Chris PeBenito
0c6e887481
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-29 11:40:49 -05:00
Chris PeBenito
92da1b321b
Merge pull request #441 from yizhao1/strongswan
2021-11-29 11:36:25 -05:00
Chris PeBenito
86931401b6
Merge pull request #438 from pebenito/auditd-stat-dispatched
2021-11-29 11:36:16 -05:00
Chris PeBenito
fd367d24eb
Merge pull request #437 from pebenito/ntp-drift-symlink
2021-11-29 11:36:12 -05:00
Chris PeBenito
f3c10c83bd
Merge pull request #436 from pebenito/udev-efi
2021-11-29 11:36:09 -05:00
Chris PeBenito
74b080fcaf
Merge pull request #435 from pebenito/systemd-updates
2021-11-29 11:36:05 -05:00
Yi Zhao
9e71ad3551
ipsec: fixes for strongswan
* Add fcontext for charon-systemd
* Allow ipsec_mgmt_t to list ipsec_conf_file_t dir
* Allow ipsec_mgmt_t to read cert files
Fixes:
avc: denied { search } for pid=372 comm="swanctl" name="strongswan.d"
dev="vda" ino=1461
scontext=system_u:system_r:ipsec_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
avc: denied { read } for pid=372 comm="swanctl" name="strongswan.d"
dev="vda" ino=1461
scontext=system_u:system_r:ipsec_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
avc: denied { getattr } for pid=323 comm="swanctl"
path="/etc/ssl/openssl.cnf" dev="vda" ino=1463
scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { open } for pid=323 comm="swanctl"
path="/etc/ssl/openssl.cnf" dev="vda" ino=1463
scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { read } for pid=323 comm="swanctl" name="openssl.cnf"
dev="vda" ino=1463 scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { search } for pid=323 comm="swanctl" name="ssl"
dev="vda" ino=1202 scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-29 16:38:12 +08:00
Chris PeBenito
7e3b26e76c
logging: Allow auditd to stat() dispatcher executables.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:37:01 -05:00
Chris PeBenito
89c83b8299
ntp: Handle symlink to drift directory.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:35:56 -05:00
Chris PeBenito
bc51e2afe0
udev: Manage EFI variables.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:34:54 -05:00
Chris PeBenito
51d0d6d15e
logging: Add audit_control for journald.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:38 -05:00
Chris PeBenito
580c3da195
systemd: User runtime reads user cgroup files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:35 -05:00
Chris PeBenito
c66fefcbf1
systemd: Revise tmpfiles factory to allow writing all configs.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:33 -05:00
Chris PeBenito
6ce1e64c49
systemd: Unit generator fixes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:30 -05:00
Chris PeBenito
96ea14ed59
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:25 -05:00
Chris PeBenito
6eb1469ce7
Merge pull request #433 from 0xC0ncord/wine-roleattribute
wine: fix roleattribute statement
2021-11-18 14:30:57 -05:00
Kenton Groombridge
64380b4d33
wine: fix roleattribute statement
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-16 12:11:59 -05:00
Chris PeBenito
096eb775fa
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-15 15:34:27 -05:00
Chris PeBenito
55d91c13f3
Merge pull request #415 from 0xC0ncord/constraints-update
2021-11-15 15:34:06 -05:00
Chris PeBenito
af39a6ed86
Merge pull request #432 from vmojzis/warning
Report warning on duplicate definition of interface
2021-11-15 08:56:21 -05:00
Vit Mojzis
051d166cd0
Improve error message on duplicate definition of interface
Specify which file contains the original definition.
Old:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on 284.
New:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on
/usr/share/selinux/devel/include/contrib/ipa.if:284.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-11-15 10:23:48 +01:00
Chris PeBenito
47a229198d
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-14 18:57:40 -05:00
Chris PeBenito
e0d1b94c8e
Merge pull request #412 from 0xC0ncord/bugfix/systemd-user-exec-apps-hookup
2021-11-14 18:57:19 -05:00
Kenton Groombridge
a29cb4a2b3
guest, xguest: remove apache role access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-12 14:57:36 -05:00
Kenton Groombridge
5ea601c011
mcs: only constrain mcs_constrained_type for db accesses
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:59:08 -05:00
Kenton Groombridge
b006b259f4
mcs: constrain context contain access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:56:27 -05:00
Kenton Groombridge
e701e18e7f
corenet: make netlabel_peer_t mcs constrained
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:30 -05:00
Kenton Groombridge
e7fb65980f
various: deprecate mcs override interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:26 -05:00
Kenton Groombridge
10bfc890d2
mcs: combine single-level object creation constraints
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:18 -05:00
Kenton Groombridge
d355d046d2
mcs: constrain misc IPC objects
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:12 -05:00
Kenton Groombridge
814d4d3f38
mcs: add additional constraints to databases
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:09 -05:00
Chris PeBenito
2d371fcee2
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-09 11:13:37 -05:00
Chris PeBenito
9369323629
Merge pull request #429 from 0xC0ncord/various-20211106
2021-11-09 11:13:21 -05:00
Kenton Groombridge
b24d350780
spamassassin: fix file contexts for rspamd symlinks
rspamd installs symlinks to /usr/bin that point to the real rspam*
binaries. Make these files bin_t so that other programs can read them
without any additional access needed.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
282c291cb2
policykit, systemd: allow policykit to watch systemd logins and sessions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
2e6cc2d281
netutils: fix ping
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
ae0a8b7fba
bind: fixes for unbound
Unbound maintains a copy of the root key in /etc/unbound/cache and needs
to be able to manage it.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
60d3cf03ed
asterisk: allow reading generic certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
82767eaade
sysadm, systemd: fixes for systemd-networkd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
397d4a379f
ssh: fix for polyinstantiation
If using polyinstantiation, sshd needs to be able to create a new tmp
directory for remote users.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
19d787597f
usbguard, sysadm: misc fixes
Fixes for usbguard and allow sysadm to connect to usbguard to manage
devices at runtime.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
2d33258db7
certbot, various: allow various services to read certbot certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:44 -05:00
Chris PeBenito
85a3e84a92
Merge pull request #431 from 0xC0ncord/git-type
2021-11-09 11:01:59 -05:00
Chris PeBenito
8500c2da93
Merge pull request #430 from jpds/virt-common-fix
2021-11-09 11:01:42 -05:00
Chris PeBenito
959ad8ad4d
Merge pull request #428 from cgzones/install-headers
2021-11-09 11:01:31 -05:00
Chris PeBenito
5c942164e4
Merge pull request #426 from yizhao1/passwd
2021-11-09 11:01:20 -05:00
Chris PeBenito
8269a22128
Merge pull request #425 from yizhao1/bind
2021-11-09 11:01:04 -05:00
Chris PeBenito
17b8159a95
Merge pull request #424 from yizhao1/rngd
2021-11-09 11:00:55 -05:00
Chris PeBenito
494e35fcc3
Merge pull request #423 from cgzones/ramfs
2021-11-09 11:00:49 -05:00
Chris PeBenito
1570c0a58d
Merge pull request #419 from 0xC0ncord/noxattrfs-split
2021-11-09 11:00:37 -05:00