selinux-refpolicy

Author	SHA1	Message	Date
Chris PeBenito	c63e5410a9	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-17 08:48:41 -04:00
Chris PeBenito	c2a142d762	systemd: Merge generator domains. If these processes are compromised they can write units to do malicious actions, so trying to tightly protect the resources for each generator is not effective. Made the fstools_exec() optional, although it is unlikely that a system would not have the module. Only aliases for removed types in previous releases are added. The systemd_unit_generator() interface and systemd_generator_type attribute were not released and are dropped without deprecation. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 09:47:20 -04:00
Chris PeBenito	71002cdfe0	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:57:44 -04:00
Chris PeBenito	91087f8ff1	Merge pull request #274 from bauen1/remove-dead-weight	2020-06-15 08:56:42 -04:00
Chris PeBenito	9169113d42	Merge pull request #271 from bauen1/misc-fixes-2	2020-06-15 08:56:40 -04:00
Chris PeBenito	edbe7e9af7	Merge pull request #267 from bauen1/target-systemd-sysusers	2020-06-15 08:56:24 -04:00
bauen1	fc904634ac	dpkg: domaintrans to sysusers if necessary Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:52:53 +02:00
bauen1	77f891c7bf	Remove the ada module, it is unecessary and not touched since ~2008 It is only used to allow the compiler execmem / execstack but we have unconfined_execmem_t for that. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:47:14 +02:00
bauen1	cbdf1fad22	systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e12d84181b	corecommands: correct label for debian ssh-agent helper script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	cb2d84b0d1	gpg: don't allow gpg-agent to read /proc/kcore This was probably a typo and shouldn't have been merged. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	083e5d1d58	dpkg: dpkg scripts are part of dpkg and therefor also an application domain Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	583f435c7b	systemd: systemd --user add essential permissions Allow selinux awareness (libselinux) and access to setsockcreatecon to correctly set the label of sockets. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e7fc029a95	dpkg: allow dpkg frontends to acquire lock by labeling it correctly Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
Chris PeBenito	2f097a0c6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:43:30 -04:00
bauen1	66b4101b36	systemd: maintain /memfd:systemd-state Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	a42a15dd4d	authlogin: unix_chkpwd is linked to libselinux Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	6f7bc3da46	init: systemd will run chkpwd to start user@1000 This was likely also hidden by the unconfined module. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	a5c3c70385	thunderbird: label files under /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	6ce9865e6c	systemd: fixed systemd_rfkill_t denial spam Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	a9ff07d886	postfix: add filetrans for sendmail and postfix for aliases db operations Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	0f4eb2a324	init: fix systemd boot Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	93beef3ce5	systemd-logind.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	e20db26b7b	systemd-timesyncd.service sandbox requried permissions For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.: Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	83a39ad4fd	udev.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	0a596401f1	logrotate.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	d9a58c8434	terminal: cleanup term_create interfaces Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	aa6c7f28f2	allow most common permissions for systemd sandboxing options Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:28 +02:00
Chris PeBenito	309f655fdc	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-10 15:02:27 -04:00
bauen1	8f782ae820	systemd-sysusers: add policy On systems without the unconfined module this service needs additional privileges. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-04 19:53:47 +02:00
Topi Miettinen	1d8333d7a7	Remove unlabeled packet access When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-06-03 23:16:19 +03:00
Christian Göttsche	b4180614b6	apache: quote gen_tunable name argument Match the style of tunable_policy and gen_tunable statements in userdomain Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Christian Göttsche	dcb01ec4cc	devices/storage: quote arguments to tunable_policy Match the overall style and please sepolgen-ifgen Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Chris PeBenito	c950ada4ea	openvpn: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-02 13:35:57 -04:00
McSim85	95c43ef3a4	add rule for the management socket file fixed comments from @bauen1 Signed-off-by: McSim85 <maxim@kramarenko.pro>	2020-06-02 13:58:46 +03:00
Chris PeBenito	b38804e328	init, logging: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 11:36:44 -04:00
Chris PeBenito	fe0a8d2542	Merge pull request #261 from bauen1/confined-debian-fixes	2020-05-27 11:35:49 -04:00
bauen1	be231899f5	init: replace call to init_domtrans_script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 17:09:06 +02:00
Chris PeBenito	c75b2f3642	corecommands, files, filesystem, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:52:49 -04:00
Chris PeBenito	d8da662d5e	Merge pull request #262 from bauen1/misc-fixes-1	2020-05-27 10:52:07 -04:00
Chris PeBenito	382c5f7c09	domain, setrans: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:46:47 -04:00
Chris PeBenito	5374e1ac16	Merge pull request #264 from bauen1/reenable-setrans	2020-05-27 10:46:08 -04:00
bauen1	b184f71bed	init: fix init_manage_pid_symlinks to grant more than just create permissions This was introduced in `4e842fe209` by me. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:23:18 +02:00
bauen1	ab2c353048	systemd: allow systemd-user-runtime-dir to do its job It requires access to /run/user/UID while running as root Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	7eae84a8b4	lvm-activation-generator also needs to execute lvm lvm will also try to read localization. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	ee323d3b9a	filesystem: pathcon for matching tracefs mount Prevent restorecon from trying to relabel /sys/fs/tracing . Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	c9354399f9	corecommands: proper label for unattended-upgrades helpers Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	ef0238d2d5	init: watch /etc/localtime even if it's a symlink Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	70e0d26988	files: add files_watch_etc_symlinks interface Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	9e2e343989	setrans: allow label translation for all domains. This partially reverts commit `65da822c1b` Connecting to setransd is still very much necessary for any domain that uses SELinux labels in any way. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-22 20:53:47 +02:00

1 2 3 4 5 ...

3583 Commits