RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,736 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

3810 Commits

Author SHA1 Message Date
Yi Zhao 25251b1f3b sysnet: allow dhcpcd to create socket file 
The dhcpcd needs to create socket file under /run/dhcpcd directory.

Fixes:
AVC avc:  denied  { create } for  pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { setattr } for  pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { sendto } for  pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-09-21 14:23:09 +08:00
Antoine Tenart 23f1e4316b sysnetwork: allow to read network configuration files 
Fixes:

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { search } for  pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 5c604e806b logging: allow systemd-journal to write messages to the audit socket 
Fixes:

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 8cb806fbdf locallogin: allow login to get attributes of procfs 
Fixes:
avc:  denied  { getattr } for  pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 7014af08ff udev: allow udevadm to retrieve xattrs 
Fixes:

avc:  denied  { getattr } for  pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

avc:  denied  { getattr } for  pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Chris PeBenito c33866e1f6 selinux, init, systemd, rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 16:55:06 -04:00
Chris PeBenito 4e2b3545c6 Merge pull request #308 from cgzones/systemd_status 2020-09-09 16:54:23 -04:00
Christian Göttsche 24827d8073 selinux: add selinux_use_status_page and deprecate selinux_map_security_files 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-09 21:00:47 +02:00
Chris PeBenito a0aee3cbcc bind: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 11:25:28 -04:00
Dominick Grift 93113bce78 bind: add a few fc specs for unbound 
unbound-checkconf is the unbound bind-checkconf equivalent
unbound-control is the unbound bind ndc equivalent

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
 2020-09-09 11:24:43 -04:00
Christian Göttsche 1103350ee3 init/systemd: allow systemd to map the SELinux status page 
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-08 13:18:18 +02:00
Chris PeBenito dcf7ae9f48 userdomain: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-31 15:36:14 -04:00
Jonathan Davies 9d3321e4fe userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded. 
Thanks to Dominick Grift for helping me pin-point this.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-29 20:43:38 +00:00
Chris PeBenito 72e221fd4d various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-28 15:30:52 -04:00
Chris PeBenito cc15ff2086 Merge pull request #302 from dsugar100/master 2020-08-28 15:26:50 -04:00
Chris PeBenito 74b37e16db Merge pull request #301 from bauen1/fix-selint-s-010 2020-08-28 15:26:47 -04:00
bauen1 fa59d0e9bc
selint: fix S-010 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-28 17:39:09 +02:00
Dave Sugar 1627ab361e Looks like this got dropped in pull request #294 
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc:  denied  { map } for  pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2020-08-27 08:10:58 -04:00
Chris PeBenito f8b0c1641c acpi: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-26 12:52:59 -07:00
Chris PeBenito 3991ecf54f Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown 2020-08-26 12:49:14 -07:00
Jonathan Davies 99ad371868 acpi.te: Removed unnecessary init_write_initctl(). 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-25 22:53:40 +00:00
Christian Göttsche 850fefc626 postfixpolicyd: split multi-class rule 
The rule uses the permission manage_file_perms on the classes file and
sock_file.  This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.

Found by SELint

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-25 20:44:16 +02:00
Jonathan Davies ec0ebc8b11 acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-23 20:00:29 +00:00
Chris PeBenito d387e79989 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-18 09:09:10 -04:00
Chris PeBenito ab47695bdb files, init, modutils, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-14 09:38:09 -04:00
Chris PeBenito e10d956f38 Merge pull request #294 from cgzones/selint 2020-08-14 09:36:44 -04:00
Chris PeBenito 60516aaeaa xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-14 08:53:38 -04:00
Yi Zhao afb2021524 xserver: allow xserver_t to connect to resmgrd 
This was probably a typo:
resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-08-14 11:13:34 +08:00
Yi Zhao 8322f0e0d9 Remove duplicated rules 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-08-14 10:55:31 +08:00
Christian Göttsche 09ed84b632 files/modutils: unify modules_object_t usage into files module 
modutils.te:         50: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         51: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         52: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         53: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.if:         15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if:         52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc:         24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 21:23:43 +02:00
Christian Göttsche e9b2e1ea4f work on SELint issues 
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 21:23:43 +02:00
Chris PeBenito fbc60f2319
Merge pull request #296 from cgzones/diff-check 
whitespace cleanup
 2020-08-13 09:19:48 -04:00
Christian Göttsche 72b2c66256 whitespace cleanup 
Remove trailing white spaces and mixed up indents

