Chris PeBenito
51d0d6d15e
logging: Add audit_control for journald.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:38 -05:00
Chris PeBenito
580c3da195
systemd: User runtime reads user cgroup files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:35 -05:00
Chris PeBenito
c66fefcbf1
systemd: Revise tmpfiles factory to allow writing all configs.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:33 -05:00
Chris PeBenito
6ce1e64c49
systemd: Unit generator fixes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:30 -05:00
Chris PeBenito
96ea14ed59
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:25 -05:00
Kenton Groombridge
64380b4d33
wine: fix roleattribute statement
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-16 12:11:59 -05:00
Chris PeBenito
096eb775fa
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-15 15:34:27 -05:00
Chris PeBenito
55d91c13f3
Merge pull request #415 from 0xC0ncord/constraints-update
2021-11-15 15:34:06 -05:00
Chris PeBenito
af39a6ed86
Merge pull request #432 from vmojzis/warning
Report warning on duplicate definition of interface
2021-11-15 08:56:21 -05:00
Vit Mojzis
051d166cd0
Improve error message on duplicate definition of interface
Specify which file contains the original definition.
Old:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on 284.
New:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on
/usr/share/selinux/devel/include/contrib/ipa.if:284.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-11-15 10:23:48 +01:00
Chris PeBenito
47a229198d
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-14 18:57:40 -05:00
Chris PeBenito
e0d1b94c8e
Merge pull request #412 from 0xC0ncord/bugfix/systemd-user-exec-apps-hookup
2021-11-14 18:57:19 -05:00
Kenton Groombridge
a29cb4a2b3
guest, xguest: remove apache role access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-12 14:57:36 -05:00
Kenton Groombridge
5ea601c011
mcs: only constrain mcs_constrained_type for db accesses
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:59:08 -05:00
Kenton Groombridge
b006b259f4
mcs: constrain context contain access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:56:27 -05:00
Kenton Groombridge
e701e18e7f
corenet: make netlabel_peer_t mcs constrained
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:30 -05:00
Kenton Groombridge
e7fb65980f
various: deprecate mcs override interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:26 -05:00
Kenton Groombridge
10bfc890d2
mcs: combine single-level object creation constraints
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:18 -05:00
Kenton Groombridge
d355d046d2
mcs: constrain misc IPC objects
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:12 -05:00
Kenton Groombridge
814d4d3f38
mcs: add additional constraints to databases
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:09 -05:00
Chris PeBenito
2d371fcee2
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-09 11:13:37 -05:00
Chris PeBenito
9369323629
Merge pull request #429 from 0xC0ncord/various-20211106
2021-11-09 11:13:21 -05:00
Kenton Groombridge
b24d350780
spamassassin: fix file contexts for rspamd symlinks
rspamd installs symlinks to /usr/bin that point to the real rspam*
binaries. Make these files bin_t so that other programs can read them
without any additional access needed.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
282c291cb2
policykit, systemd: allow policykit to watch systemd logins and sessions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
2e6cc2d281
netutils: fix ping
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
ae0a8b7fba
bind: fixes for unbound
Unbound maintains a copy of the root key in /etc/unbound/cache and needs
to be able to manage it.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
60d3cf03ed
asterisk: allow reading generic certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
82767eaade
sysadm, systemd: fixes for systemd-networkd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
397d4a379f
ssh: fix for polyinstantiation
If using polyinstantiation, sshd needs to be able to create a new tmp
directory for remote users.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
19d787597f
usbguard, sysadm: misc fixes
Fixes for usbguard and allow sysadm to connect to usbguard to manage
