pool/selinux-policy
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9dc19e60e0
selinux-policy/users-minimum
Hu 9dc19e60e0 Accepting request 1186574 from home:cahu:security:SELinux:policyupdate072024 
- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux

OBS-URL: https://build.opensuse.org/request/show/1186574
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=233
2024-07-10 11:10:28 +00:00

40 lines
1.5 KiB
Plaintext
Raw Blame History

##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
Reference in New Issue View Git Blame Copy Permalink