Commit Graph

6408 Commits

Author SHA1 Message Date
Kenton Groombridge dcc90a0c3c container, podman: allow podman to restart container units
podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 43a9841746 container: add separate type for container engine units
and add a filecon for container units themselves.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge eff1b1ecad init, systemd: allow unpriv users to read the catalog
Label /var/lib/systemd/catalog the journal type, and allow unpriv users
to search /var/lib/systemd. This is to fix this warning when an
unprivileged user uses journalctl:

Failed to find catalog entry: Permission denied

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 001d51d267 systemd: minor fixes to systemd user domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge c2b0d7e7fb ssh: add tunable to allow sshd to use remote port forwarding
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 7624e8dd7d container: allow container engines to manage tmp symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3560273d54 container: allow containers to manipulate own fds
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 1a0acc9c0d sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3cac9e0e5d sudo: allow sudo domains to create netlink selinux sockets
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 6fa7d7349d bind: fixes for named working on dnssec files
Unbound manages DNSSEC root keys in /etc/unbound. Rewrite these rules so
that the necessary rules are added in order to allow this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge ed28c58eba postfix: allow postfix master fsetid capability
The postfix master will try to correct permissions on its queue
directories with chown. This can be reproduced with 'postfix
set-permissions'.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 932bef5721 postfix: allow postfix master to get the state of init
postfix master wants to read /proc/1/environ.

type=PROCTITLE msg=audit(1636823237.886:5323): proctitle=2F7573722F7362696E2F706F7374666978007374617274
type=PATH msg=audit(1636823237.886:5323): item=0 name="/proc/1/environ" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1636823237.886:5323): cwd="/"
type=SYSCALL msg=audit(1636823237.886:5323): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7bee3e1fb760 a2=80000 a3=0 items=1 ppid=1 pid=765167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1636823237.886:5323): avc:  denied  { search } for  pid=765167 comm="postfix" name="1" dev="proc" ino=1551198 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 2b63f7bcd1 postfix: allow postfix-map to read certbot certs
Postfix supports TLS SNI. Postfix expects the certificate chain to be a
concatenated single file and must be mapped with postfix-map. Allow
postfix-map to read certbot certs in order to support this
configuration.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 4ff0a19212 modutils: allow kmod to write to kmsg
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge e0d44df4ac fail2ban: allow fail2ban to getsched on its processes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3e22b4bb2a matrixd: various fixes
Allow matrix to getsched of its own processes and also allow it to
connect to all TCP ports if federation is enabled. There are seemingly
some servers out there on weird federation ports, so allow this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge df59df505d bootloader, files: allow bootloader to getattr on boot_t filesystems
If the system is using a boot partition that is formatted vfat (such as
the case of using the ESP as the boot partition itself), the filesystem
may also be explicitly labeled boot_t instead of dosfs_t. Allow the
bootloader to get the attributes of such a filesystem.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 37bbbbec79 raid: allow mdadm to use user ptys
This is normally dontaudited, but without this access we cannot use
the mdadm utility interactively (to check the status of arrays, etc).

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 9584ccf76d systemd: dontaudit systemd-generator getattr on all dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 3a22db2410 systemd: systemd-resolved is linked to libselinux
systemd-resolved as of systemd 250 fails to start with this error:

Failed to initialize SELinux labeling handle: No such file or directory

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Chris PeBenito ed9e2c99ca Merge pull request #499 from 0xC0ncord/udica-templates
Add udica templates
2022-05-07 14:16:21 -04:00
Kenton Groombridge 082fbdfcb8 github: test install of udica templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-07 09:21:17 -04:00
Kenton Groombridge 9c9d675e6e makefile: add install target for udica templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-07 09:21:14 -04:00
Kenton Groombridge f95131dadf udica-templates: initial commit of udica templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-07 09:20:55 -04:00
Chris PeBenito 8f4ca1fb90 Merge pull request #497 from 0xC0ncord/git-credentials-fc
git: add missing file contexts
2022-05-01 07:42:06 -04:00
Chris PeBenito 291f89aab8 Merge pull request #495 from pebenito/vuln-policy
Add a vulnerability handling process.
2022-04-28 16:20:59 -04:00
Chris PeBenito 596ad3830e Add a vulnerability handling process.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-04-28 15:51:16 -04:00
Kenton Groombridge ba4971ba89 git: add missing file contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-27 18:13:43 -04:00
Chris PeBenito b6998e496d Merge pull request #494 from pebenito/sddm-seuser
seusers: Remove sddm.
2022-04-25 09:13:06 -04:00
Chris PeBenito 95d367fd9b seusers: Remove sddm.
This breaks systems that do not have the xserver module.

This partially reverts 6e5a6bffdb.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-04-21 11:21:18 -04:00
Chris PeBenito 75599a2358 Merge pull request #491 from 0xC0ncord/containers-watch-public
container: minor additions
2022-04-15 13:23:20 -04:00
Kenton Groombridge fb531e2688 sysadm: allow sysadm to watch journal directories
Required when using 'podman logs -f'

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:47:39 -04:00
Kenton Groombridge cf21387e29 podman: allow podman to watch journal dirs
Watch access is required for 'podman logs -f' to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:46:14 -04:00
Kenton Groombridge c1d007563e container: also allow containers to watch public content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 10:39:30 -04:00
Chris PeBenito 0724f54381 Merge pull request #490 from 0xC0ncord/containers-20220331
Various container fixes
2022-04-01 10:29:14 -04:00
Kenton Groombridge f0c980b36c container: add missing capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:19 -04:00
Kenton Groombridge 53e708e724 container: add tunables to allow containers to access public content
Note that container engines only need read access to these files even if
manage access is enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:18 -04:00
Kenton Groombridge 5dbc5aa25d container: allow generic containers to read the vm_overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:17 -04:00
Kenton Groombridge 0e3ce95c94 container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other
services starting with NoNewPrivileges while already running containers
have mounted filesystems.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:15 -04:00
Kenton Groombridge 4fd2a2ecbc podman: add rules for systemd container units
Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:14 -04:00
Kenton Groombridge fcb295578e container, podman: allow containers to interact with conmon
Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:11 -04:00
Kenton Groombridge 8fee419513 podman: fix role associations
Add conmon to the system role and make podman/conmon user domains user
applications.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:09 -04:00
Kenton Groombridge 91da5e861b podman: allow system podman to interact with container transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:06 -04:00
Kenton Groombridge db2ec49444 container, podman: allow podman to create and write config files
Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:04 -04:00
Russell Coker 6e5a6bffdb new sddm V2
This patch addresses all previous issues and I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-28 10:09:24 -04:00
Chris PeBenito 42e57f4d1e Merge pull request #487 from jpds/userdb-lnk-read
systemd.if: Allowed reading symlinks in systemd_stream_connect_userdb()
2022-03-25 12:39:34 -04:00
Chris PeBenito eaccf044f3 apache: Remove unnecessary require in apache_exec().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Chris PeBenito 2aff07c23a postfix: Move lines.
No rule change.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Russell Coker 68353358d4 init dbus patch for GetDynamicUsers with systemd_use_nss() V2
Same as before but moved to the top of my patch list so it will apply to the
git policy.

Should be ready to merge now.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Russell Coker 7849012937 certbot V3
Same as the last one but with the directory names for the auto trans rules
removed. I think it's ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00