Chris PeBenito
55cc7b4652
Merge pull request #386 from maage/missing-params
...
cleanup: policy avahi: avahi_filetrans_pid: doc: add missing params
2021-07-06 09:28:23 -04:00
Chris PeBenito
d21ef64068
Merge pull request #385 from maage/interface-doc
...
cleanup: Interface docs
2021-07-06 09:26:03 -04:00
Chris PeBenito
d7bb1b2e73
Merge pull request #383 from maage/enable_mls
...
fix: policy: init: there is no enabled_mls, it is enable_mls
2021-07-06 09:15:46 -04:00
Markus Linnala
c373a63e48
policy avahi: avahi_filetrans_pid: doc: add missing params
...
Even if interface is deprecated, still use all documented parameters.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-05 12:41:42 +03:00
Markus Linnala
214d49461a
policy gpg: doc: add documents for all *filetrans parameters
...
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
6c3cbdc16d
policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param documentation
...
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
d949eb5d6e
policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of role_prefix
...
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
f82742e09a
policy devices: dev_filetrans: doc: change param from file to file_type
...
Like other instances.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:19 +03:00
Markus Linnala
277046ecc6
policy: files: files_spool_filetrans: doc: change param from file to file_type
...
Like other instances.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:52:40 +03:00
Markus Linnala
0804193e01
policy: init: there is no enabled_mls, it is enable_mls
...
This will enable su_restricted_domain_template where it was meant to be
enabled before, but was not actually.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:35:08 +03:00
Chris PeBenito
8dfa9e4fce
xserver: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:38:56 -04:00
Chris PeBenito
55df36bc2e
xserver: Move fc lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:37:51 -04:00
Chris PeBenito
5937972f50
Merge pull request #382 from x539/font-config
2021-06-28 08:33:18 -04:00
Andreas Freimuth
064e88aef5
Set user_fonts_config_t for conf.d
...
Signed-off-by: Andreas Freimuth <andreas.freimuth@frmth.de>
2021-06-26 12:31:36 +02:00
Andreas Freimuth
eba72de614
Prefer user_fonts_config_t over xdg_config_t
...
Signed-off-by: Andreas Freimuth <andreas.freimuth@frmth.de>
2021-06-26 12:31:36 +02:00
Chris PeBenito
ad7217f906
Merge pull request #375 from cgzones/infer
...
Use correct interface or template declaration
2021-06-03 09:13:05 -04:00
Chris PeBenito
c9913a0e8c
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-05-19 08:46:41 -04:00
Chris PeBenito
3fc11ce1e4
Merge pull request #376 from xwsong/ubifs-policy
2021-05-19 08:45:45 -04:00
Chris PeBenito
0ecd14f47a
staff, sysadm, unprivuser: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-05-19 08:45:36 -04:00
Chris PeBenito
0d37ce804d
Merge pull request #374 from yizhao1/fix
2021-05-19 08:45:27 -04:00
Xiongwei Song
9224d62dbd
Add ubifs to filesystem policy
...
The ubifs in linux kernel supported the security xattr handler as early
as version 3.19.0 -rc6. Now add ubifs to the filesystem policy.
Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
2021-05-19 10:06:01 +08:00
Yi Zhao
7ee15a0681
roles: move dbus_role_template to userdom_common_user_template
...
After commit cc8374fd24 (various: systemd user fixes and additional
support), the dbus_role_template is required
for all roles. Move it to userdom_common_user_template.
Before the patch, if DISTRO=redhat is set:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user
After the patch:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-05-19 10:00:33 +08:00
Christian Göttsche
6c5928d65a
Use correct interface or template declaration
...
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.
Also declare templates not using those features and not calling
templates themselves as interfaces.
These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206 .
