Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,3 +1,2 @@
|
|||||||
SOURCES/container-selinux.tgz
|
SOURCES/container-selinux.tgz
|
||||||
SOURCES/selinux-policy-contrib-aadacd8.tar.gz
|
SOURCES/selinux-policy-b98a9aa.tar.gz
|
||||||
SOURCES/selinux-policy-fa87f85.tar.gz
|
|
||||||
|
@ -1,3 +1,2 @@
|
|||||||
34a078fbec0190b407d64c1664aaa0887204ba2e SOURCES/container-selinux.tgz
|
83e255994e12003389147092377c0b3d5f51f7c3 SOURCES/container-selinux.tgz
|
||||||
470eeffd45f8dd003edb6ddbff4104e573b6c08d SOURCES/selinux-policy-contrib-aadacd8.tar.gz
|
045b58e800983c60b5994d3d765544ccfc787c6d SOURCES/selinux-policy-b98a9aa.tar.gz
|
||||||
91c17cd38073aba5562898449fe3b4f2bbffac8e SOURCES/selinux-policy-fa87f85.tar.gz
|
|
||||||
|
@ -12,7 +12,6 @@ pppd_can_insmod = false
|
|||||||
privoxy_connect_any = true
|
privoxy_connect_any = true
|
||||||
selinuxuser_direct_dri_enabled = true
|
selinuxuser_direct_dri_enabled = true
|
||||||
selinuxuser_execmem = true
|
selinuxuser_execmem = true
|
||||||
selinuxuser_execmod = true
|
|
||||||
selinuxuser_execstack = true
|
selinuxuser_execstack = true
|
||||||
selinuxuser_rw_noexattrfile=true
|
selinuxuser_rw_noexattrfile=true
|
||||||
selinuxuser_ping = true
|
selinuxuser_ping = true
|
||||||
@ -22,3 +21,4 @@ unconfined_chrome_sandbox_transition=true
|
|||||||
unconfined_mozilla_plugin_transition=true
|
unconfined_mozilla_plugin_transition=true
|
||||||
xguest_exec_content = true
|
xguest_exec_content = true
|
||||||
mozilla_plugin_can_network_connect = true
|
mozilla_plugin_can_network_connect = true
|
||||||
|
use_virtualbox = true
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
/run/lock /var/lock
|
/run/lock /var/lock
|
||||||
/run/systemd/system /usr/lib/systemd/system
|
/run/systemd/system /usr/lib/systemd/system
|
||||||
/run/systemd/generator /usr/lib/systemd/system
|
/run/systemd/generator /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.early /usr/lib/systemd/system
|
||||||
/run/systemd/generator.late /usr/lib/systemd/system
|
/run/systemd/generator.late /usr/lib/systemd/system
|
||||||
/lib /usr/lib
|
/lib /usr/lib
|
||||||
/lib64 /usr/lib
|
/lib64 /usr/lib
|
||||||
@ -12,9 +13,12 @@
|
|||||||
/var/lib/xguest/home /home
|
/var/lib/xguest/home /home
|
||||||
/var/named/chroot/usr/lib64 /usr/lib
|
/var/named/chroot/usr/lib64 /usr/lib
|
||||||
/var/named/chroot/lib64 /usr/lib
|
/var/named/chroot/lib64 /usr/lib
|
||||||
|
/var/named/chroot/var /var
|
||||||
/home-inst /home
|
/home-inst /home
|
||||||
/home/home-inst /home
|
/home/home-inst /home
|
||||||
/var/roothome /root
|
/var/roothome /root
|
||||||
/sbin /usr/sbin
|
/sbin /usr/sbin
|
||||||
/sysroot/tmp /tmp
|
/sysroot/tmp /tmp
|
||||||
/var/usrlocal /usr/local
|
/var/usrlocal /usr/local
|
||||||
|
/var/mnt /mnt
|
||||||
|
/bin /usr/bin
|
||||||
|
@ -691,6 +691,13 @@ logwatch = module
|
|||||||
#
|
#
|
||||||
lpd = module
|
lpd = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: lsm
|
||||||
|
#
|
||||||
|
# lsm policy
|
||||||
|
#
|
||||||
|
lsm = module
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: mailman
|
# Module: mailman
|
||||||
#
|
#
|
||||||
|
@ -391,10 +391,3 @@ udev = module
|
|||||||
# The unconfined domain.
|
# The unconfined domain.
|
||||||
#
|
#
|
||||||
unconfined = module
|
unconfined = module
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: kdbus
|
|
||||||
#
|
|
||||||
# Policy for kdbus.
|
|
||||||
#
|
|
||||||
kdbus = module
|
|
||||||
|
@ -292,13 +292,6 @@ cfengine = module
|
|||||||
#
|
#
|
||||||
cgroup = module
|
cgroup = module
|
||||||
|
|
||||||
# Layer: contrib
|
|
||||||
# Module: cgdcbxd
|
|
||||||
#
|
|
||||||
# cgdcbxd policy
|
|
||||||
#
|
|
||||||
cgdcbxd = module
|
|
||||||
|
|
||||||
# Layer: apps
|
# Layer: apps
|
||||||
# Module: chrome
|
# Module: chrome
|
||||||
#
|
#
|
||||||
@ -349,13 +342,6 @@ cmirrord = module
|
|||||||
#
|
#
|
||||||
cobbler = module
|
cobbler = module
|
||||||
|
|
||||||
# Layer: contrib
|
|
||||||
# Module: cockpit
|
|
||||||
#
|
|
||||||
# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
|
|
||||||
#
|
|
||||||
cockpit = module
|
|
||||||
|
|
||||||
# Layer: services
|
# Layer: services
|
||||||
# Module: collectd
|
# Module: collectd
|
||||||
#
|
#
|
||||||
@ -2005,7 +1991,7 @@ timidity = off
|
|||||||
tmpreaper = module
|
tmpreaper = module
|
||||||
|
|
||||||
# Layer: contrib
|
# Layer: contrib
|
||||||
# Module: tomcat
|
# Module: glusterd
|
||||||
#
|
#
|
||||||
# policy for tomcat service
|
# policy for tomcat service
|
||||||
#
|
#
|
||||||
@ -2657,9 +2643,107 @@ rrdcached = module
|
|||||||
#
|
#
|
||||||
stratisd = module
|
stratisd = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: ica
|
||||||
|
#
|
||||||
|
# ica
|
||||||
|
#
|
||||||
|
ica = module
|
||||||
|
|
||||||
# Layer: contrib
|
# Layer: contrib
|
||||||
# Module: insights_client
|
# Module: insights_client
|
||||||
#
|
#
|
||||||
# insights_client
|
# insights_client
|
||||||
#
|
#
|
||||||
insights_client = module
|
insights_client = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: stalld
|
||||||
|
#
|
||||||
|
# stalld
|
||||||
|
#
|
||||||
|
stalld = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: rhcd
|
||||||
|
#
|
||||||
|
# rhcd
|
||||||
|
#
|
||||||
|
rhcd = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: wireguard
|
||||||
|
#
|
||||||
|
# wireguard
|
||||||
|
#
|
||||||
|
wireguard = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: mptcpd
|
||||||
|
#
|
||||||
|
# mptcpd
|
||||||
|
#
|
||||||
|
mptcpd = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: rshim
|
||||||
|
#
|
||||||
|
# rshim
|
||||||
|
#
|
||||||
|
rshim = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: boothd
|
||||||
|
#
|
||||||
|
# boothd - Booth cluster ticket manager
|
||||||
|
#
|
||||||
|
boothd = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: fdo
|
||||||
|
#
|
||||||
|
# fdo - fido device onboard protocol for IoT devices
|
||||||
|
#
|
||||||
|
fdo = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: qatlib
|
||||||
|
#
|
||||||
|
# qatlib - Intel QuickAssist technology library and resources management
|
||||||
|
#
|
||||||
|
qatlib = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: nvme_stas
|
||||||
|
#
|
||||||
|
# nvme_stas
|
||||||
|
#
|
||||||
|
nvme_stas = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: coreos_installer
|
||||||
|
#
|
||||||
|
# coreos_installer
|
||||||
|
#
|
||||||
|
coreos_installer = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: afterburn
|
||||||
|
#
|
||||||
|
# afterburn
|
||||||
|
#
|
||||||
|
afterburn = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: sap_unconfined
|
||||||
|
#
|
||||||
|
# sap_unconfined
|
||||||
|
#
|
||||||
|
sap = module
|
||||||
|
|
||||||
|
# Layer: contrib
|
||||||
|
# Module: bootupd
|
||||||
|
#
|
||||||
|
# bootupd - bootloader update daemon
|
||||||
|
#
|
||||||
|
bootupd = module
|
||||||
|
@ -32,7 +32,6 @@
|
|||||||
# %selinux_requires
|
# %selinux_requires
|
||||||
%selinux_requires \
|
%selinux_requires \
|
||||||
Requires: selinux-policy >= %{_selinux_policy_version} \
|
Requires: selinux-policy >= %{_selinux_policy_version} \
|
||||||
BuildRequires: git \
|
|
||||||
BuildRequires: pkgconfig(systemd) \
|
BuildRequires: pkgconfig(systemd) \
|
||||||
