nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,964 Commits 1 Branch 0 Tags 16 MiB
9224d62dbd
Commit Graph

5964 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Xiongwei Song
9224d62dbd Add ubifs to filesystem policy 
The ubifs in linux kernel supported the security xattr handler as early
as version 3.19.0 -rc6. Now add ubifs to the filesystem policy.

Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
 2021-05-19 10:06:01 +08:00
Chris PeBenito
4412ad507c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-05-11 08:41:48 -04:00
Chris PeBenito
924e56c9e2 Merge pull request #373 from pebenito/systemd-tmpfiles-managed 2021-05-11 08:38:53 -04:00
Chris PeBenito
61bc896a67 Merge pull request #371 from pebenito/systemd-StandardInputText 2021-05-11 08:38:48 -04:00
Chris PeBenito
07dc9a3c80 Merge pull request #369 from jpds/irc-sock-and-screen-fixes 2021-05-11 08:38:37 -04:00
Jonathan Davies
5703b622cd irc.te: Allowed client access to screen runtime sock file. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:41 +01:00
Jonathan Davies
bad206ee3b screen.if: Added interface to allow executing sock file. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:41 +01:00
Jonathan Davies
508289a967 irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to 
connect to a SOCKS proxy.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2021-05-10 10:52:25 +01:00
Chris PeBenito
460d0eb5bd systemd: Drop second parameter in systemd_tmpfilesd_managed(). 
systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2021-05-07 13:43:31 -04:00
Chris PeBenito
f5d97c7eda Revert "systemd.if minor fix" 
This reverts commit bf6cc10e16.
 2021-05-07 13:39:26 -04:00
Chris PeBenito
0c5a622fea
Merge pull request #372 from dsugar100/master 
Minor Fixes
 2021-05-07 11:31:14 -04:00
Dave Sugar
d51d49eb92 Resolve when building monolithic on RHEL7 
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
	type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy:  error(s) encountered while parsing configuration
make: *** [policy.31] Error 1

This was introduced in cc8374fd24 but becuase
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2021-05-06 12:20:24 -04:00
Dave Sugar
bf6cc10e16 systemd.if minor fix 
I think this is interface not template no types are being defined.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2021-05-06 12:20:24 -04:00
Chris PeBenito
2d0cb88590 .gitignore: Remove duplicate lines. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2021-05-06 10:41:17 -04:00
Chris PeBenito
998d6a6fda .gitignore: Ignore vscode data dir. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2021-05-06 10:33:32 -04:00
Chris PeBenito
2e1c1c6240 init: Add support for systemd StandardInputText. 
This normally uses memfd which uses posix shm under the hood.
Additionally, a direct shm use is a fallback if memfd is not available.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2021-05-06 10:32:27 -04:00
Chris PeBenito
cd783138ac logging, secadm, staff, sysadm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-26 13:55:03 -04:00
Chris PeBenito
149ee62c7b Merge pull request #368 from jpds/admin-log-watch 2021-04-26 13:54:23 -04:00
Chris PeBenito
37d6892c94 Merge pull request #367 from jpds/staff-virt-stream-access 2021-04-26 13:54:19 -04:00
Jonathan Davies
431f03f3b9 roles: Added log watching permissions to secadm and sysadm. 
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-25 19:15:08 +01:00
Jonathan Davies
5873a528a9 logging.if: Added interfaces for watching all and audit logs. 
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-25 17:50:43 +01:00
Jonathan Davies
63eb925698 staff.te: Allow staff access to the virt stream, needed for when the 
sockets are access remotely over SSH.

Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
 2021-04-24 17:14:06 +01:00
Chris PeBenito
ffdefbeb62 authlogin, hadoop, pwauth: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:53:32 -04:00
Chris PeBenito
a5b41cbcf4 Merge pull request #364 from pebenito/refine-authlogin 2021-04-23 14:52:53 -04:00
Chris PeBenito
163c153c33 authlogin: Deprecate auth_domtrans_chk_passwd(). 
This is a duplicate interface.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-23 14:40:46 -04:00
Chris PeBenito
8407a5eafc stale.yml: Fix labels with spaces. 
However, a bug prevents this from working on PRs, see actions/stale#98.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-21 09:33:53 -04:00
Chris PeBenito
63270d2cd4
Create stale.yml 2021-04-20 11:02:35 -04:00
Chris PeBenito
3945473b5e authlogin: Remove redundant rule in auth_domtrans_chk_passwd(). 
This is provided by the auth_use_nsswitch() call.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:23 -04:00
Chris PeBenito
13a32a4616 authlogin: Add tunable for allowing shadow access on non-PAM systems. 
Fixes #342

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-20 10:36:07 -04:00
Chris PeBenito
ea9ce5970a various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-04-15 16:01:13 -04:00
Chris PeBenito
747b9eea23 Merge pull request #359 from 0xC0ncord/bugfix/various-20210309 2021-04-15 16:00:31 -04:00
Kenton Groombridge
cd340e1f6f bootloader, devices: dontaudit grub writing on legacy efi variables 
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-13 16:48:54 -04:00
Kenton Groombridge
8887862973 filesystem, init: allow systemd to create pstore dirs 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-12 16:33:55 -04:00
Kenton Groombridge
c0b1c7be66 init: allow systemd to rw shadow lock files 
This is in support of dynamic users.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:59 -04:00
Kenton Groombridge
26e9ec7c43 authlogin: add new type for pwd.lock and others 
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-09 16:42:53 -04:00
Kenton Groombridge
8eff2c5998 sysadm, systemd: various fixes 
Allow sysadm to communicate with logind over dbus and add missing rules
for systemd-logind.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
69b2259c7d various: several dontaudits 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
95dc0f0de3 udev: allow systemd-vconsole-setup to sys_tty_config 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
42d46c14bc init, udev: various fixes for systemd 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
dbecb3546d systemd: add policy for systemd-sysctl 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
403c4c3470 systemd: allow systemd-resolved to manage its own sock files 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
a838a88717 logging: allow auditd to getattr on audisp-remote binary 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
b3c1dba144 logging: allow auditd to use nsswitch 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
7b8c44ab9b init, systemd: allow logind to watch utmp 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
2166acf355 init, mount: allow systemd to watch utab 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
c56b78f0c8 mount: allow getattr on dos filesystems 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:17 -04:00
Kenton Groombridge
1c552ec38f bootloader, filesystem: various fixes for grub 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 10:35:13 -04:00
Kenton Groombridge
7f1a7b1cac wireguard: allow running iptables 
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
a1a9c33e88 iptables: allow reading initrc pipes 
The systemd service calls a script which reads the saved rules from a
file piped to stdin.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00
Kenton Groombridge
7ca9dcea1f init: modify interface to allow reading all pipes 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-04-08 09:56:04 -04:00