Jonathan Davies
63eb925698
staff.te: Allow staff access to the virt stream, needed for when the
sockets are accessed remotely over SSH.
Signed-off-by: Jonathan Davies <jd+github@upthedownstair.com>
2021-04-24 17:14:06 +01:00
Chris PeBenito
ffdefbeb62
authlogin, hadoop, pwauth: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-23 14:53:32 -04:00
Chris PeBenito
163c153c33
authlogin: Deprecate auth_domtrans_chk_passwd().
This is a duplicate interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-23 14:40:46 -04:00
Chris PeBenito
3945473b5e
authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
This is provided by the auth_use_nsswitch() call.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-20 10:36:23 -04:00
Chris PeBenito
13a32a4616
authlogin: Add tunable for allowing shadow access on non-PAM systems.
Fixes #342
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-20 10:36:07 -04:00
Chris PeBenito
ea9ce5970a
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-15 16:01:13 -04:00
Chris PeBenito
747b9eea23
Merge pull request #359 from 0xC0ncord/bugfix/various-20210309
2021-04-15 16:00:31 -04:00
Kenton Groombridge
cd340e1f6f
bootloader, devices: dontaudit grub writing on legacy efi variables
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-13 16:48:54 -04:00
Kenton Groombridge
8887862973
filesystem, init: allow systemd to create pstore dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-12 16:33:55 -04:00
Kenton Groombridge
c0b1c7be66
init: allow systemd to rw shadow lock files
This is in support of dynamic users.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-09 16:42:59 -04:00
Kenton Groombridge
26e9ec7c43
authlogin: add new type for pwd.lock and others
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-09 16:42:53 -04:00
Kenton Groombridge
8eff2c5998
sysadm, systemd: various fixes
Allow sysadm to communicate with logind over dbus and add missing rules
for systemd-logind.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
69b2259c7d
various: several dontaudits
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
95dc0f0de3
udev: allow systemd-vconsole-setup to sys_tty_config
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
42d46c14bc
init, udev: various fixes for systemd
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
dbecb3546d
systemd: add policy for systemd-sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
403c4c3470
systemd: allow systemd-resolved to manage its own sock files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
a838a88717
logging: allow auditd to getattr on audisp-remote binary
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
b3c1dba144
logging: allow auditd to use nsswitch
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
7b8c44ab9b
init, systemd: allow logind to watch utmp
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
2166acf355
init, mount: allow systemd to watch utab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
c56b78f0c8
mount: allow getattr on dos filesystems
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:17 -04:00
Kenton Groombridge
1c552ec38f
bootloader, filesystem: various fixes for grub
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 10:35:13 -04:00
Kenton Groombridge
7f1a7b1cac
wireguard: allow running iptables
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
a1a9c33e88
iptables: allow reading initrc pipes
The systemd service calls a script which reads the saved rules from a
file piped to stdin.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
7ca9dcea1f
init: modify interface to allow reading all pipes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
c46bbef5f7
udev: various fixes
Mostly mdraid stuff and a few dontaudits.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
a6df5e653c
devicekit: allow devicekit_disk_t to setsched
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
342eefd3b0
ssh: allow ssh_keygen_t to read localization
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:04 -04:00
Kenton Groombridge
497cb3ca2b
files, init, systemd: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:56:01 -04:00
Kenton Groombridge
dac8c8af27
devices, userdomain: dontaudit userdomain setattr on null device nodes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-08 09:43:54 -04:00
Kenton Groombridge
02b9bf0a1c
redis: allow reading net and vm overcommit sysctls
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:56 -04:00
Kenton Groombridge
9051a09617
spamassassin: allow rspamd to read network sysctls
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:55 -04:00
Kenton Groombridge
d91bef2d24
devices, userdomain: dontaudit userdomain setattr on null device nodes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:53 -04:00
Kenton Groombridge
f137b5cdcc
modutils: allow kmod to read src_t symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:51 -04:00
Kenton Groombridge
6371411e50
getty: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:49 -04:00
Kenton Groombridge
173d2a2bd0
rngd: allow reading sysfs
rngd tries to read the rng state at boot.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:47 -04:00
Kenton Groombridge
00e210d703
redis: allow reading certs
Required if redis is to be used with SSL/TLS
