There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.
param with one space
and content inside with one tab
This was done with:
sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
s/^##[[:space:]]*/##\t/;
s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
Documentation states 1st parameter is role and 2nd is domain.
So role clause should get role parameter
and seunshare_domtrans gets domain.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
This will enable su_restricted_domain_template where it was meant to be
enabled before, but was not actually.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
The ubifs in linux kernel supported the security xattr handler as early
as version 3.19.0 -rc6. Now add ubifs to the filesystem policy.
Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
After commit cc8374fd24 (various: systemd
user fixes and additional support), the dbus_role_template is required
for all roles. Move it to userdom_common_user_template.
Before the patch if set DISTRO=redhat:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user
After the patch:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.
Also declare templates not using those features and not calling
templates themselves as interfaces.
These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.31] Error 1
This was introduced in cc8374fd24 but becuase
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
This normally uses memfd which uses posix shm under the hood.
Additionally, a direct shm use is a fallback if memfd is not available.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
