Fabrice Fontaine
d5c571c855
policy/modules/apps/wireshark.te: make xdg optional
Make xdg optional to fix the following build failure:
Compiling targeted policy.31
env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
policy/modules/apps/wireshark.te:96:ERROR 'unknown type xdg_downloads_t' at token ';' on line 645315:
#line 96
allow wireshark_t xdg_downloads_t:dir { getattr search open };
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:79: policy.31] Error 1
Fixes:
- http://autobuild.buildroot.org/results/dfbc667e0c17072ddab89a03244f572d5234da50
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-05 11:06:21 +02:00
Chris PeBenito
e45d2fd1ef
cvs, ifplugd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-10 14:54:38 -04:00
Fabrice Fontaine
0dd9d69d92
policy/modules/services/ifplugd.te: make netutils optional
Make netutils optional to avoid the following build failure:
Compiling targeted policy.30
env LD_LIBRARY_PATH="/tmp/instance-3/output-1/host/lib:/tmp/instance-3/output-1/host/usr/lib" /tmp/instance-3/output-1/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
policy/modules/services/ifplugd.te:62:ERROR 'type netutils_exec_t is not within scope' at token ';' on line 73694:
#line 62
allow ifplugd_t netutils_exec_t:file { getattr open map read execute ioctl };
checkpolicy: error(s) encountered while parsing configuration
Fixes:
- http://autobuild.buildroot.org/results/1e27f5b193d40dfb7c73fbe15d1bef91cb92c27d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-09 22:51:46 +02:00
Fabrice Fontaine
db73b1dd90
policy/modules/services/cvs.te: make inetd optional
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-08-06 16:33:36 +02:00
Chris PeBenito
b09c03f7dd
ftp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-08-06 10:15:11 -04:00
Fabrice Fontaine
f26d4bc1b2
policy/modules/services/ftp.te: make ssh optional
Make ssh optional to avoid the following build failure:
Compiling targeted policy.30
env LD_LIBRARY_PATH="/home/fabrice/buildroot/output/host/lib:/home/fabrice/buildroot/output/host/usr/lib" /home/fabrice/buildroot/output/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
policy/modules/services/ftp.te:484:ERROR 'type ssh_home_t is not within scope' at token ';' on line 92051:
allow sftpd_t ssh_home_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 484
checkpolicy: error(s) encountered while parsing configuration
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 22:43:40 +02:00
Chris PeBenito
7f4ffffd71
minidlna: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-30 14:47:28 -04:00
Fabrice Fontaine
65c87bdfb1
policy/modules/services/minidlna.te: make xdg optional
Make xdg optional to avoid the following build failure:
Compiling targeted policy.28
env LD_LIBRARY_PATH="/home/buildroot/autobuild/instance-1/output-1/host/lib:/home/buildroot/autobuild/instance-1/output-1/host/usr/lib" /home/buildroot/autobuild/instance-1/output-1/host/usr/bin/checkpolicy -c 28 -U deny -S -O -E policy.conf -o policy.28
policy/modules/services/minidlna.te:85:ERROR 'unknown type xdg_music_t' at token ';' on line 146109:
#line 85
allow minidlna_t xdg_music_t:dir { getattr search open };
checkpolicy: error(s) encountered while parsing configuration
Rules.monolithic:78: recipe for target 'policy.28' failed
Fixes:
- http://autobuild.buildroot.org/results/52490172afd9b72b08a7deb0bd3c2124398bbffa/build-end.log
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-07-30 09:16:35 +02:00
Chris PeBenito
dde0d22c8b
virt: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:40 -04:00
Chris PeBenito
b4a9fe913a
virt: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-16 09:41:24 -04:00
Jonathan Davies
075785a94a
virt: Defined a virt_common_runtime_t type for the new common/system.token file and added permissions to virtd_t and virtlogd_t.
