selinux-refpolicy/policy/modules/system
Guido Trentalancia 39e550f9ee Improve tunable support for rw operations on noxattr fs / removable media
Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable
  write operations on filesystems that do not support extended
  attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
  control the execution of files from filesystems that do not
  support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
  enables write operations on removable devices (such as
  external removable USB memory, USB mobile phones, etc.).

Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.

Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.

Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).

This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-07 17:43:16 -04:00
application.fc
application.if
application.te
authlogin.fc authlogin: remove fcontext for /var/run/user 2016-06-01 13:22:39 -04:00
authlogin.if Implement core systemd policy. 2015-10-23 10:16:59 -04:00
authlogin.te Module version bumps + contrib update for user_runtime from Jason Zaman. 2016-06-01 13:34:14 -04:00
clock.fc
clock.if Rearrange interfaces in files, clock, and udev. 2012-10-30 14:16:30 -04:00
clock.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
fstools.fc fstools: add in filetrans for /run dir 2015-04-15 12:16:32 -04:00
fstools.if system/fstools.if: Add fstools_use_fds interface 2014-08-18 15:24:46 -04:00
fstools.te Bump module versions for release. 2015-12-08 09:53:02 -05:00
getty.fc
getty.if
getty.te Module version bump for getty patch from Luis Ressel. 2016-03-07 10:15:37 -05:00
hostname.fc
hostname.if
hostname.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
hotplug.fc
hotplug.if
hotplug.te Bump module versions for release. 2014-03-11 08:16:57 -04:00
init.fc Implement core systemd policy. 2015-10-23 10:16:59 -04:00
init.if Fix typo in init_dbus_chat requirements 2016-01-19 00:17:05 +01:00
init.te Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
ipsec.fc system/ipsec: Add policy for StrongSwan 2015-10-12 09:16:28 -04:00
ipsec.if Add systemd units for core refpolicy services. 2015-10-23 10:17:46 -04:00
ipsec.te Bump module versions for release. 2015-12-08 09:53:02 -05:00
iptables.fc iptables: add fcontext for nftables 2016-05-16 09:13:30 -04:00
iptables.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
iptables.te Module version bump for nftables fc entry from Jason Zaman. 2016-05-16 09:20:30 -04:00
libraries.fc libraries: Move libsystemd fc entry. 2016-08-02 20:21:24 -04:00
libraries.if
libraries.te libraries: Module version bump for libsystemd fc entry from Lukas Vrabec. 2016-08-02 20:22:06 -04:00
locallogin.fc
locallogin.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
locallogin.te Bump module versions for release. 2015-12-08 09:53:02 -05:00
logging.fc Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
logging.if Add systemd units for core refpolicy services. 2015-10-23 10:17:46 -04:00
logging.te Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
lvm.fc Add systemd units for core refpolicy services. 2015-10-23 10:17:46 -04:00
lvm.if Add systemd units for core refpolicy services. 2015-10-23 10:17:46 -04:00
lvm.te Update the lvm module 2016-09-07 17:43:16 -04:00
metadata.xml
miscfiles.fc Label /etc/locale.alias as locale_t on Debian 2014-04-21 09:02:26 -04:00
miscfiles.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
miscfiles.te Bump module versions for release. 2014-12-03 13:37:38 -05:00
modutils.fc split kmod fc into two lines. 2012-10-02 10:08:09 -04:00
modutils.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
modutils.te Bump module versions for release. 2015-12-08 09:53:02 -05:00
mount.fc Rearrange ZFS fc entries. 2014-01-21 08:55:28 -05:00
mount.if system/mount.if: Add mount_rw_loopback_files interface 2014-08-18 15:24:46 -04:00
mount.te Bump module versions for release. 2014-12-03 13:37:38 -05:00
netlabel.fc
netlabel.if
netlabel.te Bump module versions for release. 2015-12-08 09:53:02 -05:00
selinuxutil.fc Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
selinuxutil.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
selinuxutil.te Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
setrans.fc Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
setrans.if Add systemd units for core refpolicy services. 2015-10-23 10:17:46 -04:00
setrans.te Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
sysnetwork.fc Label /sbin/iw as ifconfig_exec_t 2014-10-23 08:07:44 -04:00
sysnetwork.if hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd) 2013-09-27 15:13:19 -04:00
sysnetwork.te Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
systemd.fc Add policy for systemd-resolved 2016-05-26 08:52:23 -04:00
systemd.if systemd: Add support for --log-target 2016-03-31 08:22:50 -04:00
systemd.te Module version bump for systemd-resolved patch from Laurent Bigonville. 2016-05-26 08:53:00 -04:00
udev.fc Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t 2014-04-21 10:15:51 -04:00
udev.if Implement core systemd policy. 2015-10-23 10:16:59 -04:00
udev.te Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
unconfined.fc Simplify .fc in light of file_contexts.subs_dist 2012-05-10 10:09:00 -04:00
unconfined.if Allow unconfined domains to use syslog capability 2014-06-09 09:28:33 -04:00
unconfined.te Bump module versions for release. 2014-12-03 13:37:38 -05:00
userdomain.fc userdomain: Introduce types for /run/user 2016-06-01 13:22:39 -04:00
userdomain.if Improve tunable support for rw operations on noxattr fs / removable media 2016-09-07 17:43:16 -04:00
userdomain.te Improve tunable support for rw operations on noxattr fs / removable media 2016-09-07 17:43:16 -04:00