devices at runtime.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:48 -05:00
Kenton Groombridge
2d33258db7
certbot, various: allow various services to read certbot certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 11:05:44 -05:00
Chris PeBenito
85a3e84a92
Merge pull request #431 from 0xC0ncord/git-type
2021-11-09 11:01:59 -05:00
Chris PeBenito
8500c2da93
Merge pull request #430 from jpds/virt-common-fix
2021-11-09 11:01:42 -05:00
Chris PeBenito
5c942164e4
Merge pull request #426 from yizhao1/passwd
2021-11-09 11:01:20 -05:00
Chris PeBenito
8269a22128
Merge pull request #425 from yizhao1/bind
2021-11-09 11:01:04 -05:00
Chris PeBenito
17b8159a95
Merge pull request #424 from yizhao1/rngd
2021-11-09 11:00:55 -05:00
Chris PeBenito
494e35fcc3
Merge pull request #423 from cgzones/ramfs
2021-11-09 11:00:49 -05:00
Chris PeBenito
1570c0a58d
Merge pull request #419 from 0xC0ncord/noxattrfs-split
2021-11-09 11:00:37 -05:00
Kenton Groombridge
fbadd1ae4f
mta, spamassassin: fixes for rspamd
rspamc needs to be able to read the mail spool when learning spam and
ham.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 10:59:41 -05:00
Kenton Groombridge
a531f60b2a
dovecot, spamassassin: allow dovecot to execute spamc
Allow dovecot to execute spamc in order to learn spam and ham when a
user manipulates spam mails in their mailbox.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 10:59:37 -05:00
Kenton Groombridge
bfc4fb4955
git: fix typo in git hook exec access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-08 11:59:03 -05:00
Jonathan Davies
d4080ab8bd
virt.te: Fixed typo in virtlogd_t virt_common_runtime_t manage_files_pattern.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-11-08 15:59:36 +00:00
Kenton Groombridge
46346a1e5d
devices: make usbfs pseudofs instead of noxattrfs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-02 23:11:08 -04:00
Kenton Groombridge
fe122d7ff8
fs: add pseudofs attribute and interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-02 23:11:05 -04:00
Yi Zhao
d173de67de
passwd: allow passwd to map SELinux status page
We encountered a passwd runtime error with selinux 3.3:
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted
Fixes:
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-31 23:44:56 +08:00
Yi Zhao
31c276c7b4
bind: fixes for bind
* add fcontext for /etc/rc.d/init.d/bind and /etc/bind/rndc.conf
* add getsched for named process
Fixes:
avc: denied { getsched } for pid=418 comm="named"
scontext=system_u:system_r:named_t tcontext=system_u:system_r:named_t
tclass=process permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-31 00:17:55 +08:00
Yi Zhao
5a24f59407
dbus: allow dbus-daemon to map SELinux status page
Fixes:
avc: denied { map } for pid=328 comm="dbus-daemon"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:security_t tclass=file permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-30 16:28:40 +08:00
Yi Zhao
39858a7528
rngd: fixes for rngd
* allow rngd_t to read certificates
* allow rngd_t to getsched/setsched
Fixes:
avc: denied { search } for pid=332 comm="rngd" name="ssl" dev="vda"
ino=588 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=dir permissive=1
avc: denied { read } for pid=332 comm="rngd" name="openssl.cnf"
dev="vda" ino=849 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=file permissive=1
avc: denied { open } for pid=332 comm="rngd" path="/etc/ssl/openssl.cnf"
dev="vda" ino=849 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=file permissive=1
avc: denied { getattr } for pid=332 comm="rngd"
path="/etc/ssl/openssl.cnf" dev="vda" ino=849
scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:cert_t
tclass=file permissive=1
avc: denied { getsched } for pid=370 comm="rngd"
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
tclass=process permissive=1
avc: denied { setsched } for pid=370 comm="rngd"
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
tclass=process permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-30 14:19:58 +08:00
Kenton Groombridge
39a19daa3c
mcs: restrict create, relabelto on mcs files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-29 16:53:26 -04:00
Kenton Groombridge
8d83b25353
mcs: deprecate mcs overrides
Deprecate mcs overrides in favor of using mcs_constrained_type.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-29 16:53:25 -04:00