* Patch shadow-utils to address CVE-2023-29383
* Update SPECS/shadow-utils/shadow-utils.spec for spec linting
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
---------
Co-authored-by: Rakshaa Viswanathan <46165429+rakshaa2000@users.noreply.github.com>
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* first commit of MarinerFedRamp2.0
* first commit for FedRAMP2.0
* patched all the asc cases in source code
* address Daniel's review comments for Mariner 2.0 FedRAMP
* move disabling ICMP redirect from source to packer
* Update SPECS/shadow-utils/shadow-utils.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* Update SPECS/fedramp/fedramp.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* address the comments in 2nd round reviews
* add asc.spec to replace fedramp.spec
* delete fedramp spec
* fix typo and remove changes for system-password
* update manifest file
* remove some unnecessary changes
* add empty line at end
* update to pass PR check
* address 1st round review comments
* update changelog for license
* address review comments
* remove ssh access
Co-authored-by: rmhsawyer <mingheren@gmail.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* move su from shadow-utils to util-linux
* update manifests
* remove su pam config from shadow-utils
* restore su pam from shadow-utils
* fix su file
* fix shadow-utils BR
* update changelog
* update based on PR feedback
The current pam.d config sets the loginuid by su/sudo. The loginuid should
always reflect the UID that the user logged in as.
Add pam_selinux.so to login configs so users will have the correct SELinux
context on their session.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
* Increase maximum number of days a password can be used
* Update shadow utils version for toolchain deps
* Update lint changes as per build logs
* Remove PASS_MAX_DAYS customized value 90 to set default value
* Update var in SPEC file by removing macro
Co-authored-by: Suresh Babu Chalamalasetty <schalam@microsoft.com>
* Add SELinux packages to Mariner.
This commit adds the following packages to Mariner to provide basic
SELinux support:
- checkpolicy
- libsemanage
- mcstrans
- policycoreutils
- secilc
- selinux-policy
- setools
The selinux-policy provided here is a generic base policy, which is not
specifically tuned for Mariner, therefore only permissive mode support
is enabled in this commit. (Although users could load a custom policy
to run in enforcing mode). Future phases have been discussed to add
SELinux enforcing mode support.
This commit does not enable SELinux by default. In order to enable
SELinux support, one must first install necessary packages (libselinux,
policycoreutils, secilc, selinux-policy), and then append "lsm=selinux
selinux=1" to the kernel command line. This will trigger an initial
boot to relabel the system, at which point the system will reboot, and
boot into an SELinux enabled system. SELinux state can be queried with
the "getenforce" command line tool. If SELinux has not been enabled, it
will report "Disabled" (the default). If SELinux support has been
enabled as described in this paragraph, it will report "permissive".
This commit also modifies the following packages to enable SELinux
functionality in existing packages:
- coreutils
- cronie
- dbus
- openssh
- pam
- rpm
- shadow-utils
- systemd
- util-linux
This enables them to build with SELinux support so that when SELinux is
enabled, they have SELinux related functionality available.
Because coreutils is a basic package and requires building with
libselinux-devel present in order to enable key SELinux functionality,
several dependencies in other packages that rely on coreutils (namely
python2, python3 and systemd-bootstrap) had to be removed in order to
avoid circular dependencies. There does not appear to be a functional
impact from this change based on my testing.
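
The enablement check described in the SELinux commit message above, as an added example that is not part of the commit or of the Mariner sources: it predicts what `getenforce` should report for a given kernel command line. The function names are hypothetical, the command lines used with it are constructed, and it assumes that the last occurrence of a repeated kernel parameter wins.

```shell
#!/bin/sh
# Added example (not from the commit): predict getenforce output from a kernel
# command line, following the enablement procedure in the commit message.
# Assumptions: a repeated parameter's last occurrence wins; a missing lsm= is
# treated as "not enabled" because the message asks for both settings;
# enforcing= and /etc/selinux/config are not modelled (permissive mode only).

# Print the value of the last "key=value" token for key $1 in command line $2.
last_param() (
    set -f                      # no globbing while word-splitting the cmdline
    val=
    for tok in $2; do
        case $tok in
            "$1"=*) val=${tok#"$1"=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# Succeed when comma-separated list $1 contains item $2.
list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print "Permissive" when both settings from the commit message are in effect,
# otherwise "Disabled" (the default state the message describes).
expected_getenforce() {
    if [ "$(last_param selinux "$1")" = 1 ] &&
       list_has "$(last_param lsm "$1")" selinux; then
        echo Permissive
    else
        echo Disabled
    fi
}

# Compare an observed getenforce answer ($2) with the prediction for cmdline $1.
check_state() {
    want=$(expected_getenforce "$1")
    if [ "$want" = "$2" ]; then
        echo "ok: $2"
    else
        echo "mismatch: expected $want, got $2"
        return 1
    fi
}
```

On a running system, `check_state "$(cat /proc/cmdline)" "$(getenforce)"` compares the prediction with the live state; a mismatch after the relabel reboot points at a parameter that was overridden or never applied.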