Modelled on: 1f761d0bbd
libvirt change introducing this: cbfebfc747
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-15 20:36:18 +01:00
Chris PeBenito
559551a003
dhcp, radvd, sysnetwork: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:36:17 -04:00
Chris PeBenito
99a8c23897
radvd: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-14 09:35:51 -04:00
Jonathan Davies
25d645144f
dhcp.te: Added corenet_sendrecv_icmp_packets().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-10 02:09:03 +01:00
Jonathan Davies
73885f2845
radvd.te: Added corenet_sendrecv_icmp_packets().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-10 02:08:35 +01:00
Jonathan Davies
5b6591a91a
sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()
DHCP client needs to handle ICMPv6 packets required for router solicitation
when combined with secmark.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-09 14:45:34 +01:00
Chris PeBenito
2c4ae75eb8
Merge pull request #384 from maage/missing-requires
cleanup: Missing requires
2021-07-08 09:46:43 -04:00
Chris PeBenito
19924201dc
dmesg, devices, sysadm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-07-08 09:45:15 -04:00
Chris PeBenito
c3a756d81f
Merge pull request #391 from jpds/xen-fixes
2021-07-08 09:44:31 -04:00
Markus Linnala
111a93eb03
policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Markus Linnala
7a85214310
policy:ssh: ssh_server_template: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Markus Linnala
59bce0d34c
policy: xserver: xserver_dbus_chat: fix require
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-07 14:00:55 +03:00
Jonathan Davies
27325c9beb
sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace tooling works.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:54:35 +01:00
Jonathan Davies
ccecf33e67
devices.fc: Added missing Xen character files.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:52:27 +01:00
Jonathan Davies
de8839aad2
dmesg.te: Added files_read_etc_files() as some distros store terminfo files in /etc/.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-07-06 15:48:28 +01:00
Chris PeBenito
6c2f4bff7b
Merge pull request #388 from maage/doc-style
style: policy: interfaces: doc: indent param blocks consistently
2021-07-06 09:37:44 -04:00
Chris PeBenito
f1084e0b3c
Merge pull request #387 from maage/mixed-order
fix: Mixed order
2021-07-06 09:29:35 -04:00
Chris PeBenito
55cc7b4652
Merge pull request #386 from maage/missing-params
cleanup: policy avahi: avahi_filetrans_pid: doc: add missing params
2021-07-06 09:28:23 -04:00
Chris PeBenito
d21ef64068
Merge pull request #385 from maage/interface-doc
cleanup: Interface docs
2021-07-06 09:26:03 -04:00
Markus Linnala
c373a63e48
policy avahi: avahi_filetrans_pid: doc: add missing params
Even if the interface is deprecated, still use all documented parameters.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-05 12:41:42 +03:00
Markus Linnala
9127219358
policy: interfaces: doc: indent param blocks consistently
There are more than 5000 parameter documentations. Only about 300 are
done differently. Change them to be consistently indented.
param with one space
and content inside with one tab
This was done with:
sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
s/^##[[:space:]]*/##\t/;
s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00
Markus Linnala
22a3272bfd
policy kismet: kismet_role: parameter order mixed in kismet_run
kismet_run parameters are domain, role
kismet_role parameters are role, domain
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:07:54 +03:00
Markus Linnala
af1ec6b172
policy seunshare: seunshare_role: parameters usage partially mixed
Documentation states 1st parameter is role and 2nd is domain.
So role clause should get role parameter
and seunshare_domtrans gets domain.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:07:29 +03:00
Markus Linnala
214d49461a
policy gpg: doc: add documents for all *filetrans parameters
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
6c3cbdc16d
policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param documentation
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
d949eb5d6e
policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of role_prefix
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:24 +03:00
Markus Linnala
f82742e09a
policy devices: dev_filetrans: doc: change param from file to file_type
Like other instances.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:53:19 +03:00
Markus Linnala
277046ecc6
policy: files: files_spool_filetrans: doc: change param from file to file_type
Like other instances.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:52:40 +03:00
Markus Linnala
0804193e01
policy: init: there is no enabled_mls, it is enable_mls
This will enable su_restricted_domain_template where it was meant to be
enabled before, but was not actually.
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 11:35:08 +03:00
Chris PeBenito
8dfa9e4fce
xserver: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:38:56 -04:00
Chris PeBenito
55df36bc2e
xserver: Move fc lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-06-28 08:37:51 -04:00
Andreas Freimuth
064e88aef5
Set user_fonts_config_t for conf.d
Signed-off-by: Andreas Freimuth <andreas.freimuth@frmth.de>
2021-06-26 12:31:36 +02:00
Andreas Freimuth
eba72de614
Prefer user_fonts_config_t over xdg_config_t
Signed-off-by: Andreas Freimuth <andreas.freimuth@frmth.de>
2021-06-26 12:31:36 +02:00
Chris PeBenito
ad7217f906
Merge pull request #375 from cgzones/infer
Use correct interface or template declaration
2021-06-03 09:13:05 -04:00
Chris PeBenito
c9913a0e8c
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-05-19 08:46:41 -04:00
Chris PeBenito
3fc11ce1e4
Merge pull request #376 from xwsong/ubifs-policy
2021-05-19 08:45:45 -04:00
Chris PeBenito
0ecd14f47a
staff, sysadm, unprivuser: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-05-19 08:45:36 -04:00
Xiongwei Song
9224d62dbd
Add ubifs to filesystem policy
The ubifs in the Linux kernel supported the security xattr handler as early
as version 3.19.0-rc6. Now add ubifs to the filesystem policy.
Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
2021-05-19 10:06:01 +08:00
Yi Zhao
7ee15a0681
roles: move dbus_role_template to userdom_common_user_template
After commit cc8374fd24 (various: systemd user fixes and additional
support), the dbus_role_template is required for all roles. Move it to
userdom_common_user_template.
Before the patch, if DISTRO=redhat is set:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user
After the patch:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-05-19 10:00:33 +08:00
Christian Göttsche
6c5928d65a
Use correct interface or template declaration
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.
Also declare templates not using those features and not calling
templates themselves as interfaces.
These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206 .
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-05-13 17:22:59 +02:00