Christian Göttsche
140ee81094
travis-ci: add SELint
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Chris PeBenito
fbc60f2319
Merge pull request #296 from cgzones/diff-check
...
whitespace cleanup
2020-08-13 09:19:48 -04:00
Chris PeBenito
5d6f436800
Merge pull request #293 from cgzones/spelling
...
Fix several misspellings
2020-08-13 08:55:28 -04:00
Christian Göttsche
72b2c66256
whitespace cleanup
...
Remove trailing white spaces and mixed up indents
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00
Christian Göttsche
3bb507efa6
Fix several misspellings
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito
cd141fa2ea
Merge pull request #290 from pebenito/fs-image
2020-08-11 08:33:26 -04:00
Chris PeBenito
32b2332d36
Merge pull request #289 from pebenito/remove-unlabeled-file
2020-08-11 08:33:22 -04:00
Chris PeBenito
e915d785b2
Merge pull request #288 from pebenito/init-startstop
2020-08-11 08:33:18 -04:00
Chris PeBenito
777fe47c19
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
Chris PeBenito
04fb9404c8
filesystem: Create a filesystem image concept.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:29:26 -04:00
Chris PeBenito
27deadbecd
files: Restore mounton access to files_mounton_all_mountpoints().
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:33:09 -04:00
Chris PeBenito
fe737c405d
selinuxutil, userdomain: Restore relabelfrom access for unlabeled files.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:33:07 -04:00
Chris PeBenito
662d55ed5e
kernel: Drop unlabeled_t as a files_mountpoint().
...
This made unlabeled_t a file and provided much more access than an
unlabeled file should have. Access to unlabeled objects should be
explicit.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:09:24 -04:00
Chris PeBenito
4c7926a3c0
init: Revise init_startstop_service() build option blocks.
...
Revise to use ifelse to have a clear set of criteria for enabling the
various options. Additionally, if no options are enabled, run_init
permissions are provided as a default.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-27 11:40:36 -04:00
Chris PeBenito
e167e1a4d4
Makefile: Give a value to build options so they can be used in ifelse.
...
Set build options to expand to "true". This will enable writing build
options using m4 ifelse, for example:
    ifelse(`init_systemd',`true',`
        [init_systemd rules]
    ',`direct_sysadm_daemon',`true',`
        [direct_sysadm_daemon rules]
    ',` dnl else
        [else rules]
    ')
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-27 11:37:32 -04:00
Chris PeBenito
aa6c3f4da3
apt, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-27 09:05:53 -04:00
Chris PeBenito
7d7280ca21
Merge pull request #287 from bigon/packagekit
2020-07-27 09:03:13 -04:00
Laurent Bigonville
e4f0709788
Label /usr/libexec/packagekitd as apt_exec_t on debian
...
The daemon has now moved from /usr/lib/packagekit/packagekitd to
/usr/libexec/packagekitd
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2020-07-27 13:26:06 +02:00
Chris PeBenito
9cb8472967
Merge pull request #285 from pebenito/move-users
...
Move user definitions to the right place during compilation.
2020-07-21 08:21:26 -04:00
Chris PeBenito
d41607c714
Move user definitions to the right place during compilation.
...
This will allow user definitions in modules to work for monolithic policies
and base module.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-16 10:52:39 -04:00
Chris PeBenito
c5ac0d52c4
openvpn: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-16 09:31:56 -04:00
Chris PeBenito
7f601b8bcf
Merge pull request #284 from alexminder/openvpn
2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko
67c4238e8e
openvpn: update file context regex for ipp.txt
...
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2020-07-14 13:34:58 +03:00
Chris PeBenito
ac02273502
tpm2: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-10 08:51:57 -04:00
Chris PeBenito
a9d3c01bf6
Merge pull request #283 from dsugar100/master
2020-07-10 08:50:20 -04:00
Alexander Miroshnichenko
aff9c6e91c
openvpn: more versatile file context regex for ipp.txt
...
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2020-07-07 15:22:29 +03:00
Dave Sugar
7a03f4a00f
Interfaces for tpm2
...
Add interfaces tpm2_use_fds, tpm2_dontaudit_use_fds, and tpm2_read_pipes
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-07-06 22:34:39 -04:00
Chris PeBenito
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito
fb353cc4f6
Merge pull request #278 from pebenito/pid-if-rename
2020-07-04 09:29:29 -04:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
...
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd for the original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 14:33:17 -04:00
Chris PeBenito
07c08fa41e
kernel: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-18 08:30:42 -04:00
Chris PeBenito
81e3d79c59
Merge pull request #277 from dsugar100/master
2020-06-18 08:30:26 -04:00
Dave Sugar
50c24ca481
Resolve neverallow failure introduced in #273
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-06-17 19:05:08 -04:00
Chris PeBenito
fbdb3755cf
.travis.yml: Add CI tests with no unconfined.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 09:22:34 -04:00
Chris PeBenito
c63e5410a9
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 08:48:41 -04:00
Chris PeBenito
d162e87fb1
Merge pull request #276 from pebenito/merge-systemd-generators
2020-06-17 08:47:29 -04:00
Chris PeBenito
c2a142d762
systemd: Merge generator domains.
...
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 09:47:20 -04:00
Chris PeBenito
71002cdfe0
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:57:44 -04:00
Chris PeBenito
91087f8ff1
Merge pull request #274 from bauen1/remove-dead-weight
2020-06-15 08:56:42 -04:00
Chris PeBenito
9169113d42
Merge pull request #271 from bauen1/misc-fixes-2
2020-06-15 08:56:40 -04:00
Chris PeBenito
edbe7e9af7
Merge pull request #267 from bauen1/target-systemd-sysusers
2020-06-15 08:56:24 -04:00
bauen1
fc904634ac
dpkg: domaintrans to sysusers if necessary
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:52:53 +02:00
bauen1
77f891c7bf
Remove the ada module, it is unnecessary and not touched since ~2008
...
It is only used to allow the compiler execmem / execstack but we have
unconfined_execmem_t for that.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:47:14 +02:00
bauen1
cbdf1fad22
systemd: systemd-tmpfiles will relabel tmpfs if mounted over e.g. /tmp
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
e12d84181b
corecommands: correct label for debian ssh-agent helper script
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
cb2d84b0d1
gpg: don't allow gpg-agent to read /proc/kcore
...
This was probably a typo and shouldn't have been merged.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
083e5d1d58
dpkg: dpkg scripts are part of dpkg and therefore also an application domain
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00
bauen1
583f435c7b
systemd: systemd --user add essential permissions
...
Allow selinux awareness (libselinux) and access to setsockcreatecon to
correctly set the label of sockets.
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-06-15 14:45:07 +02:00