nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,956 Commits 1 Branch 0 Tags 16 MiB
07dc9a3c80
Commit Graph

3996 Commits

Author SHA1 Message Date
Chris PeBenito
07dc9a3c80 Merge pull request #369 from jpds/irc-sock-and-screen-fixes 2021-05-11 08:38:37 -04:00
Jonathan Davies
5703b622cd irc.te: Allowed client access to screen runtime sock file. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:41 +01:00
Jonathan Davies
bad206ee3b screen.if: Added interface to allow executing sock file. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:41 +01:00
Jonathan Davies
508289a967 irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to 
connect to a SOCKS proxy.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:25 +01:00
Chris PeBenito
f5d97c7eda Revert "systemd.if minor fix" 
This reverts commit bf6cc10e16.
 2021-05-07 13:39:26 -04:00
Dave Sugar
d51d49eb92 Resolve when building monolithic on RHEL7 
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
	type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy:  error(s) encountered while parsing configuration
make: *** [policy.31] Error 1

This was introduced in cc8374fd24 but becuase
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2021-05-06 12:20:24 -04:00
Dave Sugar
bf6cc10e16 systemd.if minor fix 
I think this is interface not template no types are being defined.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2021-05-06 12:20:24 -04:00
Chris PeBenito
cd783138ac logging, secadm, staff, sysadm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-26 13:55:03 -04:00
Chris PeBenito
149ee62c7b Merge pull request #368 from jpds/admin-log-watch 2021-04-26 13:54:23 -04:00
Jonathan Davies
431f03f3b9 roles: Added log watching permissions to secadm and sysadm. 
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-25 19:15:08 +01:00
Jonathan Davies
5873a528a9 logging.if: Added interfaces for watching all and audit logs. 
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-25 17:50:43 +01:00
Jonathan Davies
63eb925698 staff.te: Allow staff access to the virt stream, needed for when the 
sockets are access remotely over SSH.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-24 17:14:06 +01:00
Chris PeBenito
ffdefbeb62 authlogin, hadoop, pwauth: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:53:32 -04:00
Chris PeBenito
163c153c33 authlogin: Deprecate auth_domtrans_chk_passwd(). 
This is a duplicate interface.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:40:46 -04:00
Chris PeBenito
3945473b5e authlogin: Remove redundant rule in auth_domtrans_chk_passwd(). 
This is provided by the auth_use_nsswitch() call.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:23 -04:00
Chris PeBenito
13a32a4616 authlogin: Add tunable for allowing shadow access on non-PAM systems. 
Fixes #342

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:07 -04:00
Chris PeBenito
ea9ce5970a various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-15 16:01:13 -04:00
Chris PeBenito
747b9eea23 Merge pull request #359 from 0xC0ncord/bugfix/various-20210309 2021-04-15 16:00:31 -04:00
Kenton Groombridge
cd340e1f6f bootloader, devices: dontaudit grub writing on legacy efi variables 
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-13 16:48:54 -04:00
Kenton Groombridge
8887862973 filesystem, init: allow systemd to create pstore dirs 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-12 16:33:55 -04:00
Kenton Groombridge
c0b1c7be66 init: allow systemd to rw shadow lock files 
This is in support of dynamic users.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:59 -04:00
Kenton Groombridge
26e9ec7c43 authlogin: add new type for pwd.lock and others 
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:53 -04:00
Kenton Groombridge
8eff2c5998 sysadm, systemd: various fixes 
Allow sysadm to communicate with logind over dbus and add missing rules
for systemd-logind.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
69b2259c7d various: several dontaudits 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
95dc0f0de3 udev: allow systemd-vconsole-setup to sys_tty_config 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
42d46c14bc init, udev: various fixes for systemd 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
dbecb3546d systemd: add policy for systemd-sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
403c4c3470 systemd: allow systemd-resolved to manage its own sock files 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
a838a88717 logging: allow auditd to getattr on audisp-remote binary 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
b3c1dba144 logging: allow auditd to use nsswitch 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
7b8c44ab9b init, systemd: allow logind to watch utmp 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
2166acf355 init, mount: allow systemd to watch utab 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
c56b78f0c8 mount: allow getattr on dos filesystems 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
1c552ec38f bootloader, filesystem: various fixes for grub 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:13 -04:00
Kenton Groombridge
7f1a7b1cac wireguard: allow running iptables 
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
a1a9c33e88 iptables: allow reading initrc pipes 
The systemd service calls a script which reads the saved rules from a
file piped to stdin.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
7ca9dcea1f init: modify interface to allow reading all pipes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
c46bbef5f7 udev: various fixes 
Mostly mdraid stuff and a few dontaudits.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
a6df5e653c devicekit: allow devicekit_disk_t to setsched 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
342eefd3b0 ssh: allow ssh_keygen_t to read localization 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
497cb3ca2b files, init, systemd: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:01 -04:00
Kenton Groombridge
dac8c8af27 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:43:54 -04:00
Kenton Groombridge
02b9bf0a1c redis: allow reading net and vm overcommit sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:56 -04:00
Kenton Groombridge
9051a09617 spamassassin: allow rspamd to read network sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:55 -04:00
Kenton Groombridge
d91bef2d24 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:53 -04:00
Kenton Groombridge
f137b5cdcc modutils: allow kmod to read src_t symlinks 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:51 -04:00
Kenton Groombridge
6371411e50 getty: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:49 -04:00
Kenton Groombridge
173d2a2bd0 rngd: allow reading sysfs 
rngd tries to read the rng state at boot.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:47 -04:00
Kenton Groombridge
00e210d703 redis: allow reading certs 
Required if redis is to be used with SSL/TLS

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:44 -04:00
Kenton Groombridge
fa5f878f13 usbguard: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:42 -04:00