Commit Graph

4306 Commits

Author SHA1 Message Date
Chris PeBenito e96c357b79 Merge branch 'corecmd_module' of git://github.com/cgzones/refpolicy 2017-02-18 11:51:40 -05:00
Chris PeBenito 8b6525e992 Merge branch 'sysadm_fixes' of git://github.com/cgzones/refpolicy 2017-02-18 11:39:05 -05:00
Chris PeBenito 959f78de99 Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy 2017-02-18 11:34:23 -05:00
Chris PeBenito 74d6a63ff9 mon: Fix deprecated interface usage. 2017-02-18 11:21:34 -05:00
Chris PeBenito c784507bce Travis-CI: Terminate build immediately on error.
See travis-ci/travis-ci#1066.
2017-02-18 10:37:35 -05:00
Chris PeBenito 1af24ad32b Fix Travis-CI WERROR support. 2017-02-18 10:25:48 -05:00
Chris PeBenito dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
Chris PeBenito cb35cd587f Little misc patches from Russell Coker. 2017-02-18 09:39:01 -05:00
cgzones da1ea093cb corecommands: label some binaries as bin_t 2017-02-16 17:05:26 +01:00
cgzones 60983561be sysadm: fix denials
allow reading kmesg and the SELinux policy
2017-02-16 16:00:14 +01:00
cgzones 7539f65bc2 setfiles: allow getattr to kernel pseudo fs
User domains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spot incorrect labels.
2017-02-16 15:26:29 +01:00
Chris PeBenito d9980666a4 Update contrib. 2017-02-15 19:08:32 -05:00
Russell Coker 5a6251efc6 tiny mon patch
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.

The following patch re-enables the ability to execute alert scripts.
2017-02-15 18:51:39 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 629b8af1e1 Update contrib. 2017-02-13 20:00:52 -05:00
Russell Coker 69215f0664 inherited file and fifo perms
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited.  The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs' stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Chris PeBenito e9b2a7943c Module version bump for bootloader patch revert. Plus compat alias. 2017-02-11 14:51:21 -05:00
Chris PeBenito 0e80a8a7cf Revert "bootloader: stricter permissions and more tailored file contexts"
This reverts commit b0c13980d2.
2017-02-11 14:26:48 -05:00
Chris PeBenito cd29a19479 Fix contrib commit. 2017-02-08 17:19:26 -05:00
Chris PeBenito aeea0d9f3f mon policy from Russell Coker. 2017-02-08 16:56:09 -05:00
Chris PeBenito 2fdc11be47 Update contrib. 2017-02-07 19:09:45 -05:00
Chris PeBenito 7aafe9d8b7 Systemd tmpfiles fix for kmod.conf from Russell Coker. 2017-02-07 19:03:59 -05:00
Chris PeBenito 69da46ae18 usrmerge FC fixes from Russell Coker. 2017-02-07 18:51:58 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito c205e90e75 Update Changelog and VERSION for release. 2017-02-04 13:30:54 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 23001afc0c Module version bump for xkb fix from Jason Zaman. 2017-01-29 12:48:01 -05:00
Jason Zaman 20c5fddc08 xserver: allow X roles to read xkb libs to set keymaps
commit d76d9e13b1
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
Setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc:  denied  { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
2017-01-29 12:47:22 -05:00
Chris PeBenito a848a0d465 Module version bump for cups patch from Guido Trentalancia. 2017-01-23 18:50:53 -05:00
Guido Trentalancia 3254ed2759 udev: execute HPLIP applications in their own domain
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-23 18:49:31 -05:00
Chris PeBenito 81bd76fe85 Fix contrib. 2017-01-15 13:33:25 -05:00
Chris PeBenito 24016954fb Update contrib. 2017-01-15 13:18:09 -05:00
Stephen Smalley 4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Chris PeBenito b05d72b0d3 Module version bump for cpu_online genfscon from Laurent Bigonville. 2017-01-09 20:36:27 -05:00
Laurent Bigonville 3d8669d8ce Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.

This patch should help to deprecate distribution-specific calls to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.

Thanks to Dominick for the tip.
2017-01-09 20:35:47 -05:00
Chris PeBenito 0fe21742cd Module version bumps for patches from cgzones. 2017-01-09 20:34:15 -05:00
Chris PeBenito a00d401c1b Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy 2017-01-09 18:19:35 -05:00
Chris PeBenito 694e85cc6f Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:13:47 -05:00
Chris PeBenito 9387d5c324 Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy 2017-01-09 18:12:38 -05:00
Chris PeBenito 41661ed4b3 Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:12:02 -05:00
Chris PeBenito 4f34f6d220 Merge branch 'mount_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:10:57 -05:00
Chris PeBenito 1497fe2f54 Merge branch 'corenetork_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:05:18 -05:00
cgzones 2526c96a2c update mount module
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
2017-01-08 14:59:08 +01:00
Chris PeBenito 2d8da56da4 Merge pull request #94 from cgzones/travis
use travis cache
2017-01-07 15:29:31 -05:00
cgzones 79ff2a45bf use travis cache
cache SELinux userspace build
2017-01-06 19:55:17 +01:00
cgzones 05a9fdfe6e update corenetwork module
* remove deprecated interfaces
* label tcp port 2812 for monit
2017-01-06 15:06:37 +01:00
cgzones 11a0508ede update terminal module
* label content of /dev/pts/ correctly
* remove deprecated interfaces
2017-01-06 15:03:08 +01:00
cgzones b59dc99d56 update unconfined module
* grant capability2:wake_alarm
* remove deprecated interfaces
2017-01-06 15:01:45 +01:00
Chris PeBenito 15ccd01cac Merge pull request #62 from cgzones/fix_permission_segenxml
fix permission of installed segenxml.py by install-headers
2017-01-05 18:34:38 -05:00
cgzones ab652e1f59 add files_search_src()
required by loadkeys
2017-01-05 12:47:58 +01:00