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 14:34:57 +02:00
Christian Göttsche 3bb507efa6 Fix several misspellings 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 14:08:58 +02:00
Chris PeBenito 71e653980b various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-11 08:35:00 -04:00
Chris PeBenito cd141fa2ea Merge pull request #290 from pebenito/fs-image 2020-08-11 08:33:26 -04:00
Chris PeBenito 32b2332d36 Merge pull request #289 from pebenito/remove-unlabeled-file 2020-08-11 08:33:22 -04:00
Chris PeBenito 777fe47c19 kernel, fstools, lvm, mount: Update to use filesystem image interfaces. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-29 14:33:39 -04:00
Chris PeBenito 04fb9404c8 filesystem: Create a filesystem image concept. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-29 14:29:26 -04:00
Chris PeBenito 27deadbecd files: Restore mounton access to files_mounton_all_mountpoints(). 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:33:09 -04:00
Chris PeBenito fe737c405d selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:33:07 -04:00
Chris PeBenito 662d55ed5e kernel: Drop unlabeled_t as a files_mountpoint(). 
This made unlabeled_t a file and provided much more access than an
unlabeled file should have.  Access to unlabeled objects should be
explicit.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:09:24 -04:00
Chris PeBenito 4c7926a3c0 init: Revise init_startstop_service() build option blocks. 
Revise to use ifelse to have a clear set of criteria for enabling the
various options.  Additionally, if no options are enabled, run_init
permissions are provided as a default.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-27 11:40:36 -04:00
Chris PeBenito aa6c3f4da3 apt, rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-27 09:05:53 -04:00
Laurent Bigonville e4f0709788 Label /usr/libexec/packagekitd as apt_exec_t on debian 
The daemon has now moved from /usr/lib/packagekit/packagekitd to
/usr/libexec/packagekitd

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2020-07-27 13:26:06 +02:00
Chris PeBenito c5ac0d52c4 openvpn: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-16 09:31:56 -04:00
Chris PeBenito 7f601b8bcf Merge pull request #284 from alexminder/openvpn 2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko 67c4238e8e openvpn: update file context regex for ipp.txt 
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2020-07-14 13:34:58 +03:00
Chris PeBenito ac02273502 tmp2: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-10 08:51:57 -04:00
Alexander Miroshnichenko aff9c6e91c openvpn: more versatile file context regex for ipp.txt 
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2020-07-07 15:22:29 +03:00
Dave Sugar 7a03f4a00f Interfaces for tpm2 
Add interfaces tpm2_use_fds, tpm2_dontaudit_use_fds, and tpm2_read_pipes

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-07-06 22:34:39 -04:00
Chris PeBenito 613708cad6 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-04 09:30:45 -04:00
Chris PeBenito 0992763548 Update callers for "pid" to "runtime" interface rename. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-28 16:03:45 -04:00
Chris PeBenito be04bb3e7e Rename "pid" interfaces to "runtime" interfaces. 
Rename interfaces to bring consistency with previous pid->runtime type
renaming.  See PR #106 or 69a403cd original type renaming.

Interfaces that are still in use were renamed with a compatibility
interface.  Unused interfaces were fully deprecated for removal.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-28 14:33:17 -04:00
Chris PeBenito 07c08fa41e kernel: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-18 08:30:42 -04:00
Dave Sugar 50c24ca481 Resolve neverallow failure introduced in #273 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-06-17 19:05:08 -04:00
Chris PeBenito c63e5410a9 systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-17 08:48:41 -04:00
Chris PeBenito c2a142d762 systemd: Merge generator domains. 
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.

Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.

