Kenton Groombridge
95dc0f0de3
udev: allow systemd-vconsole-setup to sys_tty_config
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
42d46c14bc
init, udev: various fixes for systemd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
dbecb3546d
systemd: add policy for systemd-sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
403c4c3470
systemd: allow systemd-resolved to manage its own sock files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
a838a88717
logging: allow auditd to getattr on audisp-remote binary
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
b3c1dba144
logging: allow auditd to use nsswitch
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
7b8c44ab9b
init, systemd: allow logind to watch utmp
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
2166acf355
init, mount: allow systemd to watch utab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
c56b78f0c8
mount: allow getattr on dos filesystems
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
1c552ec38f
bootloader, filesystem: various fixes for grub
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:13 -04:00
Kenton Groombridge
7f1a7b1cac
wireguard: allow running iptables
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
a1a9c33e88
iptables: allow reading initrc pipes
The systemd service calls a script which reads the saved rules from a
file piped to stdin.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
7ca9dcea1f
init: modify interface to allow reading all pipes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
c46bbef5f7
udev: various fixes
Mostly mdraid stuff and a few dontaudits.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
a6df5e653c
devicekit: allow devicekit_disk_t to setsched
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
342eefd3b0
ssh: allow ssh_keygen_t to read localization
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
497cb3ca2b
files, init, systemd: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:01 -04:00
Kenton Groombridge
dac8c8af27
devices, userdomain: dontaudit userdomain setattr on null device nodes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:43:54 -04:00
Kenton Groombridge
02b9bf0a1c
redis: allow reading net and vm overcommit sysctls
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:56 -04:00
Kenton Groombridge
9051a09617
spamassassin: allow rspamd to read network sysctls
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:55 -04:00
Kenton Groombridge
d91bef2d24
devices, userdomain: dontaudit userdomain setattr on null device nodes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:53 -04:00
Kenton Groombridge
f137b5cdcc
modutils: allow kmod to read src_t symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:51 -04:00
Kenton Groombridge
6371411e50
getty: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:49 -04:00
Kenton Groombridge
173d2a2bd0
rngd: allow reading sysfs
rngd tries to read the rng state at boot.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:47 -04:00
Kenton Groombridge
00e210d703
redis: allow reading certs
Required if redis is to be used with SSL/TLS
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:44 -04:00
Kenton Groombridge
fa5f878f13
usbguard: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:42 -04:00
Kenton Groombridge
45dd9358e5
fail2ban: allow reading vm overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:37 -04:00
Kenton Groombridge
372f9cc658
systemd, fail2ban: allow fail2ban to watch journal
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:27 -04:00
Chris PeBenito
3a22e9279c
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:17:54 -04:00
Chris PeBenito
93fda6e15d
Merge pull request #357 from 0xC0ncord/feature/systemd_user_service
2021-03-19 15:14:24 -04:00
Kenton Groombridge
cc8374fd24
various: systemd user fixes and additional support
This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-18 15:58:17 -04:00
Chris PeBenito
ab702bb825
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-17 11:16:40 -04:00
Chris PeBenito
4dba24e2ad
Merge pull request #356 from pebenito/drop-dead-modules2
2021-03-17 11:15:11 -04:00
Chris PeBenito
d84e0ee70f
selinux: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-12 09:57:36 -05:00
Chris PeBenito
8934069f82
Remove additional unused modules
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-07 09:29:34 -05:00
Chris PeBenito
3ab2274e3d
selinux: Add a secure_mode_setbool Boolean.
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.
This does not affect setenforce. Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-05 16:13:11 -05:00
Chris PeBenito
1167739da1
rpc: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-16 09:30:31 -05:00
Chris PeBenito
05c08f7b1f
rpc: Move lines.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-16 09:30:13 -05:00
Russell Coker
0a2e267937
blkmapd
Patch for the blkmapd daemon that's part of the NFS server.
I think this is ready for merging.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-16 09:24:55 -05:00
Chris PeBenito
3fa4315772
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-12 11:18:53 -05:00
Krzysztof Nowicki
6d0ade349e
Allow systemd-tmpfilesd to access nsswitch information
Fixes io.systemd.DynamicUser denials.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki
f70f84310a
Fix setting-up sandbox environment for systemd-networkd
Systemd starts networkd in a sandbox environment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki
014b2c41d2
Allow systemd-tmpfilesd to handle faillog directory
It is being created from a pam-provided tmpfiles.d config.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki
cfe0502ed2
Mark lvm_lock_t as systemd_tmpfilesd-managed
lvm2 installs a file into /usr/lib/tmpfiles.d/ to create
/run/lock/lvm so systemd-tmpfilesd needs the rights to create it.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki
017d9750a4
Allow systemd-tmpfilesd to set attributes of /var/lock
Fixes:
avc: denied { setattr } for pid= comm="systemd-tmpfile" name="lock"
dev="tmpfs" ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:19 +01:00
Krzysztof Nowicki
900a51f134
Allow systemd-tmpfilesd to relabel generic files inside /etc
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:52:01 +01:00
Krzysztof Nowicki
68e5f4d3f3
Enable factory directory support in systemd-tmpfilesd
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaviour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
b30437e487
When using systemd_tmpfilesd_managed also grant directory permissions
This allows systemd-tmpfilesd to create files inside directories
belonging to the subject domain.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
0111384000
Allow systemd-tmpfilesd to populate /var/lib/dbus
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
0aac6a3d3b
Fix systemd-journal-flush service
This service executes journalctl, which needs access to the journald
socket.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:51 +01:00