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:44 -04:00
Kenton Groombridge
fa5f878f13
usbguard: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:42 -04:00
Kenton Groombridge
45dd9358e5
fail2ban: allow reading vm overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:37 -04:00
Kenton Groombridge
372f9cc658
systemd, fail2ban: allow fail2ban to watch journal
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-27 19:53:27 -04:00
Chris PeBenito
4aa1562208
files, kernel, selinux: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-27 14:21:06 -04:00
Chris PeBenito
838c145fb9
kernel: Add dontaudits when secure_mode_insmod is enabled.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:50:59 -04:00
Chris PeBenito
3d0a6f966f
selinux: Add dontaudits when secure mode Booleans are enabled.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:50:59 -04:00
Chris PeBenito
b36334e937
selinux: Set regular file for labeled Booleans genfscons.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:50:59 -04:00
Chris PeBenito
9d57bf3a2e
selinux: Change generic Boolean type to boolean_t.
This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:50:25 -04:00
Chris PeBenito
3a22e9279c
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-19 15:17:54 -04:00
Chris PeBenito
93fda6e15d
Merge pull request #357 from 0xC0ncord/feature/systemd_user_service
2021-03-19 15:14:24 -04:00
Kenton Groombridge
cc8374fd24
various: systemd user fixes and additional support
This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-03-18 15:58:17 -04:00
Chris PeBenito
ab702bb825
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-17 11:16:40 -04:00
Chris PeBenito
4dba24e2ad
Merge pull request #356 from pebenito/drop-dead-modules2
2021-03-17 11:15:11 -04:00
Chris PeBenito
d84e0ee70f
selinux: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-12 09:57:36 -05:00
Chris PeBenito
8934069f82
Remove additional unused modules
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-07 09:29:34 -05:00
Chris PeBenito
3ab2274e3d
selinux: Add a secure_mode_setbool Boolean.
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.
This does not affect setenforce. Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-03-05 16:13:11 -05:00
Chris PeBenito
1167739da1
rpc: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-16 09:30:31 -05:00
Chris PeBenito
05c08f7b1f
rpc: Move lines.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-16 09:30:13 -05:00
Russell Coker
0a2e267937
blkmapd
Patch for the blkmapd daemon that's part of the NFS server.
I think this is ready for merging.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-16 09:24:55 -05:00
Chris PeBenito
3fa4315772
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-12 11:18:53 -05:00
Krzysztof Nowicki
6d0ade349e
Allow systemd-tmpfilesd to access nsswitch information
Fixes io.systemd.DynamicUser denials.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki
f70f84310a
Fix setting-up sandbox environment for systemd-networkd
Systemd starts networkd in a sandbox environment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki
014b2c41d2
Allow systemd-tmpfilesd to handle faillog directory
It is being created from a pam-provided tmpfiles.d config.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki
cfe0502ed2
Mark lvm_lock_t as systemd_tmpfilesd-managed
lvm2 installs a file into /usr/lib/tmpfiles.d/ to create
/run/lock/lvm so systemd-tmpfilesd needs the rights to create it.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki
017d9750a4
Allow systemd-tmpfilesd to set attributes of /var/lock
Fixes:
avc: denied { setattr } for pid= comm="systemd-tmpfile" name="lock"
dev="tmpfs" ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:19 +01:00
Krzysztof Nowicki
900a51f134
Allow systemd-tmpfilesd to relabel generic files inside /etc
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:52:01 +01:00
Krzysztof Nowicki
68e5f4d3f3
Enable factory directory support in systemd-tmpfilesd
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaviour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
b30437e487
When using systemd_tmpfilesd_managed also grant directory permissions
This allows systemd-tmpfilesd to create files inside directories
belonging to the subject domain.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
0111384000
Allow systemd-tmpfilesd populating of /var/lib/dbus
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki
0aac6a3d3b
Fix systemd-journal-flush service
This service executes journalctl, which needs access to the journald
socket.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:51 +01:00
Krzysztof Nowicki
364621e6ec
Allow use of systemd UNIX sockets created at initrd execution
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel security context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object all processes that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
tmp
2021-02-09 13:24:51 +01:00
Krzysztof Nowicki
2cd6ffb654
Also grant directory permissions in sysnet_manage_config
On systemd, systemd-networkd keeps its configuration in
/etc/systemd/network, where both files and directories are labelled as
net_conf_t. When granting network configuration management permissions
also include directory management rights when systemd is in use.
