SELinux policy configuration
c4065f7c94
- Allow fontconfig file transition for xguest_u user - Add gnome_filetrans_fontconfig_home_content interface - Add permissions needed by systemd's machinectl shell/login - Update SELinux policy for xen services - Add dac_override capability for kdumpctl_t process domain - Allow chronyd_t domain to exec shell - Fix varnisncsa typo - Allow init start freenx-server BZ(1678025) - Create logrotate_use_fusefs boolean - Add tcpd_wrapped_domain for telnetd BZ(1676940) - Allow tcpd bind to services ports BZ(1676940) - Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t - Make shell_exec_t type as entrypoint for vmtools_unconfined_t. - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide - Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t - Allow esmtp access .esmtprc BZ(1691149) - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide - Allow tlp_t domain to read nvme block devices BZ(1692154) - Add support for smart card authentication in cockpit BZ(1690444) - Add permissions needed by systemd's machinectl shell/login - Allow kmod_t domain to mmap modules_dep_t files. - Allow systemd_machined_t dac_override capability BZ(1670787) - Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files - Allow unconfined_domain_type to use bpf tools BZ(1694115) - Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)" - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow unconfined_domain_type to use bpf tools BZ(1694115) - Allow init_t read mnt_t symlinks BZ(1637070) - Update dev_filetrans_all_named_dev() interface - Allow xdm_t domain to execmod temp files BZ(1686675) - Revert "Allow xdm_t domain to create own tmp files BZ(1686675)" - Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582) - Allow confined users labeled as staff_t to run iptables. - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow xdm_t domain to create own tmp files BZ(1686675) - Add miscfiles_dontaudit_map_generic_certs interface. |
||
|---|---|---|
| tests | ||
| .gitignore | ||
| booleans-minimum.conf | ||
| booleans-mls.conf | ||
| booleans-targeted.conf | ||
| booleans.subs_dist | ||
| COPYING | ||
| customizable_types | ||
| file_contexts.subs_dist | ||
| make-rhat-patches.sh | ||
| Makefile | ||
| Makefile.devel | ||
| modules-minimum.conf | ||
| modules-mls-base.conf | ||
| modules-mls-contrib.conf | ||
| modules-targeted-base.conf | ||
| modules-targeted-contrib.conf | ||
| modules-targeted.conf | ||
| permissivedomains.cil | ||
| README | ||
| rpm.macros | ||
| securetty_types-minimum | ||
| securetty_types-mls | ||
| securetty_types-targeted | ||
| selinux-factory-reset | ||
| selinux-factory-reset@.service | ||
| selinux-policy.conf | ||
| selinux-policy.spec | ||
| setrans-minimum.conf | ||
| setrans-mls.conf | ||
| setrans-targeted.conf | ||
| seusers | ||
| sources | ||
| users-minimum | ||
| users-mls | ||
| users-targeted | ||
## Purpose
SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy.
## Structure
### github
On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository.
$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
$ cd selinux-policy-contrib
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories.
### dist-git
Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files.
## Build process
1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy.git
$ cd selinux-policy
2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository
$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git
$ cd selinux-policy-contrib
3. create, backport, cherry-pick needed changes to a particular branch and push them
4. clone **selinux-policy** dist-git repository
$ cd ~/devel/dist-git
$ fedpkg clone selinux-policy
$ cd selinux-policy
4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories
$ ./make-rhat-patches.sh
5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push
6. build the package
$ fedpkg build