This will enable su_restricted_domain_template where it was meant to be
enabled before, but was not actually.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
The ubifs in linux kernel supported the security xattr handler as early
as version 3.19.0 -rc6. Now add ubifs to the filesystem policy.
Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
After commit cc8374fd24 (various: systemd
user fixes and additional support), the dbus_role_template is required
for all roles. Move it to userdom_common_user_template.
Before the patch if set DISTRO=redhat:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user
After the patch:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.
Also declare templates not using those features and not calling
templates themselves as interfaces.
These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.31] Error 1
This was introduced in cc8374fd24 but becuase
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
This normally uses memfd which uses posix shm under the hood.
Additionally, a direct shm use is a fallback if memfd is not available.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
