Chris PeBenito
ff983a6239
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:26 -05:00
Chris PeBenito
255c5a4ccd
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:30:10 -05:00
Chris PeBenito
5ab1b2ee67
Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202
2021-02-02 14:28:42 -05:00
Chris PeBenito
6aaa8ee1c7
Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms
2021-02-02 14:28:40 -05:00
Chris PeBenito
8c042fb9be
systemd: Rename systemd_use_machined_devpts().
...
Renamed to systemd_use_inherited_machined_ptys().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:11:47 -05:00
Chris PeBenito
072f850e23
Merge pull request #348 from cgzones/monolithic
...
Improve monolithic policy build support
2021-02-02 14:10:44 -05:00
Chris PeBenito
e6fbff4948
systemd: Fix lint errors.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:02:49 -05:00
Chris PeBenito
4436cd0d6d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:58:24 -05:00
Chris PeBenito
a673712d8a
systemd: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:50:45 -05:00
Russell Coker
ab0367b4b6
machined
...
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:46:42 -05:00
Chris PeBenito
eae12d8418
apt, bootloader: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:32:42 -05:00
Russell Coker
8b4f1e3384
misc apps and admin patches
...
Send again without the section Dominick didn't like. I think it's ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:29:48 -05:00
Kenton Groombridge
edd4ba6f32
Various fixes
...
Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-02 10:52:59 -05:00
Chris PeBenito
cfb48c28d0
screen: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:55 -05:00
Chris PeBenito
460cd1a4b1
Merge pull request #346 from jpds/tmux-xdg-config
2021-02-02 08:47:31 -05:00
Chris PeBenito
aa35a710a5
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:00 -05:00
Chris PeBenito
9e195ea6ae
dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
...
Rename interfaces from a7f3fdabad.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:46:41 -05:00
Russell Coker
a7f3fdabad
new version of filetrans patch
...
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 08:31:14 -05:00
Jonathan Davies
9ec80c1b2f
apps/screen.te: Allow screen to search xdg directories.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-02-01 21:42:12 +00:00
Chris PeBenito
e7065e2442
certbot: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-01 15:56:31 -05:00
Chris PeBenito
16ede470f6
Merge pull request #347 from 0xC0ncord/feature/acme-sh_certbot
2021-02-01 15:56:03 -05:00
Kenton Groombridge
ed5d860a8c
lvm: add lvm_tmpfs_t type and rules
...
cryptsetup uses tmpfs when performing some operations on encrypted
volumes such as changing keys.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:46:24 -05:00
Kenton Groombridge
3ce27e68d9
certbot: add support for acme.sh
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:29:24 -05:00
Christian Göttsche
ad74df28e7
Rules.monolithic: add missing phony declarations
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:09:27 +01:00
Christian Göttsche
511f3b57f3
Rules.monolithic: drop dead variable
...
USEPWD is nowhere declared or documented.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:08:54 +01:00
Christian Göttsche
de6cdd96c6
Rules.monolithic: tweak checkpolicy arguments
...
- enable optimizations (3.0 071247e8f4)
- fail on warnings (3.1 62a91d7d71)
- sort ocontexts (2.9 9077c5c056)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:07:40 +01:00
Christian Göttsche
991d597199
Rules.monolithic: do not suppress load_policy warning messages
...
Also do not supply the policy path, it is ignored since at least 2008
(13cd4c8960).
/usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:05:19 +01:00
Christian Göttsche
2d9e297f22
Preset OUTPUT_POLICY to 32
...
32 is the policy version of the latest SELinux userland release, 3.1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
be0f5f0d68
gitignore: ignore monolithic generated files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
02f1c1c06b
Rules.monolithic: ignore version mismatch
...
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche
627a453910
genhomedircon: improve error messages for min uid search
...
