Kenton Groombridge
d0ab317582
unconfined: fixes for bluetooth dbus chat and systemd
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
12b2cd7e55
getty, locallogin: cgroup fixes
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
12888e7e70
systemd: add support for systemd-resolved stubs
...
When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
caaa441072
systemd: various fixes
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
c5df944429
authlogin: dontaudit getcap chkpwd
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
ee773d64c8
locallogin: fix for polyinstantiation
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
910e36829e
sudo: fixes for polyinstantiation
...
PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
82461e6172
files, init: allow init to remount filesystems mounted on /boot
...
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge
30ea630d9d
init: allow systemd to nnp_transition and nosuid_transition to daemon domains
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:47 -04:00
Chris PeBenito
a7de85503e
Merge pull request #479 from 0xC0ncord/dbus-broker
...
Add type for systemd runtime units and add dbus-broker support
2022-03-18 16:36:21 -04:00
Chris PeBenito
2f2c0e3f20
Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition
...
podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00
Kenton Groombridge
d47cc12801
docker, podman: container units now have the runtime unit type
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
da9382afbd
dbus, policykit: add tunables for dbus-broker access
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
db4b647a29
dbus: fixes for dbus-broker
...
dbus-broker manages files in a tmpfs. dbus-broker fails to start without
this access.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
d9e660c3a9
init: split access for systemd runtime units
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:10 -04:00
Kenton Groombridge
fe7d5287c4
podman: add explicit range transition for conmon
...
Ensure that when conmon is started, it runs in s0 and is able to
communicate with the container.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:03:33 -04:00
Chris PeBenito
c5add64587
Merge pull request #477 from jpds/networkd-dhcpd-bind
...
systemd.te: Added boolean for allowing dhcpd server packets
2022-03-17 12:47:09 -04:00
Jonathan Davies
126c234b5c
systemd.te: Added boolean for allowing dhcpd server packets.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-15 14:56:51 +00:00
Chris PeBenito
dd803cfef5
Merge pull request #475 from pebenito/drop-broken-symptoms-blocks
...
Make hide_broken_symptoms unconditional.
2022-03-15 10:13:27 -04:00
Chris PeBenito
1b40c87a68
mailmain: Fix SELint issues.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 10:01:26 -04:00
Chris PeBenito
341abff611
mailmain: Fix check_fc_files issue.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 09:54:38 -04:00
Russell Coker
dd312a6be6
mailman3 V3
...
Fixed the issues Chris raised with the previous patch. I think this is
ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-14 09:46:37 -04:00
Chris PeBenito
43d0b184b5
matrixd: SELint fixes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 14:57:02 -05:00
Chris PeBenito
2ab6d0bc91
matrixd: Cleanups.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:46:24 -05:00
Russell Coker
05b5de6282
matrixd-synapse policy V3
...
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.
Probably ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00
Chris PeBenito
a1d36a317b
puppet: Style fixes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:25:04 -05:00
Russell Coker
73533c0755
puppet V3
...
Removed the entrypoint stuff that was controversial, the rest should be fine.
I think it's ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:19:53 -05:00
Chris PeBenito
651dc11f36
Make hide_broken_symptoms unconditional.
...
These blocks are always enabled.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-16 12:04:21 -05:00
Chris PeBenito
e580e00bb6
cron, dbus, policykit, postfix: Minor style fixes.
...
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 11:04:33 -05:00
Russell Coker
4137954aa3
dontaudit net_admin without hide_broken_symptoms
...
Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 10:58:32 -05:00
Chris PeBenito
ef910e11c5
postfix, spamassassin: Fix missed type renames after alias removals.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 07:03:34 -05:00
Russell Coker
8e633b70dd
remove aliases from 20210203
...
This patch against version 20220106 removes the typealias rules that were in
version 20210203. If we include this now then the typealias rules in
question will have been there for 3 consecutive releases. But if you think
we should wait until after the next release that's OK.
It's obvious that this patch should be included sooner or later, I think now
is a reasonable time.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 06:54:26 -05:00
Chris PeBenito
d96d8b5977
Merge pull request #473 from pebenito/allow-lockdown
...
domain: Allow lockdown for all domains.
2022-02-04 08:37:02 -05:00
Chris PeBenito
ffe2f2294f
domain: Allow lockdown for all domains.
...
The checks for this class were removed in 5.16. This object
class will be removed in the future.
For more info:
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-02 15:37:28 -05:00
Chris PeBenito
6f947e604a
Merge pull request #472 from bigon/dockerd_path
...
docker: On debian dockerd and docker-proxy are in /usr/sbin
2022-02-02 09:22:11 -05:00
Laurent Bigonville
43cb910e38
container: On Debian, runc is installed in /usr/sbin
...
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:41:49 +01:00
Laurent Bigonville
5c9fa6d268
docker: On debian dockerd and docker-proxy are in /usr/sbin
...
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:18:20 +01:00
Chris PeBenito
c86645f836
Merge pull request #468 from jpds/node_exporter-addition
...
node_exporter: Added initial policy
2022-02-01 11:59:42 -05:00
Chris PeBenito
709bfd95f9
Merge pull request #462 from pebenito/systemd-updates
...
Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00
Chris PeBenito
c58823f748
Merge pull request #471 from pebenito/revert-mcs-users
...
Revert mcs users
2022-02-01 09:15:54 -05:00
Chris PeBenito
80598ee30d
systemd: Updates for generators and kmod-static-nodes.service.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
0b19aaef3c
systemd: Additional fixes for fs getattrs.
...
This may need to be allowed more broadly.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
71b3fce22b
systemd, ssh: Crypto sysctl use.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
d6a676f0a6
systemd: Add systemd-homed and systemd-userdbd.
...
Systemd-homed does not completely work since the code does not label
the filesystems it creates.
systemd-userdbd partially derived from the Fedora policy.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:28 -05:00
Chris PeBenito
6013141bb4
Revert "users: remove MCS categories from default users"
...
This reverts commit 7d53784332
.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-01 09:00:19 -05:00
Jonathan Davies
8d03e35e22
node_exporter: Added initial policy.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-02-01 00:35:54 +00:00
Chris PeBenito
32ecefdf28
Merge pull request #470 from 0xC0ncord/docker-init-daemon-domain
...
docker: add missing call to init_daemon_domain()
2022-01-31 08:44:06 -05:00
Kenton Groombridge
800039c671
docker: add missing call to init_daemon_domain()
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito
242e371ac2
Merge pull request #469 from cgzones/selint
...
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche
0e06f23e07
Revert "tests.yml: Disable policy_module() selint checks."
...
This reverts commit 5781a2393c
.
SELint 1.2.1 supports the new policy_module syntax.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00