This fixes denials from udev trying to parse systemd network
configuration.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:50 +01:00
Krzysztof Nowicki
ba9fa00010
Allow execution of shell-scripted systemd generators
While systemd recommends to use native binaries as generators due to
performance reasons, there is nothing that really prevents them from
being shell scripts.
This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:50 +01:00
Krzysztof Nowicki
b9470d408a
Allow systemd to relabel startup-important directories
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:49 +01:00
Krzysztof Nowicki
5082648629
Fix interface naming convention (plural predicates)
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:43 +01:00
Chris PeBenito
bfa73f3c59
dovecot, postfix: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 13:05:46 -05:00
Chris PeBenito
a7ac056982
Merge pull request #351 from 0xC0ncord/feature/postfix_dovecot_backend
2021-02-03 13:05:27 -05:00
Kenton Groombridge
5b0eee1093
dovecot, postfix: add missing accesses
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-03 11:36:42 -05:00
Chris PeBenito
ff983a6239
Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:26 -05:00
Chris PeBenito
255c5a4ccd
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:30:10 -05:00
Chris PeBenito
5ab1b2ee67
Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202
2021-02-02 14:28:42 -05:00
Chris PeBenito
6aaa8ee1c7
Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms
2021-02-02 14:28:40 -05:00
Chris PeBenito
8c042fb9be
systemd: Rename systemd_use_machined_devpts().
Renamed to systemd_use_inherited_machined_ptys().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:11:47 -05:00
Chris PeBenito
e6fbff4948
systemd: Fix lint errors.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:02:49 -05:00
Chris PeBenito
4436cd0d6d
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:58:24 -05:00
Chris PeBenito
a673712d8a
systemd: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:50:45 -05:00
Russell Coker
ab0367b4b6
machined
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:46:42 -05:00
Chris PeBenito
eae12d8418
apt, bootloader: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:32:42 -05:00
Russell Coker
8b4f1e3384
misc apps and admin patches
Send again without the section Dominick didn't like. I think it's ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:29:48 -05:00
Kenton Groombridge
edd4ba6f32
Various fixes
Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-02 10:52:59 -05:00
Chris PeBenito
cfb48c28d0
screen: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:55 -05:00
Chris PeBenito
460cd1a4b1
Merge pull request #346 from jpds/tmux-xdg-config
2021-02-02 08:47:31 -05:00
Chris PeBenito
aa35a710a5
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:00 -05:00
Chris PeBenito
9e195ea6ae
dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
Rename interfaces from a7f3fdabad.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:46:41 -05:00
Russell Coker
a7f3fdabad
new version of filetrans patch
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 08:31:14 -05:00
Jonathan Davies
9ec80c1b2f
apps/screen.te: Allow screen to search xdg directories.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-02-01 21:42:12 +00:00
Chris PeBenito
e7065e2442
certbot: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-01 15:56:31 -05:00
Kenton Groombridge
ed5d860a8c
lvm: add lvm_tmpfs_t type and rules
cryptsetup uses tmpfs when performing some operations on encrypted
volumes such as changing keys.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:46:24 -05:00
Kenton Groombridge
3ce27e68d9
certbot: add support for acme.sh
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:29:24 -05:00
Jonathan Davies
2bdfc5c742
apps/screen.fc: Added fcontext for tmux xdg directory.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-01-29 14:56:29 +00:00
Chris PeBenito
072c0a9458
userdomain, gpg: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-29 08:35:12 -05:00
Dave Sugar
09bd4af708
Work with xdg module disabled
These two cases I see when building on a system without a graphical interface.
