Commit Graph

406 Commits

Author SHA1 Message Date
Kenton Groombridge
cec7f0d3e2 various: various userns capability permissions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
262cee592b container, gpg, userdom: allow container engines to execute gpg
Container engines need to be able to execute gpg in order to verify
container image signatures if they are signed.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
499b35eac9 various: remove various mcs ranged transitions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:28 -05:00
Chris PeBenito
78276fc43b Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00
Kenton Groombridge
64380b4d33 wine: fix roleattribute statement
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-16 12:11:59 -05:00
Chris PeBenito
47a229198d various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-14 18:57:40 -05:00
Kenton Groombridge
c7e4c1da8c mpd, pulseaudio: split domtrans and client access
Split `pulseaudio_domtrans()` into two interfaces: one that grants
transition access and the other the `pulseaudio_client` attribute. This
fixes a build error because calls to `pulseaudio_domtrans()` by the role
would associate the client attribute with the user exec domain
attribute.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:08:42 -04:00
Kenton Groombridge
5a7837efd9 mono: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:08:42 -04:00
Kenton Groombridge
d675ea2aa0 wine: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:08:42 -04:00
Kenton Groombridge
b591857dcd cryfs, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
77ed833ba2 wm, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
7ba794a6a7 wireshark, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
92330a3119 vmware, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
6d9dd8d5dc userhelper, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
32acf9ccac uml, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
787cb62e75 tvtime, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
2efb746c67 thunderbird, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
04725f303b telepathy, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
0ac3f4ea2c rssh, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
0a78bb05eb pulseaudio, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
9554af912d openoffice, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
ffdbf9c86e mplayer, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
f5f0af2c24 mozilla, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
8bdab0397c libmtp, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
0f650e0dc5 java, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
b7980a45fc irc, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
56a50fb56c gpg, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
7cd14e0c49 gnome, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
d5246d98aa games, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
ab30d35882 evolution, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
4d7eb76fb9 chromium, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
99c2c94507 cdrecord, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
b90d40db67 xserver, roles, various: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Kenton Groombridge
dd7abf1f47 xscreensaver, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:33 -04:00
Kenton Groombridge
a3f02b2f6c syncthing, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:24 -04:00
Kenton Groombridge
150353158a screen, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:13 -04:00
Chris PeBenito
b19be25429 systemd, userdomain, wm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 13:55:26 -07:00
Chris PeBenito
938453ddb1 Merge pull request #381 from 0xC0ncord/bugfix/systemd-user-exec-apps
2021-09-14 13:23:23 -07:00
Kenton Groombridge
b91c6062ac wm: add user exec domain attribute to wm domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:48 -04:00
Chris PeBenito
4248e38824 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:53:44 -04:00
Chris PeBenito
322037695e wireshark: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:52:38 -04:00
Fabrice Fontaine
d5c571c855 policy/modules/apps/wireshark.te: make xdg optional
Make xdg optional to fix the following build failure:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/apps/wireshark.te:96:ERROR 'unknown type xdg_downloads_t' at token ';' on line 645315:
 #line 96
	allow wireshark_t xdg_downloads_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.31] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/dfbc667e0c17072ddab89a03244f572d5234da50

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-05 11:06:21 +02:00
Chris PeBenito
6c2f4bff7b Merge pull request #388 from maage/doc-style
style: policy: interfaces: doc: indent param blocks consistently
2021-07-06 09:37:44 -04:00
Chris PeBenito
f1084e0b3c Merge pull request #387 from maage/mixed-order
fix: Mixed order
2021-07-06 09:29:35 -04:00
Markus Linnala
9127219358 policy: interfaces: doc: indent param blocks consistently
There are more than 5000 parameter documentations. Only about 300 are
done differently. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00
Markus Linnala
af1ec6b172 policy seunshare: seunshare_role: parameters usage partially mixed
Documentation states 1st parameter is role and 2nd is domain.

So role clause should get role parameter
and seunshare_domtrans gets domain.

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:07:29 +03:00
Markus Linnala
214d49461a policy gpg: doc: add documents for all *filterans parameters
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
6c3cbdc16d policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param documentation
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
d949eb5d6e policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of role_prefix
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Christian Göttsche
6c5928d65a Use correct interface or template declaration
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.

Also declare templates not using those features and not calling
templates themselves as interfaces.

These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-05-13 17:22:59 +02:00