selinux-refpolicy

Commit Graph

Author	SHA1	Message	Date
Chris PeBenito	fe29a74cad	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-22 14:03:11 -05:00
Jason Zaman	d03b8ffdf5	systemd: make remaining dbus_* optional Almost all calls to dbus_ interfaces were already optional, this makes the remaining one optional_policy so that the modules can be installed / upgraded easier. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Chris PeBenito	14a45a594b	devices, filesystem, systemd, ntp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:45:11 -04:00
Chris PeBenito	785677771d	Merge pull request #313 from bootlin/buildroot-systemd-fixes	2020-10-09 09:42:40 -04:00
Chris PeBenito	b5525a3fca	systemd: Move systemd-pstore block up in alphabetical order. No rule change. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:42:31 -04:00
Antoine Tenart	e9228b49bb	systemd: allow systemd-network to list the runtime directory Fixes: avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	49a0771dd3	systemd: allow systemd-getty-generator to read and write unallocated ttys Fixes: avc: denied { read write } for pid=40 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { open } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Deepak Rawat	f5c8a117d9	Add selinux-policy for systemd-pstore service systemd-pstore is a service to archive contents of pstore. Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>	2020-10-09 03:20:09 +00:00
Chris PeBenito	39e2af539d	corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-22 08:27:05 -04:00
Antoine Tenart	fdda7befa5	systemd: allow systemd-resolve to read in tmpfs Fixes: avc: denied { read } for pid=76 comm="systemd-resolve" name="/" dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	34547434b8	systemd: allow systemd-network to get attributes of fs Fixes: avc: denied { getattr } for pid=57 comm="systemd-network" name="/" dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	1ee738f708	systemd: allow systemd-hwdb to search init runtime directories Fixes: avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f71d288e54	systemd: add extra systemd_generator_t rules Fixes: avc: denied { setfscreate } for pid=41 comm="systemd-getty-g" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1 avc: denied { dac_override } for pid=40 comm="systemd-fstab-g" capability=1 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=capability permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Chris PeBenito	c33866e1f6	selinux, init, systemd, rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-09 16:55:06 -04:00
Christian Göttsche	24827d8073	selinux: add selinux_use_status_page and deprecate selinux_map_security_files Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-09 21:00:47 +02:00
Christian Göttsche	1103350ee3	init/systemd: allow systemd to map the SELinux status page systemd v247 will access the SELinux status page. This affects all domains currently opening the label database, having the permission seutil_read_file_contexts. see https://github.com/systemd/systemd/pull/16821 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-08 13:18:18 +02:00
Chris PeBenito	72e221fd4d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-28 15:30:52 -04:00
Chris PeBenito	74b37e16db	Merge pull request #301 from bauen1/fix-selint-s-010	2020-08-28 15:26:47 -04:00
bauen1	fa59d0e9bc	selint: fix S-010 Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-28 17:39:09 +02:00
Chris PeBenito	d387e79989	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-18 09:09:10 -04:00
Chris PeBenito	ab47695bdb	files, init, modutils, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-14 09:38:09 -04:00
Chris PeBenito	e10d956f38	Merge pull request #294 from cgzones/selint	2020-08-14 09:36:44 -04:00
Yi Zhao	8322f0e0d9	Remove duplicated rules Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 10:55:31 +08:00
Christian Göttsche	09ed84b632	files/modutils: unify modules_object_t usage into files module modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 21:23:43 +02:00
Christian Göttsche	3bb507efa6	Fix several misspellings Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 14:08:58 +02:00
Chris PeBenito	613708cad6	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-04 09:30:45 -04:00
Chris PeBenito	0992763548	Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 16:03:45 -04:00
Chris PeBenito	c63e5410a9	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-17 08:48:41 -04:00
Chris PeBenito	c2a142d762	systemd: Merge generator domains. If these processes are compromised they can write units to do malicious actions, so trying to tightly protect the resources for each generator is not effective. Made the fstools_exec() optional, although it is unlikely that a system would not have the module. Only aliases for removed types in previous releases are added. The systemd_unit_generator() interface and systemd_generator_type attribute were not released and are dropped without deprecation. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 09:47:20 -04:00
Chris PeBenito	71002cdfe0	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:57:44 -04:00
Chris PeBenito	9169113d42	Merge pull request #271 from bauen1/misc-fixes-2	2020-06-15 08:56:40 -04:00
Chris PeBenito	edbe7e9af7	Merge pull request #267 from bauen1/target-systemd-sysusers	2020-06-15 08:56:24 -04:00
bauen1	fc904634ac	dpkg: domaintrans to sysusers if necessary Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:52:53 +02:00
bauen1	cbdf1fad22	systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	583f435c7b	systemd: systemd --user add essential permissions Allow selinux awareness (libselinux) and access to setsockcreatecon to correctly set the label of sockets. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
Chris PeBenito	2f097a0c6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:43:30 -04:00
bauen1	6ce9865e6c	systemd: fixed systemd_rfkill_t denial spam Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	93beef3ce5	systemd-logind.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	8f782ae820	systemd-sysusers: add policy On systems without the unconfined module this service needs additional privileges. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-04 19:53:47 +02:00
Chris PeBenito	c75b2f3642	corecommands, files, filesystem, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:52:49 -04:00
bauen1	ab2c353048	systemd: allow systemd-user-runtime-dir to do its job It requires access to /run/user/UID while running as root Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	7eae84a8b4	lvm-activation-generator also needs to execute lvm lvm will also try to read localization. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
Chris PeBenito	5b171c223a	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-14 10:32:30 -04:00
bauen1	4f9772e309	systemd-fstab-generator needs to know about all mountpoints Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:30 +02:00
Chris PeBenito	4ae3713c45	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-04 08:55:09 -04:00
Daniel Burgener	5ba931d49d	Fix a few places where command line applications were only granted one of tty or pty permissions and could be used from either Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-04-30 14:53:31 -04:00
Chris PeBenito	d401ff2a21	systemd, ssh, wm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-04-24 10:22:30 -04:00
Chris PeBenito	01990a484e	corenetwork, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-04-22 10:21:45 -04:00
Chris PeBenito	4ebd33c46d	Merge pull request #234 from topimiettinen/systemd-networkd-allow-icmp-dhcpc	2020-04-22 10:21:16 -04:00
Topi Miettinen	a3b688d1cf	Allow systemd-networkd to handle ICMP and DHCP packets Allow systemd-networkd to send and receive ICMPv6 Router Solicitation and Router Advertisement packets (in reality all ICMP/ICMPv6 packets) and DHCP client packets. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-04-22 15:46:56 +03:00

1 2 3 4 5

226 Commits