Only grep if the files exist.
grep returns 1 on no match, check against 1 instead of 256.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
27e3099f40
genhomedircon: misc pylint cleanup
...
support/genhomedircon.py:297:5: R1714: Consider merging these comparisons with "in" to "o in ('--type', '-t')" (consider-using-in)
support/genhomedircon.py:299:5: R1714: Consider merging these comparisons with "in" to "o in ('--nopasswd', '-n')" (consider-using-in)
support/genhomedircon.py:301:5: R1714: Consider merging these comparisons with "in" to "o in ('--dir', '-d')" (consider-using-in)
support/genhomedircon.py:238:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:207:11: C0201: Consider iterating the dictionary directly instead of calling .keys() (consider-iterating-dictionary)
support/genhomedircon.py:146:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:144:1: R1710: Either all return statements in a function should return an expression, or none of them should. (inconsistent-return-statements)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
9e48ce1f2e
genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
...
Generate substituted file contexts for templated paths containing
%{USERNAME} or %{USERID}, like semodule's genhomedircon.
Example:
/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_t,s0)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:53:33 +01:00
Christian Göttsche
cf8f7bbea7
genhomedircon: drop unused functions
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:21 +01:00
Christian Göttsche
806a0d12f8
genhomedircon: require match for home directory name
...
Use regular expression '/[^/]+' instead of '/[^/]*', like semodule's
genhomedircon.
Generates file contexts like '/home/[^/]+/dead\.letter'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:18 +01:00
Christian Göttsche
577373f0db
genhomedircon: drop backwards compatibility section
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-01-31 21:50:11 +01:00
Jonathan Davies
2bdfc5c742
apps/screen.fc: Added fcontext for tmux xdg directory.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-01-29 14:56:29 +00:00
Chris PeBenito
072c0a9458
userdomain, gpg: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-29 08:35:12 -05:00
Chris PeBenito
2d51dad467
Merge pull request #344 from dsugar100/master
2021-01-29 08:34:49 -05:00
Chris PeBenito
0ce90920ad
Merge pull request #343 from 0xC0ncord/bugfix/systemd_system_custom_unit_fc
...
init: label systemd units in /etc
2021-01-29 08:25:43 -05:00
Dave Sugar
09bd4af708
Work with xdg module disabled
...
These two cases I see when building on a system without a graphical interface.
Move userdom_xdg_user_template into optional block
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2021-01-28 18:13:33 -05:00
Kenton Groombridge
38a7334fa7
init: label systemd units in /etc
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-28 16:00:05 -05:00
Chris PeBenito
3d8e755d85
pacemaker: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 15:28:06 -05:00
Chris PeBenito
9a40ead091
Merge pull request #341 from dsugar100/master
2021-01-28 15:27:53 -05:00
Chris PeBenito
bc746ff391
sudo, spamassassin: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 15:27:03 -05:00
Chris PeBenito
2e6d7b8cb9
Merge pull request #339 from 0xC0ncord/feature/sudodomain_http_connect_boolean
2021-01-28 15:24:38 -05:00
Chris PeBenito
733e8519cc
Merge pull request #336 from 0xC0ncord/feature/rspamd_extra_rules
2021-01-28 15:24:34 -05:00
Dave Sugar
f6987e9d82
pcs_snmpd_agent_t fix denials to allow it to read needed queues
...
Jan 27 18:16:51 audispd: node=virtual type=AVC msg=audit(1611771411.553:9337): avc: denied { search } for pid=13880 comm="cibadmin" name="qb-6671-13880-13-bRhDEX" dev="tmpfs" ino=88809 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=dir permissive=0
Jan 27 19:53:46 audispd: node=virtual type=AVC msg=audit(1611777226.144:25975): avc: denied { getattr } for pid=29489 comm="systemctl" name="/" dev="tmpfs" ino=14072 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2021-01-28 15:20:20 -05:00
Kenton Groombridge
95dd9ebf61
sudo: add tunable for HTTP connections
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-28 15:11:19 -05:00
Chris PeBenito
98681ea89e
samba: Fix lint error.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-28 14:57:19 -05:00