Laurent Bigonville
18e114dae4
Label /usr/sbin/lightdm as xdm_exec_t
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739163
2014-03-14 11:14:43 -04:00
Laurent Bigonville
81570b1eb4
Properly label git-shell and other git commands for Debian
2014-03-14 11:14:43 -04:00
Chris PeBenito
a4a0d0802f
Add symlink to contrib Changelog for easy reference.
2014-03-14 11:00:00 -04:00
Chris PeBenito
4caf0885bf
Module version bump for postgresql fc entries from Luis Ressel.
2014-03-14 10:59:45 -04:00
Chris PeBenito
a72bd68428
Whitespace fix in postgresql.fc
2014-03-14 10:10:32 -04:00
Luis Ressel
defc62bf33
Add two postgresql file contexts from gentoo policy
...
Gentoo appends version numbers to the names of the init script and the
config directory.
2014-03-14 10:08:18 -04:00
Nicolas Iooss
c1c11fa2f8
Fix parallel build of the policy
...
Before this commit, "make -j2" would execute the rules written to build
tmp/all_post.conf twice at the same time because these rules were applied every time
tmp/all_post.conf, tmp/all_attrs_types.conf and tmp/only_te_rules.conf needed
to be built. However, executing such a line twice in parallel is buggy:
$(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> \
$(tmpdir)/all_post.conf
This is why "make" reports the following error for parallel builds:
Compiling refpolicy-patched base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te":710:ERROR 'syntax error' at token
'fs_use_trans' on line 26520:
fs_use_trans devtmpfs system_u:object_r:device_t:s0;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
This commit fixes this bug by splitting the rules in 3 different targets, in
both monolithic and modular builds.
2014-03-14 08:46:46 -04:00
Chris PeBenito
a82a6a80a1
Update Changelog and VERSION for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
a5054f1135
Update contrib.
2014-03-11 08:15:14 -04:00
Nicolas Iooss
03fa442a61
Create .gitignore
...
This .gitignore file ignores every file which is removed by "make clean"
2014-03-06 08:42:09 -05:00
Chris PeBenito
d6365192c2
Update contrib.
2014-03-03 09:07:16 -05:00
Chris PeBenito
4dbe95d58b
Module version bump for bootloader fc fixes from Luis Ressel.
2014-03-03 09:07:00 -05:00
Luis Ressel
f8eb4e3b3b
Label grub2-install as bootloader_exec_t
2014-03-03 08:45:10 -05:00
Luis Ressel
c2a9b89c5f
Generalize grub2 pattern
...
GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.
2014-03-03 08:44:41 -05:00
Chris PeBenito
681c3d451c
Update contrib.
2014-02-15 15:04:12 -05:00
Luis Ressel
a10fefcd39
Label fatsort as fsadm_exec_t.
...
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Luis Ressel
f824120b6d
Use xattr-labeling for squashfs.
...
This is taken from the Fedora policy (authors: Dan Walsh, Miroslav
Grepl) and dates back to 2011 there.
2014-02-15 14:34:10 -05:00
Chris PeBenito
3501307078
Fix read loopback file interface.
2014-02-08 11:35:57 -05:00
Chris PeBenito
92cd2e251c
Module version bump for loopback file mounting fixes from Luis Ressel.
2014-02-08 10:50:34 -05:00
Chris PeBenito
acf1229dad
Rename mount_read_mount_loopback() to mount_read_loopback_file().
...
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Chris PeBenito
38a2d8e581
Move loop control interface definition.
2014-02-08 10:48:50 -05:00
Luis Ressel
7ac64b8a5a
Grant kernel_t necessary permissions for loopback mounts
...
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Luis Ressel
24be4c0096
Allow mount_t usage of /dev/loop-control
...
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel
09370605a3
system/mount.if: Add mount_read_mount_loopback interface
2014-02-08 10:32:44 -05:00
Luis Ressel
781377da9f
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-08 10:32:44 -05:00
Chris PeBenito
3bb3d9e79e
Module version bump for sesh fc from Nicolas Iooss.
2014-02-08 09:57:32 -05:00
Nicolas Iooss
f003497bcb
Label /usr/lib/sudo/sesh as shell_exec_t
2014-02-08 09:50:09 -05:00
Chris PeBenito
3c4a9cde0e
Update contrib.
2014-02-08 09:42:54 -05:00
Chris PeBenito
f097b7ab4e
Move bin_t fc from couchdb to corecommands.
2014-02-08 09:42:43 -05:00
Chris PeBenito
dd0df56c26
Module version bump for files_dontaudit_list_var() interface from Luis Ressel.
2014-02-08 09:04:18 -05:00
Luis Ressel
7381deb292
kernel/files.if: Add files_dontaudit_list_var interface
...
This is required for an update of the couchdb policy.
2014-02-08 09:02:57 -05:00
Chris PeBenito
22d7dac75b
Module version bump for ssh use of gpg-agent from Luis Ressel.
2014-02-08 08:41:05 -05:00
Chris PeBenito
7e71b34b09
Rearrange gpg agent calls.
2014-02-08 08:40:37 -05:00
Chris PeBenito
4ef4e0674d
Rename gpg_agent_connect to gpg_stream_connect_agent.
2014-02-08 08:24:41 -05:00
Luis Ressel
bda6528039
Conditionally allow ssh to use gpg-agent
...
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
2014-02-08 08:10:16 -05:00
Chris PeBenito
b244f47319
Module version bump for pid file directory from Russell Coker/Laurent Bigonville.
2014-02-06 09:14:31 -05:00
Laurent Bigonville
d6751cb2f4
Move the ifdef at the end of the declaration block
2014-02-06 09:14:31 -05:00
Laurent Bigonville
f2313e5304
Add fcontext for sshd pidfile and directory used for privsep
...
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
2014-02-06 09:14:31 -05:00
Chris PeBenito
33b03a653e
Update contrib.
2014-01-31 22:54:14 -05:00
Chris PeBenito
d5a562246e
Module version bump for logging fc patch from Laurent Bigonville.
2014-01-31 22:24:08 -05:00
Laurent Bigonville
64be72b662
Add fcontext for rsyslog pidfile
2014-01-31 21:54:40 -05:00
Chris PeBenito
41ee5421a7
Module version bump for unconfined transition to dpkg from Laurent Bigonville.
2014-01-27 13:19:57 -05:00
Laurent Bigonville
0e1c64f3bb
Allow unconfined users to transition to dpkg_t domain
...
dpkg is now using an rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito
3ffc91fff4
Module version bump for ZFS tools fc entries from Matthew Thode.
2014-01-21 08:55:37 -05:00
Chris PeBenito
734aebb02d
Rearrange ZFS fc entries.
2014-01-21 08:55:28 -05:00
Chris PeBenito
496faf8c43
Fix ZFS fc escaping in mount.
2014-01-21 08:54:59 -05:00
Chris PeBenito
971c2fa6a4
Remove ZFS symlink labeling.
2014-01-21 08:52:24 -05:00
Matthew Thode
fd9c2fc1e6
Extending support for SELinux on ZFS
...
Signed-off-by: Matthew Thode <mthode@mthode.org>
2014-01-21 08:43:40 -05:00
Chris PeBenito
0075ffb8b3
Module version bump for module store labeling fixes from Laurent Bigonville.
2014-01-17 08:54:08 -05:00