Commit Graph

4289 Commits

Author SHA1 Message Date
Chris PeBenito
0e80a8a7cf Revert "bootloader: stricter permissions and more tailored file contexts"
This reverts commit b0c13980d2.
2017-02-11 14:26:48 -05:00
Chris PeBenito
cd29a19479 Fix contrib commit. 2017-02-08 17:19:26 -05:00
Chris PeBenito
aeea0d9f3f mon policy from Russell Coker. 2017-02-08 16:56:09 -05:00
Chris PeBenito
2fdc11be47 Update contrib. 2017-02-07 19:09:45 -05:00
Chris PeBenito
7aafe9d8b7 Systemd tmpfiles fix for kmod.conf from Russell Coker. 2017-02-07 19:03:59 -05:00
Chris PeBenito
69da46ae18 usrmerge FC fixes from Russell Coker. 2017-02-07 18:51:58 -05:00
Chris PeBenito
2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito
c205e90e75 Update Changelog and VERSION for release. 2017-02-04 13:30:54 -05:00
Chris PeBenito
69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito
23001afc0c Module version bump for xkb fix from Jason Zaman. 2017-01-29 12:48:01 -05:00
Jason Zaman
20c5fddc08 xserver: allow X roles to read xkb libs to set keymaps
commit d76d9e13b1
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc:  denied  { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
2017-01-29 12:47:22 -05:00
Chris PeBenito
a848a0d465 Module version bump for cups patch from Guido Trentalancia. 2017-01-23 18:50:53 -05:00
Guido Trentalancia
3254ed2759 udev: execute HPLIP applications in their own domain
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-23 18:49:31 -05:00
Chris PeBenito
81bd76fe85 Fix contrib. 2017-01-15 13:33:25 -05:00
Chris PeBenito
24016954fb Update contrib. 2017-01-15 13:18:09 -05:00
Stephen Smalley
4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Chris PeBenito
b05d72b0d3 Module version bump for cpu_online genfscon from Laurent Bigonville. 2017-01-09 20:36:27 -05:00
Laurent Bigonville
3d8669d8ce Use genfscon to label /sys/devices/system/cpu/online as cpu_online_t
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.

This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.

Thanks to Dominick for the tip.
2017-01-09 20:35:47 -05:00
Chris PeBenito
0fe21742cd Module version bumps for patches from cgzones. 2017-01-09 20:34:15 -05:00
Chris PeBenito
a00d401c1b Merge branch 'auditd_fixes' of git://github.com/cgzones/refpolicy 2017-01-09 18:19:35 -05:00
Chris PeBenito
694e85cc6f Merge branch 'unconfined_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:13:47 -05:00
Chris PeBenito
9387d5c324 Merge branch 'files_search_src' of git://github.com/cgzones/refpolicy 2017-01-09 18:12:38 -05:00
Chris PeBenito
41661ed4b3 Merge branch 'terminal_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:12:02 -05:00
Chris PeBenito
4f34f6d220 Merge branch 'mount_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:10:57 -05:00
Chris PeBenito
1497fe2f54 Merge branch 'corenetork_module' of git://github.com/cgzones/refpolicy 2017-01-09 18:05:18 -05:00
cgzones
2526c96a2c update mount module
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
2017-01-08 14:59:08 +01:00
Chris PeBenito
2d8da56da4 Merge pull request #94 from cgzones/travis
use travis cache
2017-01-07 15:29:31 -05:00
cgzones
79ff2a45bf use travis cache
cache SELinux userspace build
2017-01-06 19:55:17 +01:00
cgzones
05a9fdfe6e update corenetwork module
* remove deprecated interfaces
* label tcp port 2812 for monit
2017-01-06 15:06:37 +01:00
cgzones
11a0508ede update terminal module
* label content of /dev/pts/ correctly
* remove deprecated interfaces
2017-01-06 15:03:08 +01:00
cgzones
b59dc99d56 update unconfined module
* grant capability2:wake_alarm
* remove deprecated interfaces
2017-01-06 15:01:45 +01:00
Chris PeBenito
15ccd01cac Merge pull request #62 from cgzones/fix_permission_segenxml
fix permission of installed segenxml.py by install-headers
2017-01-05 18:34:38 -05:00
cgzones
ab652e1f59 add files_search_src()
required by loadkeys
2017-01-05 12:47:58 +01:00
cgzones
e83058d205 auditd / auditctl: fix audits 2017-01-05 11:53:06 +01:00
cgzones
2315912719 fix permission of installed segenxml.py by install-headers 2017-01-05 10:54:08 +01:00
Chris PeBenito
a67c2a819d Module version bump for patches from Guido Trentalancia. 2017-01-03 19:35:56 -05:00
Guido Trentalancia
b66c2f2ad0 init: support sysvinit
Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.

Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-03 19:33:54 -05:00
Guido Trentalancia
d76d9e13b1 xserver: restrict executable memory permissions
The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-03 19:33:27 -05:00
Chris PeBenito
5fe6fbca54 xserver: Update from Russell Coker for boinc. 2017-01-02 13:11:31 -05:00
Chris PeBenito
49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia via refpolicy
84176263dd sysadm: add the shutdown role
Add the shutdown role interface call to the sysadm role module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 13:13:58 -05:00
Guido Trentalancia
cd85f4705d kernel: add missing plymouth interface
Add a previously missed optional plymouth interface to the kernel
module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 12:57:20 -05:00
Guido Trentalancia
1c9c592a2f xserver: introduce new fc and interface to manage X session logs
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 12:41:59 -05:00
Chris PeBenito
67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00
Chris PeBenito
b6b7173fb1 Merge branch 'usr-fc' of git://github.com/fishilico/selinux-refpolicy-patched 2016-12-28 14:30:19 -05:00
Nicolas Iooss
85d678bd2f
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.

Add these missing file contexts when there are outside ifdef blocks.
2016-12-27 17:06:54 +01:00
Chris PeBenito
e378390e8d Module version bump for systemd patch from Nicolas Iooss. 2016-12-27 10:56:39 -05:00
Chris PeBenito
9fa51f58c3 Merge branch '2016-12-27_systemd' of git://github.com/fishilico/selinux-refpolicy-patched 2016-12-27 10:54:31 -05:00
Chris PeBenito
19c3addb99 Module version bump for patches from Guido Trentalancia. 2016-12-27 10:51:56 -05:00
Guido Trentalancia
d52463b9fe kernel: missing permissions for confined execution
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.

This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-27 10:38:07 -05:00