Chris PeBenito
3726cd58f6
Module version bump for changes from cgzones.
2017-02-18 12:28:38 -05:00
Chris PeBenito
959f78de99
Merge branch 'setfiles_getattr' of git://github.com/cgzones/refpolicy
2017-02-18 11:34:23 -05:00
Chris PeBenito
cb35cd587f
Little misc patches from Russell Coker.
2017-02-18 09:39:01 -05:00
cgzones
61b72e0796
selinuxutil: adjustments
...
* no negative permission matching for newrole_t:process
* do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp
* reorder label for /run/restorecond.pid
* fix systemd related denials
2017-02-16 16:53:06 +01:00
cgzones
7539f65bc2
setfiles: allow getattr to kernel pseudo fs
...
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
2017-02-16 15:26:29 +01:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
Chris PeBenito
f850ec37df
Module version bumps for /run fc changes from cgzones.
2016-12-22 15:54:46 -05:00
Chris PeBenito
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
Chris PeBenito
c3523f3c85
Module version bump for selinuxutil fix from Jason Zaman.
2016-09-18 16:41:47 -04:00
Jason Zaman via refpolicy
4869c224bd
selinuxutil: allow setfiles to read semanage store
...
commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing
validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.
2016-09-18 16:40:45 -04:00
Chris PeBenito
71a425fdcd
Systemd units from Russell Coker.
2016-08-06 19:14:18 -04:00
Chris PeBenito
f72f1a48d9
Module version bump for Debian fc entries from Laurent Bigonville.
2016-03-28 09:59:02 -04:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
60d8b699fb
Change policy_config_t to a security file type.
...
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito
0a088aa8ac
Module version bumps for further init_startstop_service() changes from Jason Zaman.
2015-05-27 14:50:45 -04:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
b86c6004d4
Module version bump for module store move from Steve Lawrence.
2014-12-03 13:37:02 -05:00
Steve Lawrence
418b3c78bb
Update policy for selinux userspace moving the policy store to /var/lib/selinux
...
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 13:36:31 -05:00
Chris PeBenito
3b697dbb25
Module version bump for 2 patch sets from Laurent Bigonville.
...
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville
86a429de23
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
...
Use the new fs_getattr_all_xattr_fs() interface to allow setfiles_t and
restorecond_t domain to also get the attributes on pseudo-filesystems
that support xattr
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
2014-04-11 09:08:19 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
0075ffb8b3
Module version bump for module store labeling fixes from Laurent Bigonville.
2014-01-17 08:54:08 -05:00
Laurent Bigonville
be12f4dc18
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
...
Move the filetrans_patern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory
2014-01-16 16:12:44 -05:00
Chris PeBenito
9d6546a472
Module version bumps for syslog-ng and semodule updates.
2013-11-13 09:27:21 -05:00
Chris PeBenito
20471346ed
Silence symlink reading by setfiles since it doesn't follow symlinks anyway.
2013-09-27 17:09:43 -04:00
Chris PeBenito
7174140178
Module version bump for xserver and selinuxutil updates from Dominick Grift.
2013-09-26 08:32:33 -04:00
Chris PeBenito
b2eaf87020
Add comment for setfiles using /dev/console when it needs to be relabeled.
2013-09-26 08:31:41 -04:00
Dominick Grift
dae823c43a
Restorecon reads, and writes /dev/console before it is properly labeled
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:30:00 -04:00
Chris PeBenito
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
Chris PeBenito
8e00a439ef
Module verion bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen.
2012-05-10 10:36:06 -04:00
Chris PeBenito
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
Chris PeBenito
b72101a116
Module version bump and changelog for non-auth file attribute to eliminate set expressions, from James Carter.
2012-05-04 09:14:00 -04:00
James Carter
624e73955d
Changed non-contrib policy to use the new non_auth_file_type interfaces
...
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
Chris PeBenito
ee8210c690
Module version bump for make role attributes able to type their "own" types patch from Harry Ciao.
2012-02-27 10:25:08 -05:00
Chris PeBenito
e707a70819
Rearrange role lines from "own" patch.
2012-02-27 10:18:00 -05:00
Harry Ciao
93c3ee8b7f
Make role attributes able to type their "own" types.
...
By default, any role attribute should be able to type their "own" types
that share the same prefix and used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly tansition into newrole_t. Without above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
Chris PeBenito
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
Chris PeBenito
7d6b1e5889
Module version bump and changelog for role attributes usage.
2011-09-21 09:16:34 -04:00
Chris PeBenito
08cf443ff6
Add role attributes in newrole and run_init.
2011-09-21 08:27:34 -04:00
Chris PeBenito
e3a043d18d
Convert selinuxutil over to role attributes for semanage.
2011-09-21 08:26:58 -04:00
Chris PeBenito
f718181930
Module version bump for semanage permissive mode feature support.
2011-09-13 12:43:37 -04:00
Sven Vermeulen
f12ebf31e2
Support semanage permissive mode
...
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-13 12:36:48 -04:00
Chris PeBenito
f07bc3f973
Module version and changelog for openrc and portage updates from Sven Vermeulen.
2011-09-06 14:02:12 -04:00
Chris PeBenito
ca4d39d31c
Rename init_rc_exec() to init_exec_rc().
2011-09-06 13:58:04 -04:00
Sven Vermeulen
c5cbefb892
Gentoo integrated run_init support re-executes rc
...
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:37 -04:00
Chris PeBenito
4a586153a1
Module version bump for load_policy dontaudit of leaked portage fds from Sven Vermeulen.
