/snapd

data/selinux: merge SELinux policy module #2878

Merged
merged 40 commits into from Feb 23, 2017

Conversation

Reviewers

@zyga zyga

@mvo5 mvo5

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@Conan-Kudo @mvo5 @zyga @niemeyer
@Conan-Kudo
Contributor

Conan-Kudo commented Feb 17, 2017

This PR merges the SELinux policy module I had been developing on my repository on GitLab into the snapd repository.

Hopefully now, SELinux policy development will now be part of snapd development.

Conan-Kudo added some commits Aug 30, 2016

@Conan-Kudo
Initial commit
9d836bc
@Conan-Kudo
Add conditionals for supporting RH/Fedora and Debian paths
1fa9b0c
@Conan-Kudo
Add spec and replace Makefile with new generic one
6ed3a42
@Conan-Kudo
Fix spec and update commit hash
683d445
@Conan-Kudo
Add more files and permissions to policy
76165ef
@Conan-Kudo
Add transition permission for sockets
8542b51
@Conan-Kudo
Mark sockets as sockets 
See selabel_file(5) for details
eefa7ce
@Conan-Kudo
Bump policy module version
afe2b5d
@Conan-Kudo
Add transition patterns for sockets
6ead59b
@Conan-Kudo
Pull in types for transitioning
b8dd711
@Conan-Kudo
Update and fix spec
a789274
@Conan-Kudo
Fix expression for labeling snappy binaries
daa87ed
@Conan-Kudo
Update spec
e429dc3
@Conan-Kudo
Allow http_cache and dns ports to be used by snapd
d83fde8
@Conan-Kudo
Add more DNS permissions
483bfe0
@Conan-Kudo
Add access to configuration files and checking for IPv6
35de0a5
@Conan-Kudo
Add more allowances for net config and systemd access
0cd6dea
@Conan-Kudo
Grant snapd total access to its homedir data
0e2c1fb
@Conan-Kudo
Allow snapd to search NetworkManager's run data
96da693
@Conan-Kudo
Add type declaration for snappy data
90dc45b
@Conan-Kudo
Grant snapd access to SSL certs
3b7e03c
@Conan-Kudo
Allow snapd to manage D-Bus config files
8ba3142
@Conan-Kudo
Add DAC override capability to snapd process
4a3f0a0
@Conan-Kudo
Add more persistent data locations
7530eac
@Conan-Kudo
Add access to udev rules and FUSE device
bcba414
@Conan-Kudo
Grant access to unlabeled files, since snap filesystems are read-only 
snap filesystems currently cannot have the appropriate label applied,
so snapd needs access to unlabeled files for now. On a proper SELinux
system, this should be few and far in between, too.

This should be fixed as soon as possible in a more proper fashion.
6331fd4
@Conan-Kudo
Update spec
b40c121
@Conan-Kudo
Add rules for init_t, proc_t, udev, mount, and tmp
3007115
@Conan-Kudo
Grant snapd the ability to run unsquashfs
a1c2eb5
@Conan-Kudo
Allow init_t to read snappy data, allow snapd to do lots more things
4801509
@Conan-Kudo
Add more capabilities to snapd
6334867
@Conan-Kudo
Add more permissions for unlabeled directories
2d76c7e
@Conan-Kudo
Fix libexec paths
7b986ca
@Conan-Kudo
Add missing domain transition for snappy_home_t
602c0fe
@Conan-Kudo
Remove access to regular home directories
019ae2b
@Conan-Kudo
Add interface for creation of snap home directory
e5c1177
@Conan-Kudo
Mark snappy_t domain as permissive for dev purposes 
See for details: http://danwalsh.livejournal.com/24537.html
4566045
@Conan-Kudo
Merge SELinux policy repository 
Merge in 'master' from 'https://gitlab.com/Conan_Kudo/snapcore-selinux.git'

SELinux policy development will now be part of snapd development.

Signed-off-by: Neal Gompa <ngompa13@gmail.com>

Some checks were not successful

1 failing and 5 successful checks
@mvo5
xenial-ppc64el — autopkgtest finished (failure)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
c075558

@Conan-Kudo Conan-Kudo changed the title from Merge SELinux policy repository to Merge SELinux policy module Feb 17, 2017

@zyga

zyga reviewed Feb 17, 2017
View changes

Mostly LGTM but questions about the way the license is applied

data/selinux/COPYING
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
@zyga

zyga Feb 17, 2017

Contributor

I wonder if this should go to top-level as COPYING.GPL2, @mvo5 what do you think.

We should be clear about the license that applies to particular part of the code.

@Conan-Kudo I think we need to document the license in the particular files to be compliant.

@Conan-Kudo

Conan-Kudo Feb 18, 2017

Contributor

Done.

data/selinux/README.md
+
+# Licensing
+
+As the work from this is derived from modules from [Fedora's SELinux policy project](https://github.com/fedora-selinux/selinux-policy), it is licensed in the same manner.
@zyga

zyga Feb 17, 2017

Contributor

Could you please re-format this to (vim select + gq) to wrap nicely?

@Conan-Kudo
data/selinux: Wrap text in README.md 
Signed-off-by: Neal Gompa <ngompa13@gmail.com>
5ca7cbe
@mvo5
Collaborator

mvo5 commented Feb 20, 2017

This looks good to me, thank you! Really excited to see SELinux landing :-D
@mvo5

mvo5 approved these changes Feb 20, 2017
View changes

@Conan-Kudo
data/selinux: Add license header to policy files and Makefile 
Signed-off-by: Neal Gompa <ngompa13@gmail.com>

Some checks were not successful

5 failing and 1 successful checks
@mvo5
xenial-amd64 — autopkgtest finished (failure)
Details
@mvo5
xenial-i386 — autopkgtest finished (failure)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (failure)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (failure)
Details
@mvo5
zesty-amd64 — autopkgtest finished (failure)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
f04da02

@niemeyer niemeyer changed the title from Merge SELinux policy module to data/selinux: merge SELinux policy module Feb 23, 2017

@niemeyer niemeyer merged commit 7493d7f into snapcore:master Feb 23, 2017
1 of 6 checks passed

1 of 6 checks passed

xenial-amd64 autopkgtest finished (failure)
Details
xenial-i386 autopkgtest finished (failure)
Details
xenial-ppc64el autopkgtest finished (failure)
Details
yakkety-amd64 autopkgtest finished (failure)
Details
zesty-amd64 autopkgtest finished (failure)
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@Conan-Kudo Conan-Kudo deleted the Conan-Kudo:selinux-policy branch Feb 23, 2017

@Conan-Kudo
Contributor

Conan-Kudo commented Feb 23, 2017

🎉
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment