Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

13 changed files with 2004 additions and 15593 deletions

3
.gitignore vendored
View File

@ -1,3 +1,2 @@
SOURCES/container-selinux.tgz SOURCES/container-selinux.tgz
SOURCES/selinux-policy-contrib-aadacd8.tar.gz SOURCES/selinux-policy-b98a9aa.tar.gz
SOURCES/selinux-policy-fa87f85.tar.gz

View File

@ -1,3 +1,2 @@
34a078fbec0190b407d64c1664aaa0887204ba2e SOURCES/container-selinux.tgz 83e255994e12003389147092377c0b3d5f51f7c3 SOURCES/container-selinux.tgz
470eeffd45f8dd003edb6ddbff4104e573b6c08d SOURCES/selinux-policy-contrib-aadacd8.tar.gz 045b58e800983c60b5994d3d765544ccfc787c6d SOURCES/selinux-policy-b98a9aa.tar.gz
91c17cd38073aba5562898449fe3b4f2bbffac8e SOURCES/selinux-policy-fa87f85.tar.gz

View File

@ -12,7 +12,6 @@ pppd_can_insmod = false
privoxy_connect_any = true privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true selinuxuser_direct_dri_enabled = true
selinuxuser_execmem = true selinuxuser_execmem = true
selinuxuser_execmod = true
selinuxuser_execstack = true selinuxuser_execstack = true
selinuxuser_rw_noexattrfile=true selinuxuser_rw_noexattrfile=true
selinuxuser_ping = true selinuxuser_ping = true
@ -22,3 +21,4 @@ unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true unconfined_mozilla_plugin_transition=true
xguest_exec_content = true xguest_exec_content = true
mozilla_plugin_can_network_connect = true mozilla_plugin_can_network_connect = true
use_virtualbox = true

View File

@ -2,6 +2,7 @@
/run/lock /var/lock /run/lock /var/lock
/run/systemd/system /usr/lib/systemd/system /run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system /run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system /run/systemd/generator.late /usr/lib/systemd/system
/lib /usr/lib /lib /usr/lib
/lib64 /usr/lib /lib64 /usr/lib
@ -12,9 +13,12 @@
/var/lib/xguest/home /home /var/lib/xguest/home /home
/var/named/chroot/usr/lib64 /usr/lib /var/named/chroot/usr/lib64 /usr/lib
/var/named/chroot/lib64 /usr/lib /var/named/chroot/lib64 /usr/lib
/var/named/chroot/var /var
/home-inst /home /home-inst /home
/home/home-inst /home /home/home-inst /home
/var/roothome /root /var/roothome /root
/sbin /usr/sbin /sbin /usr/sbin
/sysroot/tmp /tmp /sysroot/tmp /tmp
/var/usrlocal /usr/local /var/usrlocal /usr/local
/var/mnt /mnt
/bin /usr/bin

View File

@ -691,6 +691,13 @@ logwatch = module
# #
lpd = module lpd = module
# Layer: services
# Module: lsm
#
# lsm policy
#
lsm = module
# Layer: services # Layer: services
# Module: mailman # Module: mailman
# #

View File

@ -391,10 +391,3 @@ udev = module
# The unconfined domain. # The unconfined domain.
# #
unconfined = module unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module

