Commit Graph

4910 Commits

Author SHA1 Message Date
Miroslav Grepl
003088b3f0 Add modules-*.conf files 2012-12-17 17:22:13 +01:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
rhatdan
5991fc8049 Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead 2012-08-08 11:20:07 -04:00
Miroslav Grepl
e88478c88d +* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3
+- Add role rules for realmd, sambagui
2012-08-07 17:16:15 +02:00
Miroslav Grepl
711b0e2035 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM modu
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
2012-08-07 16:51:57 +02:00
Miroslav Grepl
e2915aed43 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11
- Fix saslauthd when it tries to read /etc/shadow
- Label gnome-boxes as a virt homedir
- Need to allow svirt_t ability to getattr on nfs_t file
- Update sanlock policy to solve all AVC's
- Change confined users can optionally manage virt conte
- Handle new directories under ~/.cache
- Add block suspend to appropriate domains
- More rules required for containers
- Allow login programs to read /run/ data created by sys
- Allow staff users to run svirt_t processes
2012-08-03 16:06:03 +02:00
Dan Walsh
5301232759 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-08-02 11:44:51 -04:00
Dan Walsh
42bb16fcc9 Shut off httpd_tty_comm by default since this is handled by systemd now 2012-08-02 09:37:12 -04:00
Miroslav Grepl
e1fa9080b6 Fix typo in virt.te 2012-08-02 08:32:00 +02:00
Miroslav Grepl
46a9c6067c * Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0
- Update to upstream
2012-08-02 07:43:02 +02:00
Dan Walsh
f9f0731de4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-08-01 15:30:03 -04:00
Miroslav Grepl
3c848e8da5 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15
- More fixes for systemd to make rawhide booting from Dan Walsh
2012-07-30 22:23:31 +02:00
Dan Walsh
16f884ba73 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-07-30 14:59:50 -04:00
Miroslav Grepl
e08c8795d8 Fix duplicate declaration 2012-07-30 18:27:10 +02:00
Dan Walsh
6e4df5a8d6 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-07-30 12:03:01 -04:00
Miroslav Grepl
42c4091430 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-
- Add systemd fixes to make rawhide booting
2012-07-30 17:37:17 +02:00
Dan Walsh
fc246ab63a Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-07-30 10:06:14 -04:00
Dan Walsh
4dd322f258 Add equivalency for /usr/local -> /usr 2012-07-30 10:05:45 -04:00
Miroslav Grepl
20ce6a9e49 Fix systemd.fc 2012-07-27 16:47:16 +02:00
Miroslav Grepl
b4a78ad40d - Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
- Add interface for mysqld to dontaudit signull to all processes
- Label new /var/run/journal directory correctly
- Allow users to inhibit suspend via systemd
- Add new type for the /var/run/inhibit directory
- Add interface to send signull to systemd_login so avahi can send them
- Allow systemd_passwd to send syslog messages
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
- Allow       editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Allow dbus to inhibit suspend via systemd
- Allow avahi to send signull to systemd_login
2012-07-27 16:32:49 +02:00
Dan Walsh
03f80ae03a Fix genman to stop truncating boolean descriptions that do not end with a '.', allow users to specify a list of domains to produce, fix spelling mistake 2012-07-26 16:11:52 -04:00
Dan Walsh
2676121267 Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-party drivers
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man pages
2012-07-24 15:56:40 -04:00
Miroslav Grepl
9ba137b17b * Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12
- Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-part
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man page
2012-07-23 17:47:41 +02:00
Miroslav Grepl
355c11db63 Fix nsswitch_booleans list in genman 2012-07-23 17:32:58 +02:00
Miroslav Grepl
1c38921365 Fix genman.py to correct PORT part 2012-07-23 17:13:29 +02:00
Miroslav Grepl
9c935861d2 Fix genman.py script to descrite nsswitch_domain booleans for domain types 2012-07-23 16:38:28 +02:00
Dennis Gilmore
c07f6435e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-21 14:21:28 -05:00
Miroslav Grepl
3da13de031 +- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
+- Allow xend_t to read the /etc/passwd file
 Please enter the commit message for your changes. Lines starting
 with '#' will be ignored, and an empty message aborts the commit.
 On branch master
 Changes to be committed:
   (use "git reset HEAD <file>..." to unstage)

	modified:   policy-rawhide.patch
	modified:   policy_contrib-rawhide.patch
	modified:   selinux-policy.spec
2012-07-16 00:03:02 +02:00
Miroslav Grepl
3bbc9bb5a8 Add stapserver and realmd policy to modules-targeted.conf 2012-07-15 22:47:22 +02:00
Dan Walsh
18fc0f3c99 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-13 16:59:14 -04:00
Dan Walsh
9d1d9952b1 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-12 19:20:37 -04:00
Miroslav Grepl
98ec5a124e - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00
Miroslav Grepl
770036a507 Add php-fpm to modules-targeted.conf 2012-07-10 10:30:39 +02:00
Dan Walsh
9fe965541c Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-07-06 06:41:48 -04:00
Dan Walsh
8d8178f83b Copy F17 customizable_types into F18 2012-07-06 06:41:33 -04:00
Miroslav Grepl
0f07ba7f55 * Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
2012-07-03 23:11:32 +02:00
Miroslav Grepl
1de5de6450 - add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
2012-06-27 12:53:34 +02:00
Miroslav Grepl
52ac61da45 * Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit  thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
2012-06-25 07:09:24 +02:00
Dan Walsh
a3e9dc0c92 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-06-20 14:33:29 -04:00
Dan Walsh
7f9b7d5c03 Remove pyzor and razor modules 2012-06-20 14:33:23 -04:00
Miroslav Grepl
c74d194317 - apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
2012-06-19 13:40:53 +02:00
Miroslav Grepl
bfc280fd5b - Add support for ecryptfs
* ecryptfs does not support xattr
  * we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct la
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
2012-06-15 10:43:55 +02:00
Miroslav Grepl
c8f96d3d71 * Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
2012-06-12 14:33:10 +02:00
Miroslav Grepl
4415dfa1a8 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
2012-06-09 09:07:54 +02:00
Dan Walsh
c3956376c7 Add booleans.subs_dist to selinux-policy package 2012-06-08 10:09:54 -04:00
Dan Walsh
2815c1a4e4 Remove permissive domains in F17 from F18 2012-06-07 14:12:42 -04:00
Dan Walsh
62163c8c51 Trigger a restorecon -R -v /home on the next update 2012-06-07 14:05:06 -04:00
Dan Walsh
52f92dd376 Fix patch to eliminate sepolgen errors 2012-06-07 10:30:58 -04:00
Dan Walsh
5f75e360e4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	config.tgz
2012-06-07 10:14:02 -04:00
Miroslav Grepl
2a80c717ae Fix merge context issues 2012-06-07 14:16:42 +02:00