Commit Graph

6470 Commits

Author SHA1 Message Date
Kenton Groombridge
cf5b35795b staff, unconfined: allow container user access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
819cef6a76 container: call podman access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
093e280e77 sysadm: allow container admin access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
7a0b01bd2a container: add required admin rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
526dd08ff3 container, podman, systemd: initial support for rootless podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
e55a346fc2 container: add role access templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
31e614f7f1 systemd: add private type for systemd user manager units
Make user@.service (systemd --user) units a private type. This is in
support of container engines which may want to restart the unit, and we
can allow this access without allowing other generic units to be
interacted with.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
b3e42c3f15 dbus: add supporting interfaces and rules for rootless podman
Add interfaces to getattr and write to the session dbus socket. Also
dontaudit managing the ptrace capability in user namespaces.

Lastly, allow session dbus daemons to get the attributes of the cgroup
filesystem and the proc filesystem.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
c998839e98 filesystem: add supporting FUSEFS interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
83df290da3 container, podman: initial support for podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
678242b878 container: allow containers to watch all container files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
10262cdae8 container: allow containers various userns capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
d098ffc59d container: allow containers the chroot capability
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
cec7f0d3e2 various: various userns capability permissions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
8d5d89c1e6 container, mount: allow mount to getattr on container fs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
6a1052077f container: allow containers to use container ptys
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
262cee592b container, gpg, userdom: allow container engines to execute gpg
Container engines need to be able to execute gpg in order to verify
container image signatures if they are signed.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
ed054cc543 container: initial support for container engines
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:01 -05:00
Kenton Groombridge
ab36308baa container: add base attributes for containers and container engines
And split container network access to container_net_domain

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:36 -05:00
Kenton Groombridge
8d904bb54f various: make various types a mountpoint for containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:35 -05:00
Kenton Groombridge
5f86d07ddc container: add interface to identify container mountpoints
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:34 -05:00
Kenton Groombridge
a3cd63ca9a container: fixup rules
Move a common container rule to the proper location, remove a redundant
access, and make container files an entrypoint for containers.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:33 -05:00
Kenton Groombridge
172446cf66 container: svirt_lxc_net_t is now container_t
svirt_lxc_domain is now container_domain and svirt_lxc_net_t is now
container_t.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:32 -05:00
Kenton Groombridge
729bb32388 container, virt: move svirt lxc domains to new container module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:28 -05:00
Kenton Groombridge
c7ce013889 sysnetwork: add interfaces for /run/netns
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:27 -05:00
Kenton Groombridge
2de1dc6c39 init: allow systemd to renice all other domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:26 -05:00
Kenton Groombridge
43c778e646 init: add interface to setsched on init
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:25 -05:00
Kenton Groombridge
00d16e45f8 userdom: add interfaces to relabel generic user home content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:24 -05:00
Kenton Groombridge
b2ed289221 systemd: add interface to dbus chat with systemd-machined
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:23 -05:00
Kenton Groombridge
582f390f85 init: add interface to run init bpf programs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:22 -05:00
Kenton Groombridge
c9eb093f2b devices: add interfaces to remount sysfs and device filesystems
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:21 -05:00
Kenton Groombridge
dea8a63ed3 devices, kernel: deprecate dev_mounton_sysfs
dev_mounton_sysfs is a duplicate of dev_mounton_sysfs_dirs

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:20 -05:00
Kenton Groombridge
bd5fb161df kernel, rpc, systemd: deprecate kernel_mounton_proc
Deprecate kernel_mounton_proc in favor of kernel_mounton_proc_dirs. The
former seems to be a duplicate interface. Also fixup the summary of
kernel_mounton_proc_dirs.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:19 -05:00
Kenton Groombridge
842b390ff1 kernel: add various supporting interfaces for containers
kernel: add interface to getattr on nsfs filesystems
kernel: add interface to dontaudit searching fs sysctls

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:17 -05:00
Chris PeBenito
8f0f10e527 Merge pull request #465 from hbakken/work/snmp-fix-typo
snmp: Fix typo in /var/net-snmp rule
2022-01-20 16:04:40 -05:00
Henrik Grindal Bakken
f51824e800 snmp: Fix typo in /var/net-snmp rule
Signed-off-by: Henrik Grindal Bakken <henribak@cisco.com>
2022-01-19 10:24:42 +01:00
Chris PeBenito
d55544121b Merge pull request #454 from jpds/rwnetlinksocketperms-typo
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
2022-01-11 15:04:31 -05:00
Jonathan Davies
6178cd096b policy/*: Replaced rw_netlink_socket_perms with create_netlink_socket_perms.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-01-11 19:44:11 +00:00
Chris PeBenito
a440f1d90f Merge pull request #461 from pebenito/journal-mls
systemd: Change journal file context to MLS system high.
2022-01-11 08:20:52 -05:00
Chris PeBenito
e09733d6b4 systemd: Change journal file context to MLS system high.
Fixes issues like this:

audit(1640354247.630:3): op=security_validate_transition seresult=denied
oldcontext=system_u:object_r:systemd_journal_t:s15:c0.c1023
newcontext=system_u:object_r:systemd_journal_t:s0
taskcontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 tclass=file

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-01-10 08:41:59 -05:00
Chris PeBenito
9fc775c3cb Merge pull request #459 from 0xC0ncord/user-mcs-removal
Remove MCS categories from default users
2022-01-09 07:45:09 -05:00
Kenton Groombridge
499b35eac9 various: remove various mcs ranged transitions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:28 -05:00
Kenton Groombridge
7d53784332 users: remove MCS categories from default users
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:22 -05:00
Chris PeBenito
bfc448e688 Merge pull request #456 from pebenito/drop-module-versioning
Drop module versioning.
2022-01-06 11:09:21 -05:00
Chris PeBenito
5781a2393c tests.yml: Disable policy_module() selint checks.
It does not support single-parameter policy_module().

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:20:18 -05:00
Chris PeBenito
78276fc43b Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00
Chris PeBenito
60a3d5af67 modutils: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:11:09 -05:00
Chris PeBenito
7e871f6573 Merge pull request #451 from yizhao1/kmod-fixes
2022-01-06 08:37:45 -05:00
Yi Zhao
b7258b3d6d modutils: allow kmod_t to write keys
Fixes:
$ modprobe cfg80211
kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
kernel: cfg80211: loaded regulatory.db is malformed or signature is missing/invalid

avc:  denied  { write } for  pid=219 comm="modprobe"
scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
tclass=key permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-01-06 10:10:50 +08:00
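The two commits above (e09733d6b4 and b7258b3d6d) each quote the audit record that motivated the policy change. The script below is an added example, not code from the refpolicy project or any of the authors on this page: it parses such records and shows the two different outcomes they call for. An AVC denial like the kmod_t one maps directly to a candidate allow rule (collapsing a same-type target to `self`, as the accepted fix does), while a validate_transition denial that keeps the type and only changes the MLS range, as in the journal case, is not something to "allow"; upstream fixed it by labelling the files system high instead. The first two log lines are the page's own records re-joined onto single lines; the `type=` prefixes, the timestamps on the AVC lines, the third multi-permission line and all function names are constructed here.

```python
"""Turn SELinux audit denials into candidate policy rules.

Added example for this page; not refpolicy project code.  The first two
log lines are the denials quoted in commits e09733d6b4 and b7258b3d6d,
re-joined onto single lines; the "type=" prefixes and the third line
are constructed here to look like auditd output.
"""
import re

SAMPLE_LOG = """\
type=AVC msg=audit(1641427850.123:45): avc:  denied  { write } for  pid=219 comm="modprobe" scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t tclass=key permissive=0
type=SELINUX_ERR msg=audit(1640354247.630:3): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:systemd_journal_t:s15:c0.c1023 newcontext=system_u:object_r:systemd_journal_t:s0 taskcontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 tclass=file
type=AVC msg=audit(1641427851.000:46): avc:  denied  { read open } for  pid=300 comm="podman" scontext=system_u:system_r:container_t tcontext=system_u:object_r:container_file_t tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def split_context(ctx):
    """Split user:role:type[:range]; range is None on a non-MLS policy."""
    parts = ctx.split(":", 3)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) > 3 else None,
    }


def parse_record(line):
    """Parse one audit record into a dict; None for records that are
    neither AVC decisions nor validate_transition errors."""
    m = AVC_RE.search(line)
    if m:
        f = dict(KV_RE.findall(m.group("rest")))
        return {
            "kind": "avc",
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "comm": f.get("comm", "").strip('"'),
            "scontext": f["scontext"],
            "tcontext": f["tcontext"],
            "tclass": f["tclass"],
        }
    if "op=security_validate_transition" in line:
        f = dict(KV_RE.findall(line))
        return {
            "kind": "validate_transition",
            "result": f["seresult"],
            "oldcontext": f["oldcontext"],
            "newcontext": f["newcontext"],
            "taskcontext": f["taskcontext"],
            "tclass": f["tclass"],
        }
    return None


def suggest_rule(rec):
    """Write the allow rule an AVC denial asks for; same source and
    target type collapse to 'self' (the kmod_t key case).  Whether to
    allow, dontaudit or relabel instead remains a human decision."""
    src = split_context(rec["scontext"])["type"]
    tgt = split_context(rec["tcontext"])["type"]
    target = "self" if src == tgt else tgt
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {src} {target}:{rec['tclass']} {perms};"


def explain_transition(rec):
    """Describe a validate_transition denial.  Same type with only the
    MLS range changed (the journal case) is a labelling problem, not a
    missing allow rule."""
    old = split_context(rec["oldcontext"])
    new = split_context(rec["newcontext"])
    task = split_context(rec["taskcontext"])["type"]
    if old["type"] == new["type"] and old["range"] != new["range"]:
        return (f"{task} tried to relabel {old['type']} {rec['tclass']} "
                f"from range {old['range']} to {new['range']}; "
                f"same type, MLS range change only")
    return f"{task} tried to relabel {old['type']} to {new['type']}"


def summarize(log):
    """Return (deduplicated allow-rule candidates, transition notes)
    for every denied record in the log text."""
    rules, transitions = [], []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["kind"] == "avc":
            rule = suggest_rule(rec)
            if rule not in rules:
                rules.append(rule)
        else:
            transitions.append(explain_transition(rec))
    return rules, transitions


if __name__ == "__main__":
    rules, transitions = summarize(SAMPLE_LOG)
    print("\n".join(rules + transitions))
```

Run it against `ausearch -m AVC,SELINUX_ERR` output instead of `SAMPLE_LOG` to triage a real box. The rule text is deliberately the raw class/permission form rather than a refpolicy interface call: finding the right interface (or deciding that the correct fix is a new type or file context, as the journal commit did) is the part that still needs a policy author.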
Jonathan Davies
5abf92037f obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-01-04 16:27:16 +00:00