View File

@ -292,13 +292,6 @@ cfengine = module
# #
cgroup = module cgroup = module
# Layer: contrib
# Module: cgdcbxd
#
# cgdcbxd policy
#
cgdcbxd = module
# Layer: apps # Layer: apps
# Module: chrome # Module: chrome
# #
@ -349,13 +342,6 @@ cmirrord = module
# #
cobbler = module cobbler = module
# Layer: contrib
# Module: cockpit
#
# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
#
cockpit = module
# Layer: services # Layer: services
# Module: collectd # Module: collectd
# #
@ -2005,7 +1991,7 @@ timidity = off
tmpreaper = module tmpreaper = module
# Layer: contrib # Layer: contrib
# Module: tomcat # Module: glusterd
# #
# policy for tomcat service # policy for tomcat service
# #
@ -2657,9 +2643,107 @@ rrdcached = module
# #
stratisd = module stratisd = module
# Layer: contrib
# Module: ica
#
# ica
#
ica = module
# Layer: contrib # Layer: contrib
# Module: insights_client # Module: insights_client
# #
# insights_client # insights_client
# #
insights_client = module insights_client = module
# Layer: contrib
# Module: stalld
#
# stalld
#
stalld = module
# Layer: contrib
# Module: rhcd
#
# rhcd
#
rhcd = module
# Layer: contrib
# Module: wireguard
#
# wireguard
#
wireguard = module
# Layer: contrib
# Module: mptcpd
#
# mptcpd
#
mptcpd = module
# Layer: contrib
# Module: rshim
#
# rshim
#
rshim = module
# Layer: contrib
# Module: boothd
#
# boothd - Booth cluster ticket manager
#
boothd = module
# Layer: contrib
# Module: fdo
#
# fdo - fido device onboard protocol for IoT devices
#
fdo = module
# Layer: contrib
# Module: qatlib
#
# qatlib - Intel QuickAssist technology library and resources management
#
qatlib = module
# Layer: contrib
# Module: nvme_stas
#
# nvme_stas
#
nvme_stas = module
# Layer: contrib
# Module: coreos_installer
#
# coreos_installer
#
coreos_installer = module
# Layer: contrib
# Module: afterburn
#
# afterburn
#
afterburn = module
# Layer: contrib
# Module: sap_unconfined
#
# sap_unconfined
#
sap = module
# Layer: contrib
# Module: bootupd
#
# bootupd - bootloader update daemon
#
bootupd = module

View File

@ -32,7 +32,6 @@
# %selinux_requires # %selinux_requires
%selinux_requires \ %selinux_requires \
Requires: selinux-policy >= %{_selinux_policy_version} \ Requires: selinux-policy >= %{_selinux_policy_version} \
BuildRequires: git \
BuildRequires: pkgconfig(systemd) \ BuildRequires: pkgconfig(systemd) \
BuildRequires: selinux-policy \ BuildRequires: selinux-policy \
BuildRequires: selinux-policy-devel \ BuildRequires: selinux-policy-devel \
@ -48,20 +47,24 @@ Requires(post): policycoreutils-python \
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]... # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \ %selinux_modules_install("s:p:") \
. /etc/selinux/config \ if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
fi \ fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
fi \ fi \
%{nil} %{nil}
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]... # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_uninstall("s:p:") \ %selinux_modules_uninstall("s:p:") \
. /etc/selinux/config \ if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
@ -76,20 +79,26 @@ fi \
# %selinux_relabel_pre [-s <policytype>] # %selinux_relabel_pre [-s <policytype>]
%selinux_relabel_pre("s:") \ %selinux_relabel_pre("s:") \
. /etc/selinux/config \ if %{_sbindir}/selinuxenabled; then \
_policytype=%{-s*} \ if [ -e /etc/selinux/config ]; then \
if [ -z "${_policytype}" ]; then \ . /etc/selinux/config \
_policytype="targeted" \ fi \
fi \ _policytype=%{-s*} \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \ _policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
fi \ fi \
%{nil} %{nil}
# %selinux_relabel_post [-s <policytype>] # %selinux_relabel_post [-s <policytype>]
%selinux_relabel_post("s:") \ %selinux_relabel_post("s:") \
. /etc/selinux/config \ if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
@ -104,7 +113,9 @@ fi \
# %selinux_set_booleans [-s <policytype>] boolean [boolean]... # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
%selinux_set_booleans("s:") \ %selinux_set_booleans("s:") \
. /etc/selinux/config \ if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
@ -143,7 +154,9 @@ fi \
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]... # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
%selinux_unset_booleans("s:") \ %selinux_unset_booleans("s:") \
. /etc/selinux/config \ if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \

View File

@ -0,0 +1,15 @@
[Unit]
Description=Check that SELinux is not disabled the unsafe way
ConditionKernelCommandLine=!selinux=0
After=sysinit.target
[Service]
Type=oneshot
EnvironmentFile=/etc/selinux/config
ExecCondition=test "$SELINUX" = disabled
ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
StandardOutput=journal+console
SyslogLevel=warning
[Install]
WantedBy=multi-user.target

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

File diff suppressed because it is too large Load Diff