BuildRequires: selinux-policy \
|
BuildRequires: selinux-policy \
|
||||||
BuildRequires: selinux-policy-devel \
|
BuildRequires: selinux-policy-devel \
|
||||||
@ -48,20 +47,24 @@ Requires(post): policycoreutils-python \
|
|||||||
|
|
||||||
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
|
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||||
%selinux_modules_install("s:p:") \
|
%selinux_modules_install("s:p:") \
|
||||||
. /etc/selinux/config \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
fi \
|
||||||
_policytype=%{-s*} \
|
_policytype=%{-s*} \
|
||||||
if [ -z "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
_policytype="targeted" \
|
_policytype="targeted" \
|
||||||
fi \
|
fi \
|
||||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
|
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
|
||||||
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||||
fi \
|
fi \
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
|
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||||
%selinux_modules_uninstall("s:p:") \
|
%selinux_modules_uninstall("s:p:") \
|
||||||
. /etc/selinux/config \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
fi \
|
||||||
_policytype=%{-s*} \
|
_policytype=%{-s*} \
|
||||||
if [ -z "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
_policytype="targeted" \
|
_policytype="targeted" \
|
||||||
@ -76,20 +79,26 @@ fi \
|
|||||||
|
|
||||||
# %selinux_relabel_pre [-s <policytype>]
|
# %selinux_relabel_pre [-s <policytype>]
|
||||||
%selinux_relabel_pre("s:") \
|
%selinux_relabel_pre("s:") \
|
||||||
. /etc/selinux/config \
|
if %{_sbindir}/selinuxenabled; then \
|
||||||
_policytype=%{-s*} \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
if [ -z "${_policytype}" ]; then \
|
. /etc/selinux/config \
|
||||||
_policytype="targeted" \
|
fi \
|
||||||
fi \
|
_policytype=%{-s*} \
|
||||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
|
||||||
|
fi \
|
||||||
fi \
|
fi \
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
|
|
||||||
# %selinux_relabel_post [-s <policytype>]
|
# %selinux_relabel_post [-s <policytype>]
|
||||||
%selinux_relabel_post("s:") \
|
%selinux_relabel_post("s:") \
|
||||||
. /etc/selinux/config \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
fi \
|
||||||
_policytype=%{-s*} \
|
_policytype=%{-s*} \
|
||||||
if [ -z "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
_policytype="targeted" \
|
_policytype="targeted" \
|
||||||
@ -104,7 +113,9 @@ fi \
|
|||||||
|
|
||||||
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
|
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
|
||||||
%selinux_set_booleans("s:") \
|
%selinux_set_booleans("s:") \
|
||||||
. /etc/selinux/config \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
fi \
|
||||||
_policytype=%{-s*} \
|
_policytype=%{-s*} \
|
||||||
if [ -z "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
_policytype="targeted" \
|
_policytype="targeted" \
|
||||||
@ -143,7 +154,9 @@ fi \
|
|||||||
|
|
||||||
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
|
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
|
||||||
%selinux_unset_booleans("s:") \
|
%selinux_unset_booleans("s:") \
|
||||||
. /etc/selinux/config \
|
if [ -e /etc/selinux/config ]; then \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
fi \
|
||||||
_policytype=%{-s*} \
|
_policytype=%{-s*} \
|
||||||
if [ -z "${_policytype}" ]; then \
|
if [ -z "${_policytype}" ]; then \
|
||||||
_policytype="targeted" \
|
_policytype="targeted" \
|
||||||
|
15
SOURCES/selinux-check-proper-disable.service
Normal file
15
SOURCES/selinux-check-proper-disable.service
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Check that SELinux is not disabled the unsafe way
|
||||||
|
ConditionKernelCommandLine=!selinux=0
|
||||||
|
After=sysinit.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
EnvironmentFile=/etc/selinux/config
|
||||||
|
ExecCondition=test "$SELINUX" = disabled
|
||||||
|
ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
|
||||||
|
StandardOutput=journal+console
|
||||||
|
SyslogLevel=warning
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# permit any access to such users, then remove this entry.
|
# permit any access to such users, then remove this entry.
|
||||||
#
|
#
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# not in the sysadm_r.
|
# not in the sysadm_r.
|
||||||
#
|
#
|
||||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# permit any access to such users, then remove this entry.
|
# permit any access to such users, then remove this entry.
|
||||||
#
|
#
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# not in the sysadm_r.
|
# not in the sysadm_r.
|
||||||
#
|
#
|
||||||
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
|
gen_user(xguest_u, user, xguest_r, s0, s0)
|
||||||
|
@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# permit any access to such users, then remove this entry.
|
# permit any access to such users, then remove this entry.
|
||||||
#
|
#
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|||||||
# not in the sysadm_r.
|
# not in the sysadm_r.
|
||||||
#
|
#
|
||||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
|
gen_user(xguest_u, user, xguest_r, s0, s0)
|
||||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user