Chris PeBenito
6f947e604a
Merge pull request #472 from bigon/dockerd_path
docker: On Debian, dockerd and docker-proxy are in /usr/sbin
2022-02-02 09:22:11 -05:00
Laurent Bigonville
43cb910e38
container: On Debian, runc is installed in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:41:49 +01:00
Laurent Bigonville
5c9fa6d268
docker: On Debian, dockerd and docker-proxy are in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:18:20 +01:00
Chris PeBenito
c86645f836
Merge pull request #468 from jpds/node_exporter-addition
node_exporter: Added initial policy
2022-02-01 11:59:42 -05:00
Chris PeBenito
709bfd95f9
Merge pull request #462 from pebenito/systemd-updates
Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00
Chris PeBenito
c58823f748
Merge pull request #471 from pebenito/revert-mcs-users
Revert mcs users
2022-02-01 09:15:54 -05:00
Chris PeBenito
80598ee30d
systemd: Updates for generators and kmod-static-nodes.service.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
0b19aaef3c
systemd: Additional fixes for fs getattrs.
This may need to be allowed more broadly.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
71b3fce22b
systemd, ssh: Crypto sysctl use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
d6a676f0a6
systemd: Add systemd-homed and systemd-userdbd.
Systemd-homed does not completely work since the code does not label
the filesystems it creates.
systemd-userdbd partially derived from the Fedora policy.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:28 -05:00
Chris PeBenito
6013141bb4
Revert "users: remove MCS categories from default users"
This reverts commit 7d53784332.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-01 09:00:19 -05:00
Jonathan Davies
8d03e35e22
node_exporter: Added initial policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-02-01 00:35:54 +00:00
Chris PeBenito
32ecefdf28
Merge pull request #470 from 0xC0ncord/docker-init-daemon-domain
docker: add missing call to init_daemon_domain()
2022-01-31 08:44:06 -05:00
Kenton Groombridge
800039c671
docker: add missing call to init_daemon_domain()
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito
242e371ac2
Merge pull request #469 from cgzones/selint
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche
0e06f23e07
Revert "tests.yml: Disable policy_module() selint checks."
This reverts commit 5781a2393c.
SELint 1.2.1 supports the new policy_module syntax.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00
Chris PeBenito
f84770f5ce
Merge pull request #467 from 0xC0ncord/docker-rootlesskit-optional
docker: make rootlesskit optional
2022-01-24 20:44:22 -05:00
Kenton Groombridge
70836481d0
docker: make rootlesskit optional
Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 17:39:10 -05:00
Chris PeBenito
dc2d89df05
Merge pull request #434 from 0xC0ncord/containers
Add container module
2022-01-24 14:01:18 -05:00
Kenton Groombridge
86b90b4bc7
container: allow containers to getsession
Found to be required by a jellyfin container when testing.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:08:50 -05:00
Kenton Groombridge
f4d34fcc34
lxc_contexts: add ro_file and sandbox_lxc_process contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
76f189a883
container: drop old commented rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
36289d588c
docker: call rootlesskit access in docker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
5105a4c344
container, docker, rootlesskit: add support for rootless docker
Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
ad714e7c71
rootlesskit: new policy module
Rootlesskit is required by rootless docker.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
256236f2a1
systemd: add supporting interfaces for user daemons
Add an interface to allow systemd user daemons to use systemd notify and
an interface to write to the systemd user runtime named socket.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4be52b7fb3
systemd: use stream socket perms in systemd_user_app_status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
a3f32e322b
systemd: allow systemd user managers to execute user bin files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
3b144c0dec
userdomain: add type for user bin files
Add a type and allow execute access to executable files that may be
freely managed by users in their home directories. Although users may
normally execute anything labeled user_home_t, this type is intended to
be executed by user services such as the user's systemd --user instance.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
7dc0fb9438
container: call docker access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
29ac8a3fcf
container, docker: add initial support for docker
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
81d26ac72e
kernel: add filetrans interface for unlabeled dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
52dc8d8a26
container, podman: add policy for conmon
Make conmon run in a separate domain and allow podman types to
transition to it.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
34abc09255
xdg: add interface to search xdg data directories
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
321591144b
container, iptables: dontaudit iptables rw on /ptmx
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
405d3aed7d
container: add tunable to allow engines to mounton non security
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
e05d996f8e
container: add tunables for containers to use nfs and cifs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
01e5c8e1fb
container: add tunable for containers to manage cgroups
systemd running inside containers needs to be able to manage cgroups.
Add this feature behind a tunable.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4aca3bab15
container: allow containers to read read-only container files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:44 -05:00
Kenton Groombridge
e272db844c
container: add policy for privileged containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
cf5b35795b
staff, unconfined: allow container user access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
819cef6a76
container: call podman access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
093e280e77
sysadm: allow container admin access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
7a0b01bd2a
container: add required admin rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
526dd08ff3
container, podman, systemd: initial support for rootless podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
e55a346fc2
container: add role access templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
31e614f7f1
systemd: add private type for systemd user manager units
Make user@.service (systemd --user) units a private type. This is in
support of container engines which may want to restart the unit, and we
can allow this access without allowing other generic units to be
interacted with.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
b3e42c3f15
dbus: add supporting interfaces and rules for rootless podman
Add interfaces to getattr and write to the session dbus socket. Also
dontaudit managing the ptrace capability in user namespaces.
Lastly, allow session dbus daemons to get the attributes of the cgroup
filesystem and the proc filesystem.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
c998839e98
filesystem: add supporting FUSEFS interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
83df290da3
container, podman: initial support for podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00