selinux-policy

SELinux policy configuration

Go to file

Zdenek Pytela b8cfdb1921 * Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1 - Allow login_userdomain watch systemd-machined PID directories - Allow login_userdomain watch systemd-logind PID directories - Allow login_userdomain watch accountsd lib directories - Allow login_userdomain watch localization directories - Allow login_userdomain watch various files and dirs - Allow login_userdomain watch generic directories in /tmp - Allow rhsm-service read/write its private memfd: objects - Allow radiusd connect to the radacct port - Allow systemd-io-bridge ioctl rpm_script_t - Allow systemd-coredump userns capabilities and root mounton - Allow systemd-coredump read and write usermodehelper state - Allow login_userdomain create session_dbusd tmp socket files - Allow gkeyringd_domain write to session_dbusd tmp socket files - Allow systemd-logind delete session_dbusd tmp socket files - Allow gdm-x-session write to session dbus tmp sock files - Label /etc/cockpit/ws-certs.d with cert_t - Allow kpropd get attributes of cgroup filesystems - Allow administrative users the bpf capability - Allow sysadm_t start and stop transient services - Connect triggerin to pcre2 instead of pcre		2022-01-17 18:17:56 +01:00
tests	test-reboot.yml: test.log is mandatory, improve results format	2020-08-27 07:49:02 +02:00
.gitignore	Clean up .gitignore	2020-11-03 12:25:19 +01:00
booleans-minimum.conf	Remove ftp_home_dir boolean from distgit	2016-04-26 14:04:52 +02:00
booleans-mls.conf	Make rawhide == f18	2012-12-17 17:21:00 +01:00
booleans-targeted.conf	Change default value of use_virtualbox boolean	2019-09-16 16:08:14 +02:00
booleans.subs_dist	subs virt_sandbox_use_nfs by virt_use_nfs	2016-07-16 17:52:41 +02:00
COPYING	remove extra level of directory	2006-07-12 20:32:27 +00:00
customizable_types	* Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221	2016-10-17 20:52:01 +02:00
file_contexts.subs_dist	Add /var/mnt equivalency to /mnt	2021-01-22 10:32:59 +01:00
make-rhat-patches.sh	Use the rawhide branch instead of master	2021-02-04 17:12:07 +01:00
Makefile.devel	Hard code to MLSENABLED	2011-08-22 16:30:20 -04:00
modules-minimum.conf	- More access needed for devicekit	2010-08-30 11:58:36 -04:00
modules-mls-base.conf	Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.	2015-07-16 09:10:21 +02:00
modules-mls-contrib.conf	Make active lsm module in MLS policy	2019-04-05 11:03:51 +02:00
modules-targeted-base.conf	* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23	2020-08-03 13:25:54 +02:00
modules-targeted-contrib.conf	* Thu Oct 07 2021 Zdenek Pytela <zpytela@redhat.com> - 35.1-1	2021-10-07 18:06:06 +02:00
modules-targeted.conf	* Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 34.17-3	2021-08-27 11:50:45 +02:00
permissivedomains.cil	Remove all domains from permissive domains, it looks these policies are tested already	2019-01-13 19:28:55 +01:00
README.md	Fix typos and grammar in README	2020-12-02 09:41:43 +01:00
rpm.macros	Update rpm.macros file fomr the upstream repo	2019-11-05 17:50:20 +01:00
securetty_types-minimum	- Update to upstream	2010-03-18 15:47:35 +00:00
securetty_types-mls	- Update to upstream	2010-03-18 15:47:35 +00:00
securetty_types-targeted	- Update to upstream	2010-03-18 15:47:35 +00:00
selinux-check-proper-disable.service	Add a systemd service to check that SELinux is disabled properly	2021-06-22 09:38:56 +00:00
selinux-policy.conf	We need to setcheckreqprot to 0 for security purposes	2015-04-16 14:00:38 -04:00
selinux-policy.spec	* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1	2022-01-17 18:17:56 +01:00
setrans-minimum.conf	- Update to Latest upstream	2009-03-03 20:10:30 +00:00
setrans-mls.conf	- Multiple policy fixes	2006-09-19 14:59:46 +00:00
setrans-targeted.conf	- Update to Latest upstream	2009-03-03 20:10:30 +00:00
sources	* Mon Jan 17 2022 Zdenek Pytela <zpytela@redhat.com> - 35.10-1	2022-01-17 18:17:56 +01:00
users-minimum	- Move users file to selection by spec file.	2010-01-12 13:36:10 +00:00
users-mls	- Move users file to selection by spec file.	2010-01-11 22:06:55 +00:00
users-targeted	- Move users file to selection by spec file.	2010-01-12 13:36:10 +00:00

README.md

Purpose

SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.

Structure

GitHub

On GitHub, we have one repository containing the policy sources.

$ cd selinux-policy
$ git remote -v
origin	git@github.com:fedora-selinux/selinux-policy.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.

dist-git

Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.

Build process

Clone the fedora-selinux/selinux-policy repository.

 $ cd ~/devel/github
 $ git clone git@github.com:fedora-selinux/selinux-policy.git
 $ cd selinux-policy

Create, backport, or cherry-pick needed changes to a particular branch and push them.

Clone the selinux-policy dist-git repository.

 $ cd ~/devel/dist-git
 $ fedpkg clone selinux-policy
 $ cd selinux-policy

Download the latest snapshot from the selinux-policy GitHub repository.
```
 $ ./make-rhat-patches.sh
```
Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.
Build the package.
```
 $ fedpkg build
```