Move userdom_xdg_user_template into optional block
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2021-01-28 18:13:33 -05:00
Chris PeBenito
3d8e755d85
pacemaker: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 15:28:06 -05:00
Chris PeBenito
9a40ead091
Merge pull request #341 from dsugar100/master
2021-01-28 15:27:53 -05:00
Chris PeBenito
bc746ff391
sudo, spamassassin: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 15:27:03 -05:00
Chris PeBenito
2e6d7b8cb9
Merge pull request #339 from 0xC0ncord/feature/sudodomain_http_connect_boolean
2021-01-28 15:24:38 -05:00
Chris PeBenito
733e8519cc
Merge pull request #336 from 0xC0ncord/feature/rspamd_extra_rules
2021-01-28 15:24:34 -05:00
Dave Sugar
f6987e9d82
pcs_snmpd_agent_t fix denials to allow it to read needed queues
Jan 27 18:16:51 audispd: node=virtual type=AVC msg=audit(1611771411.553:9337): avc: denied { search } for pid=13880 comm="cibadmin" name="qb-6671-13880-13-bRhDEX" dev="tmpfs" ino=88809 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=dir permissive=0
Jan 27 19:53:46 audispd: node=virtual type=AVC msg=audit(1611777226.144:25975): avc: denied { getattr } for pid=29489 comm="systemctl" name="/" dev="tmpfs" ino=14072 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2021-01-28 15:20:20 -05:00
Kenton Groombridge
95dd9ebf61
sudo: add tunable for HTTP connections
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-28 15:11:19 -05:00
Chris PeBenito
98681ea89e
samba: Fix lint error.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:57:19 -05:00
Chris PeBenito
a404dc677e
aptcacher: Drop broken config interfaces.
The aptcacher_etc_t type does not exist in the policy. The block in cron
will never be enabled because of this, so drop that too.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:57:08 -05:00
Chris PeBenito
920ecf48ce
apache: Really fix lint error.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:34:02 -05:00
Chris PeBenito
cf91901018
apache: Fix lint error.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:29:26 -05:00
Chris PeBenito
744290159e
apache, fail2ban, stunnel: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:26:31 -05:00
Chris PeBenito
981e741a51
Merge pull request #337 from 0xC0ncord/bugfix/fail2ban_journald_map
2021-01-28 13:54:16 -05:00
Chris PeBenito
7bf7abd525
Merge pull request #340 from 0xC0ncord/feature/apache_list_dirs_interface
2021-01-28 13:51:17 -05:00
Chris PeBenito
63b25831a4
Merge pull request #338 from 0xC0ncord/feature/stunnel_logging_type
2021-01-28 13:50:46 -05:00
Chris PeBenito
a3e13450e2
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 11:39:49 -05:00
Chris PeBenito
09fd2a29cf
samba: Add missing userspace class requirements in unit interfaces.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 11:39:34 -05:00
Chris PeBenito
94e424aa9b
sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba block.
