Hu
9dc19e60e0
- Enable sap module
- Add equivalency in file_contexts.subs_dist
* /bin /usr/bin
* /sbin /usr/bin
* /usr/sbin /usr/bin
- Update to version 20240710:
* Change fc in rebootmgr module for /sbin -> /usr/bin
* Change fc in rpm module for /sbin -> /usr/bin
* Change fc in rsync module for /sbin -> /usr/bin
* Change fc in wicked module for /sbin -> /usr/bin
* Confine libvirt-dbus
* Allow virtqemud the kill capability in user namespace
* Allow rshim get options of the netlink class for KOBJECT_UEVENT family
* Allow dhcpcd the kill capability
* Allow systemd-networkd list /var/lib/systemd/network
* Allow sysadm_t run systemd-nsresourced bpf programs
* Update policy for systemd generators interactions
* Allow create memory.pressure files with cgroup_memory_pressure_t
* Add support for libvirt hooks
* Allow certmonger read and write tpm devices
* Allow all domains to connect to systemd-nsresourced over a unix socket
* Allow systemd-machined read the vsock device
* Update policy for systemd generators
* Allow ptp4l_t request that the kernel load a kernel module
* Allow sbd to trace processes in user namespace
* Allow request-key execute scripts
* Update policy for haproxyd
* Update policy for systemd-nsresourced
* Correct sbin-related file context entries
* Allow login_userdomain execute systemd-tmpfiles in the caller domain
* Allow virt_driver_domain read files labeled unconfined_t
* Allow virt_driver_domain dbus chat with policykit
* Allow virtqemud manage nfs files when virt_use_nfs boolean is on
* Add rules for interactions between generators
* Label memory.pressure files with cgroup_memory_pressure_t
* Revert "Allow some systemd services write to cgroup files"
* Update policy for systemd-nsresourced
* Label /usr/bin/ntfsck with fsadm_exec_t
* Allow systemd_fstab_generator_t read tmpfs files
* Update policy for systemd-nsresourced
* Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
* Remove a few lines duplicated between {dkim,milter}.fc
* Alias /bin → /usr/bin and remove redundant paths
* Drop duplicate line for /usr/sbin/unix_chkpwd
* Drop duplicate paths for /usr/sbin
* Update systemd-generator policy
* Remove permissive domain for bootupd_t
* Remove permissive domain for coreos_installer_t
* Remove permissive domain for afterburn_t
* Add the sap module to modules.conf
* Move unconfined_domain(sap_unconfined_t) to an optional block
* Create the sap module
* Allow systemd-coredumpd sys_admin and sys_resource capabilities
* Allow systemd-coredump read nsfs files
* Allow generators auto file transition only for plain files
* Allow systemd-hwdb write to the kernel messages device
* Escape "interface" as a file name in a virt filetrans pattern
* Allow gnome-software work for login_userdomain
* Allow systemd-machined manage runtime sockets
* Revert "Allow systemd-machined manage runtime sockets"
* Allow postfix_domain connect to postgresql over a unix socket
* Dontaudit systemd-coredump sys_admin capability
- Update container-selinux
OBS-URL: https://build.opensuse.org/request/show/1186574
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=233
53 lines
1.3 KiB
Plaintext
53 lines
1.3 KiB
Plaintext
#
|
|
# Multi-Level Security translation table for SELinux
|
|
#
|
|
# Uncomment the following to disable translation libary
|
|
# disable=1
|
|
#
|
|
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
|
# categories defined by the admin.
|
|
# Objects can be in more than one category at a time.
|
|
# Users can modify this table to translate the MLS labels for different purpose.
|
|
#
|
|
# Assumptions: using below MLS labels.
|
|
# SystemLow
|
|
# SystemHigh
|
|
# Unclassified
|
|
# Secret with compartments A and B.
|
|
#
|
|
# SystemLow and SystemHigh
|
|
s0=SystemLow
|
|
s15:c0.c1023=SystemHigh
|
|
s0-s15:c0.c1023=SystemLow-SystemHigh
|
|
|
|
# Unclassified level
|
|
s1=Unclassified
|
|
|
|
# Secret level with compartments
|
|
s2=Secret
|
|
s2:c0=A
|
|
s2:c1=B
|
|
|
|
# ranges for Unclassified
|
|
s0-s1=SystemLow-Unclassified
|
|
s1-s2=Unclassified-Secret
|
|
s1-s15:c0.c1023=Unclassified-SystemHigh
|
|
|
|
# ranges for Secret with compartments
|
|
s0-s2=SystemLow-Secret
|
|
s0-s2:c0=SystemLow-Secret:A
|
|
s0-s2:c1=SystemLow-Secret:B
|
|
s0-s2:c0,c1=SystemLow-Secret:AB
|
|
s1-s2:c0=Unclassified-Secret:A
|
|
s1-s2:c1=Unclassified-Secret:B
|
|
s1-s2:c0,c1=Unclassified-Secret:AB
|
|
s2-s2:c0=Secret-Secret:A
|
|
s2-s2:c1=Secret-Secret:B
|
|
s2-s2:c0,c1=Secret-Secret:AB
|
|
s2-s15:c0.c1023=Secret-SystemHigh
|
|
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
|
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
|
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
|
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
|
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|