RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,541 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

94 Commits

Author SHA1 Message Date
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules. 
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
 2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 8527b86621 Further strict systemd fixes from Russell Coker. 2017-04-20 20:00:34 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 43f197494a dontaudit net_admin for SO_SNDBUFFORCE 
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE.  This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.

From Russell Coker
 2017-03-25 12:32:01 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
cgzones 901a905cbb update policy/support macros 
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
 2016-12-01 19:38:14 +01:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 994f605a2c Module version bump for Xorg and SSH patches from Nicolas Iooss. 2016-01-05 13:38:19 -05:00
Nicolas Iooss ce2982bf50 Label OpenSSH systemd unit files 
On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
 2016-01-05 13:22:52 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito c8c2b8b0c8 Module version bump for ssh-agent -k fix from Luis Ressel. 2015-07-20 10:01:52 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 491683b3e2 Module version bump for init_daemon_pid_file from Sven Vermeulen. 2014-06-30 14:34:51 -04:00
Sven Vermeulen 4a94489be7 Use init_daemon_pid_file instead of init_daemon_run_dir 
Update non-contrib modules to use init_daemon_pid_file instead of
init_daemon_run_dir.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2014-06-26 08:34:27 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito 22d7dac75b Module version bump for ssh use of gpg-agent from Luis Ressel. 2014-02-08 08:41:05 -05:00
Chris PeBenito 7e71b34b09 Rearrange gpg agent calls. 2014-02-08 08:40:37 -05:00
Chris PeBenito 4ef4e0674d Rename gpg_agent_connect to gpg_stream_connect_agent. 2014-02-08 08:24:41 -05:00
Luis Ressel bda6528039 Conditionally allow ssh to use gpg-agent 
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
 2014-02-08 08:10:16 -05:00
Chris PeBenito b244f47319 Module version bump for pid file directory from Russell Coker/Laurent Bigonville. 2014-02-06 09:14:31 -05:00
Laurent Bigonville d6751cb2f4 Move the ifdef at the end of the declaration block 2014-02-06 09:14:31 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 4113f7b0d4 sshd/setrans: make respective init scripts create pid dirs with proper contexts 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:33 -05:00
Chris PeBenito be570944e5 Module version bump for ssh server caps for Debian from Dominick Grift. 2013-09-27 16:25:56 -04:00
Dominick Grift fc8bbe630a ssh: Debian sshd is configured to use capabilities 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 16:25:15 -04:00
Chris PeBenito 36e088fa43 Module version bump for kerberos keytab changes for ssh from Dominick Grift. 2013-09-23 14:28:00 -04:00
Dominick Grift 22f71be4e3 The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) 
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-23 14:15:46 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito be2e70be8d Module version bump for fixes from Dominick Grift. 2013-01-03 10:53:34 -05:00
Dominick Grift 79e1e4efb9 NSCD related changes in various policy modules 
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use

Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch

Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-01-03 10:43:10 -05:00
Chris PeBenito 79f71729e3 Module version bump from Debian changes from Laurent Bigonville. 2012-12-07 00:46:27 -05:00
Chris PeBenito c48458f8e2 Module version bump for Debian ssh-keysign location from Laurent Bigonville. 2012-11-26 11:13:12 -05:00
Chris PeBenito f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito e34b1f6cbd Module version bump and changelog for sshd using oddjob_mkhomedir from Sven Vermeulen. 2012-01-04 08:14:11 -05:00
Sven Vermeulen 93e4685552 sshd can call mkhomedir when a new user logs on 
These services are offered through the oddjob module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2012-01-04 07:49:50 -05:00
Chris PeBenito c4fa10ef81 Module version bump for changes from Fedora. 2011-12-15 08:38:06 -05:00
Chris PeBenito ba817fccd9 Add userdom interfaces for user application domains, user tmp files, and user tmpfs files. 2011-10-28 08:49:19 -04:00
Chris PeBenito e2fa4f2e8c Add user application, tmp and tmpfs file interfaces. 2011-10-28 08:48:10 -04:00
Chris PeBenito 7b98e4f436 Clean up stale TODOs. 2011-09-26 11:51:47 -04:00
Chris PeBenito bca0cdb86e Remove duplicate/redundant rules, from Russell Coker. 2010-07-07 08:41:20 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00