SELinux policy configuration
c04fecfb03
- Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files |
||
---|---|---|
tests | ||
.gitignore | ||
booleans-minimum.conf | ||
booleans-mls.conf | ||
booleans-targeted.conf | ||
booleans.subs_dist | ||
COPYING | ||
customizable_types | ||
file_contexts.subs_dist | ||
make-rhat-patches.sh | ||
Makefile.devel | ||
modules-minimum.conf | ||
modules-mls-base.conf | ||
modules-mls-contrib.conf | ||
modules-targeted-base.conf | ||
modules-targeted-contrib.conf | ||
modules-targeted.conf | ||
permissivedomains.cil | ||
README | ||
rpm.macros | ||
securetty_types-minimum | ||
securetty_types-mls | ||
securetty_types-targeted | ||
selinux-policy.conf | ||
selinux-policy.spec | ||
setrans-minimum.conf | ||
setrans-mls.conf | ||
setrans-targeted.conf | ||
sources | ||
users-minimum | ||
users-mls | ||
users-targeted |
## Purpose SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy. ## Structure ### github On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository. $ cd selinux-policy $ git remote -v origin git@github.com:fedora-selinux/selinux-policy.git (fetch) $ git branch -r origin/HEAD -> origin/master origin/f27 origin/f28 origin/master origin/rawhide $ cd selinux-policy-contrib $ git remote -v origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch) $ git branch -r origin/HEAD -> origin/master origin/f27 origin/f28 origin/master origin/rawhide Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories. ### dist-git Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files. ## Build process 1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy.git $ cd selinux-policy 2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository $ cd ~/devel/github $ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git $ cd selinux-policy-contrib 3. create, backport, cherry-pick needed changes to a particular branch and push them 4. clone **selinux-policy** dist-git repository $ cd ~/devel/dist-git $ fedpkg clone selinux-policy $ cd selinux-policy 4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories $ ./make-rhat-patches.sh 5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push 6. build the package $ fedpkg build