Hu
fade960df6
* Use new kanidm interfaces * Initial module for kanidm * Update bootupd policy * Allow rhsmcertd read/write access to /dev/papr-sysparm * Label /dev/papr-sysparm and /dev/papr-vpd * Allow abrt-dump-journal-core connect to winbindd * Allow systemd-hostnamed shut down nscd * Allow systemd-pstore send a message to syslogd over a unix domain * Allow postfix_domain map postfix_etc_t files * Allow microcode create /sys/devices/system/cpu/microcode/reload * Allow rhsmcertd read, write, and map ica tmpfs files * Support SGX devices * Allow initrc_t transition to passwd_t * Update fstab and cryptsetup generators policy * Allow xdm_t read and write the dma device * Update stalld policy for bpf usage * Allow systemd_gpt_generator to getattr on DOS directories * Make cgroup_memory_pressure_t a part of the file_type attribute * Allow ssh_t to change role to system_r * Update policy for coreos generators * Allow init_t nnp domain transition to firewalld_t * Label /run/modprobe.d with modules_conf_t * Allow virtnodedevd run udev with a domain transition * Allow virtnodedev_t create and use virtnodedev_lock_t * Allow virtstoraged manage files with virt_content_t type * Allow virtqemud unmount a filesystem with extended attributes * Allow svirt_t connect to unconfined_t over a unix domain socket * Update afterburn file transition policy * Allow systemd_generator read attributes of all filesystems * Allow fstab-generator read and write cryptsetup-generator unit file * Allow cryptsetup-generator read and write fstab-generator unit file * Allow systemd_generator map files in /etc * Allow systemd_generator read init's process state * Allow coreos-installer-generator read sssd public files * Allow coreos-installer-generator work with partitions * Label /etc/mdadm.conf.d with mdadm_conf_t * Confine coreos generators * Label /run/metadata with afterburn_runtime_t * Allow afterburn list ssh home directory * Label samba certificates with samba_cert_t * Label /run/coreos-installer-reboot with coreos_installer_var_run_t * Allow virtqemud read virt-dbus process state * Allow staff user dbus chat with virt-dbus * Allow staff use watch /run/systemd * Allow systemd_generator to write kmsg * Allow virtqemud connect to sanlock over a unix stream socket * Allow virtqemud relabel virt_var_run_t directories * Allow svirt_tcg_t read vm sysctls * Allow virtnodedevd connect to systemd-userdbd over a unix socket * Allow svirt read virtqemud fifo files * Allow svirt attach_queue to a virtqemud tun_socket * Allow virtqemud run ssh client with a transition * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket * Update keyutils policy * Allow sshd_keygen_t connect to userdbd over a unix stream socket * Allow postfix-smtpd read mysql config files * Allow locate stream connect to systemd-userdbd * Allow the staff user use wireshark * Allow updatedb connect to userdbd over a unix stream socket * Allow gpg_t set attributes of public-keys.d * Allow gpg_t get attributes of login_userdomain stream * Allow systemd_getty_generator_t read /proc/1/environ * Allow systemd_getty_generator_t to read and write to tty_device_t * Drop publicfile module * Remove permissive domain for systemd_nsresourced_t * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t * Allow to create and delete socket files created by rhsm.service * Allow virtnetworkd exec shell when virt_hooks_unconfined is on * Allow unconfined_service_t transition to passwd_t * Support /var is empty * Allow abrt-dump-journal read all non_security socket files * Allow timemaster write to sysfs files * Dontaudit domain write cgroup files * Label /usr/lib/node_modules/npm/bin with bin_t * Allow ip the setexec permission * Allow systemd-networkd write files in /var/lib/systemd/network * Fix typo in systemd_nsresourced_prog_run_bpf() OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=248
53 lines
1.3 KiB
Plaintext
53 lines
1.3 KiB
Plaintext
#
|
|
# Multi-Level Security translation table for SELinux
|
|
#
|
|
# Uncomment the following to disable translation libary
|
|
# disable=1
|
|
#
|
|
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
|
# categories defined by the admin.
|
|
# Objects can be in more than one category at a time.
|
|
# Users can modify this table to translate the MLS labels for different purpose.
|
|
#
|
|
# Assumptions: using below MLS labels.
|
|
# SystemLow
|
|
# SystemHigh
|
|
# Unclassified
|
|
# Secret with compartments A and B.
|
|
#
|
|
# SystemLow and SystemHigh
|
|
s0=SystemLow
|
|
s15:c0.c1023=SystemHigh
|
|
s0-s15:c0.c1023=SystemLow-SystemHigh
|
|
|
|
# Unclassified level
|
|
s1=Unclassified
|
|
|
|
# Secret level with compartments
|
|
s2=Secret
|
|
s2:c0=A
|
|
s2:c1=B
|
|
|
|
# ranges for Unclassified
|
|
s0-s1=SystemLow-Unclassified
|
|
s1-s2=Unclassified-Secret
|
|
s1-s15:c0.c1023=Unclassified-SystemHigh
|
|
|
|
# ranges for Secret with compartments
|
|
s0-s2=SystemLow-Secret
|
|
s0-s2:c0=SystemLow-Secret:A
|
|
s0-s2:c1=SystemLow-Secret:B
|
|
s0-s2:c0,c1=SystemLow-Secret:AB
|
|
s1-s2:c0=Unclassified-Secret:A
|
|
s1-s2:c1=Unclassified-Secret:B
|
|
s1-s2:c0,c1=Unclassified-Secret:AB
|
|
s2-s2:c0=Secret-Secret:A
|
|
s2-s2:c1=Secret-Secret:B
|
|
s2-s2:c0,c1=Secret-Secret:AB
|
|
s2-s15:c0.c1023=Secret-SystemHigh
|
|
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
|
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
|
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
|
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
|
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|