Commit Graph

6344 Commits

Author SHA1 Message Date
Kenton Groombridge d0ab317582 unconfined: fixes for bluetooth dbus chat and systemd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 12b2cd7e55 getty, locallogin: cgroup fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 12888e7e70 systemd: add support for systemd-resolved stubs
When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
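The commit above describes the layout it is accommodating: /etc/resolv.conf is an etc_t symlink whose target lives under the init runtime directory. The following shell check is an added example written for this page, not code from refpolicy or from the commit author; it classifies how a resolv.conf is set up so you can tell whether a daemon reading it will need the extra search and symlink-read access the commit grants. The fixture directory it builds with mktemp is constructed to stand in for /etc so the check runs offline.

```shell
#!/bin/sh
# resolv_conf_mode PATH: classify how PATH (normally /etc/resolv.conf) is set up.
#   stub   - symlink into /run/systemd/resolve/, i.e. managed by systemd-resolved;
#            a reader must traverse the init runtime directory and read the
#            etc_t symlink itself before it can open the stub file
#   link   - symlink to somewhere else
#   file   - regular file (static, unmanaged configuration)
#   absent - nothing at PATH
# Both the absolute and the relative (../run/...) symlink forms count as stub,
# since some distributions create the link relative to /etc.
resolv_conf_mode() {
    p="$1"
    if [ -L "$p" ]; then
        case "$(readlink "$p")" in
            /run/systemd/resolve/*|../run/systemd/resolve/*) echo stub ;;
            *)                                               echo link ;;
        esac
    elif [ -f "$p" ]; then
        echo file
    else
        echo absent
    fi
}

# make_fixture: constructed stand-in for /etc (NOT the real /etc) so the check
# runs offline. Prints the directory; the symlink targets need not exist.
make_fixture() {
    d=$(mktemp -d)
    ln -s /run/systemd/resolve/stub-resolv.conf "$d/resolved.conf"
    ln -s ../run/systemd/resolve/resolv.conf "$d/resolved-rel.conf"
    ln -s /var/lib/dhcp/resolv.conf "$d/other.conf"
    printf 'nameserver 192.0.2.1\n' > "$d/static.conf"
    printf '%s\n' "$d"
}

# On a live system: resolv_conf_mode /etc/resolv.conf
```

When the answer is "stub", `ls -Z /etc/resolv.conf /run/systemd/resolve/` shows the two labels involved: the symlink in /etc and the stub files it points at. A daemon that is denied at this point will show the denial on the directory search or on the symlink read, not on the stub file itself, which is why the commit adds exactly those two permissions.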
Kenton Groombridge caaa441072 systemd: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge c5df944429 authlogin: dontaudit getcap chkpwd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge ee773d64c8 locallogin: fix for polyinstantiation
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge 910e36829e sudo: fixes for polyinstantiation
PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
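The two polyinstantiation commits above (locallogin and sudo) concern pam_namespace: which users get a private /tmp, and the sudo case where the module must first undo the caller's private /tmp and set one up for the target user. The block below is an added example for this page, not refpolicy code or the commit author's; it parses a constructed /etc/security/namespace.conf to list the polydirs that apply to a given user, and reads the pam_namespace options out of a constructed /etc/pam.d/sudo fragment. Both inputs are made up for the example; the `unmnt_remnt` option is the documented pam_namespace(8) option for su/sudo-style programs.

```shell
#!/bin/sh
# Constructed namespace.conf (not from the page). Format per pam_namespace(8):
#   polydir  instance_prefix  method  list_of_uids
# list_of_uids names users that are NOT polyinstantiated; if it starts with "~"
# the meaning inverts and only the listed users are. Blank means everyone.
NAMESPACE_CONF='# polydir   instance_prefix     method  list_of_uids
/tmp        /tmp-inst/          level   root,adm
/var/tmp    /var/tmp/tmp-inst/  level   root,adm
$HOME       $HOME/$USER.inst/   tmpdir  ~alice,bob
'

# polydirs_for_user USER: print each polydir pam_namespace would instantiate
# for USER, one per line, honouring the list_of_uids semantics above.
polydirs_for_user() {
    printf '%s\n' "$NAMESPACE_CONF" | awk -v u="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            dir = $1; uids = $4
            if (uids == "") { print dir; next }
            invert = (substr(uids, 1, 1) == "~")
            if (invert) uids = substr(uids, 2)
            n = split(uids, list, ",")
            found = 0
            for (i = 1; i <= n; i++) if (list[i] == u) found = 1
            if (invert ? found : !found) print dir
        }'
}

# Constructed /etc/pam.d/sudo fragment (not from the page): pam_namespace with
# unmnt_remnt, so that sudo unmounts the caller's private /tmp and remounts
# one for the target user. This is the access the sudo commit allows.
PAM_SUDO='#%PAM-1.0
auth       include      system-auth
account    include      system-auth
session    required     pam_namespace.so unmnt_remnt
session    include      system-auth
'

# pam_namespace_opts CONTENT: print the options given to pam_namespace.so on
# session lines ("none" if it is configured without any). Assumes simple
# control tokens; bracketed [success=... default=...] controls are not handled.
pam_namespace_opts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "session" && $3 == "pam_namespace.so" {
            if (NF <= 3) { print "none"; next }
            for (i = 4; i <= NF; i++) print $i
        }'
}
```

To run this against a real host, replace the two constructed strings with `$(cat /etc/security/namespace.conf)` and `$(cat /etc/pam.d/sudo)`. The output of `polydirs_for_user` for the invoking user is the set of mount operations sudo (or login) will perform, which is the same set the policy has to permit.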
Kenton Groombridge 82461e6172 files, init: allow init to remount filesystems mounted on /boot
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
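The commit above hinges on one detail: when /boot is a DOS filesystem mounted with a `context=` option, the kernel reports that option in /proc/self/mounts, and the type it names (boot_t here, not dosfs_t) is the type init must be allowed to remount for ProtectSystem=full. The following shell parser is an added example for this page, not refpolicy code or the commit author's; it extracts the `context=` type from mount-table lines. The mount table it reads is constructed inline; the quoting rule it handles is the kernel's, which wraps a context= value in double quotes only when the value contains a comma (MCS category lists).

```shell
#!/bin/sh
# Constructed /proc/self/mounts sample (not taken from the page): an ext4 root
# using its own labels, a vfat /boot forced to boot_t with context=, and a
# removable vfat stick whose context carries MCS categories and is therefore
# quoted. A matching fstab line for /boot would be:
#   /dev/sda1 /boot vfat defaults,context=system_u:object_r:boot_t:s0 0 2
MOUNTS='/dev/sda2 / ext4 rw,relatime,seclabel 0 0
/dev/sda1 /boot vfat rw,relatime,context=system_u:object_r:boot_t:s0,fmask=0022,dmask=0022 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev,context="system_u:object_r:removable_t:s0:c0,c1" 0 0
'

# mount_options MOUNTPOINT: print the option string of the mount at MOUNTPOINT.
mount_options() {
    printf '%s\n' "$MOUNTS" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# mount_context MOUNTPOINT: print the full context= value of a mount, or nothing
# if the mount has none. Only a bare "context=" counts; rootcontext= and
# fscontext= are different options and are deliberately not matched.
mount_context() {
    opts=$(mount_options "$1")
    # quoted form first (value contains a comma), then the unquoted form
    ctx=$(printf '%s\n' "$opts" | sed -nE 's/.*(^|,)context="([^"]*)".*/\2/p')
    [ -n "$ctx" ] || ctx=$(printf '%s\n' "$opts" | sed -nE 's/.*(^|,)context=([^,]*).*/\2/p')
    printf '%s\n' "$ctx"
}

# mount_type MOUNTPOINT: the SELinux type the mount was forced to with
# context=, or "none" when the filesystem's own labels or the policy default
# apply. For /boot this is the type init needs remount permission on.
mount_type() {
    ctx=$(mount_context "$1")
    [ -n "$ctx" ] || { echo none; return; }
    printf '%s\n' "$ctx" | cut -d: -f3
}
```

On a live system set `MOUNTS=$(cat /proc/self/mounts)` and call `mount_type /boot`; `findmnt -o TARGET,OPTIONS /boot` shows the same option string. If the answer is dosfs_t rather than boot_t, the fstab entry is missing the context= option and the remount permission the commit adds will not be the one that is exercised.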
Kenton Groombridge 30ea630d9d init: allow systemd to nnp_transition and nosuid_transition to daemon domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:47 -04:00
Chris PeBenito a7de85503e
Merge pull request #479 from 0xC0ncord/dbus-broker
Add type for systemd runtime units and add dbus-broker support
2022-03-18 16:36:21 -04:00
Chris PeBenito 2f2c0e3f20
Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition
podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00
Kenton Groombridge d47cc12801 docker, podman: container units now have the runtime unit type
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge da9382afbd dbus, policykit: add tunables for dbus-broker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge db4b647a29 dbus: fixes for dbus-broker
dbus-broker manages files in a tmpfs. dbus-broker fails to start without
this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge d9e660c3a9 init: split access for systemd runtime units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:10 -04:00
Kenton Groombridge fe7d5287c4 podman: add explicit range transition for conmon
Ensure that when conmon is started, it runs in s0 and is able to
communicate with the container.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:03:33 -04:00
Chris PeBenito c5add64587
Merge pull request #477 from jpds/networkd-dhcpd-bind
systemd.te: Added boolean for allowing dhcpd server packets
2022-03-17 12:47:09 -04:00
Jonathan Davies 126c234b5c systemd.te: Added boolean for allowing dhcpd server packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-15 14:56:51 +00:00
Chris PeBenito dd803cfef5
Merge pull request #475 from pebenito/drop-broken-symptoms-blocks
Make hide_broken_symptoms unconditional.
2022-03-15 10:13:27 -04:00
Chris PeBenito 1b40c87a68 mailmain: Fix SELint issues.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 10:01:26 -04:00
Chris PeBenito 341abff611 mailmain: Fix check_fc_files issue.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 09:54:38 -04:00
Russell Coker dd312a6be6 mailman3 V3
Fixed the issues Chris raised with the previous patch.  I think this is
ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-14 09:46:37 -04:00
Chris PeBenito 43d0b184b5 matrixd: SELint fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 14:57:02 -05:00
Chris PeBenito 2ab6d0bc91 matrixd: Cleanups.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:46:24 -05:00
Russell Coker 05b5de6282 matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00
Chris PeBenito a1d36a317b puppet: Style fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:25:04 -05:00
Russell Coker 73533c0755 puppet V3
Removed the entrypoint stuff that was controversial, the rest should be fine.

I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:19:53 -05:00
Chris PeBenito 651dc11f36 Make hide_broken_symptoms unconditional.
These blocks are always enabled.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-16 12:04:21 -05:00
Chris PeBenito e580e00bb6 cron, dbus, policykit, postfix: Minor style fixes.
No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 11:04:33 -05:00
Russell Coker 4137954aa3 dontaudit net_admin without hide_broken_symptoms
Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 10:58:32 -05:00
Chris PeBenito ef910e11c5 postfix, spamassassin: Fix missed type renames after alias removals.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 07:03:34 -05:00
Russell Coker 8e633b70dd remove aliases from 20210203
This patch against version 20220106 removes the typealias rules that were in
version 20210203.  If we include this now then the typealias rules in
question will have been there for 3 consecutive releases.  But if you think
we should wait until after the next release that's OK.

It's obvious that this patch should be included sooner or later, I think now
is a reasonable time.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 06:54:26 -05:00
Chris PeBenito d96d8b5977
Merge pull request #473 from pebenito/allow-lockdown
domain: Allow lockdown for all domains.
2022-02-04 08:37:02 -05:00
Chris PeBenito ffe2f2294f domain: Allow lockdown for all domains.
The checks for this class were removed in 5.16.  This object
class will be removed in the future.

For more info:
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-02 15:37:28 -05:00
Chris PeBenito 6f947e604a
Merge pull request #472 from bigon/dockerd_path
docker: On debian dockerd and docker-proxy are in /usr/sbin
2022-02-02 09:22:11 -05:00
Laurent Bigonville 43cb910e38 container: On Debian, runc is installed in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:41:49 +01:00
Laurent Bigonville 5c9fa6d268 docker: On debian dockerd and docker-proxy are in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:18:20 +01:00
Chris PeBenito c86645f836
Merge pull request #468 from jpds/node_exporter-addition
node_exporter: Added initial policy
2022-02-01 11:59:42 -05:00
Chris PeBenito 709bfd95f9
Merge pull request #462 from pebenito/systemd-updates
Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00
Chris PeBenito c58823f748
Merge pull request #471 from pebenito/revert-mcs-users
Revert mcs users
2022-02-01 09:15:54 -05:00
Chris PeBenito 80598ee30d systemd: Updates for generators and kmod-static-nodes.service.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito 0b19aaef3c systemd: Additional fixes for fs getattrs.
This may need to be allowed more broadly.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito 71b3fce22b systemd, ssh: Crypto sysctl use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito d6a676f0a6 systemd: Add systemd-homed and systemd-userdbd.
Systemd-homed does not completely work since the code does not label
the filesystems it creates.

systemd-userdbd partially derived from the Fedora policy.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:28 -05:00
Chris PeBenito 6013141bb4 Revert "users: remove MCS categories from default users"
This reverts commit 7d53784332.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-01 09:00:19 -05:00
Jonathan Davies 8d03e35e22 node_exporter: Added initial policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-02-01 00:35:54 +00:00
Chris PeBenito 32ecefdf28
Merge pull request #470 from 0xC0ncord/docker-init-daemon-domain
docker: add missing call to init_daemon_domain()
2022-01-31 08:44:06 -05:00
Kenton Groombridge 800039c671 docker: add missing call to init_daemon_domain()
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito 242e371ac2
Merge pull request #469 from cgzones/selint
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche 0e06f23e07 Revert "tests.yml: Disable policy_module() selint checks."
This reverts commit 5781a2393c.

SELint 1.2.1 supports the new policy_module syntax.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00