Chris PeBenito
498fb3c6e8
Module version bump for cgroups systemd fix from cgzones.
2017-02-20 11:21:00 -05:00
Chris PeBenito
e72556c6dd
Merge branch 'cgroups_fix' of git://github.com/cgzones/refpolicy
2017-02-20 11:13:07 -05:00
Chris PeBenito
132db642bd
Module version bump for selinuxutil and systemd changes from cgzones.
2017-02-20 10:57:50 -05:00
Chris PeBenito
34cfce5410
Merge branch 'selinuxutil_module' of git://github.com/cgzones/refpolicy
2017-02-20 10:53:56 -05:00
Chris PeBenito
e52b701f59
Merge branch 'systemd_transient' of git://github.com/cgzones/refpolicy
2017-02-20 10:43:18 -05:00
Chris PeBenito
3b1909d1d1
fetchmail, mysql, tor: Misc fixes from Russell Coker.
2017-02-20 10:33:23 -05:00
Chris PeBenito
b5497053e9
monit: Fix build error.
...
Uncovered by Travis-CI.
2017-02-20 08:43:12 -05:00
cgzones
5770a8ee7c
update init_ACTION_all_units
...
When with systemd a program does not ship a systemd unit file but only an init script, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces.
Useful for monit.
2017-02-20 14:24:56 +01:00
cgzones
e4f3940729
add fs_getattr_dos_dirs()
...
useful
2017-02-20 14:20:33 +01:00
cgzones
c753c066d1
add corecmd_check_exec_bin_files()
...
useful for monit
2017-02-20 14:20:33 +01:00
cgzones
9b5d89fcf6
newrole: fix denials
...
dontaudit net_admin access due to setsockopt
allow communication with systemd-logind
2017-02-20 14:10:17 +01:00
Chris PeBenito
ede0dadc05
Monit policy from Russell Coker and cgzones.
2017-02-19 16:39:35 -05:00
Chris PeBenito
53fb3a3ba4
dpkg: Updates from Russell Coker.
2017-02-19 16:13:14 -05:00
cgzones
ba0e51c5b0
su: some adjustments
...
* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt
2017-02-18 21:50:45 +01:00
cgzones
4d413fd0cb
authlogin: introduce auth_use_pam_systemd
...
add special interface for pam_systemd module permissions
2017-02-18 21:50:45 +01:00
Chris PeBenito
2fcce0a88f
Merge branch 'master' of github.com:TresysTechnology/refpolicy
2017-02-18 14:02:36 -05:00
Chris PeBenito
4c16ca2d66
Only display the WERROR notice if there actually are errors.
2017-02-18 13:59:33 -05:00
Chris PeBenito
14566f96a9
Module version bump for hostname fix from cgzones.
2017-02-18 13:58:29 -05:00
cgzones
a5658b85a0
locallogin: adjustments
...
* do not grant permissions by negative matching
* separate dbus from consolekit block for systemd
2017-02-18 19:36:44 +01:00
Chris PeBenito
36fa3d8916
Merge branch 'hostname_module' of git://github.com/cgzones/refpolicy
2017-02-18 13:32:23 -05:00
cgzones
8266424bcb
systemd_cgroups_t: fix denials
2017-02-18 18:41:45 +01:00
Chris PeBenito
7d9a3be9f0
Merge pull request #98 from cgzones/admin_process_pattern
...
add admin_process_pattern macro
2017-02-18 12:38:23 -05:00
Chris PeBenito
3726cd58f6
Module version bump for changes from cgzones.
2017-02-18 12:28:38 -05:00
Chris PeBenito
abe9e18f73
Merge branch 'var_and_run' of git://github.com/cgzones/refpolicy
2017-02-18 11:54:16 -05:00
Chris PeBenito
e96c357b79
Merge branch 'corecmd_module' of git://github.com/cgzones/refpolicy
2017-02-18 11:51:40 -05:00
Chris PeBenito
8b6525e992
Merge branch 'sysadm_fixes' of git://github.com/cgzones/refpolicy
2017-02-18 11:39:05 -05:00
Chris PeBenito
959f78de99
Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy
2017-02-18 11:34:23 -05:00
Chris PeBenito
74d6a63ff9
mon: Fix deprecated interface usage.
2017-02-18 11:21:34 -05:00
Chris PeBenito
c784507bce
Travis-CI: Terminate build immediately on error.
...
See travis-ci/travis-ci#1066.
2017-02-18 10:37:35 -05:00
Chris PeBenito
1af24ad32b
Fix Travis-CI WERROR support.
2017-02-18 10:25:48 -05:00
Chris PeBenito
dd03d589e2
Implement WERROR build option to treat warnings as errors.
...
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
cgzones
dd4cfd8a77
add admin_process_pattern macro
...
useful for MODULE_admin interfaces
2017-02-17 16:26:22 +01:00
cgzones
7ff92a886a
files: no default types for /run and /var/lock
...
encourage private types for /run and /var/lock by not providing default contexts anymore
2017-02-16 17:14:38 +01:00
cgzones
da1ea093cb
corecommands: label some binaries as bin_t
2017-02-16 17:05:26 +01:00
cgzones
61b72e0796
selinuxutil: adjustments
...
* no negative permission matching for newrole_t:process
* do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp
* reorder label for /run/restorecond.pid
* fix systemd related denials
2017-02-16 16:53:06 +01:00
cgzones
d9fcbdfbb3
hostname: small adjustments
...
* reorder process - capabilities statements
* remove unsighted debian block
2017-02-16 16:39:50 +01:00
cgzones
60983561be
sysadm: fix denials
...
allow to read kmesg and the selinux policy
2017-02-16 16:00:14 +01:00
cgzones
7539f65bc2
setfiles: allow getattr to kernel pseudo fs
...
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
2017-02-16 15:26:29 +01:00
Chris PeBenito
d9980666a4
Update contrib.
2017-02-15 19:08:32 -05:00
Russell Coker
5a6251efc6
tiny mon patch
...
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
2017-02-15 18:51:39 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
629b8af1e1
Update contrib.
2017-02-13 20:00:52 -05:00
Russell Coker
69215f0664
inherited file and fifo perms
...
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.
I've had this in Debian for a while and some Debian policy relies on it.
I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.
We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs' stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Chris PeBenito
e9b2a7943c
Module version bump for bootloader patch revert. Plus compat alias.
2017-02-11 14:51:21 -05:00
Chris PeBenito
0e80a8a7cf
Revert "bootloader: stricter permissions and more tailored file contexts"
...
This reverts commit b0c13980d2.
2017-02-11 14:26:48 -05:00
Chris PeBenito
cd29a19479
Fix contrib commit.
2017-02-08 17:19:26 -05:00
Chris PeBenito
aeea0d9f3f
mon policy from Russell Coker.
2017-02-08 16:56:09 -05:00
Chris PeBenito
2fdc11be47
Update contrib.
2017-02-07 19:09:45 -05:00
Chris PeBenito
7aafe9d8b7
Systemd tmpfiles fix for kmod.conf from Russell Coker.
2017-02-07 19:03:59 -05:00