Chris PeBenito
e96c357b79
Merge branch 'corecmd_module' of git://github.com/cgzones/refpolicy
2017-02-18 11:51:40 -05:00
Chris PeBenito
8b6525e992
Merge branch 'sysadm_fixes' of git://github.com/cgzones/refpolicy
2017-02-18 11:39:05 -05:00
Chris PeBenito
959f78de99
Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy
2017-02-18 11:34:23 -05:00
Chris PeBenito
74d6a63ff9
mon: Fix deprecated interface usage.
2017-02-18 11:21:34 -05:00
Chris PeBenito
c784507bce
Travis-CI: Terminate build immediately on error.
...
See travis-ci/travis-ci#1066 .
2017-02-18 10:37:35 -05:00
Chris PeBenito
1af24ad32b
Fix Travis-CI WERROR support.
2017-02-18 10:25:48 -05:00
Chris PeBenito
dd03d589e2
Implement WERROR build option to treat warnings as errors.
...
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
cgzones
da1ea093cb
corecommands: label some binaries as bin_t
2017-02-16 17:05:26 +01:00
cgzones
60983561be
sysadm: fix denials
...
allow to read kmesg and the selinux policy
2017-02-16 16:00:14 +01:00
cgzones
7539f65bc2
setfiles: allow getattr to kernel pseudo fs
...
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
2017-02-16 15:26:29 +01:00
Chris PeBenito
d9980666a4
Update contrib.
2017-02-15 19:08:32 -05:00
Russell Coker
5a6251efc6
tiny mon patch
...
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
2017-02-15 18:51:39 -05:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
629b8af1e1
Update contrib.
2017-02-13 20:00:52 -05:00
Russell Coker
69215f0664
inherited file and fifo perms
...
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.
I've had this in Debian for a while and some Debian policy relies on it.
I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.
We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Chris PeBenito
e9b2a7943c
Module version bump for bootloader patch revert. Plus compat alias.
2017-02-11 14:51:21 -05:00
Chris PeBenito
0e80a8a7cf
Revert "bootloader: stricter permissions and more tailored file contexts"
...
This reverts commit b0c13980d2
.
2017-02-11 14:26:48 -05:00
Chris PeBenito
cd29a19479
Fix contrib commit.
2017-02-08 17:19:26 -05:00
Chris PeBenito
aeea0d9f3f
mon policy from Russell Coker.
2017-02-08 16:56:09 -05:00
Chris PeBenito
2fdc11be47
Update contrib.
2017-02-07 19:09:45 -05:00
Chris PeBenito
7aafe9d8b7
Systemd tmpfiles fix for kmod.conf from Russell Coker.
2017-02-07 19:03:59 -05:00
Chris PeBenito
69da46ae18
usrmerge FC fixes from Russell Coker.
2017-02-07 18:51:58 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
c205e90e75
Update Changelog and VERSION for release.
2017-02-04 13:30:54 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
23001afc0c
Module version bump for xkb fix from Jason Zaman.
2017-01-29 12:48:01 -05:00
Jason Zaman
20c5fddc08
xserver: allow X roles to read xkb libs to set keymaps
...
commit d76d9e13b1
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:
$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)
type=AVC msg=audit(1485357942.135:4458): avc: denied { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc: denied { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
2017-01-29 12:47:22 -05:00
Chris PeBenito
a848a0d465
Module version bump for cups patch from Guido Trentalancia.
2017-01-23 18:50:53 -05:00
Guido Trentalancia
3254ed2759
udev: execute HPLIP applications in their own domain
...
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-23 18:49:31 -05:00
Chris PeBenito
81bd76fe85
Fix contrib.
2017-01-15 13:33:25 -05:00
Chris PeBenito
24016954fb
Update contrib.
2017-01-15 13:18:09 -05:00
Stephen Smalley
4637cd6f89
refpolicy: drop unused socket security classes
...
A few of the socket classes added by commit 09ebf2b59a
("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family. Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Chris PeBenito
b05d72b0d3
Module version bump for cpu_online genfscon from Laurent Bigonville.
2017-01-09 20:36:27 -05:00
Laurent Bigonville
3d8669d8ce
Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
...
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.
This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.
Thanks to Dominick for the tip.
2017-01-09 20:35:47 -05:00
Chris PeBenito
0fe21742cd
Module version bumps for patches from cgzones.
2017-01-09 20:34:15 -05:00
Chris PeBenito
a00d401c1b
Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy
2017-01-09 18:19:35 -05:00
Chris PeBenito
694e85cc6f
Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:13:47 -05:00
Chris PeBenito
9387d5c324
Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy
2017-01-09 18:12:38 -05:00
Chris PeBenito
41661ed4b3
Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:12:02 -05:00
Chris PeBenito
4f34f6d220
Merge branch 'mount_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:10:57 -05:00
Chris PeBenito
1497fe2f54
Merge branch 'corenetork_module' of git://github.com/cgzones/refpolicy
2017-01-09 18:05:18 -05:00
cgzones
2526c96a2c
update mount module
...
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
2017-01-08 14:59:08 +01:00
Chris PeBenito
2d8da56da4
Merge pull request #94 from cgzones/travis
...
use travis cache
2017-01-07 15:29:31 -05:00
cgzones
79ff2a45bf
use travis cache
...
cache SELinux userspace build
2017-01-06 19:55:17 +01:00
cgzones
05a9fdfe6e
update corenetwork module
...
* remove deprecated interfaces
* label tcp port 2812 for monit
2017-01-06 15:06:37 +01:00
cgzones
11a0508ede
update terminal module
...
* label content of /dev/pts/ correctly
* remove deprecated interfaces
2017-01-06 15:03:08 +01:00
cgzones
b59dc99d56
update unconfined module
...
* grant capability2:wake_alarm
* remove deprecated interfaces
2017-01-06 15:01:45 +01:00
Chris PeBenito
15ccd01cac
Merge pull request #62 from cgzones/fix_permission_segenxml
...
fix permission of installed segenxml.py by install-headers
2017-01-05 18:34:38 -05:00
cgzones
ab652e1f59
add files_search_src()
...
required by loadkeys
2017-01-05 12:47:58 +01:00