a789dba85b
- Update samba-bgqd policy Resolves: RHEL-69512
- Allow samba-bgqd read cups config files Resolves: RHEL-69512
- Allow virtqemud additional permissions for tmpfs_t blk devices Resolves: RHEL-61235
- Allow virtqemud rw access to svirt_image_t chr files Resolves: RHEL-61235
- Allow virtqemud rw and setattr access to fixed block devices Resolves: RHEL-61235
- Label /etc/mdevctl.d/scripts.d with bin_t Resolves: RHEL-39893
- Fix the /etc/mdevctl\.d(/.*)? regexp Resolves: RHEL-39893
- Allow virtnodedev watch mdevctl config dirs Resolves: RHEL-39893
- Make mdevctl_conf_t member of the file_type attribute Resolves: RHEL-39893
- Label /etc/mdevctl.d with mdevctl_conf_t Resolves: RHEL-39893
- Allow virtqemud relabelfrom virt_log_t files Resolves: RHEL-48236
- Allow virtqemud_t relabel virtqemud_var_run_t sock_files Resolves: RHEL-48236
- Allow virtqemud relabelfrom virtqemud_var_run_t dirs Resolves: RHEL-48236
- Allow svirt_tcg_t read virtqemud_t fifo_files Resolves: RHEL-48236
- Allow virtqemud rw and setattr access to sev devices Resolves: RHEL-69128
- Allow virtqemud directly read and write to a fixed disk Resolves: RHEL-61235
- Allow svirt_t the sys_rawio capability Resolves: RHEL-61235
- Allow svirt_t the sys_rawio capability Resolves: RHEL-61235
- Allow virtqemud connect to sanlock over a unix stream socket Resolves: RHEL-44352
- allow gdm and iiosensorproxy talk to each other via D-bus Resolves: RHEL-70850
- Allow sendmail to map mail server configuration files Related: RHEL-54014
- Allow procmail to read mail aliases Resolves: RHEL-54014
- Grant rhsmcertd chown capability & userdb access Resolves: RHEL-68481
.fmf
plans
tests
.gitignore
changelog
COPYING
gating.yaml
ifndefy.py
make-rhat-patches.sh
Makefile.devel
modules-minimum.lst
permissivedomains.cil
README.md
rpm.macros
selinux-check-proper-disable.service
selinux-policy-mls.conf
selinux-policy-targeted.conf
selinux-policy.conf
selinux-policy.spec
sources
varrun-convert.sh
Purpose
SELinux Fedora Policy is a fork of the SELinux reference policy. The fedora-selinux/selinux-policy repo makes Fedora packaging simpler and more transparent for packagers, upstream developers, and users. It is used for applying downstream Fedora fixes, for communication about proposed/committed changes, and for communication with upstream and the community. It reflects the upstream repository structure to make submitting patches to upstream easy.
Structure
GitHub
On GitHub, we have one repository containing the policy sources.
$ cd selinux-policy
$ git remote -v
origin git@github.com:fedora-selinux/selinux-policy.git (fetch)
$ git branch -r
origin/HEAD -> origin/master
origin/f27
origin/f28
origin/master
origin/rawhide
Note: As opposed to dist-git, the Rawhide content resides in the rawhide branch rather than master.
dist-git
Package sources in dist-git are composed from the selinux-policy repository snapshot tarball, container-selinux policy files snapshot, the macro-expander script snapshot, and from other config files.
Build process
- Clone the fedora-selinux/selinux-policy repository.
  $ cd ~/devel/github
  $ git clone git@github.com:fedora-selinux/selinux-policy.git
  $ cd selinux-policy
- Create, backport, or cherry-pick needed changes to a particular branch and push them.
- Clone the selinux-policy dist-git repository.
  $ cd ~/devel/dist-git
  $ fedpkg clone selinux-policy
  $ cd selinux-policy
- Download the latest snapshot from the selinux-policy GitHub repository.
  $ ./make-rhat-patches.sh
- Add changes to the dist-git repository, bump release, create a changelog entry, commit, and push.
- Build the package.
  $ fedpkg build