aboutsummaryrefslogtreecommitdiffstats
path: root/package/system/selinux-policy
Commit message (Collapse)AuthorAgeFilesLines
* selinux-policy: update to version 1.1Dominick Grift2022-05-031-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | try to clean up some labeling inconsistencies iwinfo loose ends ucode loose ends Makefile: adjust mintesttgt (adds blockmount/blockd) nftables: reads inherited netifd pipe ucode: reads inherited netifd pipes mountroot: fowner sandbox: writes inherited dropbear pipes unbound related to /tmp/etc/ssl unbound loose ends adds a sslconftmpfile for /tmp/etc/ssl README: maintain a wish list in the README iwinfo: netifd forgot write gptfdisk loose ends iwinfo: netifd wpad reads/writes inherited netifd fifo files netifd (mac80211.sh) executes iwinfo luci: executes wireguard luci-cgi: audits xtables execute access rcuhttpd: lists ssl certfile dirs iwinfo, wifi,nftables usage of ttyd pty if available urandomseed: seedrng needs cap_sys_admin iwinfo iwinfo, nftables and some chronyd rules related to ntp nts server nftables, wifi and adds iwinfo skel nftables, rpcd, ucode nftables, ucode and seedrng ucode, fw3/nftables, luci adds ucode skel and some fw3/nftables related urandomseed: some seedrng rules fw3 adds some support for fw4 urandomseed: /etc/seedrng is for seed.credit hotplugcal: runs ucode which is interpreter like adds a nftables skeleton and makes xtables optional agent: allow all agents to write inherited dropbear pipes urandomseed: this seems to be replaced by seedrng kmodloader: label /etc/modules.conf kmodloader.conffile Revert "shelexecfile: remove auditallow rule" Makefile: sort the modules to process by secilc Moves back to git.defensec.nl unbound odhcpd (ip) reads net proc tcp dump shelexecfile: remove auditallow rule rrd.cil: fixes indent Target rddtool from cgi-io instead of runnit it without transition rrd.cil related rrd, rpcd, cgiio clean ups related to luci-app-statistics Rules for rrd files and luci-statistics unboundcontrol ordering Several missing permissions blockmount, dnsmasq, hotplugcall, rpcd, unbound adds mctp_socket (linux 5.15) ip: forgot tc-tiny type transition to go along with the fc spec ip: adds a fc spec for tc-tiny (called by sqm) adds ttyACM fc spec and various assorted loose ends .gitattributes: do not export the github workflows workflow use selinux 3.3 project moved back to https://git.defensec.nl/selinux-policy.git Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit 43794570986e33770d9039399d16a665f6c7c495)
* selinux-policy: update to version 1.0Dominick Grift2021-10-281-3/+3
| | | | | | | | | | | | | | | | | wifi: writes to terminal hotplugcall and sqm read class sysfile symlinks unbound and sqm related loose ends support/example: policycoreutils host-compile is required TODO: this was wrong and it is actually needed linguist detectable does not work this way linguist-detectable updates README adds workflows adds a note about persistent /var option project moved to https://github.com/DefenSec/selinux-policy Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* selinux-policy: update to version 0.9Daniel Golle2021-08-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | 592ac0f add a note 4bacd14 sslcertfile: list /etc/ssl 7bdefa4 example: indicate that skip is an option d1e9a85 wifi: sys pipe usage eb903e1 README: add note about policycoreutils-setfiles weak dependency 762e011 ttyd: signull all subjects fbfc079 acme: add basic support for acme_cleanup.sh and acme_setup.sh 9ac7592 acme: transition to sys.subj on generic initscript execution f3dd1ba acme: missing rules related to sys.subj trans on file.initscriptfile ae273fa odhcp6c/netifd: support drop-in directories 5fa9b41 subj: do not encourage misconfiguration 44722b6 blockd, logd, odhcpc6, ubiutil, mtdstordev a775d93 21.02 related a473691 rcboot runs rcuhttpd which creates /tmp/etc for /tmp/etc/uhttpd 290e9fb rcuhttpd: related to rcboot and uci-defaults 3fc0d8b rcuhttpd: lists /etc/uci-defaults 1f5ef48 removes ubvol.lock policy and adds move mtd/ubi partitions Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to version v0.8Dominick Grift2021-03-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 3d7da7a igmpproxy