on a system without graphical interface.
Move userdom_xdg_user_template into optional block
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2021-01-28 18:13:33 -05:00
Kenton Groombridge
38a7334fa7
init: label systemd units in /etc
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-28 16:00:05 -05:00
Chris PeBenito
3d8e755d85
pacemaker: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 15:28:06 -05:00
Chris PeBenito
9a40ead091
Merge pull request #341 from dsugar100/master
2021-01-28 15:27:53 -05:00