selinux-refpolicy

Author	SHA1	Message	Date
Kenton Groombridge	cec7f0d3e2	various: various userns capability permissions Signed-off-by: Kenton Groombridge <me@concord.sh>	2022-01-24 11:07:02 -05:00
Chris PeBenito	78276fc43b	Drop module versioning. Semodule stopped using this many years ago. The policy_module() macro will continue to support an optional second parameter as version. If it is not specified, a default value of 1 is set. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2022-01-06 09:19:13 -05:00
Chris PeBenito	9788933467	ntp, samba: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-11-30 11:24:41 -05:00
Yi Zhao	5e7b58612e	samba: fixes for smbd/nmbd * Do not audit capability net_admin for smbd_t/nmbd_t * Allow nmbd_t to manage samba_var_t dirs Fixes: avc: denied { net_admin } for pid=334 comm="smbd" capability=12 scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:smbd_t tclass=capability permissive=1 avc: denied { net_admin } for pid=273 comm="nmbd" capability=12 scontext=system_u:system_r:nmbd_t tcontext=system_u:system_r:nmbd_t tclass=capability permissive=1 avc: denied { create } for pid=273 comm="nmbd" name="msg.lock" scontext=system_u:system_r:nmbd_t tcontext=system_u:object_r:samba_var_t tclass=dir permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2021-11-30 21:52:43 +08:00
Chris PeBenito	1e1deaebf2	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-10-27 09:15:09 -04:00
Yi Zhao	6a3bba766f	samba: allow smbd_t to send and receive messages from avahi over dbus Fixes: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=481 tpid=508 scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:avahi_t tclass=dbus permissive=1 avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Avahi.Server member=StateChanged dest=org.freedesktop.DBus spid=508 tpid=481 scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:smbd_t tclass=dbus permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2021-10-19 11:04:38 +08:00
Chris PeBenito	c804cef2c8	samba: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-09-13 13:21:56 -07:00
Fabrice Fontaine	ce436299be	policy/modules/services/samba.te: make crack optional Make crack optional to avoid the following build failure: Compiling targeted policy.31 env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31 policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232: allow smbd_t crack_db_t:dir { getattr search open }; #line 399 checkpolicy: error(s) encountered while parsing configuration Fixes: - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>	2021-09-09 07:48:33 +02:00
Chris PeBenito	4248e38824	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-09-08 10:53:44 -04:00
Chris PeBenito	ab702bb825	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-17 11:16:40 -04:00
Chris PeBenito	8934069f82	Remove additional unused modules Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-07 09:29:34 -05:00
Chris PeBenito	ff983a6239	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-03 08:38:26 -05:00
Chris PeBenito	98681ea89e	samba: Fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:57:19 -05:00
Chris PeBenito	a3e13450e2	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:39:49 -05:00
Chris PeBenito	621baf7752	samba: Fix samba_runtime_t alias use. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:54 -05:00
Chris PeBenito	9f8164d35d	devicekit, jabber, samba: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:09 -05:00
Chris PeBenito	982cb068c2	apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:53:04 -05:00
Russell Coker	55c3c1dcaa	misc services patches with changes Dominick and Chris wanted I think this one is ready to merge. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-28 10:06:16 -05:00
Chris PeBenito	bb471c3f1c	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:20:47 -05:00
Chris PeBenito	6c69f6e3de	udev: Drop udev_tbl_t. This usage under /dev/.udev has been unused for a very long time and replaced by functionality in /run/udev. Since these have separate types, take this opportunity to revoke these likely unnecessary rules. Fixes #221 Derived from Laurent Bigonville's work in #230 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:11 -05:00
Chris PeBenito	d387e79989	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-18 09:09:10 -04:00
Yi Zhao	8322f0e0d9	Remove duplicated rules Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 10:55:31 +08:00
Chris PeBenito	613708cad6	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-04 09:30:45 -04:00
Chris PeBenito	0992763548	Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 16:03:45 -04:00
Chris PeBenito	309f655fdc	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-10 15:02:27 -04:00
Topi Miettinen	1d8333d7a7	Remove unlabeled packet access When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-06-03 23:16:19 +03:00
Chris PeBenito	5b171c223a	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-14 10:32:30 -04:00
Chris PeBenito	b2f72e833b	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-02-29 16:54:39 -05:00
Chris PeBenito	7af9eb3e91	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-01-15 10:42:45 -05:00
Stephen Smalley	161bda392e	access_vectors: Remove unused permissions Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. The corresponding classmap declarations were removed from the mainline kernel in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>	2020-01-14 13:41:50 -05:00
Chris PeBenito	291f68a119	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-09-30 20:39:31 -04:00
Chris PeBenito	61ecff5c31	Remove old aliases. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-09-30 20:02:43 -04:00
Chris PeBenito	d6c7154f1c	Reorder declarations based on *_runtime_t renaming. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-09-30 20:02:43 -04:00
Chris PeBenito	69a403cd97	Rename _var_run_t types to _runtime_t. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-09-30 20:02:43 -04:00
Chris PeBenito	65e8f758ca	Bump module versions for release.	2018-07-01 11:02:33 -04:00
Chris PeBenito	3ab07a0e1e	Move all files out of the old contrib directory.	2018-06-23 10:38:58 -04:00
Chris PeBenito	09248fa0db	Move modules to contrib submodule.	2011-09-09 10:10:03 -04:00
Chris PeBenito	74aaedde68	Whitespace fixes in rsync, samba, and mount.	2011-09-02 09:55:50 -04:00
Chris PeBenito	aa4dad379b	Module version bump for release.	2011-07-26 08:11:01 -04:00
Chris PeBenito	a29c7b86e1	Module version bump and Changelog for auth file patches from Matthew Ife.	2011-07-18 13:48:05 -04:00
Matthew Ife	4ff4e1c505	Replace deprecated _except_shadow macro calls with _except_auth_files calls.	2011-07-18 13:40:38 -04:00
Chris PeBenito	48f99a81c0	Whitespace change: drop unnecessary blank line at the start of .te files.	2010-06-10 08:16:35 -04:00
Chris PeBenito	29af4c13e7	Bump module versions for release.	2010-05-24 15:32:01 -04:00
Chris PeBenito	d7ebbd9d22	Module version bump for 34838aa.	2010-04-26 13:40:21 -04:00
Jeremy Solt	34838aa62a	Samba patch from Dan Walsh - signal interfaces - fusefs support - bug 566984: getattrs on all blk and chr files Did not include: - changes related to samba_unconfined_script_t and samba_unconfined_net_t - samba_helper_template (didn't appear to be used) - manage_lnk_files_pattern in samba_manage_var_files - signal allow rule in samba_domtrans_winbind_helper - samba_role_notrans - userdom_manage_user_home_content Some style and spacing fixes	2010-04-26 13:28:21 -04:00
Chris PeBenito	9570b28801	module version number bump for release 2.20090730 that was mistakenly omitted.	2009-08-05 10:59:21 -04:00
Chris PeBenito	0c89174f7f	pull most of fedora changes to samba.	2009-07-29 14:40:34 -04:00
Chris PeBenito	3f67f722bb	trunk: whitespace fixes	2009-06-26 14:40:13 +00:00
Chris PeBenito	c1262146e0	trunk: Remove node definitions and change node usage to generic nodes.	2009-01-09 19:48:02 +00:00
Chris PeBenito	668b3093ff	trunk: change network interface access from all to generic network interfaces.	2009-01-06 20:24:10 +00:00

1 2

90 Commits