rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
SELinux policy configuration
6,077 Commits 8 Branches 90 Tags 36 MiB
Shell 100%
Go to file
Zdenek Pytela 8263376e4d * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1 
- Don't make kernel_t an unconfined domain
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
- Allow kernel_t to execute systemctl to do a poweroff/reboot
- Grant basic permissions to the domain created by systemd_systemctl_domain()
- Allow kernel_t to request module loading
- Allow kernel_t to do compute_create
- Allow kernel_t to manage perf events
- Grant almost all capabilities to kernel_t
- Allow kernel_t to fully manage all devices
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
- Allow pulseaudio to write to session_dbusd tmp socket files
- Allow systemd and unconfined_domain_type create user_namespace
- Add the user_namespace security class
- Reuse tmpfs_t also for the ramfs filesystem
- Label udf tools with fsadm_exec_t
- Allow networkmanager_dispatcher_plugin work with nscd
- Watch_sb all file type directories.
- Allow spamc read hardware state information files
- Allow sysadm read ipmi devices
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
- Allow insights client read raw memory devices
- Allow the spamd_update_t domain get generic filesystem attributes
- Dontaudit systemd-gpt-generator the sys_admin capability
- Allow ipsec_t only read tpm devices
- Allow cups-pdf connect to the system log service
- Allow postfix/smtpd read kerberos key table
- Allow syslogd read network sysctls
- Allow cdcc mmap dcc-client-map files
- Add watch and watch_sb dosfs interface
 		2022-12-06 19:21:23 +01:00
tests test-reboot.yml: test.log is mandatory, improve results format 2020-08-27 07:49:02 +02:00
.gitignore Clean up .gitignore 2020-11-03 12:25:19 +01:00
COPYING remove extra level of directory 2006-07-12 20:32:27 +00:00
Makefile.devel Hard code to MLSENABLED 2011-08-22 16:30:20 -04:00
README.md Fix typos and grammar in README 2020-12-02 09:41:43 +01:00
booleans-minimum.conf Remove ftp_home_dir boolean from distgit 2016-04-26 14:04:52 +02:00
booleans-mls.conf Make rawhide == f18 2012-12-17 17:21:00 +01:00
booleans-targeted.conf Change default value of use_virtualbox boolean 2019-09-16 16:08:14 +02:00
booleans.subs_dist subs virt_sandbox_use_nfs by virt_use_nfs 2016-07-16 17:52:41 +02:00
customizable_types * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221 2016-10-17 20:52:01 +02:00
file_contexts.subs_dist Add /var/mnt equivalency to /mnt 2021-01-22 10:32:59 +01:00
ifndefy.py Add a script for enclosing interfaces in ifndef statements 2022-06-29 18:34:21 +00:00
make-rhat-patches.sh Use the rawhide branch instead of master 2021-02-04 17:12:07 +01:00
modules-minimum.conf - More access needed for devicekit 2010-08-30 11:58:36 -04:00
modules-mls-base.conf Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
modules-mls-contrib.conf Make active lsm module in MLS policy 2019-04-05 11:03:51 +02:00
modules-targeted-base.conf * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 2020-08-03 13:25:54 +02:00
modules-targeted-contrib.conf * Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1 2022-11-21 17:04:56 +01:00
modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3 2021-08-27 11:50:45 +02:00
permissivedomains.cil Remove all domains from permissive domains, it looks these policies are tested already 2019-01-13 19:28:55 +01:00
rpm.macros Update rpm.macros file fomr the upstream repo 2019-11-05 17:50:20 +01:00
securetty_types-minimum - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-mls - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-targeted - Update to upstream 2010-03-18 15:47:35 +00:00
selinux-check-proper-disable.service Add a systemd service to check that SELinux is disabled properly 2021-06-22 09:38:56 +00:00
selinux-policy.conf We need to setcheckreqprot to 0 for security purposes 2015-04-16 14:00:38 -04:00
selinux-policy.spec * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1 2022-12-06 19:21:23 +01:00
setrans-minimum.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
setrans-mls.conf - Multiple policy fixes 2006-09-19 14:59:46 +00:00
setrans-targeted.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
sources * Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1 2022-12-06 19:21:23 +01:00
users-minimum Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-mls Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-targeted Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00

README.md

Purpose

SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.

Structure

GitHub

On GitHub, we have one repository containing the policy sources.

$ cd selinux-policy
$ git remote -v
origin	git@github.com:fedora-selinux/selinux-policy.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.

dist-git

Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.

Build process

  1. Clone the fedora-selinux/selinux-policy repository.

     $ cd ~/devel/github
 $ git clone git@github.com:fedora-selinux/selinux-policy.git
 $ cd selinux-policy

  2. Create, backport, or cherry-pick needed changes to a particular branch and push them.

  3. Clone the selinux-policy dist-git repository.

     $ cd ~/devel/dist-git
 $ fedpkg clone selinux-policy
 $ cd selinux-policy

  4. Download the latest snapshot from the selinux-policy GitHub repository.

     $ ./make-rhat-patches.sh

  5. Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.

  6. Build the package.

     $ fedpkg build