SELinux policy modules
 
 
Dustin 5a0e5de56a
ci: Build/sign RPMs for multiple Fedora versions
* Use `matrix` to generate pipelines for multiple Fedora versions
* Sign RPM packages using the Jenkins GPG key
* Publish RPM files to *dch* repository on *files.pyrocufflink.blue*
  instead of Gitea (the latter cannot handle multiple releases of the
  same package)
2024-06-03 09:52:43 -05:00
ci ci: Build/sign RPMs for multiple Fedora versions 2024-06-03 09:52:43 -05:00
.gitignore Add RPM spec 2023-10-26 09:24:10 -05:00
Makefile meta: Publish to Gitea 2023-10-26 09:27:04 -05:00
README.md Initial commit 2021-08-26 21:18:41 -05:00
dch-samba.fc Initial commit 2021-08-26 21:18:41 -05:00
dch-samba.if Initial commit 2021-08-26 21:18:41 -05:00
dch-samba.te Initial commit 2021-08-26 21:18:41 -05:00
dch-selinux.spec Add RPM spec 2023-10-26 09:24:10 -05:00

README.md

Dustin's SELinux Policy Modules

This is a collection of SELinux policy modules that fix or augment the default SELinux policy for Fedora/RHEL.

dch-samba

The SELinux reference policy does not have rules for the Samba Active Directory Domain Controller ("samba4"). On Fedora/RHEL, /usr/bin/samba runs in unconfined_service_t. This is fine for the DC functionality itself, but breaks winbindd. The refpolicy does have rules for winbind, but they expect it to run in its own domain, winbind_t. Since winbindd is started by samba when running on a DC, it runs in unconfined_service_t as well.

The dch-samba policy module adds a couple of rules to allow samba to launch winbindd in the correct domain, and fixes up a few other AVC denials that come from doing this.
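One way to confirm the transition described above on a domain controller, as an added example that is not part of the dch-selinux repository: the function reads `ps -eZ` output and fails if any winbindd process runs outside winbind_t. The two process listings (PIDs included) are constructed samples; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: verify that winbindd runs in winbind_t, not in samba's domain.
# Live use on a DC:  ps -eZ | check_winbindd_domain

# Constructed `ps -eZ` output: winbindd inherits samba's domain (module absent).
SAMPLE_BEFORE='LABEL                                      PID TTY  TIME     CMD
system_u:system_r:unconfined_service_t:s0 1203 ?    00:00:01 samba
system_u:system_r:unconfined_service_t:s0 1219 ?    00:00:00 winbindd'

# Constructed `ps -eZ` output: winbindd transitioned to its own domain.
SAMPLE_AFTER='LABEL                                      PID TTY  TIME     CMD
system_u:system_r:unconfined_service_t:s0 1203 ?    00:00:01 samba
system_u:system_r:winbind_t:s0            1219 ?    00:00:00 winbindd'

# Reads `ps -eZ` lines on stdin.
# Exit 0: every winbindd is in winbind_t. Exit 1: at least one is not
# (each offender is printed). Exit 2: no winbindd process was found.
check_winbindd_domain() {
    awk '
        $NF == "winbindd" {
            seen++
            # Context is user:role:type:level[:categories]; field 3 is the type.
            split($1, ctx, ":")
            if (ctx[3] != "winbind_t") {
                bad++
                printf "winbindd pid %s runs in %s, expected winbind_t\n", $2, ctx[3]
            }
        }
        END {
            if (!seen) { print "no winbindd process found"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Demonstration against both constructed samples.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$sample" | check_winbindd_domain \
        && echo "winbindd is confined to winbind_t" \
        || echo "-> domain transition missing or winbindd not running"
done
```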