4d21d7d728
- Allow systemd nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t
Resolves: rhbz#2000039
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling
Resolves: rhbz#2000039
- Allow scripts to enter LUKS password
Resolves: rhbz#2048521
- Allow system_mail_t read inherited apache system content rw files
Resolves: rhbz#2049372
- Add apache_read_inherited_sys_content_rw_files() interface
Related: rhbz#2049372
- Allow sanlock get attributes of filesystems with extended attributes
Resolves: rhbz#2047811
- Associate stratisd_data_t with device filesystem
Resolves: rhbz#2039974
- Allow init read stratis data symlinks
Resolves: rhbz#2039974
- Label /run/stratisd with stratisd_var_run_t
Resolves: rhbz#2039974
- Allow domtrans to sssd_t and role access to sssd
Resolves: rhbz#2039757
- Creating interface sssd_run_sssd()
Resolves: rhbz#2039757
- Fix badly indented used interfaces
Resolves: rhbz#2039757
- Allow domain transition to sssd_t
Resolves: rhbz#2039757
- Label /dev/nvme-fabrics with fixed_disk_device_t
Resolves: rhbz#2039759
- Allow local_login_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Allow xdm_t nnp_transition to login_userdomain
Resolves: rhbz#2039453
- Make cupsd_lpd_t a daemon
Resolves: rhbz#2039449
- Label utilities for exFAT filesystems with fsadm_exec_t
Resolves: rhbz#1972225
- Dontaudit sfcbd sys_ptrace cap_userns
Resolves: rhbz#2040311
|
||
|---|---|---|
| tests | ||
| .gitignore | ||
| booleans-minimum.conf | ||
| booleans-mls.conf | ||
| booleans-targeted.conf | ||
| booleans.subs_dist | ||
| COPYING | ||
| customizable_types | ||
| file_contexts.subs_dist | ||
| gating.yaml | ||
| make-rhat-patches.sh | ||
| Makefile.devel | ||
| modules-minimum.conf | ||
| modules-mls-base.conf | ||
| modules-mls-contrib.conf | ||
| modules-targeted-base.conf | ||
| modules-targeted-contrib.conf | ||
| modules-targeted.conf | ||
| permissivedomains.cil | ||
| README.md | ||
| rpm.macros | ||
| securetty_types-minimum | ||
| securetty_types-mls | ||
| securetty_types-targeted | ||
| selinux-policy.conf | ||
| selinux-policy.spec | ||
| setrans-minimum.conf | ||
| setrans-mls.conf | ||
| setrans-targeted.conf | ||
| sources | ||
| users-minimum | ||
| users-mls | ||
| users-targeted | ||
Purpose
SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.
Structure
GitHub
On GitHub, we have one repository containing the policy sources.
$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.
dist-git
Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.
Build process
-
Clone the fedora-selinux/selinux-policy repository.
$ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy.git $ cd selinux-policy -
Create, backport, or cherry-pick needed changes to a particular branch and push them.
-
Clone the selinux-policy dist-git repository.
$ cd ~/devel/dist-git $ fedpkg clone selinux-policy $ cd selinux-policy -
Download the latest snapshot from the selinux-policy GitHub repository.
$ ./make-rhat-patches.sh -
Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.
-
Build the package.
$ fedpkg build