SELinux policy configuration
c04fecfb03
- Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files |
||
|---|---|---|
| tests | ||
| .gitignore | ||
| booleans-minimum.conf | ||
| booleans-mls.conf | ||
| booleans-targeted.conf | ||
| booleans.subs_dist | ||
| COPYING | ||
| customizable_types | ||
| file_contexts.subs_dist | ||
| make-rhat-patches.sh | ||
| Makefile.devel | ||
| modules-minimum.conf | ||
| modules-mls-base.conf | ||
| modules-mls-contrib.conf | ||
| modules-targeted-base.conf | ||
| modules-targeted-contrib.conf | ||
| modules-targeted.conf | ||
| permissivedomains.cil | ||
| README | ||
| rpm.macros | ||
| securetty_types-minimum | ||
| securetty_types-mls | ||
| securetty_types-targeted | ||
| selinux-policy.conf | ||
| selinux-policy.spec | ||
| setrans-minimum.conf | ||
| setrans-mls.conf | ||
| setrans-targeted.conf | ||
| sources | ||
| users-minimum | ||
| users-mls | ||
| users-targeted | ||
## Purpose
SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy.
## Structure
### github
On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository.
$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
$ cd selinux-policy-contrib
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories.
### dist-git
Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files.
## Build process
1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy.git
$ cd selinux-policy
2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git
$ cd selinux-policy-contrib
3. create, backport, cherry-pick needed changes to a particular branch and push them
4. clone **selinux-policy** dist-git repository
$ cd ~/devel/dist-git
$ fedpkg clone selinux-policy
$ cd selinux-policy
4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories
$ ./make-rhat-patches.sh
5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push
6. build the package
$ fedpkg build