SELinux policy configuration
Go to file
Zdenek Pytela ac73b2b07b * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1
- Allow chronyd-restricted read chronyd key files
- Allow conntrackd_t to use bpf capability2
- Allow systemd-networkd manage its runtime socket files
- Allow init_t nnp domain transition to colord_t
- Allow polkit status systemd services
- nova: Fix duplicate declarations
- Allow httpd work with PrivateTmp
- Add interfaces for watching and reading ifconfig_var_run_t
- Allow collectd read raw fixed disk device
- Allow collectd read udev pid files
- Set correct label on /etc/pki/pki-tomcat/kra
- Allow systemd domains watch system dbus pid socket files
- Allow certmonger read network sysctls
- Allow mdadm list stratisd data directories
- Allow syslog to run unconfined scripts conditionally
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
- Allow qatlib set attributes of vfio device files
2024-01-24 21:28:05 +01:00
.fmf Add plans/tests.fmf 2023-10-11 13:27:51 +02:00
plans Add plans/tests.fmf 2023-10-11 13:27:51 +02:00
tests test-reboot.yml: test.log is mandatory, improve results format 2020-08-27 07:49:02 +02:00
.gitignore Clean up .gitignore 2020-11-03 12:25:19 +01:00
booleans-minimum.conf Remove ftp_home_dir boolean from distgit 2016-04-26 14:04:52 +02:00
booleans-mls.conf Make rawhide == f18 2012-12-17 17:21:00 +01:00
booleans-targeted.conf Change default value of use_virtualbox boolean 2019-09-16 16:08:14 +02:00
booleans.subs_dist subs virt_sandbox_use_nfs by virt_use_nfs 2016-07-16 17:52:41 +02:00
COPYING remove extra level of directory 2006-07-12 20:32:27 +00:00
customizable_types * Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221 2016-10-17 20:52:01 +02:00
file_contexts.subs_dist Add /bin = /usr/bin file context equivalency 2023-12-14 08:35:49 +00:00
ifndefy.py Add a script for enclosing interfaces in ifndef statements 2022-06-29 18:34:21 +00:00
make-rhat-patches.sh Use the rawhide branch instead of master 2021-02-04 17:12:07 +01:00
Makefile.devel Hard code to MLSENABLED 2011-08-22 16:30:20 -04:00
modules-minimum.conf - More access needed for devicekit 2010-08-30 11:58:36 -04:00
modules-mls-base.conf Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. 2015-07-16 09:10:21 +02:00
modules-mls-contrib.conf Make active lsm module in MLS policy 2019-04-05 11:03:51 +02:00
modules-targeted-base.conf * Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 2020-08-03 13:25:54 +02:00
modules-targeted-contrib.conf Add afterburn to modules-targeted-contrib.conf 2023-11-28 13:56:53 +00:00
modules-targeted.conf * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3 2021-08-27 11:50:45 +02:00
permissivedomains.cil Remove all domains from permissive domains, it looks these policies are tested already 2019-01-13 19:28:55 +01:00
README.md Fix typos and grammar in README 2020-12-02 09:41:43 +01:00
rpm.macros Update rpm.macros file fomr the upstream repo 2019-11-05 17:50:20 +01:00
securetty_types-minimum - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-mls - Update to upstream 2010-03-18 15:47:35 +00:00
securetty_types-targeted - Update to upstream 2010-03-18 15:47:35 +00:00
selinux-check-proper-disable.service Add a systemd service to check that SELinux is disabled properly 2021-06-22 09:38:56 +00:00
selinux-policy.conf We need to setcheckreqprot to 0 for security purposes 2015-04-16 14:00:38 -04:00
selinux-policy.spec * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 2024-01-24 21:28:05 +01:00
setrans-minimum.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
setrans-mls.conf - Multiple policy fixes 2006-09-19 14:59:46 +00:00
setrans-targeted.conf - Update to Latest upstream 2009-03-03 20:10:30 +00:00
sources * Wed Jan 24 2024 Zdenek Pytela <zpytela@redhat.com> - 40.10-1 2024-01-24 21:28:05 +01:00
users-minimum Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-mls Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00
users-targeted Users have to be generated is policy/users to make 3.4 userspace happy 2022-05-02 13:14:01 +00:00

Purpose

SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.

Structure

GitHub

On GitHub, we have one repository containing the policy sources.

$ cd selinux-policy
$ git remote -v
origin	git@github.com:fedora-selinux/selinux-policy.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.

dist-git

Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.

Build process

  1. Clone the fedora-selinux/selinux-policy repository.

     $ cd ~/devel/github
     $ git clone git@github.com:fedora-selinux/selinux-policy.git
     $ cd selinux-policy
    
  2. Create, backport, or cherry-pick needed changes to a particular branch and push them.

  3. Clone the selinux-policy dist-git repository.

     $ cd ~/devel/dist-git
     $ fedpkg clone selinux-policy
     $ cd selinux-policy
    
  4. Download the latest snapshot from the selinux-policy GitHub repository.

     $ ./make-rhat-patches.sh
    
  5. Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.

  6. Build the package.

     $ fedpkg build