tidy some loose ends c84ba0f rcigmpproxy: add entries to /etc when creating /etc/igmpproxy.conf 5a18967 adds igmpproxy skeleton 7e6a218 logread: support resolving dns names e39ca8b netifd: add support for /etc/udhcpc.user 7952bd0 odhcp6c: support /etc/odhcp6c.user ba0eb4e swconfig, fwenv, agent 4556b8a pppd cosmetic 9324d9d pppd: sends AT commands to model using /dev/ttyUSBN 417b14a ttydev: add some more ttyUSB ed739dc example: dont depend on policycoreutils 97613f9 dropbear: using dropbear as scp: dns name resolving 12c193b dropbear tcp connect ssh ports for scp c050077 rcdnsmasq: remove redundant rule and make rcsysntpd optional 8c5de35 this is a bug 8d5c463 uhttpd rcboot rcdnsmasq 094266e hostapd and wpa_supplicant aef0bd7 mountroot: maintains /tmp/sysupgrade.tar 24f0406 dropbear: allow it to read tmp.fs files 2901433 firstboot mkfsf2fs rcboot 2c4afb7 blockmount mmc 465ca98 adds industrial i/o (iio) nodedev 82f686e mtd stordev: back that ubiblock0_4p1 up with a filecon 7df78bd ubus: "support" older ubusd versions that run as root 4458bce swconfig: allow using terminal (to print output) e8d606d sslcert: openssl linked: this shaves off 200 bytes 93afffb jshn ntpdhotplug 0b847f0 wpad: reads /etc/ssl/openssl.cnf f14ee34 indent fix a0c7cad mtd, uhttpd, ubus and ntpdhotplug d74f98f adds a not about checkreqprot requirement in some scenarios affacce example: add policycoreutils-setfiles for make check 4f944dc kmodloader and fwenv: efe36a3 netifd: adds a comment/reminder 581b087 more fw_printenv loose ends 30177a4 fw_setenv: needs mtd write access to set and delete env da28f4c fw_printenv: some minor clean ups a062053 fw_printenv missing rules 244ba5f blockmount: extroot and /rwm 0745a6a squid: allow squid to run sslcrtd with domain transition b851df6 squid fix 8c55acd squid: adds certfile and allow connect http but... b7c1f6d Makefile: exclude tinyproxy from mintesttgt (using squid) 5ff39bd squid: forgot about luci 5366c97 squid/rcsquid some basic fill in 8743da6 squid skeleton 687a43b adds squid 3128 port to httpproxy port Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* selinux-policy: update to version 0.7Daniel Golle2021-02-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | a857b45 resolv/locale: eventually this should be more efficient 11ed281 some more optimization 764a475 add redundant calls to file.search_conffile_dirs() 7d4558e fs: treat devtmpfs that same as tmpfs 81b677e adds irqbalance skeleton 5506244 irqbalance rules cc96cd8 adds usbutil and gtpfdisk skels 01e2a55 some fsck, gptfdisk, mkfs and usbutil rules d6d1e7d usbutil: output to terminal da576fa fsck, gptfdisk and usbutil rules 09b39e9 unbound 241a029 hotplugcall: allow dac_read_search (is a subset of dac_override) af0fe90 adds label for tcsh 160f79e adds tcpdump 6d02b96 adds coreutil execfile for busybox alternatives ac54884 coreutilexecfile: these are known to require privileges, so exclude 8cb3b66 adds chrootexecfile 6d329d3 this saves 9KiB and its a bit more robust 88e2425 move addpart/delpart/partx to gptfdisk.cil 261012d ntphotplug: reads ubox data files 0473ace various 740e820 work through to genfs_seclabel_symlinks loose ends (Linux 5.10) bef21f5 TODO adds a note about how I dont need to upgrade to polver 33 from 31 cb2e5a3 ubus uses ntpdhotplug fd, and some genfs_seclabel_symlink changes 07df9b9 luci, rpcd and wpad (mainly genfs_selabel related but not all) 8d86cab genfs_seclabel loose ends for blockmount, hotplugcall, irqbalance, zram-swap b8156cd adds a note about how i forgot to target blockd 6e82ab8 adds blockd and related 254ff43 Makefile: exclude blockd from mintesttgt 4dc6bc2 pppd update related and unbound-odhcp rules Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to version 0.6Daniel Golle2021-02-051-2/+2
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to git tag v0.5Daniel Golle2021-01-311-2/+2
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to version 0.4Daniel Golle2020-12-121-2/+3
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to git tag v0.3Daniel Golle2020-10-161-3/+3
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: adds new packageDominick Grift2020-10-092-0/+55
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>