nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4,007 Commits 1 Branch 0 Tags 16 MiB
6d6370c98a
Commit Graph

4007 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dominick Grift
6d6370c98a kernel: implement sysctl_vm_overcommit_t for /proc/sys/vm/overcommit_memory 
Whoever requires this type first gets to create the interfaces to operate on this object

Signed-off-by: Dominick Grift <dac.override@gmail.com>
 2015-12-10 14:10:16 -05:00
Dominick Grift
81d15a0273 authlogin: remove duplicate files_list_var_lib(nsswitch_domain) 
Signed-off-by: Dominick Grift <dac.override@gmail.com>
 2015-12-10 14:10:16 -05:00
Chris PeBenito
727949924a Module version bump for systemd-user-sessions fc entry from Dominick Grift 2015-12-09 09:40:55 -05:00
Dominick Grift
e1eeef00a6 systemd: add missing file context spec for systemd-user-sessions executable file 
Signed-off-by: Dominick Grift <dac.override@gmail.com>
 2015-12-09 09:26:59 -05:00
Chris PeBenito
4fd44dc0f6 Update Changelog and VERSION for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito
c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Laurent Bigonville
624abc4f54 Allow the user cronjobs to run in their userdomain 
When cron_userdomain_transition boolean is set to on, the user cronjobs
are supposed to run in their domains. Without this patch the default
context is not properly computed:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    /usr/sbin/getdefaultcon: Invalid argument
    $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
    staff_u:sysadm_r:sysadm_t:s0

With this patch applied:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    user_u:user_r:user_t:s0
    $ /usr/sbin/getdefaultcon staff_ system_u:system_r:crond_t:s0
    staff_u:staff_r:staff_t:s0
 2015-12-08 09:35:55 -05:00
Chris PeBenito
a2fab1a961 Update contrib. 2015-12-01 10:23:56 -05:00
Chris PeBenito
70ba55c2fc Module version bump for utempter Debian helper from Laurent Bigonville. 2015-12-01 10:23:46 -05:00
Laurent Bigonville
c6efc3ada1 Properly label utempter helper on debian 2015-12-01 09:45:06 -05:00
Chris PeBenito
37d2aeca3d Remove bad interface in systemd.if. 2015-11-05 15:31:53 -05:00
Chris PeBenito
b94f45d760 Revise selinux module interfaces for perms protected by neverallows. 
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.

Closes #14
 2015-11-04 15:10:29 -05:00
Chris PeBenito
a3208c3495 Update contrib for dbus systemd fix. 2015-10-29 07:36:33 -04:00
Chris PeBenito
17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito
8409f39cdb Merge branch 'pebenito-master' 
Closes #8
 2015-10-23 14:51:34 -04:00
Chris PeBenito
60d8b699fb Change policy_config_t to a security file type. 
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
 2015-10-23 10:17:46 -04:00
Chris PeBenito
4388def2d9 Add refpolicy core socket-activated services. 2015-10-23 10:17:46 -04:00
Chris PeBenito
bdfc7e3eb0 Add sysfs_types attribute. 
Collect all types used to label sysfs entries.
 2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3 Add systemd units for core refpolicy services. 
Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
 2015-10-23 10:17:46 -04:00
Chris PeBenito
fc2de5c21c Add rules for sysadm_r to manage the services. 2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito
3639880cf6 Implement core systemd policy. 
Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.
 2015-10-23 10:16:59 -04:00
Chris PeBenito
d326c3878c Add systemd access vectors. 2015-10-20 15:01:27 -04:00
Chris PeBenito
bf0cfe940a Add systemd build option. 2015-10-20 15:01:23 -04:00
Chris PeBenito
4d28cb714f Module version bump for patches from Jason Zaman/Matthias Dahl. 2015-10-12 09:31:18 -04:00
Chris PeBenito
2c0e3d9a24 Rearrange lines in ipsec.te. 2015-10-12 09:30:05 -04:00
Jason Zaman
775b07e60a system/ipsec: Add policy for StrongSwan 
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
 2015-10-12 09:16:28 -04:00
Jason Zaman
b3a95b4aeb Add overlayfs as an XATTR capable fs 
The module is called "overlay" in the kernel
 2015-10-12 09:13:53 -04:00
Chris PeBenito
778dfaf776 Update contrib. 2015-09-15 08:39:38 -04:00
Chris PeBenito
cfaeb62603 Module version bump for vfio device from Alexander Wetzel. 2015-09-15 08:39:21 -04:00
Alexander Wetzel
9ae4033beb adds vfio device support to base policy 
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
 2015-09-15 08:17:31 -04:00
Chris PeBenito
1d51a2f4c4 Module version bump for APR build script labeling from Luis Ressel. 2015-08-11 08:46:41 -04:00
Luis Ressel
fd5e40b047 Mark APR build scripts as bin_t 
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
 2015-08-11 08:42:25 -04:00
Chris PeBenito
c8c2b8b0c8 Module version bump for ssh-agent -k fix from Luis Ressel. 2015-07-20 10:01:52 -04:00
Luis Ressel
d8071a8e1b Allow ssh-agent to send signals to itself 
This is neccessary for "ssh-agent -k".
 2015-07-20 09:57:35 -04:00
Chris PeBenito
95248e4919 Module version bump for cron_admin for sysadm from Jason Zaman. 2015-07-17 08:56:43 -04:00
Jason Zaman
13cfdd788f add new cron_admin interface to sysadm 2015-07-17 08:13:43 -04:00
Chris PeBenito
d74c9bd6b8 Module version bumps for admin interfaces from Jason Zaman. 2015-07-14 11:18:35 -04:00
Jason Zaman
0023b30946 Introduce setrans_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman
e1f2a8b9d6 Introduce ipsec_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman
8bee8e80af Introduce lvm_admin interface 2015-07-14 11:04:44 -04:00
Chris PeBenito
11697e1a69 Update contrib. 2015-06-09 08:39:51 -04:00
Chris PeBenito
acabb517e6 Module version bump for admin interface changes from Jason Zaman. 2015-06-09 08:39:18 -04:00
Jason Zaman
9c49f9d7fa Add all the missing _admin interfaces to sysadm 
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.

The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
 2015-06-09 08:29:51 -04:00
Jason Zaman
43da2d2ad0 Introduce iptables_admin 2015-06-09 08:29:51 -04:00
Chris PeBenito
0a088aa8ac Module version bumps for further init_startstop_service() changes from Jason Zaman. 2015-05-27 14:50:45 -04:00
Jason Zaman
dd21231043 Add openrc support to init_startstop_service 
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
 2015-05-27 14:37:41 -04:00
Jason Zaman
45b281db62 postgresql: use init_startstop_service in _admin interface 
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
 2015-05-27 14:37:40 -04:00
Jason Zaman
a324fab096 logging: use init_startstop_service in _admin interface 
The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
 2015-05-27 14:37:40 -04:00
Chris PeBenito
bd994e2a58 Change CI tests to drop DIRECT_INITRC. 
This option is no longer common now that Red Hat and Debian are systemd,
and Gentoo never used it.
 2015-05-22 14:29:46 -04:00