2011-08-25 07:46:26 -04:00
Chris PeBenito
8dc4e0f223
Whitespace fixes in selinuxutil.
2011-08-25 07:43:36 -04:00
Sven Vermeulen
5d77246f5f
Do not audit the use of portage' filedescriptors from load_policy_t
...
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).
Hence, we dontaudit this use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Chris PeBenito
78e65fb36c
Module version bump for setfiles audit message patch from Roy Li.
2011-08-23 08:21:40 -04:00
Chris PeBenito
5d834aa7dd
Whitespace fix in selinuxutil.
2011-08-23 08:21:40 -04:00
Roy.Li
0bd595020c
Make setfiles be able to send audit messages.
...
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.
The test cases to reproduce this defect:
=> restorecon -R /
=> echo $?
255
=>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
a29c7b86e1
Module version bump and Changelog for auth file patches from Matthew Ife.
2011-07-18 13:48:05 -04:00
Matthew Ife
4ff4e1c505
Replace deprecated *_except_shadow macro calls with *_except_auth_files calls.
2011-07-18 13:40:38 -04:00
Chris PeBenito
decb7de030
Module version bump and changelog for semanage update from Harry Ciao.
2011-01-10 09:21:11 -05:00
Chris PeBenito
60a2ca249e
Remove redundant semanage rule.
2011-01-10 09:20:39 -05:00
Harry Ciao
f2b3338362
semanage_t able to read from user homedirs.
...
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with below error messages.
BTW, semanage_t should be able to upgrade existing pp no matter if the
MLS is enabled or not.
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root@qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root@qemu-host:/root>
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 09:13:23 -05:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
72c8a37c2b
Setfiles fix from Gentoo.
2010-02-17 20:30:42 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
f0435b1ac4
trunk: add support for labeled booleans.
2009-01-13 13:01:48 +00:00
Chris PeBenito
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
Chris PeBenito
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
Chris PeBenito
932c3536f8
trunk: additional open fixes.
2008-11-04 14:37:05 +00:00
Chris PeBenito
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
Chris PeBenito
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
Chris PeBenito
5d4f4b5375
trunk: bump version numbers for release.
2008-10-14 15:46:36 +00:00
Chris PeBenito
04d2861035
trunk: missing bits from dan's previous round of patches.
2008-10-09 14:01:53 +00:00
Chris PeBenito
cfcf5004e5
trunk: bump versions for release.
2008-07-02 14:07:57 +00:00
Chris PeBenito
d87efeec73
trunk: fixes for gentoo targeted systems.
2008-05-27 12:07:03 +00:00
Chris PeBenito
e9c6cda7da
trunk: Move user roles into individual modules.
2008-04-29 13:58:34 +00:00
Chris PeBenito
0a14f3ae09
trunk: bump module version numbers for release.
2008-04-02 16:04:43 +00:00
Chris PeBenito
12cf805e1c
trunk: add basic ubuntu support
2008-02-05 18:24:43 +00:00
Chris PeBenito
9323a50bcc
trunk: add run_init domtrans to chk passwd.
2008-01-03 19:46:40 +00:00
Chris PeBenito
f7925f25f7
trunk: bump module versions for release.
2007-12-14 14:23:18 +00:00
Chris PeBenito
f98cfb5a29
trunk: version bump for newrole fixes.
2007-11-28 20:20:49 +00:00
Chris PeBenito
6138d3da0e
trunk: test fix for newrole.
2007-11-28 18:39:47 +00:00
Chris PeBenito
1483be1fe5
trunk: handle early boot on debian, for /dev labeling.
2007-11-26 20:22:17 +00:00
Chris PeBenito
2f5c2f23da
trunk: remove duplicate init_system_domain() call for setfiles, from Vaclav Ovsik.
2007-11-26 19:32:51 +00:00
Chris PeBenito
013783b2b1
trunk: switch newrole and run_init over to use nsswitch.
2007-11-16 15:58:23 +00:00
Chris PeBenito
53da70cdaa
trunk: deprecate seutil_manage_selinux_config() in favor of correctly named seutil_manage_config().
2007-11-16 15:39:55 +00:00
Chris PeBenito
389ad7b48d
trunk: reorganize selinuxutil.
2007-11-16 15:39:09 +00:00
Chris PeBenito
eeef8dc451
trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.
2007-11-16 14:58:17 +00:00
Chris PeBenito
ef659a476e
Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros.
2007-10-09 17:29:48 +00:00
Chris PeBenito
12e9ea1ae3
trunk: module version bumps for previous commit.
2007-10-02 17:15:07 +00:00
Chris PeBenito
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
Chris PeBenito
3480f3f239
trunk: bump version numbers for release.
2007-09-28 13:58:24 +00:00
Chris PeBenito
abc89340c4
trunk: two tiny patches from Stefan Schulze Frielinghaus
2007-09-06 19:29:54 +00:00
Chris PeBenito
f8233ab7b0
trunk: Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency.
2007-08-20 18:26:08 +00:00
Chris PeBenito
2d0c9cecaf
trunk: several MLS enhancements.
2007-08-20 15:15:03 +00:00
Chris PeBenito
d46cfe45cd
trunk: add application module
2007-07-19 18:57:48 +00:00
Chris PeBenito
116c1da330
trunk: update module version numbers for release.
2007-06-29 14:48:13 +00:00
Chris PeBenito
762d2cb989
merge restorecon into setfiles
2007-05-11 17:10:43 +00:00