path: root/recipes-security/refpolicy/refpolicy_git.inc
Commit message | Author | Age | Files | Lines
* refpolicy: upgrade 20240226+git -> 20240916+git | Yi Zhao | 2024-10-09 | 1 | -2/+2

    ChangeLog: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916

    Notable Changes
      Added sechecker configuration for GitHub CI actions.
      Cleaned up concerning permissions uncovered by sechecker
      Removed extremely deprecated domains in cups (ptal) and xen (xend/xm)
      Systemd updates up to v256
      Various container fixes

    New Modules
      haproxy

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* refpolicy: update to latest git rev | Yi Zhao | 2024-09-24 | 1 | -1/+1

    * Update policy for systemd-v256
      c20cf2214 systemd: allow systemd-hostnamed to read vsock device
      4f3437040 systemd: fix policy for systemd-ssh-generator
      d852b7540 devices: add label vsock_device_t for /dev/vsock
      a4a7b830f systemd: add policy for systemd-nsresourced
      47081be47 systemd: allow system --user to create netlink_route_socket
      78cacc708 systemd: allow systemd-networkd to manage sock files under /run/systemd/netif
      29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/network
      22fd3ddad Allow interactive user terminal output for the NetLabel management tool.
      c1284c601 bluetooth: Move line.
      50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets by dbus and bluetooth contexts when Gatt notifications are turned on by remote.
      2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
      9ab94df30 container: allow reading generic certs
      7530dfa3c testing: add container_kvm_t to net admin exempt list
      47eced9be Makefile: drop duplicate quotes
      b0b0d52dd various: rules required for DV manipulation in kubevirt
      21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
      a9bd177bb iptables: allow reading container engine tmp files
      af0b40824 container: allow spc various rules for kubevirt
      d585f08c2 container, kubernetes: add supporting rules for kubevirt and multus
      9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
      d9ca32f5a container: allow super privileged containers to manage BPF dirs
      1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
      b9c8ba607 haproxy: allow interactive usage
      846804c58 podman: allow managing init runtime units
      8787b3d8d iptables: allow reading usr files

    * Drop obsolete patches:
      0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
      0039-policy-modules-system-authlogin-fix-login-errors-aft.patch

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* refpolicy: update to latest git rev | Yi Zhao | 2024-07-24 | 1 | -1/+1

    * a6cf20736 filesystem, devices: move gadgetfs to usbfs_t
    * 75492f95f systemd: make xdg optional
    * 097d688ff sshd: label sshd-session as sshd_exec_t
    * b57b6005c Setting bluetooth helper domain for bluetoothctl
    * 30f451d6a Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
    * 7037c341f systemd: allow logind to use locallogin pidfds
    * 5f7f494d1 userdomain: allow administrative user to get attributes of shadow history file
    * 0126cb1e6 node_exporter: allow reading RPC sysctls
    * 9c90f9f7d asterisk: allow reading certbot lib
    * bfcaec9ba postfix: allow postfix pipe to watch mail spool
    * 06a80c3d8 netutils: allow ping to read net sysctls
    * 2e0509c9e node_exporter: allow reading localization
    * 50a8cddd1 container: allow containers to execute tmpfs files
    * 09a747a16 sysadm: make haproxy admin
    * c8c3ae2cb haproxy: initial policy
    * 4e97f87ce init: use pidfds from local login
    * 7fd9032d8 dbus, init: add interface for pidfd usage
    * a6d6921a9 asterisk: allow watching spool dirs
    * 72c1d912f su, sudo: allow sudo to signal all su domains
    * 8b3178248 sudo: allow systemd-logind to read cgroup state of sudo
    * 871f0b0dd postfix: allow smtpd to mmap SASL keytab files
    * 578375480 sysnetwork: allow ifconfig to read usr files
    * 6916e9b20 systemd: allow systemd-logind to use sshd pidfds
    * 96ebb7c4e Reorder perms and classes
    * cb68df087 tests.yml: Add policy diff on PRs.
    * 99258825c tests.yml: Divide into reusable workflows.
    * 1e4b68930 Reorder perms and classes

    Drop 0002-refpolicy-minimum-make-xdg-module-optional.patch and
    0040-policy-modules-system-systemd-allow-systemd-logind-t.patch which
    have been merged upstream.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* refpolicy: update to latest git rev | Yi Zhao | 2024-07-23 | 1 | -1/+1

    * 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern
    * 1cbe455a5 device: Move dev_rw_uhid definition
    * 7a33b4bc8 Sepolicy changes for bluez to access uhid
    * c6dd4087d selinuxutil: make policykit optional
    * 10feb47e5 newrole: allow newrole to search faillock runtime directory
    * bf34d3e5e sysnetwork: fixes for dhcpcd
    * 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets
    * 27602a932 various: various fixes
    * 63d50bbaa container, crio, kubernetes: minor fixes
    * 11e729e27 container, podman: various fixes
    * ef5954a0e systemd: allow systemd-sysctl to search tmpfs
    * 472e0442e container: allow containers to getcap
    * 7876e5151 container: allow system container engines to mmap runtime files
    * d917092a8 matrixd: add tunable for binding to all unreserved ports
    * 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries
    * ddf395d5d asterisk: allow binding to all unreserved UDP ports
    * 3bad3696b postgres: add a standalone execmem tunable
    * ef28f7879 userdom: allow users to read user home dir symlinks
    * 03711caea dovecot: allow dovecot-auth to read SASL keytab
    * cd781e783 fail2ban: allow reading net sysctls
    * ddc6ac493 init: allow systemd to use sshd pidfds
    * b9c457d80 files context for merged-usr profile on gentoo
    * 5040dd3b6 Need map perm for cockpit 300.4
    * 2ef9838db tests.yml: Add sechecker testing
    * c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type
    * 1c694125b certbot: Drop execmem
    * 349411d55 xen: Drop xend/xm stack
    * 2a261f916 Allow systemd to pass down sig mask
    * 2577feb83 cups: Remove PTAL
    * 5b02b44e5 xen: Revoke kernel module loading permissions
    * 1c20c002c minissdpd: Revoke kernel module loading permissions
    * 5671390e2 docker: Fix dockerc typo in container_engine_executable_file
    * e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t
    * 0f71792c8 uml: Remove excessive access from user domains on uml_exec_t
    * 511223e2d Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate it (CRUD)
    * 72fc1b2a3 fix: minor correction in MCS_CATS range comment
    * cbf56c8ae systemd: allow notify client to stat socket

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* refpolicy: update to latest git rev | Yi Zhao | 2024-04-19 | 1 | -1/+1

    * 0aff1990e quote: read localization
    * ab13c0421 getty: grant checkpoint_restore
    * 3643773ae Update SOS report to work on RHEL9
    * 523b279bd Setup domain for dbus selinux interface

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
* refpolicy: upgrade 20231002+git -> 20240226+git | Yi Zhao | 2024-03-12 | 1 | -2/+2

    ChangeLog: https://github.com/SELinuxProject/refpolicy/blob/main/Changelog

    Notable Changes:
      Many systemd updates up to v255
      RPM and dnf fixes
      Tighten private key handling for Apache
      Many container and kubernetes improvements
      Add support for Cilium
      Update object class definitions up to io_uring:cmd
      Add additional rules to cloud-init based on sysadm_t

    * Update to latest git rev.
    * Refresh patches.
    * Add a patch to fix reboot timeout error.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: drop ${SRCPV} usage | Yi Zhao | 2024-02-28 | 1 | -1/+1

    Drop SRCPV as this variable is no longer needed in PV[1].

    [1] https://git.openembedded.org/openembedded-core/commit/?id=a8e7b0f932b9ea69b3a218fca18041676c65aba0

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: update to latest git rev | Yi Zhao | 2024-02-27 | 1 | -1/+1

    Update to latest rev to fix policy for systemd 255.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: update to latest git rev | Yi Zhao | 2023-12-14 | 1 | -1/+1

    * 82b4448e1 Additional file context fix for:
    * 65eed16b5 policy/modules/services/smartmon.te: make fstools optional
    * 2e27be3c5 Let the certmonger module manage SSL Private Keys and CSR used for example by the HTTP and/or Mail Transport daemons.
    * 912d3a687 Let the webadm role manage Private Keys and CSR for SSL Certificates used by the HTTP daemon.
    * 5c9038ec9 Create new TLS Private Keys file contexts for the Apache HTTP server according to the default locations:
    * b38583a79 The LDAP server only needs to read generic certificate files, not manage them.
    * 100a853c0 rpm: fixes for dnf
    * 8839a7137 Modify the gpg module so that gpg and the gpg_agent can manage gpg_runtime_t socket files.
    * 780adb80a Simple patch for Brother printer drivers as described in: https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: upgrade 20221101+git -> 20231002+git | Yi Zhao | 2023-10-12 | 1 | -3/+3

    * Switch branch to main.
    * Update to latest git rev.
    * Drop obsolete and useless patches.
    * Refresh patches.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: update to latest git rev | Yi Zhao | 2023-03-27 | 1 | -1/+1

    Drop 0003-refpolicy-minimum-make-dbus-module-optional.patch as the issue
    has been fixed upstream.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: upgrade 20210908+git -> 20221101+git [langdale] | Yi Zhao | 2022-11-23 | 1 | -2/+2

    * Update to latest git rev.
    * Drop obsolete and useless patches.
    * Rebase patches.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: upgrade 20210203+git -> 20210908+git | Yi Zhao | 2022-01-18 | 1 | -2/+2

    * Update to latest git rev.
    * Drop obsolete and useless patches.
    * Rebase patches.
    * Set POLICY_DISTRO from redhat to debian, which can reduce the amount
      of local patches.
    * Set max kernel policy version from 31 to 33.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* recipes: update SRC_URI branch and protocols | Yi Zhao | 2021-11-22 | 1 | -1/+1

    Update SRC_URIs using git to include branch=master if no branch is set
    and also to use protocol=https for github urls.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* meta-selinux: convert to new override syntax | Yi Zhao | 2021-08-04 | 1 | -1/+1

    This is the result of automated script conversion:

      poky/scripts/contrib/convert-overrides.py meta-selinux

    Converting the metadata to use ":" as the override character instead
    of "_".

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: upgrade 20200229+git -> 20210203+git | Yi Zhao | 2021-03-03 | 1 | -2/+2

    * Update to latest git rev.
    * Drop obsolete and unused patches.
    * Rebase patches.
    * Add patches to make systemd --user work.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: update to 20200229+git | Yi Zhao | 2020-07-14 | 1 | -3/+3

    * Drop obsolete and unused patches.
    * Rebase patches.
    * Add patches to make systemd and sysvinit work with all policy types.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: add UPSTREAM_CHECK_GITTAGREGEX | Yi Zhao | 2019-12-24 | 1 | -0/+2

    Add UPSTREAM_CHECK_GITTAGREGEX to make devtool check-upgrade-status work.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: update to 2.20190201 and git HEAD policies | Joe MacDonald | 2019-04-12 | 1 | -52/+3

    Additionally, the README has fallen out of date, update it to reflect
    the current reality of layer dependencies.

    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy: fix up all refpolicy 20170224 builds for current master | Joe MacDonald | 2018-10-30 | 1 | -2/+0

    Signed-off-by: Joe MacDonald <joe@deserted.net>
* refpolicy_git.inc: lock SRCREVs on the actual version hashes | Awais Belal | 2018-10-23 | 1 | -2/+2

    Using AUTOREV in the main repository has its downsides.

    1. The checked out version isn't actually the version depicted by PV.
    2. Breaks builds in scenarios where network isn't available or
       BB_NO_NETWORK is used even after sources are already fetched.

    1 is self explanatory, for 2 whenever SRCREV is set to AUTOREV and SRCPV
    is used in PV the fetcher tries to access the network in order to
    determine SRCPV (bb.fetch2.get_srcrev) and fails for obvious reasons
    during parsing even when versioned recipes are used as PREFERRED_VERSION
    because parsing still happens for recipes that are in BB's search paths
    and we see.

    Traceback (most recent call last):
    bb.data_smart.ExpansionError: Failure expanding variable SRCPV, expression was ${@bb.fetch2.get_srcrev(d)} which triggered exception NetworkAccess: Network access disabled through BB_NO_NETWORK (or set indirectly due to use of BB_FETCH_PREMIRRORONLY) but access requested with command git -c core.fsyncobjectfiles=0 ls-remote git://github.com/TresysTechnology/refpolicy.git (for url git://github.com/TresysTechnology/refpolicy.git)

    So we lock the REVs and do that with a soft assignment which allows
    overriding the REVs from elsewhere.

    Signed-off-by: Awais Belal <awais_belal@mentor.com>
    Signed-off-by: Joe MacDonald <joe@deserted.net>
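The two fetch-hygiene points made in this log, pinning SRCREV to a real commit instead of ${AUTOREV} (this commit) and fetching GitHub repositories with protocol=https and an explicit branch= (the 2021-11-22 "recipes: update SRC_URI branch and protocols" commit above), are easy to regress in a layer with many .inc files, so they are worth checking mechanically. The script below is an added example and not code from meta-selinux or from either commit. It constructs two small recipe fragments inline (the refpolicy-contrib URL and the 40-zero revision are placeholders, not real values) and audits them with plain grep and sh, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of meta-selinux: audit a BitBake recipe fragment for
# an SRCREV set to ${AUTOREV} (parse-time network access, unreproducible
# checkout) and for GitHub SRC_URI entries without protocol=https or branch=.

# Flag SRCREV assignments (=, ?= or ??=) whose value is not a full 40-hex
# commit id. SRCREV_FORMAT holds a list of names, not a revision, so skip it.
check_srcrev_pinned() {
    pin_rc=0
    if grep -Eq '^[[:space:]]*SRCREV[A-Za-z0-9_]*[[:space:]]*[?]?[?]?=.*AUTOREV' "$1"; then
        echo "$1: SRCREV uses \${AUTOREV}; bitbake must query the remote to expand SRCPV" >&2
        pin_rc=1
    fi
    if grep -E '^[[:space:]]*SRCREV[A-Za-z0-9_]*[[:space:]]*[?]?[?]?=' "$1" \
        | grep -Ev '^[[:space:]]*SRCREV_FORMAT' \
        | grep -Evq '"[0-9a-f]{40}"[[:space:]]*$'; then
        echo "$1: an SRCREV value is not a full 40-hex commit id" >&2
        pin_rc=1
    fi
    return $pin_rc
}

# Flag git fetch entries that use the unauthenticated git:// transport for
# GitHub or that leave the branch implicit. Each entry ends at whitespace or
# the closing quote, so multi-line SRC_URI values are handled.
check_src_uri() {
    uri_rc=0
    for uri in $(grep -oE 'git://[^[:space:]"]+' "$1"); do
        case $uri in
            *github.com*)
                case $uri in
                    *protocol=https*) ;;
                    *) echo "$1: $uri lacks protocol=https" >&2; uri_rc=1 ;;
                esac ;;
        esac
        case $uri in
            *branch=*) ;;
            *) echo "$1: $uri has no explicit branch=" >&2; uri_rc=1 ;;
        esac
    done
    return $uri_rc
}

# Run both checks; succeed only if both pass.
audit_recipe() {
    audit_rc=0
    check_srcrev_pinned "$1" || audit_rc=1
    check_src_uri "$1" || audit_rc=1
    return $audit_rc
}

# Constructed samples. The refpolicy URL is the one from the traceback above;
# the refpolicy-contrib URL is assumed and the 40-zero revision is a placeholder.
BAD_RECIPE=$(mktemp)
GOOD_RECIPE=$(mktemp)
trap 'rm -f "$BAD_RECIPE" "$GOOD_RECIPE"' EXIT
cat >"$BAD_RECIPE" <<'EOF'
SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;name=refpolicy \
           git://github.com/TresysTechnology/refpolicy-contrib.git;name=contrib"
SRCREV_FORMAT = "refpolicy_contrib"
SRCREV_refpolicy = "${AUTOREV}"
SRCREV_contrib = "${AUTOREV}"
PV = "2.20170224+git${SRCPV}"
EOF
cat >"$GOOD_RECIPE" <<'EOF'
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy"
SRCREV_FORMAT = "refpolicy"
SRCREV_refpolicy ?= "0000000000000000000000000000000000000000"
EOF

for f in "$GOOD_RECIPE" "$BAD_RECIPE"; do
    if audit_recipe "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

The good sample keeps the soft assignment (`?=`) the commit message describes, so a distro or local configuration can still override the revision, while the audit only insists that whatever value ends up in the recipe is a full commit id rather than a symbolic one. Point the functions at real files with `audit_recipe recipes-security/refpolicy/refpolicy_git.inc`.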
* refpolicy: Add '/bin/bash.bash', an update-alternative to the policy | Mark Hatle | 2017-09-14 | 1 | -0/+1

    Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* refpolicy-git: Update to latest git version | Mark Hatle | 2017-09-14 | 1 | -0/+2

    Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
* refpolicy-git: clean up fallout from stable uprev | Joe MacDonald | 2017-05-04 | 1 | -2/+0

    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: update git recipes | Joe MacDonald | 2017-05-03 | 1 | -1/+0

    The targeted, mls and minimum recipes had fallen far behind the upstream
    refpolicy repository. Refresh all patches and discard ones that are
    obviously no longer needed. This should not have any functional change
    on the policies.

    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy-git: Update patches | Joe MacDonald | 2017-01-06 | 1 | -3/+0

    A number of upstream changes caused patch conflicts or duplication in
    the final policy. Update the list of git patches appropriately.

    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy: SRCREV_FORMAT needed | Joe Slater | 2015-10-22 | 1 | -0/+1

    Signed-off-by: Joe Slater <jslater@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* refpolicy git: update refpolicy to git repository | Shrikant Bobade | 2015-08-07 | 1 | -0/+62

    A straight update from refpolicy 2.20140311 to refpolicy git repository
    for the core policy variants and forward-porting of policy patches as
    appropriate.

    This approach is useful for building refpolicy & refpolicy-contrib
    directly from the git repos, rather than release tarballs. It helps to
    check the refpolicy based on source commits by just updating the git
    repo rev. as appropriate in refpolicy_git.inc

    ref: https://github.com/TresysTechnology/refpolicy/wiki

    Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
A straight update from refpolicy 2.20140311 to refpolicy git repository for the core policy variants and forward-porting of policy patches as appropriate. This approach is useful for building refpolicy & refpolicy-contrib directly from the git repos, rather than release tarballs. It helps to check the refpolicy based on source commits by just updating the git repo rev. as appropriate in refpolicy_git.inc ref: https://github.com/TresysTechnology/refpolicy/wiki Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>