nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,980 Commits 1 Branch 0 Tags 16 MiB
6c3cbdc16d
Commit Graph

5980 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Kenton Groombridge
26e9ec7c43 authlogin: add new type for pwd.lock and others 
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:53 -04:00
Kenton Groombridge
8eff2c5998 sysadm, systemd: various fixes 
Allow sysadm to communicate with logind over dbus and add missing rules
for systemd-logind.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
69b2259c7d various: several dontaudits 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
95dc0f0de3 udev: allow systemd-vconsole-setup to sys_tty_config 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
42d46c14bc init, udev: various fixes for systemd 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
dbecb3546d systemd: add policy for systemd-sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
403c4c3470 systemd: allow systemd-resolved to manage its own sock files 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
a838a88717 logging: allow auditd to getattr on audisp-remote binary 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
b3c1dba144 logging: allow auditd to use nsswitch 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
7b8c44ab9b init, systemd: allow logind to watch utmp 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
2166acf355 init, mount: allow systemd to watch utab 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
c56b78f0c8 mount: allow getattr on dos filesystems 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
1c552ec38f bootloader, filesystem: various fixes for grub 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:13 -04:00
Kenton Groombridge
7f1a7b1cac wireguard: allow running iptables 
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
a1a9c33e88 iptables: allow reading initrc pipes 
The systemd service calls a script which reads the saved rules from a
file piped to stdin.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
7ca9dcea1f init: modify interface to allow reading all pipes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
c46bbef5f7 udev: various fixes 
Mostly mdraid stuff and a few dontaudits.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
a6df5e653c devicekit: allow devicekit_disk_t to setsched 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
342eefd3b0 ssh: allow ssh_keygen_t to read localization 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
497cb3ca2b files, init, systemd: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:01 -04:00
Kenton Groombridge
dac8c8af27 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:43:54 -04:00
Kenton Groombridge
02b9bf0a1c redis: allow reading net and vm overcommit sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:56 -04:00
Kenton Groombridge
9051a09617 spamassassin: allow rspamd to read network sysctls 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:55 -04:00
Kenton Groombridge
d91bef2d24 devices, userdomain: dontaudit userdomain setattr on null device nodes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:53 -04:00
Kenton Groombridge
f137b5cdcc modutils: allow kmod to read src_t symlinks 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:51 -04:00
Kenton Groombridge
6371411e50 getty: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:49 -04:00
Kenton Groombridge
173d2a2bd0 rngd: allow reading sysfs 
rngd tries to read the rng state at boot.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:47 -04:00
Kenton Groombridge
00e210d703 redis: allow reading certs 
Required if redis is to be used with SSL/TLS

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:44 -04:00
Kenton Groombridge
fa5f878f13 usbguard: various fixes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:42 -04:00
Kenton Groombridge
45dd9358e5 fail2ban: allow reading vm overcommit sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:37 -04:00
Kenton Groombridge
372f9cc658 systemd, fail2ban: allow fail2ban to watch journal 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-27 19:53:27 -04:00
Chris PeBenito
4aa1562208 files, kernel, selinux: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-27 14:21:06 -04:00
Chris PeBenito
e577b84fae Merge pull request #358 from SELinuxProject/generic-bool-label-change 2021-03-27 14:20:16 -04:00
Chris PeBenito
838c145fb9 kernel: Add dontaudits when secure_mode_insmod is enabled. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito
3d0a6f966f selinux: Add dontaudits when secure mode Booleans are enabled. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito
b36334e937 selinux: Set regular file for labeled Booleans genfscons. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:59 -04:00
Chris PeBenito
9d57bf3a2e selinux: Change generic Boolean type to boolean_t. 
This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:50:25 -04:00
Chris PeBenito
df99dfe8ea Rules.modular/Rules.monolithic: Fix intdented labeling statement moves. 
The secure_mode_policyload Boolean labeling statement was lost moving the
statement to the proper place in the policy.conf/base.conf.

Fix this for all other labeling statements too.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:22:46 -04:00
Chris PeBenito
3a22e9279c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-19 15:17:54 -04:00
Chris PeBenito
93fda6e15d Merge pull request #357 from 0xC0ncord/feature/systemd_user_service 2021-03-19 15:14:24 -04:00
Kenton Groombridge
cc8374fd24
various: systemd user fixes and additional support 
This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-03-18 15:58:17 -04:00
Chris PeBenito
ab702bb825 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-17 11:16:40 -04:00
Chris PeBenito
4dba24e2ad Merge pull request #356 from pebenito/drop-dead-modules2 2021-03-17 11:15:11 -04:00
Chris PeBenito
d84e0ee70f selinux: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-12 09:57:36 -05:00
Chris PeBenito
ddacb7a000 Merge pull request #355 from pebenito/secure-mode-setbool 2021-03-10 15:24:01 -05:00
Chris PeBenito
8934069f82 Remove additional unused modules 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-07 09:29:34 -05:00
Chris PeBenito
3ab2274e3d selinux: Add a secure_mode_setbool Boolean. 
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.

This does not affect setenforce.  Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-03-05 16:13:11 -05:00
Chris PeBenito
1167739da1 rpc: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-02-16 09:30:31 -05:00
Chris PeBenito
05c08f7b1f rpc: Move lines. 
No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-02-16 09:30:13 -05:00
Russell Coker
0a2e267937 blkmapd 
Patch for the blkmapd daemon that's part of the NFS server.

I think this is ready for mergikng.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-02-16 09:24:55 -05:00