SELinux policy configuration
9fad02a45b
- Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain - Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports - Allow mysqld_t domain to manage cluster pid files - Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. - Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool - Allow dkim-milter to send e-mails BZ(1716937) - Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799) - Update svnserve_t policy to make working svnserve hooks - Allow varnishlog_t domain to check for presence of varnishd_t domains - Update sandboxX policy to make working firefox inside SELinux sandbox - Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services - Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices - Allow gssd_t domain to list tmpfs_t dirs - Allow mdadm_t domain to read tmpfs_t files - Allow sbd_t domain to check presence of processes labeled as cluster_t - Dontaudit httpd_sys_script_t to read systemd unit files - Allow blkmapd_t domain to read nvme devices - Update cpucontrol_t domain to make working microcode service - Allow domain transition from logwatch_t do postfix_postqueue_t - Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test' - Allow httpd_sys_script_t domain to mmap httpcontent - Allow sbd_t to manage cgroups_t files - Update wireshark policy to make working tshar labeled as wireshark_t - Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources - Allow sysadm_t domain to dbus chat with rtkit daemon - Allow x_userdomains to nnp domain transition to thumb_t domain - Allow unconfined_domain_type to setattr own process lnk files. - Add interface files_write_generic_pid_sockets() - Dontaudit writing to user home dirs by gnome-keyring-daemon - Allow staff and admin domains to setpcap in user namespace - Allow staff and sysadm to use lockdev - Allow staff and sysadm users to run iotop. - Dontaudit traceroute_t domain require sys_admin capability - Dontaudit dbus chat between kernel_t and init_t - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t |
||
|---|---|---|
| tests | ||
| .gitignore | ||
| booleans-minimum.conf | ||
| booleans-mls.conf | ||
| booleans-targeted.conf | ||
| booleans.subs_dist | ||
| COPYING | ||
| customizable_types | ||
| file_contexts.subs_dist | ||
| make-rhat-patches.sh | ||
| Makefile | ||
| Makefile.devel | ||
| modules-minimum.conf | ||
| modules-mls-base.conf | ||
| modules-mls-contrib.conf | ||
| modules-targeted-base.conf | ||
| modules-targeted-contrib.conf | ||
| modules-targeted.conf | ||
| permissivedomains.cil | ||
| README | ||
| rpm.macros | ||
| securetty_types-minimum | ||
| securetty_types-mls | ||
| securetty_types-targeted | ||
| selinux-factory-reset | ||
| selinux-factory-reset@.service | ||
| selinux-policy.conf | ||
| selinux-policy.spec | ||
| setrans-minimum.conf | ||
| setrans-mls.conf | ||
| setrans-targeted.conf | ||
| seusers | ||
| sources | ||
| users-minimum | ||
| users-mls | ||
| users-targeted | ||
## Purpose
SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy.
## Structure
### github
On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository.
$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
$ cd selinux-policy-contrib
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories.
### dist-git
Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files.
## Build process
1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy.git
$ cd selinux-policy
2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git
$ cd selinux-policy-contrib
3. create, backport, cherry-pick needed changes to a particular branch and push them
4. clone **selinux-policy** dist-git repository
$ cd ~/devel/dist-git
$ fedpkg clone selinux-policy
$ cd selinux-policy
4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories
$ ./make-rhat-patches.sh
5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push
6. build the package
$ fedpkg build