Only aliases for removed types in previous releases are added.  The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-15 09:47:20 -04:00
Chris PeBenito 71002cdfe0 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-15 08:57:44 -04:00
Chris PeBenito 91087f8ff1 Merge pull request #274 from bauen1/remove-dead-weight 2020-06-15 08:56:42 -04:00
Chris PeBenito 9169113d42 Merge pull request #271 from bauen1/misc-fixes-2 2020-06-15 08:56:40 -04:00
Chris PeBenito edbe7e9af7 Merge pull request #267 from bauen1/target-systemd-sysusers 2020-06-15 08:56:24 -04:00
bauen1 fc904634ac
dpkg: domaintrans to sysusers if necessary 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:52:53 +02:00
bauen1 77f891c7bf
Remove the ada module, it is unecessary and not touched since ~2008 
It is only used to allow the compiler execmem / execstack but we have
unconfined_execmem_t for that.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:47:14 +02:00
bauen1 cbdf1fad22
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
bauen1 e12d84181b
corecommands: correct label for debian ssh-agent helper script 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
bauen1 cb2d84b0d1
gpg: don't allow gpg-agent to read /proc/kcore 
This was probably a typo and shouldn't have been merged.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
bauen1 083e5d1d58
dpkg: dpkg scripts are part of dpkg and therefor also an application domain 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
bauen1 583f435c7b
systemd: systemd --user add essential permissions 
Allow selinux awareness (libselinux) and access to setsockcreatecon to
correctly set the label of sockets.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
bauen1 e7fc029a95
dpkg: allow dpkg frontends to acquire lock by labeling it correctly 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:45:07 +02:00
Chris PeBenito 2f097a0c6d various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-15 08:43:30 -04:00
bauen1 66b4101b36
systemd: maintain /memfd:systemd-state 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:43:18 +02:00
bauen1 a42a15dd4d
authlogin: unix_chkpwd is linked to libselinux 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:43:18 +02:00
bauen1 6f7bc3da46
init: systemd will run chkpwd to start user@1000 
This was likely also hidden by the unconfined module.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:43:17 +02:00
bauen1 a5c3c70385
thunderbird: label files under /tmp 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:43:17 +02:00
bauen1 6ce9865e6c
systemd: fixed systemd_rfkill_t denial spam 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:41:30 +02:00
bauen1 a9ff07d886
postfix: add filetrans for sendmail and postfix for aliases db operations 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-15 14:41:30 +02:00
bauen1 0f4eb2a324
init: fix systemd boot 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:35 +02:00
bauen1 93beef3ce5
systemd-logind.service sandbox required permissions 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:35 +02:00
bauen1 e20db26b7b
systemd-timesyncd.service sandbox requried permissions 
For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.:

Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc:  granted  { create } for  pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:35 +02:00
bauen1 83a39ad4fd
udev.service sandbox required permissions 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:35 +02:00
bauen1 0a596401f1
logrotate.service sandbox required permissions 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:34 +02:00
bauen1 d9a58c8434
terminal: cleanup term_create interfaces 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:34 +02:00
bauen1 aa6c7f28f2
allow most common permissions for systemd sandboxing options 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-11 19:10:28 +02:00
Chris PeBenito 309f655fdc various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-10 15:02:27 -04:00
Chris PeBenito fe1ed5ef74 Merge pull request #265 from topimiettinen/allow-unlabeled-packets 2020-06-10 15:02:03 -04:00
Christian Göttsche cdfd85c35b Correct some misspellings 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-05 15:38:43 +02:00
bauen1 8f782ae820
systemd-sysusers: add policy 
On systems without the unconfined module this service needs additional
privileges.

Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-06-04 19:53:47 +02:00
Topi Miettinen 1d8333d7a7
Remove unlabeled packet access 
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-06-03 23:16:19 +03:00
Christian Göttsche b4180614b6 apache: quote gen_tunable name argument 
Match the style of tunable_policy and gen_tunable statements in userdomain

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-02 20:35:30 +02:00
Christian Göttsche dcb01ec4cc devices/storage: quote arguments to tunable_policy 
Match the overall style and please sepolgen-ifgen

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-06-02 20:35:30 +02:00
Chris PeBenito c950ada4ea openvpn: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-02 13:35:57 -04:00
McSim85 95c43ef3a4 add rule for the management socket file 
fixed comments from  @bauen1

Signed-off-by: McSim85 <maxim@kramarenko.pro>
 2020-06-02 13:58:46 +03:00
Chris PeBenito b38804e328 init, logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 11:36:44 -04:00
Chris PeBenito fe0a8d2542 Merge pull request #261 from bauen1/confined-debian-fixes 2020-05-27 11:35:49 -04:00
bauen1 be231899f5
init: replace call to init_domtrans_script 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-05-27 17:09:06 +02:00
Chris PeBenito c75b2f3642 corecommands, files, filesystem, init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 10:52:49 -04:00
Chris PeBenito d8da662d5e Merge pull request #262 from bauen1/misc-fixes-1 2020-05-27 10:52:07 -04:00
Chris PeBenito 382c5f7c09 domain, setrans: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-05-27 10:46:47 -04:00
Chris PeBenito 5374e1ac16 Merge pull request #264 from bauen1/reenable-setrans 2020-05-27 10:46:08 -04:00