Christian Göttsche
60accdffd9
build.conf: bump policy version in comment
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-22 19:04:43 +01:00
Chris PeBenito
a7de85503e
Merge pull request #479 from 0xC0ncord/dbus-broker
Add type for systemd runtime units and add dbus-broker support
2022-03-18 16:36:21 -04:00
Chris PeBenito
2f2c0e3f20
Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition
podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00
Kenton Groombridge
d47cc12801
docker, podman: container units now have the runtime unit type
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
da9382afbd
dbus, policykit: add tunables for dbus-broker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
db4b647a29
dbus: fixes for dbus-broker
dbus-broker manages files in a tmpfs. dbus-broker fails to start without
this access.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:11 -04:00
Kenton Groombridge
d9e660c3a9
init: split access for systemd runtime units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:12:10 -04:00
Kenton Groombridge
fe7d5287c4
podman: add explicit range transition for conmon
Ensure that when conmon is started, it runs in s0 and is able to
communicate with the container.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-18 13:03:33 -04:00
Chris PeBenito
c5add64587
Merge pull request #477 from jpds/networkd-dhcpd-bind
systemd.te: Added boolean for allowing dhcpd server packets
2022-03-17 12:47:09 -04:00
Jonathan Davies
126c234b5c
systemd.te: Added boolean for allowing dhcpd server packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-15 14:56:51 +00:00
Chris PeBenito
dd803cfef5
Merge pull request #475 from pebenito/drop-broken-symptoms-blocks
Make hide_broken_symptoms unconditional.
2022-03-15 10:13:27 -04:00
Chris PeBenito
1b40c87a68
mailman: Fix SELint issues.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 10:01:26 -04:00
Chris PeBenito
341abff611
mailman: Fix check_fc_files issue.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-14 09:54:38 -04:00
Russell Coker
dd312a6be6
mailman3 V3
Fixed the issues Chris raised with the previous patch. I think this is
ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-14 09:46:37 -04:00
Chris PeBenito
43d0b184b5
matrixd: SELint fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 14:57:02 -05:00
Chris PeBenito
2ab6d0bc91
matrixd: Cleanups.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:46:24 -05:00
Russell Coker
05b5de6282
matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.
Probably ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:29:17 -05:00
Chris PeBenito
a1d36a317b
puppet: Style fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-18 13:25:04 -05:00
Russell Coker
73533c0755
puppet V3
Removed the entrypoint stuff that was controversial, the rest should be fine.
I think it's ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-18 13:19:53 -05:00
Chris PeBenito
651dc11f36
Make hide_broken_symptoms unconditional.
These blocks are always enabled.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-16 12:04:21 -05:00
Chris PeBenito
e580e00bb6
cron, dbus, policykit, postfix: Minor style fixes.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 11:04:33 -05:00
Russell Coker
4137954aa3
dontaudit net_admin without hide_broken_symptoms
Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 10:58:32 -05:00
Chris PeBenito
ef910e11c5
postfix, spamassassin: Fix missed type renames after alias removals.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-02-16 07:03:34 -05:00
Russell Coker
8e633b70dd
remove aliases from 20210203
This patch against version 20220106 removes the typealias rules that were in
version 20210203. If we include this now then the typealias rules in
question will have been there for 3 consecutive releases. But if you think
we should wait until after the next release that's OK.
It's obvious that this patch should be included sooner or later, I think now
is a reasonable time.
Signed-off-by: Russell Coker <russell@coker.com.au>
2022-02-16 06:54:26 -05:00
Chris PeBenito
d96d8b5977
Merge pull request #473 from pebenito/allow-lockdown
domain: Allow lockdown for all domains.
2022-02-04 08:37:02 -05:00
Chris PeBenito
ffe2f2294f
domain: Allow lockdown for all domains.
The checks for this class were removed in 5.16. This object
class will be removed in the future.
For more info:
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-02 15:37:28 -05:00
Chris PeBenito
6f947e604a
Merge pull request #472 from bigon/dockerd_path
docker: On Debian dockerd and docker-proxy are in /usr/sbin
2022-02-02 09:22:11 -05:00
Laurent Bigonville
43cb910e38
container: On Debian, runc is installed in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:41:49 +01:00
Laurent Bigonville
5c9fa6d268
docker: On Debian dockerd and docker-proxy are in /usr/sbin
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2022-02-02 12:18:20 +01:00
Chris PeBenito
c86645f836
Merge pull request #468 from jpds/node_exporter-addition
node_exporter: Added initial policy
2022-02-01 11:59:42 -05:00
Chris PeBenito
709bfd95f9
Merge pull request #462 from pebenito/systemd-updates
Systemd updates including systemd-homed and systemd-userdbd.
2022-02-01 09:17:00 -05:00
Chris PeBenito
c58823f748
Merge pull request #471 from pebenito/revert-mcs-users
Revert mcs users
2022-02-01 09:15:54 -05:00
Chris PeBenito
80598ee30d
systemd: Updates for generators and kmod-static-nodes.service.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
0b19aaef3c
systemd: Additional fixes for fs getattrs.
This may need to be allowed more broadly.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
71b3fce22b
systemd, ssh: Crypto sysctl use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:31 -05:00
Chris PeBenito
d6a676f0a6
systemd: Add systemd-homed and systemd-userdbd.
Systemd-homed does not completely work since the code does not label
the filesystems it creates.
systemd-userdbd partially derived from the Fedora policy.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-02-01 09:07:28 -05:00
Chris PeBenito
6013141bb4
Revert "users: remove MCS categories from default users"
This reverts commit 7d53784332.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-02-01 09:00:19 -05:00
Jonathan Davies
8d03e35e22
node_exporter: Added initial policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-02-01 00:35:54 +00:00
Chris PeBenito
32ecefdf28
Merge pull request #470 from 0xC0ncord/docker-init-daemon-domain
docker: add missing call to init_daemon_domain()
2022-01-31 08:44:06 -05:00
Kenton Groombridge
800039c671
docker: add missing call to init_daemon_domain()
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito
242e371ac2
Merge pull request #469 from cgzones/selint
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche
0e06f23e07
Revert "tests.yml: Disable policy_module() selint checks."
This reverts commit 5781a2393c.
SELint 1.2.1 supports the new policy_module syntax.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00
Chris PeBenito
f84770f5ce
Merge pull request #467 from 0xC0ncord/docker-rootlesskit-optional
docker: make rootlesskit optional
2022-01-24 20:44:22 -05:00
Kenton Groombridge
70836481d0
docker: make rootlesskit optional
Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 17:39:10 -05:00
Chris PeBenito
dc2d89df05
Merge pull request #434 from 0xC0ncord/containers
Add container module
2022-01-24 14:01:18 -05:00
Kenton Groombridge
86b90b4bc7
container: allow containers to getsession
Found to be required by a jellyfin container when testing.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:08:50 -05:00
Kenton Groombridge
f4d34fcc34
lxc_contexts: add ro_file and sandbox_lxc_process contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
76f189a883
container: drop old commented rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
36289d588c
docker: call rootlesskit access in docker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
5105a4c344
container, docker, rootlesskit: add support for rootless docker
Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00