Refpolicy aos vm #2

Closed
333 commits
06f06bb
logging: allow systemd-journal to manage syslogd_runtime_t sock_file
yizhao1 Feb 4, 2016
ac25e5a
radius: fixes for freeradius
yizhao1 Jul 3, 2020
d7a7ea3
Merge pull request #545 from yizhao1/radius
pebenito Oct 4, 2022
e94bd84
Merge pull request #548 from yizhao1/systemd-journal
pebenito Oct 4, 2022
cdfa072
fix: issue #550 - compile failed when DIRECT_INITRC=y
dsugar100 Oct 3, 2022
2b349d7
fapolicyd: fagenrules chgrp's the compiled.rules
dsugar100 Oct 3, 2022
847cffd
Add 'DIRECT_INITRC' config to automated tests
dsugar100 Oct 8, 2022
f8dabbe
Merge pull request #551 from dsugar100/fapolicyd_fixes
pebenito Oct 8, 2022
4257f87
usermanage: add file context for chpasswd in /usr/bin
0xC0ncord Sep 23, 2022
1206a74
node_exporter: add file context for node_exporter in /usr/bin
0xC0ncord Sep 23, 2022
56fed5b
usbguard: add file context for usbguard in /usr/bin
0xC0ncord Sep 23, 2022
9ee16f9
init: add file context for systemd units in dracut modules
0xC0ncord Oct 8, 2022
389ae8d
git: add file contexts for other git utilities
0xC0ncord Oct 8, 2022
e1cdd5a
dbus, init, mount, rpc: minor fixes for mount.nfs
0xC0ncord Oct 2, 2022
d0f30da
zfs: allow reading exports
0xC0ncord Oct 6, 2022
d4f3b21
systemd: allow systemd-generator to use dns resolution
0xC0ncord Oct 6, 2022
ef70117
Sympa list server
etbe Sep 25, 2022
6a0a900
sympa: Move lines.
pebenito Oct 10, 2022
be2ba4e
sympa: Drop module version.
pebenito Oct 10, 2022
3fd5341
sympa, mta, exim: Revise interfaces.
pebenito Oct 10, 2022
accdce9
sympa, logging: Fix lint errors.
pebenito Oct 10, 2022
4f157b5
rpc: allow rpc admins to rw nfsd fs
0xC0ncord Oct 5, 2022
630c41b
Merge pull request #552 from 0xC0ncord/various-20220923
pebenito Oct 11, 2022
cc2d06a
Merge pull request #554 from pebenito/sympa
pebenito Oct 12, 2022
5399afb
container: Add missing UDP node bind access on container engines.
pebenito Oct 12, 2022
93575af
udev: allow udev_read_runtime_files to read link files
yizhao1 Oct 16, 2022
c15094f
Merge pull request #557 from yizhao1/udev
pebenito Oct 17, 2022
8b3fee9
Merge pull request #555 from pebenito/container-engine-udp-bind
pebenito Oct 17, 2022
44873ba
watchdog: allow watchdog to create /var/log/watchdog directory
yizhao1 Oct 19, 2022
e639a14
Merge pull request #558 from yizhao1/watchdog
pebenito Oct 19, 2022
b1f16bf
systemd: allow systemd-resolved to manage link files
yizhao1 Jan 25, 2021
77fd73e
sysnetwork: fix privilege separation functionality of dhcpcd
yizhao1 Sep 24, 2020
6ed9c66
sysnetwork: allow dhcpcd to send and receive messages from systemd re…
yizhao1 Jan 25, 2021
eff8a2b
Merge pull request #549 from yizhao1/dhcpcd-fixes
pebenito Oct 27, 2022
31a32f5
rpm: add label for dnf-automatic and dnf-3
yizhao1 Oct 31, 2022
c98bb9c
systemd: allow systemd-backlight to read kernel sysctl settings
yizhao1 Oct 31, 2022
d4b1995
systemd: allow systemd-rfkill to get attributes of all fs
yizhao1 Oct 31, 2022
72399fc
systemd: allow systemd-hostnamed to read selinux configuration files
yizhao1 Nov 1, 2022
c572595
systemd: add capability sys_admin to systemd_generator_t
yizhao1 Nov 1, 2022
89488a5
Merge pull request #559 from yizhao1/fixes
pebenito Nov 1, 2022
03d486e
Update Changelog and VERSION for release 2.20221101.
pebenito Nov 1, 2022
79aeab7
corenet: add portcon for kubernetes
0xC0ncord Apr 27, 2022
d387288
kubernetes: initial policy module
0xC0ncord May 10, 2022
f171852
sysadm: allow running kubernetes
0xC0ncord May 10, 2022
12590a8
crio: new policy module
0xC0ncord May 16, 2022
16a928d
crio, kubernetes: allow k8s admins to run CRI-O
0xC0ncord May 17, 2022
466ea4b
container: add type for container plugins
0xC0ncord Jun 7, 2022
141971a
various: fixes for kubernetes
0xC0ncord Jun 7, 2022
1512723
kubernetes: add policy for kubectl
0xC0ncord Jun 8, 2022
cd929e8
various: fixes for kubernetes
0xC0ncord Jun 17, 2022
dc66fd7
container, kernel: add tunable to allow spc to create NFS servers
0xC0ncord Aug 1, 2022
9216a7a
container: add tunable to allow containers to use huge pages
0xC0ncord Oct 1, 2022
3ae0575
container, kubernetes: add private type for generic container devices
0xC0ncord Oct 2, 2022
6c2124d
container: add tunable to use dri devices
0xC0ncord Oct 2, 2022
3b3d371
container, kubernetes: add rules for device plugins running as spc
0xC0ncord Oct 2, 2022
d4c5bd9
various: allow using glusterfs as backing storage for k8s
0xC0ncord Oct 2, 2022
d9314ae
container, miscfiles: transition to s0 for public content created by …
0xC0ncord Oct 25, 2022
c7a0cc0
container: add tunable to allow spc to use tun-tap devices
0xC0ncord Oct 10, 2022
fb835d0
container: correct admin_pattern() usage
0xC0ncord Nov 4, 2022
4d219e1
Merge pull request #511 from 0xC0ncord/k8s
pebenito Nov 8, 2022
ef68579
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
dsugar100 Nov 23, 2022
48e4788
Merge pull request #560 from dsugar100/master
pebenito Nov 23, 2022
090f4ca
udev: permit to read hwdb
montjoie Dec 1, 2022
ced7229
Merge pull request #563 from montjoie/gentoo-udev
pebenito Dec 5, 2022
3ca0cd5
This patch removes deprecated interfaces that were deprecated in the …
etbe Dec 8, 2022
410e4b1
Merge pull request #568 from etbe/master
pebenito Dec 8, 2022
ee3610e
tests.yml: Pin ubuntu 20.04.
pebenito Dec 12, 2022
31bee5d
Merge pull request #570 from pebenito/fix-ci
pebenito Dec 12, 2022
d4ee0d3
systemd: add policy for systemd-pcrphase
0xC0ncord Dec 10, 2022
84a78f6
Merge pull request #569 from 0xC0ncord/systemd-pcrphase
pebenito Dec 12, 2022
d55395c
This patch removes deprecated interfaces that were deprecated in the …
etbe Dec 8, 2022
065c6a0
tests.yml: Pin ubuntu 20.04.
pebenito Dec 12, 2022
26f9727
hddtemp: add missing rules for interactive usage
0xC0ncord Dec 7, 2022
b85d3f6
netutils: minor fixes for nmap and traceroute
0xC0ncord Dec 7, 2022
a6db7cb
container: add rules required for metallb BGP speakers
0xC0ncord Dec 7, 2022
d34dd95
filesystem, init: allow systemd to setattr on ramfs dirs
0xC0ncord Dec 7, 2022
d96b591
logging: allow domains sending syslog messages to connect to kernel unix
0xC0ncord Dec 7, 2022
e59404b
init, sysadm: allow sysadm to manage systemd runtime units
0xC0ncord Dec 7, 2022
7662001
podman: allow podman to stop systemd transient units
0xC0ncord Dec 7, 2022
810cc48
userdom: allow admin users to use tcpdiag netlink sockets
0xC0ncord Dec 7, 2022
22ece2b
container: allow container admins the sysadm capability in user
0xC0ncord Dec 7, 2022
9290f19
postfix: allow postfix master to map data files
0xC0ncord Dec 7, 2022
52e90d4
sasl: add filecon for /etc/sasl2 keytab
0xC0ncord Dec 7, 2022
db8bf1a
obj_perm_sets: add mmap_manage_file_perms
0xC0ncord Dec 8, 2022
d38a213
various: use mmap_manage_file_perms
0xC0ncord Dec 12, 2022
2354b4f
postfix, sasl: allow postfix smtp daemon to read SASL keytab
0xC0ncord Dec 7, 2022
a364dd4
various: fixes for libvirtd and systemd-machined
0xC0ncord Dec 7, 2022
50f2c7a
Merge pull request #566 from 0xC0ncord/various-20221207
pebenito Dec 12, 2022
3d4e2de
fstools: handle gentoo place for drivedb.h
montjoie Nov 30, 2022
3c93ad9
Merge pull request #562 from montjoie/smartmon-drivedbh
pebenito Dec 13, 2022
eca2a04
fstools: Move lines.
pebenito Dec 13, 2022
ec4af44
Merge pull request #571 from pebenito/master
pebenito Dec 13, 2022
43f3608
Fix templates parsing in gentemplates.sh
miroshko Dec 15, 2022
4d0febd
Merge pull request #572 from miroshko/master
pebenito Dec 15, 2022
207b09a
mount: dbus interface must be optional
montjoie Dec 27, 2022
95db1dd
mcelog: add missing file context for triggers
montjoie Jan 3, 2023
ce225e1
Merge pull request #574 from montjoie/mount-dbus-optional
pebenito Jan 3, 2023
95d5195
Merge pull request #578 from montjoie/mcelog-bin
pebenito Jan 3, 2023
42a0387
munin: add file context for common functions file
montjoie Dec 26, 2022
31f6577
rsyslog: add label for /var/empty/dev/log
montjoie Dec 16, 2022
e9a4a12
munin: disk-plugin: transition to fsadm
montjoie Dec 26, 2022
ccbfadc
Merge pull request #575 from montjoie/munin-plugin-common-pr
pebenito Jan 4, 2023
fa7f795
munin: Move munin_rw_tcp_sockets() implementation.
pebenito Jan 4, 2023
7f12646
Merge pull request #576 from montjoie/munin-disk-smart-run
pebenito Jan 4, 2023
c594d3b
Merge pull request #573 from montjoie/rsyslog-empty-dev
pebenito Jan 5, 2023
c9cdcc7
munin: add fc for munin-node plugin state
montjoie Dec 28, 2022
19da71e
munin: Whitespace change.
pebenito Jan 6, 2023
e235fd2
Merge pull request #580 from montjoie/munin-node-fc
pebenito Jan 6, 2023
4e81910
usermanage: permit groupadd to read kernel sysctl
montjoie Jan 9, 2023
a07dbbc
portage: label eix cache as portage_cache_t
0xC0ncord Jan 27, 2021
17f81aa
portage: Remove old binary location
montjoie Jan 10, 2023
51f52b5
portage: add go/hg source control files
montjoie Jan 10, 2023
d7f25ea
portage: add new location for portage commands
montjoie Jan 10, 2023
02a38ab
Merge pull request #586 from montjoie/gentoo-port-portagefc
pebenito Jan 11, 2023
8bf564f
Merge pull request #582 from montjoie/groupadd
pebenito Jan 11, 2023
868cc9f
portage: add missing go/hg context in new distfiles location
montjoie Jan 17, 2023
6732acf
mandb: permit to read inherited cron files
montjoie Jan 5, 2023
b06c8a0
selinuxutil: do not audit load_policy trying to use portage ptys
montjoie Jan 9, 2023
c1a352a
systemd: Tmpfilesd can correct seusers on files.
pebenito Jan 17, 2023
ffc581d
Merge pull request #585 from montjoie/selinuxutil-loadpolicy-portage
pebenito Jan 17, 2023
8aa2f1d
Merge pull request #589 from montjoie/portage-gh-svn-new
pebenito Jan 17, 2023
7fd7f67
Merge pull request #590 from pebenito/tmpfiles-bug
pebenito Jan 18, 2023
727fe91
selinuxutil: permit run_init to read kernel sysctl
montjoie Jan 25, 2023
a78f4ac
openvpn: Allow netlink genl
dsommers Jan 27, 2023
14b679c
Merge pull request #591 from dsommers/openvpn/allow-netlink-genl
pebenito Jan 27, 2023
3bf5303
portage: add misc missing rules
montjoie Jan 4, 2023
06d97b7
Merge pull request #583 from montjoie/mandb-cron
pebenito Feb 2, 2023
d7b0388
Merge pull request #593 from montjoie/run_init_sysctl
pebenito Feb 2, 2023
1bca60b
iscsi: Read initiatorname.iscsi.
pebenito Feb 7, 2023
307c617
lvm: Add fc entry for /etc/multipath/*
pebenito Feb 7, 2023
cd8b67a
Merge pull request #595 from pebenito/misc
pebenito Feb 8, 2023
7ec9133
container: add missing filetrans and filecon for containerd/docker
0xC0ncord Feb 10, 2023
105e623
Signed-off-by: George Zenner <[email protected]>
Feb 10, 2023
6397079
Merge pull request #596 from 0xC0ncord/master
pebenito Feb 13, 2023
cbde619
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
pebenito Feb 13, 2023
aedf310
Merge pull request #598 from desultory/master
pebenito Feb 13, 2023
bf11e1b
Set label systemd-oomd
bluca Feb 24, 2023
cfbdaf5
Merge pull request #599 from bluca/oomd
pebenito Mar 1, 2023
3b1d4e7
systemd: add capability sys_resource to systemd_userdbd_t
yizhao1 Mar 2, 2023
5e6fad9
systemd: allow systemd-sysctl to search directories on ramfs
yizhao1 Mar 2, 2023
0e1cc1e
Define user_namespace object class.
pebenito Mar 2, 2023
ffd80c4
chromium: Allow user namespace creation.
pebenito Mar 2, 2023
de41a20
mozilla: Allow user namespace creation.
pebenito Mar 2, 2023
e1a6199
systemd: Allow user namespace creation.
pebenito Mar 2, 2023
313d8f4
container: Allow user namespace creation for all container engines.
pebenito Mar 7, 2023
d03ecd7
Merge pull request #602 from pebenito/user_namespace
pebenito Mar 8, 2023
a25a1a3
smartmon: allow smartd to read fsadm_db_t files
montjoie Jan 4, 2023
86a7f88
Merge pull request #601 from yizhao1/fixes
pebenito Mar 10, 2023
f27b6fc
container, init, systemd: add policy for quadlet
0xC0ncord Feb 25, 2023
d2ec3ce
container: fixes for podman 4.4.0
0xC0ncord Feb 25, 2023
6894aaa
container: fixes for podman run --log-driver=passthrough
0xC0ncord Feb 25, 2023
eaf9f15
node_exporter: various fixes
0xC0ncord Mar 2, 2023
1aab07e
redis: add missing rules for runtime filetrans
0xC0ncord Mar 2, 2023
181077d
podman, selinux: move lines, add missing rules for --network=host
0xC0ncord Mar 2, 2023
1d8b309
netutils: fixes for iftop
0xC0ncord Mar 2, 2023
214149b
kernel, zfs: add filetrans for kernel creating zpool cache file
0xC0ncord Mar 2, 2023
18c1eeb
zfs: allow sending signals to itself
0xC0ncord Mar 2, 2023
011aade
zfs: add runtime filetrans for dirs
0xC0ncord Mar 5, 2023
064a66c
init: make init_runtime_t usable for systemd units
0xC0ncord Mar 6, 2023
079de3d
various: make /etc/machine-id etc_runtime_t
0xC0ncord Mar 6, 2023
9af88f2
init, systemd: allow init to create userdb runtime symlinks
0xC0ncord Mar 6, 2023
5ad6084
init: allow initrc_t to getcap
0xC0ncord Mar 6, 2023
d159334
systemd: allow systemd-userdbd to getcap
0xC0ncord Mar 6, 2023
dea2090
logging: allow systemd-journald to list cgroups
0xC0ncord Mar 6, 2023
02e558b
fs, udev: allow systemd-udevd various cgroup perms
0xC0ncord Mar 6, 2023
f625d5b
Merge pull request #579 from montjoie/portage-misc
pebenito Mar 10, 2023
eed80c8
logging, systemd: allow relabelfrom,relabelto on systemd journal
0xC0ncord Mar 6, 2023
716f47d
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
0xC0ncord Mar 6, 2023
20fbb55
systemd: add rules for systemd-zram-generator
0xC0ncord Mar 6, 2023
48af8ca
systemd: allow systemd-pcrphase to read generic certs
0xC0ncord Mar 7, 2023
104e201
fs, init: allow systemd-init to set the attributes of efivarfs files
0xC0ncord Mar 7, 2023
9307110
init: allow systemd-init to set the attributes of unallocated terminals
0xC0ncord Mar 7, 2023
5b0aa89
systemd: allow systemd-resolved to bind to UDP port 5353
0xC0ncord Mar 7, 2023
edef7a8
init: allow initrc_t to create netlink_kobject_uevent_sockets
0xC0ncord Mar 7, 2023
69e6c33
raid: allow mdadm to read udev runtime files
0xC0ncord Mar 6, 2023
6ad1768
raid: allow mdadm to create generic links in /dev/md
0xC0ncord Mar 6, 2023
228e8e3
fstools: allow fsadm to read utab
0xC0ncord Mar 7, 2023
bf546e4
glusterfs: allow glusterd to bind to all TCP unreserved ports
0xC0ncord Mar 7, 2023
9b4e8bd
kubernetes: allow kubelet to read etc runtime files
0xC0ncord Mar 8, 2023
7416ac1
Merge pull request #603 from 0xC0ncord/various-20230224
pebenito Mar 13, 2023
c75a32f
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
yizhao1 Mar 15, 2023
8e8f5e3
Merge pull request #606 from yizhao1/systemd-resolved
pebenito Mar 17, 2023
6dd2c3b
Add separate label for cgroup's memory.pressure files
bluca Mar 15, 2023
6ecba6f
systemd: also allow to mounton memory.pressure
bluca Mar 15, 2023
d0d4e8f
systemd: allow daemons to access memory.pressure
bluca Mar 15, 2023
8f70644
The pulseaudio daemon and client do not normally need to use
gtrentalancia Apr 5, 2023
a098f2b
mplayer:vlc paths
freedom1b2830 Mar 25, 2023
7815e48
Merge pull request #610 from gtrentalancia/master
pebenito Apr 6, 2023
7831981
Merge pull request #609 from freedom1b2830/master
pebenito Apr 6, 2023
cb068f0
smartmon: add domain for update-smart-drivedb
montjoie Jan 25, 2023
ac6b47c
dovecot: add missing permissions
montjoie Mar 21, 2023
218c42f
Merge pull request #608 from montjoie/dovecot
pebenito Apr 17, 2023
ad527f9
Merge pull request #592 from montjoie/update-smart-drivedb
pebenito Apr 17, 2023
f52070b
container: set default context for local-path-provisioner
jcpunk Apr 18, 2023
d22e18a
Merge pull request #612 from jcpunk/local-path-provisioner
pebenito Apr 28, 2023
232b4ab
Shell functions used during boot by initrc_t shall be bin_t and defin…
plsph May 3, 2023
d769f31
Dir transition goes with dir create perms.
plsph May 3, 2023
9ef053d
Merge pull request #614 from plsph/initrc-zfs-config
pebenito May 3, 2023
8f563f5
Merge pull request #615 from plsph/zfs-dir-transition
pebenito May 3, 2023
80d52aa
Keep context of blkid file/dir when created by zpool.
plsph May 10, 2023
6f8056d
Merge pull request #618 from plsph/zfs_t-blkid
pebenito May 18, 2023
429b268
Merge pull request #607 from bluca/mempressure
pebenito May 18, 2023
6ac468d
chromium: allow chromium-naclhelper to create user namespaces
0xC0ncord May 25, 2023
d6b44b9
Merge pull request #620 from 0xC0ncord/chromium-userns
pebenito Jun 19, 2023
feaf607
container: fix cilium denial
tormath1 Jun 21, 2023
d4e64bb
Merge pull request #621 from tormath1/tormath1/cilium
pebenito Jun 21, 2023
34cba22
kubernetes: allow kubelet to read /proc/sys/vm files.
rmsc Jul 3, 2023
4370d6b
Merge pull request #625 from rmsc/main
pebenito Jul 5, 2023
cf09279
Add label and interfaces for kernel PSI files
fajs Jun 29, 2023
c6424be
Merge pull request #623 from fajs/psi_t
pebenito Jul 6, 2023
26eb377
systemd-generator: systemd_generator_t load kernel modules used for e…
chrisschnei Jun 23, 2023
bee1bcb
Merge pull request #622 from chrisschnei/zram-permission
pebenito Jul 11, 2023
f1e7404
container: rework capabilities
0xC0ncord May 25, 2023
a120ea8
Allow local login to read /run/motd
dsugar100 Jul 14, 2023
90d3f5c
Merge pull request #619 from 0xC0ncord/container-caps-rework
pebenito Jul 18, 2023
97e35d8
Merge pull request #626 from dsugar100/main
pebenito Aug 2, 2023
5e0627b
[meta-selinux] Import upstream meta-selinux patches
Sep 7, 2022
a787bfb
[refpolicy-targeted] Make unconfined_u the default selinux user
Sep 14, 2022
6f0667e
[files.if] Allow manage /var/run dir
Sep 14, 2022
3e70ba7
[filesystem.if] Allow manage efivarfs filesystems
Sep 14, 2022
f9cf371
[kernel.if] Allow read kernel files
Sep 14, 2022
e406c3a
[dbus.if] Allow search udev dir
Sep 14, 2022
e704b98
[dnsmasq.if] Allow read dnsmasq files
Sep 14, 2022
9830562
[init] Allow read init script and search key
Sep 14, 2022
c352a9a
[logging.if] Allow read files from syslogd
Sep 14, 2022
f51e6a3
[aos] Add policies for aos components
Sep 14, 2022
3d2afed
[systemd] Allow getattr access to cgroup domain
LKomaryanskiy Jan 21, 2022
3b953d8
[systemd_networkd_t] Allow reading var_t
LKomaryanskiy Dec 17, 2021
8a377ef
[dnsmasq] Fix policies to use dnsmasq CNI plugin
LKomaryanskiy Dec 21, 2021
1116aad
[systemd] Allow systemd_generator get aos_var_run file attributes
LKomaryanskiy Dec 21, 2021
93eefcf
[mount] Allow mount access to var_aos
LKomaryanskiy Jan 4, 2022
0d77384
[quota] Allow quota_t manage aos_var_run_t files
LKomaryanskiy Jan 4, 2022
f350ab6
[aos] Allow process execmem
Sep 7, 2022
c943b26
[modutils] Allow modprobe dac_read_search
Sep 7, 2022
2c52cea
[unconfined] Allow systemd to watch utab
Sep 7, 2022
2c29efe
[dnsmasq] Allow dnsmasq read search dac
Sep 7, 2022
865fad0
[selinuxutil] Allow read unlabeled_t link files
Sep 7, 2022
03730f7
[aos.if] Allow quota for /var/aos filesystem
Sep 7, 2022
ea16aeb
[mount] Allow relabeled aos_var_run_t
Sep 7, 2022
09c1177
[files.if] Allow kernel_t load rootfs module
Sep 7, 2022
b69cf2f
[journald,mount] Allow using machine-id for ro rootfs
LKomaryanskiy Dec 14, 2021
6d375b8
[README] Add how to edit SELinux
Sep 8, 2022
5cc8890
[systemd] Allow systemd-tmpfile map to /etc/group
Sep 8, 2022
6948b20
[logging] Allow klogd write into dev-log
Sep 9, 2022
f44cf45
[container] Allow containers to work with host filesystem
Sep 9, 2022
f15e9dc
[dnsmasq] Allow write syslog to runtime dirs
Sep 10, 2022
5711830
Add rules for login into system
Aug 14, 2023
6f2f1d1
Add rules for provisioning
Aug 16, 2023
9b81e58
Add rules for services
Aug 16, 2023
a49fd8c
Implement login policy
Aug 29, 2023
131 changes: 85 additions & 46 deletions .github/workflows/tests.yml
Expand Up @@ -3,30 +3,42 @@ name: Build tests
on: [push, pull_request]

env:
# Minimum userspace version to build refpolicy.
SELINUX_USERSPACE_VERSION: checkpolicy-3.1

jobs:
lint:
runs-on: ubuntu-latest
runs-on: ubuntu-20.04

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3

# This version should be the minimum required to run the fc checker
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v4
with:
python-version: 3.7

- name: Install dependencies
run: |
sudo apt-get update -qq
sudo apt-get update -q
sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev

# Install SELint from Debian testing
wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
sudo apt-get install -qqy selint
selint -V
- name: Checkout SELint
uses: actions/checkout@v3
with:
repository: SELinuxProject/selint
# support exclusions in interface arguments
ref: 'v1.3.0'
path: selint

- name: Build SELint
run: |
cd selint/
./autogen.sh
./configure --without-check
make -j$(nproc)
sudo make install

- name: Create generated policy files
run: |
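Review bot: the SELint checkout at `ref: 'v1.3.0'` pins a git tag, and a tag can be moved or recreated upstream, yet whatever it resolves to is built and installed system-wide on the runner with `sudo make install`; pin the full commit SHA that v1.3.0 currently points at (keep the tag name in the comment beside it) so the lint toolchain is reproducible. The same applies to `actions/checkout@v3` and `actions/setup-python@v4`, which track a mutable major-version tag rather than a fixed commit. Replacing the old Debian-testing apt source and deprecated `apt-key add` on an Ubuntu runner with a source build is the right direction; it just needs the immutable reference to go with it.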
Expand All @@ -39,60 +51,86 @@ jobs:
- name: Run SELint
run: |
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: needs fixing
# disable C-008 (Conditional expression identifier from foreign module) for now: needs fixing
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
selint --source --recursive --summary --fail --disable C-005 --disable W-005 policy
selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy

build:
runs-on: ubuntu-latest

needs: lint
runs-on: ubuntu-20.04

strategy:
fail-fast: false

matrix:
build-opts:
- {type: standard, distro: redhat, monolithic: y, systemd: y}
- {type: standard, distro: redhat, monolithic: n, systemd: y}
- {type: standard, distro: debian, monolithic: y, systemd: y}
- {type: standard, distro: debian, monolithic: n, systemd: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n}
- {type: standard, distro: gentoo, monolithic: n, systemd: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y}
- {type: mcs, distro: redhat, monolithic: n, systemd: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y}
- {type: mcs, distro: debian, monolithic: n, systemd: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y}
- {type: mls, distro: redhat, monolithic: n, systemd: y}
- {type: mls, distro: debian, monolithic: y, systemd: y}
- {type: mls, distro: debian, monolithic: n, systemd: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n}
- {type: mls, distro: gentoo, monolithic: n, systemd: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined}

- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: n}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: n}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: n}
- {type: standard, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: standard, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, direct_initrc: y}
- {type: mls, distro: debian, monolithic: n, systemd: y, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: n, systemd: n, direct_initrc: y}
- {type: standard, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: standard, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mcs, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: redhat, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: debian, monolithic: y, systemd: y, apps-off: unconfined, direct_initrc: y}
- {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3

# This should be the minimum required Python version to build refpolicy.
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v4
with:
python-version: 3.5

- name: Install dependencies
run: |
sudo apt-get update -qq
sudo apt-get install -qqy \
sudo apt-get update -q
sudo apt-get install -qy \
bison \
flex \
gettext \
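Review bot: the matrix now repeats every type/distro/monolithic/systemd/apps-off combination twice, once with `direct_initrc: n` and once with `direct_initrc: y` (54 entries), so each future option has to be added to both copies by hand and the two halves can silently drift apart; declare `direct_initrc: [n, y]` as a second matrix dimension alongside `build-opts` and reference it as `${{matrix.direct_initrc}}` so the list is written once and GitHub computes the cross product. `fail-fast: false` is the right choice for a matrix this size, since one distro's breakage should not hide results for the others.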
Expand All @@ -113,6 +151,7 @@ jobs:
echo "MONOLITHIC=${{matrix.build-opts.monolithic}}" >> $GITHUB_ENV
echo "SYSTEMD=${{matrix.build-opts.systemd}}" >> $GITHUB_ENV
echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
echo "WERROR=y" >> $GITHUB_ENV

- name: Build toolchain
Expand All @@ -133,7 +172,7 @@ jobs:
- name: Build refpolicy
run: |
# Drop build.conf settings to listen to env vars
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf

make bare
make conf
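Review bot: the `sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)/d' build.conf` pattern is unanchored, so it deletes any build.conf line that merely contains one of those words, comment lines included, and a future option whose name contains `TYPE` or `DISTRO` as a substring would be dropped as well; anchor it to assignments, e.g. `'/^(MONOLITHIC|TYPE|DISTRO|SYSTEMD|DIRECT_INITRC|WERROR)[[:space:]]*=/d'`. Also, `APPS_OFF` is exported via `$GITHUB_ENV` in the same job but is not in this list, so per the comment above ("Drop build.conf settings to listen to env vars") a build.conf value for it would still take precedence over the matrix setting.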