Commit Graph

231 Commits

Author SHA1 Message Date
Miroslav
30ab254413 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
- lxdm startup scripts should be labeled bin_t, so confined users will work
- mcstransd now creates a pid, needs back port to F16
- qpidd should be allowed to connect to the amqp port
- Label devices 010-029 as usb devices
- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
- Add initial Obex policy
- Add logging_syslogd_use_tty boolean
- Add polipo_connect_all_unreserved bolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
2012-02-03 10:57:34 +01:00
Miroslav
1b62e3889e use entropyd instead of entropy 2012-01-11 13:33:22 +01:00
Dan Walsh
7cf580ebcc Rename audioentropy to entropy to match upstream 2012-01-06 11:52:44 -05:00
Dan Walsh
904f70ac64 Add Zoneminder policy 2011-12-22 19:26:50 +00:00
Dan Walsh
628fb6b378 Merge nsplugin with mozilla_plugin 2011-11-17 13:31:47 -05:00
Dan Walsh
c68d7aa77c Add blueman policy 2011-11-11 08:15:48 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
6a55631bdf Update ephemeral patch and fix modules defs for the thumb images 2011-09-27 11:16:13 -04:00
Dan Walsh
e88b9a2383 add thumbnailer protection 2011-09-26 10:57:37 -04:00
Dan Walsh
624394103f Add glance module definition 2011-08-29 13:35:06 -04:00
Dan Walsh
7c5dd0aa37 Add permissivedomains module 2011-08-26 11:40:56 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Dan Walsh
d0fad1166a Add uuidd module 2011-07-29 10:36:34 -04:00
Dan Walsh
c1eb3ef122 Remove howl, hotplug and kudzu modules, since they are no longer used 2011-07-29 09:49:16 -04:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Dan Walsh
8193baf6c3 Add collectd module to targeted policy 2011-07-25 11:30:08 -04:00
Dan Walsh
dd16c38c4b Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-07-19 08:17:17 -04:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Dan Walsh
854346f783 add ctdbd policy module 2011-07-14 13:39:22 -04:00
Miroslav Grepl
40468c4016 Fix typo in modules-targeted.conf 2011-07-12 10:14:13 +02:00
Dan Walsh
5a8295ac0d add l2tpd daemon policy 2011-07-05 16:20:25 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Dan Walsh
7920a06561 add sanlock and wdmd policy 2011-05-23 18:37:50 -04:00
Dan Walsh
d34689e1c3 Add callweaver module 2011-05-17 11:02:03 +02:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
a72013a386 Add colord policy 2011-03-08 18:32:49 +00:00
Dan Walsh
731e693460 - Add tcsd policy 2011-02-01 16:45:17 -05:00
Miroslav Grepl
116d73139a - gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de - Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49 - Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
c68e37c2c7 Make alsa a module rather then in base 2010-12-21 09:24:00 -05:00
Miroslav Grepl
3c0b9eac8c - Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00
Miroslav Grepl
c2ad3681fa - Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
2010-12-07 17:51:16 +00:00
Miroslav Grepl
4eb45ebeaa - Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
2010-11-18 17:37:29 +01:00
Dan Walsh
763342ad3a - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
2010-11-12 11:08:35 -05:00
Miroslav Grepl
9238df00c5 - Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
2010-11-12 13:47:15 +01:00
Dan Walsh
fc9bf2f03d - Add conflicts for dirsrv package 2010-11-09 07:55:52 -05:00
Dan Walsh
06262c1566 - Update to upstream
- Add vlock policy
2010-11-05 12:40:07 -04:00