Commit Graph

6076 Commits

Author SHA1 Message Date
Kenton Groombridge
b7980a45fc irc, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
56a50fb56c gpg, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
7cd14e0c49 gnome, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
d5246d98aa games, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
ab30d35882 evolution, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
8875024efc dirmngr, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
95cf374eee cron, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
4d7eb76fb9 chromium, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
99c2c94507 cdrecord, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
afa5769b4c bluetooth, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
386d00de34 authlogin, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
b90d40db67 xserver, roles, various: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
dd7abf1f47 xscreensaver, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:33 -04:00
Kenton Groombridge
a3f02b2f6c syncthing, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:24 -04:00
Kenton Groombridge
3d11a43da1 sudo, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Kenton Groombridge
562d61bda9 ssh, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Kenton Groombridge
86462c81ec postgresql, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Kenton Groombridge
48a7d3db51 git, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Kenton Groombridge
150353158a screen, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Kenton Groombridge
76a6ee4fb9 apache, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:12 -04:00
Chris PeBenito
e49243a08f authlogin: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-08 10:41:12 -04:00
Chris PeBenito
b51a297af5 Merge pull request #411 from besser82/topic/besser82/tcb
2021-10-08 10:40:53 -04:00
Björn Esser
bc88a1ca4b authlogin: add fcontext for tcb
tcb is an alternative password shadowing scheme used by some Linux
distributions, like ALT Linux, Mandriva, OWL, and some others.

The /etc/tcb directory tree is used to store a single shadow file
inside of a subdirectory created for every local user.

The tcb_chkpwd binary is meant to provide the same functionality
as the unix_chkpwd binary.

The tcb_convert and tcb_unconvert binaries are used for conversions
from a UNIX shadow file to the tcb password shadowing scheme and
vice-versa.

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-10-08 00:58:37 +02:00
Chris PeBenito
2ef2028c57 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:59:44 -04:00
Chris PeBenito
6e8ba12dcb Merge pull request #410 from pedrxd/nginxcache
2021-10-05 14:59:06 -04:00
Chris PeBenito
6c1f5fb926 Merge pull request #406 from 0xC0ncord/git-type
2021-10-05 14:58:17 -04:00
Chris PeBenito
0f2ed8ae16 filesystem: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:49:56 -04:00
Gao Xiang
a885f70d50 Add erofs as a SELinux capable file system
EROFS supported the security xattr handler from Linux v4.19.
Add erofs to the filesystem policy now.

Reported-by: David Michael <fedora.dm0@gmail.com>
Signed-off-by: Gao Xiang <xiang@kernel.org>
2021-10-05 14:49:16 -04:00
Pedro
26db30a650 File context for nginx cache files
Signed-off-by: Pedro <peruvapedro99@gmail.com>
2021-10-04 14:48:10 +02:00
Kenton Groombridge
64e637d895 git, roles: add policy for git client
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-01 13:19:52 -04:00
Chris PeBenito
338d05482a wireguard: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-28 13:14:34 -04:00
Chris PeBenito
247b1300ad Merge pull request #408 from ffontaine/master
2021-09-28 13:13:52 -04:00
Chris PeBenito
f60be8247a Merge pull request #409 from yizhao1/fix
rpc: remove obsolete comment line
2021-09-28 11:55:31 -04:00
Yi Zhao
5968e9eae0 rpc: remove obsolete comment line
There is no fs_manage_nfsd_fs interface.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-09-27 11:25:45 +08:00
Fabrice Fontaine
67394d078c policy/modules/services/wireguard.te: make iptables optional
Make iptables optional to avoid the following build failure raised since
version 2.20210908 and 7f1a7b1cac:

 Compiling targeted policy.33
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
 policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
 #line 66
	allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.33] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-22 23:55:59 +02:00
Kenton Groombridge
4264f9050a userdomain: add interface to allow mapping all user home content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:01:01 -04:00
Kenton Groombridge
261768bf10 ssh: add interface to execute and transition to ssh client
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:00:56 -04:00
Chris PeBenito
b19be25429 systemd, userdomain, wm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 13:55:26 -07:00
Chris PeBenito
938453ddb1 Merge pull request #381 from 0xC0ncord/bugfix/systemd-user-exec-apps
2021-09-14 13:23:23 -07:00
Kenton Groombridge
b91c6062ac wm: add user exec domain attribute to wm domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:48 -04:00
Kenton Groombridge
1a0d3bcfbd systemd: add interface to support monitoring and output capturing of
child processes

The 'systemd_user_app_status' interface is intended to be used by any
interfaces or templates that grant run access to a user domain. These
rules are to support a situation in which an app run by a systemd user
instance runs another, and to allow that app to have its status and output
captured by the systemd user instance (i.e. to journald) without
explicitly granting permissions for the systemd user instance to run
that application.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:41 -04:00
Kenton Groombridge
f151d36e5b systemd: assign user exec attribute to systemd --user instances
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:43 -04:00
Kenton Groombridge
84e26170a1 userdomain: add user exec domain attribute and interface
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:39 -04:00
Chris PeBenito
24701593d2 chronyd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 06:37:22 -07:00
Chris PeBenito
3c0eccb2df Merge pull request #404 from jpds/chronyd/netadmin
2021-09-14 06:33:41 -07:00
Jonathan Davies
f3ff01e332 chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access net_admin
capability, this is required for its `hwtimestamp` option, which otherwise returns:

    ioctl(SIOCSHWTSTAMP) failed : Operation not permitted

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-09-13 23:35:09 +01:00
Chris PeBenito
c804cef2c8 samba: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-13 13:21:56 -07:00
Chris PeBenito
3988924056 Merge pull request #407 from ffontaine/master
2021-09-13 13:20:12 -07:00
Fabrice Fontaine
ce436299be policy/modules/services/samba.te: make crack optional
Make crack optional to avoid the following build failure:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
 	allow smbd_t crack_db_t:dir { getattr search open };
 #line 399
 checkpolicy:  error(s) encountered while parsing configuration

Fixes:
 - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-09 07:48:33 +02:00
Chris PeBenito
c2254a64b9 Update Changelog and VERSION for release 2.20210908.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:53:44 -04:00