Commit Graph

6470 Commits

Russell Coker
05b5de6282 matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00
Chris PeBenito
a1d36a317b puppet: Style fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:25:04 -05:00
Russell Coker
73533c0755 puppet V3
Removed the entrypoint stuff that was controversial; the rest should be fine.

I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:19:53 -05:00
Chris PeBenito
651dc11f36 Make hide_broken_symptoms unconditional.
These blocks are always enabled.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-16 12:04:21 -05:00
Chris PeBenito
e580e00bb6 cron, dbus, policykit, postfix: Minor style fixes.
No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 11:04:33 -05:00
Russell Coker
4137954aa3 dontaudit net_admin without hide_broken_symptoms
Sending this patch again without the ifdef; I agree that the ifdef isn't very
useful nowadays.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 10:58:32 -05:00
Chris PeBenito
ef910e11c5 postfix, spamassassin: Fix missed type renames after alias removals.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 07:03:34 -05:00
Russell Coker
8e633b70dd remove aliases from 20210203
This patch against version 20220106 removes the typealias rules that were in
version 20210203.  If we include this now then the typealias rules in
question will have been there for 3 consecutive releases.  But if you think
we should wait until after the next release that's OK.

It's obvious that this patch should be included sooner or later, I think now
is a reasonable time.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 06:54:26 -05:00
Chris PeBenito
d96d8b5977 Merge pull request #473 from pebenito/allow-lockdown
domain: Allow lockdown for all domains.
2022-02-04 08:37:02 -05:00
Chris PeBenito
ffe2f2294f domain: Allow lockdown for all domains.
The checks for this class were removed in 5.16.  This object
class will be removed in the future.

For more info:
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-02 15:37:28 -05:00
Chris PeBenito
6f947e604a Merge pull request #472 from bigon/dockerd_path
docker: On Debian dockerd and docker-proxy are in /usr/sbin
2022-02-02 09:22:11 -05:00
Laurent Bigonville
43cb910e38 container: On Debian, runc is installed in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:41:49 +01:00
Laurent Bigonville
5c9fa6d268 docker: On Debian dockerd and docker-proxy are in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:18:20 +01:00
Chris PeBenito
c86645f836 Merge pull request #468 from jpds/node_exporter-addition
node_exporter: Added initial policy
2022-02-01 11:59:42 -05:00
Chris PeBenito
709bfd95f9 Merge pull request #462 from pebenito/systemd-updates
Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00
Chris PeBenito
c58823f748 Merge pull request #471 from pebenito/revert-mcs-users
Revert mcs users
2022-02-01 09:15:54 -05:00
Chris PeBenito
80598ee30d systemd: Updates for generators and kmod-static-nodes.service.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
0b19aaef3c systemd: Additional fixes for fs getattrs.
This may need to be allowed more broadly.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
71b3fce22b systemd, ssh: Crypto sysctl use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
d6a676f0a6 systemd: Add systemd-homed and systemd-userdbd.
Systemd-homed does not completely work since the code does not label
the filesystems it creates.

systemd-userdbd partially derived from the Fedora policy.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:28 -05:00
Chris PeBenito
6013141bb4 Revert "users: remove MCS categories from default users"
This reverts commit 7d53784332.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-01 09:00:19 -05:00
Jonathan Davies
8d03e35e22 node_exporter: Added initial policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-02-01 00:35:54 +00:00
Chris PeBenito
32ecefdf28 Merge pull request #470 from 0xC0ncord/docker-init-daemon-domain
docker: add missing call to init_daemon_domain()
2022-01-31 08:44:06 -05:00
Kenton Groombridge
800039c671 docker: add missing call to init_daemon_domain()
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito
242e371ac2 Merge pull request #469 from cgzones/selint
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche
0e06f23e07 Revert "tests.yml: Disable policy_module() selint checks."
This reverts commit 5781a2393c.

SELint 1.2.1 supports the new policy_module syntax.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00
Chris PeBenito
f84770f5ce Merge pull request #467 from 0xC0ncord/docker-rootlesskit-optional
docker: make rootlesskit optional
2022-01-24 20:44:22 -05:00
Kenton Groombridge
70836481d0 docker: make rootlesskit optional
Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 17:39:10 -05:00
Chris PeBenito
dc2d89df05 Merge pull request #434 from 0xC0ncord/containers
Add container module
2022-01-24 14:01:18 -05:00
Kenton Groombridge
86b90b4bc7 container: allow containers to getsession
Found to be required by a jellyfin container when testing.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:08:50 -05:00
Kenton Groombridge
f4d34fcc34 lxc_contexts: add ro_file and sandbox_lxc_process contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
76f189a883 container: drop old commented rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
36289d588c docker: call rootlesskit access in docker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
5105a4c344 container, docker, rootlesskit: add support for rootless docker
Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
ad714e7c71 rootlesskit: new policy module
Rootlesskit is required by rootless docker.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
256236f2a1 systemd: add supporting interfaces for user daemons
Add an interface to allow systemd user daemons to use systemd notify and
an interface to write to the systemd user runtime named socket.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4be52b7fb3 systemd: use stream socket perms in systemd_user_app_status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
a3f32e322b systemd: allow systemd user managers to execute user bin files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
3b144c0dec userdomain: add type for user bin files
Add a type and allow execute access to executable files that may be
freely managed by users in their home directories. Although users may
normally execute anything labeled user_home_t, this type is intended to
be executed by user services such as the user's systemd --user instance.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
7dc0fb9438 container: call docker access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
29ac8a3fcf container, docker: add initial support for docker
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
81d26ac72e kernel: add filetrans interface for unlabeled dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
52dc8d8a26 container, podman: add policy for conmon
Make conmon run in a separate domain and allow podman types to
transition to it.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
34abc09255 xdg: add interface to search xdg data directories
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
321591144b container, iptables: dontaudit iptables rw on /ptmx
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
405d3aed7d container: add tunable to allow engines to mounton non security
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
e05d996f8e container: add tunables for containers to use nfs and cifs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
01e5c8e1fb container: add tunable for containers to manage cgroups
systemd running inside containers needs to be able to manage cgroups.
Add this feature behind a tunable.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4aca3bab15 container: allow containers to read read-only container files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:44 -05:00
Kenton Groombridge
e272db844c container: add policy for privileged containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00