SELinux policy configuration
833e3136e5
- Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Add read interfaces for mysqld_log_t that was added in commit df832bf - Allow boltd_t to dbus chat with xdm_t - Conntrackd need to load kernel module to work - Allow mysqld sys_nice capability - Update boltd policy based on SELinux denials from rhbz#1607974 - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" - Add boolean: domain_can_mmap_files. - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev() |
||
---|---|---|
.gitignore | ||
booleans-minimum.conf | ||
booleans-mls.conf | ||
booleans-targeted.conf | ||
booleans.subs_dist | ||
COPYING | ||
customizable_types | ||
file_contexts.subs_dist | ||
make-rhat-patches.sh | ||
Makefile | ||
Makefile.devel | ||
modules-minimum.conf | ||
modules-mls-base.conf | ||
modules-mls-contrib.conf | ||
modules-targeted-base.conf | ||
modules-targeted-contrib.conf | ||
modules-targeted.conf | ||
permissivedomains.cil | ||
README | ||
rpm.macros | ||
securetty_types-minimum | ||
securetty_types-mls | ||
securetty_types-targeted | ||
selinux-factory-reset | ||
selinux-factory-reset@.service | ||
selinux-policy.conf | ||
selinux-policy.spec | ||
setrans-minimum.conf | ||
setrans-mls.conf | ||
setrans-targeted.conf | ||
seusers | ||
sources | ||
users-minimum | ||
users-mls | ||
users-targeted |
## Purpose SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy. ## Structure ### github On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository. $ cd selinux-policy $ git remote -v origin git@github.com:fedora-selinux/selinux-policy.git (fetch) $ git branch -r origin/HEAD -> origin/master origin/f27 origin/f28 origin/master origin/rawhide $ cd selinux-policy-contrib $ git remote -v origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch) $ git branch -r origin/HEAD -> origin/master origin/f27 origin/f28 origin/master origin/rawhide Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories. ### dist-git Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files. ## Build process 1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy.git $ cd selinux-policy 2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git $ cd selinux-policy-contrib 3. create, backport, cherry-pick needed changes to a particular branch and push them 4. clone **selinux-policy** dist-git repository $ cd ~/devel/dist-git $ fedpkg clone selinux-policy $ cd selinux-policy 4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories $ ./make-rhat-patches.sh 5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push 6. build the package $ fedpkg build