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-05-13 17:22:59 +02:00
Chris PeBenito
4412ad507c
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-05-11 08:41:48 -04:00
Chris PeBenito
924e56c9e2
Merge pull request #373 from pebenito/systemd-tmpfiles-managed
2021-05-11 08:38:53 -04:00
Chris PeBenito
61bc896a67
Merge pull request #371 from pebenito/systemd-StandardInputText
2021-05-11 08:38:48 -04:00
Chris PeBenito
07dc9a3c80
Merge pull request #369 from jpds/irc-sock-and-screen-fixes
2021-05-11 08:38:37 -04:00
Jonathan Davies
5703b622cd
irc.te: Allowed client access to screen runtime sock file.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-05-10 10:52:41 +01:00
Jonathan Davies
bad206ee3b
screen.if: Added interface to allow executing sock file.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-05-10 10:52:41 +01:00
Jonathan Davies
508289a967
irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to
...
connect to a SOCKS proxy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-05-10 10:52:25 +01:00
Chris PeBenito
460d0eb5bd
systemd: Drop second parameter in systemd_tmpfilesd_managed().
...
systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-05-07 13:43:31 -04:00
Chris PeBenito
f5d97c7eda
Revert "systemd.if minor fix"
...
This reverts commit bf6cc10e16.
2021-05-07 13:39:26 -04:00
Chris PeBenito
0c5a622fea
Merge pull request #372 from dsugar100/master
...
Minor Fixes
2021-05-07 11:31:14 -04:00
Dave Sugar
d51d49eb92
Resolve when building monolithic on RHEL7
...
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.31] Error 1
This was introduced in cc8374fd24 but because
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-05-06 12:20:24 -04:00
Dave Sugar
bf6cc10e16
systemd.if minor fix
...
I think this is an interface, not a template; no types are being defined.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-05-06 12:20:24 -04:00
Chris PeBenito
2d0cb88590
.gitignore: Remove duplicate lines.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-05-06 10:41:17 -04:00
Chris PeBenito
998d6a6fda
.gitignore: Ignore vscode data dir.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-05-06 10:33:32 -04:00
Chris PeBenito
2e1c1c6240
init: Add support for systemd StandardInputText.
...
This normally uses memfd which uses posix shm under the hood.
Additionally, a direct shm use is a fallback if memfd is not available.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-05-06 10:32:27 -04:00
Chris PeBenito
cd783138ac
logging, secadm, staff, sysadm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-26 13:55:03 -04:00
Chris PeBenito
149ee62c7b
Merge pull request #368 from jpds/admin-log-watch
2021-04-26 13:54:23 -04:00
Chris PeBenito
37d6892c94
Merge pull request #367 from jpds/staff-virt-stream-access
2021-04-26 13:54:19 -04:00
Jonathan Davies
431f03f3b9
roles: Added log watching permissions to secadm and sysadm.
...
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
2021-04-25 19:15:08 +01:00
Jonathan Davies
5873a528a9
logging.if: Added interfaces for watching all and audit logs.
...
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
2021-04-25 17:50:43 +01:00
Jonathan Davies
63eb925698
staff.te: Allow staff access to the virt stream, needed for when the
...
sockets are accessed remotely over SSH.
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
2021-04-24 17:14:06 +01:00
Chris PeBenito
ffdefbeb62
authlogin, hadoop, pwauth: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-23 14:53:32 -04:00
Chris PeBenito
a5b41cbcf4
Merge pull request #364 from pebenito/refine-authlogin
2021-04-23 14:52:53 -04:00
Chris PeBenito
163c153c33
authlogin: Deprecate auth_domtrans_chk_passwd().
...
This is a duplicate interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-23 14:40:46 -04:00
Chris PeBenito
8407a5eafc
stale.yml: Fix labels with spaces.
...
However, a bug prevents this from working on PRs, see actions/stale#98.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-21 09:33:53 -04:00
Chris PeBenito
63270d2cd4
Create stale.yml
2021-04-20 11:02:35 -04:00
Chris PeBenito
3945473b5e
authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
...
This is provided by the auth_use_nsswitch() call.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-20 10:36:23 -04:00