selinux-policy

SELinux policy configuration

Go to file

Lukas Vrabec c8c754cba3 * Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25 - Allow spamd_update_t domain to read network state of system BZ(1733172) - Allow dlm_controld_t domain to transition to the lvm_t - Allow sandbox_web_client_t domain to do sys_chroot in user namespace - Allow virtlockd process read virtlockd.conf file - Add more permissions for session dbus types to make working dbus broker with systemd user sessions - Allow sssd_t domain to read gnome config and named cache files - Allow brltty to request to load kernel module - Add svnserve_tmp_t label forl svnserve temp files to system private tmp - Allow sssd_t domain to read kernel net sysctls BZ(1732185) - Run timedatex service as timedatex_t - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool - Allow cyrus work with PrivateTmp - Make cgdcbxd_t domain working with SELinux enforcing. - Make working wireshark execute byt confined users staff_t and sysadm_t - Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) - Allow svnserve_t domain to read system state - allow named_t to map named_cache_t files - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow ifconfig_t domain to manage vmware logs - Remove system_r role from staff_u user. - Make new timedatex policy module active - Add systemd_private_tmp_type attribute - Allow systemd to load kernel modules during boot process. - Allow sysadm_t and staff_t domains to read wireshark shared memory - Label /usr/libexec/utempter/utempter as utemper_exec_t - Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources		2019-07-26 10:28:53 +02:00
tests	Fix OSCI gating.	2019-04-12 22:29:26 +02:00
.gitignore	* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25	2019-07-26 10:28:53 +02:00
booleans-minimum.conf	Remove ftp_home_dir boolean from distgit	2016-04-26 14:04:52 +02:00
booleans-mls.conf	Make rawhide == f18	2012-12-17 17:21:00 +01:00
booleans-targeted.conf	Switch default value of SELinux boolean httpd_graceful_shutdown to off.	2017-10-03 14:17:18 +02:00
booleans.subs_dist	subs virt_sandbox_use_nfs by virt_use_nfs	2016-07-16 17:52:41 +02:00
COPYING	remove extra level of directory	2006-07-12 20:32:27 +00:00
customizable_types	* Mon Oct 17 2016 Miroslav Grepl <mgrepl@redhat.com> - 3.13.1-221	2016-10-17 20:52:01 +02:00
file_contexts.subs_dist	Drop /var/home -> /home equivalency rule	2019-02-06 10:53:08 -05:00
make-rhat-patches.sh	Make macro-expander script executable	2019-07-06 16:59:57 +02:00
Makefile	* Mon Jan 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-310	2018-01-08 12:28:09 +01:00
Makefile.devel	Hard code to MLSENABLED	2011-08-22 16:30:20 -04:00
modules-minimum.conf	- More access needed for devicekit	2010-08-30 11:58:36 -04:00
modules-mls-base.conf	Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration.	2015-07-16 09:10:21 +02:00
modules-mls-contrib.conf	Make active lsm module in MLS policy	2019-04-05 11:03:51 +02:00
modules-targeted-base.conf	Activate kdbus.pp	2015-08-03 17:47:45 +02:00
modules-targeted-contrib.conf	Make timedatex module active	2019-07-23 12:49:04 +02:00
modules-targeted.conf	We should not build vbetool anylonger	2014-10-12 07:15:24 -04:00
permissivedomains.cil	Remove all domains from permissive domains, it looks these policies are tested already	2019-01-13 19:28:55 +01:00
README	Add README file with build process of selinux-policy rpm package	2018-08-25 00:09:29 +02:00
rpm.macros	* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18	2019-01-15 18:29:10 +01:00
securetty_types-minimum	- Update to upstream	2010-03-18 15:47:35 +00:00
securetty_types-mls	- Update to upstream	2010-03-18 15:47:35 +00:00
securetty_types-targeted	- Update to upstream	2010-03-18 15:47:35 +00:00
selinux-factory-reset	Do a factory reset when there's no policy.kern file in a store	2016-09-15 13:51:31 +02:00
selinux-factory-reset@.service	Do a factory reset when there's no policy.kern file in a store	2016-09-15 13:51:31 +02:00
selinux-policy.conf	We need to setcheckreqprot to 0 for security purposes	2015-04-16 14:00:38 -04:00
selinux-policy.spec	* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25	2019-07-26 10:28:53 +02:00
setrans-minimum.conf	- Update to Latest upstream	2009-03-03 20:10:30 +00:00
setrans-mls.conf	- Multiple policy fixes	2006-09-19 14:59:46 +00:00
setrans-targeted.conf	- Update to Latest upstream	2009-03-03 20:10:30 +00:00
seusers	- Fix cron jobs to run under the correct context	2006-09-21 23:05:49 +00:00
sources	* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25	2019-07-26 10:28:53 +02:00
users-minimum	- Move users file to selection by spec file.	2010-01-12 13:36:10 +00:00
users-mls	- Move users file to selection by spec file.	2010-01-11 22:06:55 +00:00
users-targeted	- Move users file to selection by spec file.	2010-01-12 13:36:10 +00:00

README

## Purpose

SELinux Fedora Policy is a large patch off the mainline. The [fedora-selinux/selinux-policy](https://github.com/selinux-policy/selinux-policy.git) makes Fedora Policy packaging more simple and transparent for developers, upstream developers and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, for communication with upstream and the community. It reflects upstream repository structure to make submitting patches to upstream easy.

## Structure

### github
On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib ) for dist-git repository.

$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

$ cd selinux-policy-contrib
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch)

$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide

Note: _master_ branch on GitHub does not reflect master branch in dist-git. For this purpose, we created the _rawhide github branches in both selinux-policy and selinux-policy-contrib repositories.

### dist-git
Package sources in dist-git are generally composed from a _selinux-policy and _selinux-policy-contrib repository snapshots tarballs and from other config files.

## Build process

1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository

$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy.git
$ cd selinux-policy

2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository

$ cd ~/devel/github
$ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git
$ cd selinux-policy-contrib

3. create, backport, cherry-pick needed changes to a particular branch and push them

4. clone **selinux-policy** dist-git repository

$ cd ~/devel/dist-git
$ fedpkg clone selinux-policy
$ cd selinux-policy

4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories

$ ./make-rhat-patches.sh

5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push
6. build the package

$ fedpkg build