This moves the existing samba_manage_config(dhcpc_t) that is not tunable
into the tunable block.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 11:30:40 -05:00
Chris PeBenito
5d29c35b89
samba: Move service interface definitions.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 11:27:54 -05:00
Russell Coker
ac5b8737fd
misc network patches with Dominick's changes*2
I think this one is good for merging now.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-28 11:22:07 -05:00
Chris PeBenito
621baf7752
samba: Fix samba_runtime_t alias use.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 10:55:54 -05:00
Chris PeBenito
882633aa13
cron: Make backup call for system_cronjob_t optional.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 10:55:35 -05:00
Chris PeBenito
9f8164d35d
devicekit, jabber, samba: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 10:55:09 -05:00
Chris PeBenito
982cb068c2
apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 10:53:04 -05:00
Chris PeBenito
c4150cd0a5
file_patterns.spt: Add a mmap_manage_files_pattern().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 10:51:39 -05:00
Russell Coker
55c3c1dcaa
misc services patches with changes Dominick and Chris wanted
I think this one is ready to merge.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-28 10:06:16 -05:00
Kenton Groombridge
4e15f5dfe4
apache: add interface for list dir perms on httpd content
This is needed by some webservers such as nginx when autoindexing is
enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-27 15:41:16 -05:00
Kenton Groombridge
c8f723b96e
spamassassin: add rspamd support and tunable
Additional rules are required to enable rspamd support. This commit adds
file contexts for rspamd's files and adds a tunable that enables the
additional rules needed for rspamd to function.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-26 20:10:54 -05:00
Kenton Groombridge
8fc4aa59a9
fail2ban: allow reading systemd journal
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-26 18:19:20 -05:00
Kenton Groombridge
e34e339b96
stunnel: add log type and rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-26 18:05:56 -05:00
Chris PeBenito
c521270688
memlockd: Fix lint issue.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-25 10:29:42 -05:00
Chris PeBenito
87ffc9472a
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-25 09:48:59 -05:00
Chris PeBenito
9f98b92ee5
memlockd: Whitespace fixes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-25 09:46:20 -05:00
Chris PeBenito
157b7edcbb
memlockd: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-25 09:46:04 -05:00
Russell Coker
88c8189207
latest memlockd patch
Includes the ifndef(`distro_debian' section that was requested. Should be
ready for merging now.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-25 09:39:26 -05:00
Russell Coker
da9b6306ea
more Chrome stuff
Patches for some more Chrome stuff
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-25 09:36:56 -05:00
Russell Coker
eef53e3ddc
remove deprecated from 20190201
This patch removes every macro and interface that was deprecated in 20190201.
Some of them date back to 2016 or 2017. I chose 20190201 as that is the one
that is in the previous release of Debian. For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.
One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in its output. Removing some of these should reduce the
incidence of that.
I believe this is worthy of merging.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-25 08:59:34 -05:00
Chris PeBenito
221813c947
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-25 08:27:35 -05:00
Chris PeBenito
cb93093f4e
Merge pull request #335 from pebenito/drop-dead-modules
2021-01-25 08:22:09 -05:00
Chris PeBenito
ea6002ddf9
devices, virt: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 10:08:02 -05:00
Chris PeBenito
6c2432c8bc
Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable
2021-01-19 10:07:29 -05:00
Chris PeBenito
0179413fa3
certbot: Fix lint issues.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 10:01:27 -05:00
Chris PeBenito
0f6c861dfb
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:51:56 -05:00
Chris PeBenito
81b20d6b08
userdomain: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:24:14 -05:00
Russell Coker
c42c407bdc
yet more strict patches fixed
More little strict patches, much of which are needed for KDE.
With the lines that Chris didn't like removed.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-19 09:14:16 -05:00
Chris PeBenito
a686e854af
miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:02:13 -05:00
Chris PeBenito
0f02829c61
certbot: Reorder fc lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:57 -05:00
Chris PeBenito
fb95355f98
certbot: Drop aliases since they have never had the old names in refpolicy.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:40 -05:00
Chris PeBenito
3927e3ca50
certbot: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:09 -05:00
Russell Coker
08d32dbc2d
latest iteration of certbot policy as patch
Same .te as sent a few days ago, but as a patch and with the other
files needed. I think this is ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-19 08:49:30 -05:00