Commit Graph

4538 Commits

Author SHA1 Message Date
Dan Walsh
c555617b33 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branches 'master', 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2010-11-16 10:59:01 -05:00
Miroslav Grepl
582d2c5d2c - Update to upstream
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
2010-11-16 09:46:19 +01:00
Dan Walsh
13670f615f Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branches 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2010-11-15 16:11:49 -05:00
Miroslav Grepl
cbb8d59931 - Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
2010-11-15 18:27:23 +01:00
Dan Walsh
763342ad3a - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
2010-11-12 11:08:35 -05:00
Dan Walsh
519b05a70f - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t 2010-11-12 10:59:01 -05:00
Dan Walsh
50dacaca09 - kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
2010-11-12 09:56:06 -05:00
Miroslav Grepl
9238df00c5 - Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
2010-11-12 13:47:15 +01:00
Dan Walsh
7297a334b4 - Fix init to be able to relabel wtmp, tmp files 2010-11-10 14:39:23 -05:00
Miroslav Grepl
5d168a352b - Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
2010-11-10 11:04:39 +01:00
Dan Walsh
ded1efb9d8 - Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
2010-11-09 17:41:15 -05:00
Dan Walsh
fc9bf2f03d - Add conflicts for dirsrv package 2010-11-09 07:55:52 -05:00
Dan Walsh
3e0b7834a6 - Update to upstream
- Add vlock policy
2010-11-05 14:22:36 -04:00
Dan Walsh
6e50b74774 - Update to upstream
- Add vlock policy
2010-11-05 12:40:49 -04:00
Dan Walsh
06262c1566 - Update to upstream
- Add vlock policy
2010-11-05 12:40:07 -04:00
Dan Walsh
c52856e6d8 - Fix sandbox to work on nfs homedirs
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
2010-11-05 07:32:45 -04:00
Dan Walsh
9896599663 - 2010-11-02 17:07:21 -04:00
Dan Walsh
9754f472c7 - Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
2010-11-01 14:37:25 -04:00
Dan Walsh
7a208696f9 - Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
2010-10-28 15:55:48 -04:00
Dan Walsh
2bb6181f15 - Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot
2010-10-22 16:35:00 -04:00
Dan Walsh
bac270827d - Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
2010-10-22 08:26:00 -04:00
Dan Walsh
12084526fe - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. 2010-10-18 13:45:08 -04:00
Dan Walsh
4da7659056 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. 2010-10-18 13:18:55 -04:00
Dan Walsh
c849c84305 - Allow cobblerd to list cobler appache content 2010-10-15 11:35:17 -04:00
Dan Walsh
d33e644851 - Fixup for the latest version of upowed
- Dontaudit sandbox sending SIGNULL to desktop apps
2010-10-15 10:26:39 -04:00
Dan Walsh
618ed7aec9 - Update to upstream 2010-10-13 10:00:44 -04:00
Dan Walsh
5a152bc135 - Update to upstream 2010-10-12 16:47:46 -04:00
Dan Walsh
f0a56ee31d -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
2010-10-12 16:10:57 -04:00
Dan Walsh
dd20c25744 Rebuild with latest code 2010-10-08 17:00:50 -04:00
Dan Walsh
6f934680a8 - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
- Update to upstream
2010-10-07 14:55:49 -04:00
Dan Walsh
d618232c77 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-10-07 14:11:24 -04:00
Dan Walsh
6f256d240d - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
2010-10-07 09:59:45 -04:00
Dan Walsh
3853925449 Remove duplicate filecontext for tcfmgr 2010-10-07 09:57:49 -04:00
Dan Walsh
b3e7610270 Allow smbd_t sys_admin capability so samba can change quota on users. 2010-10-07 09:31:35 -04:00
Dan Walsh
0daa8b731a - Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00
Dan Walsh
7ed755ab8b Put back transition change 2010-10-07 09:15:11 -04:00
Dan Walsh
3235a8bbe6 dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
Disable transition from dbus_session_domain to telepathy for F14
Allow boinc_project to use shm
Allow certmonger to search through directories that contain certs
Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:06:56 -04:00
Dan Walsh
039c65f92f Fix mozilla_run_plugin interface 2010-10-06 09:20:27 -04:00
Dan Walsh
596d86ad6c Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-10-06 09:05:02 -04:00
Dan Walsh
55e9f0e79c Fix fusefs handling
Do not allow sandbox to manage nsplugin_rw_t
Allow mozilla_plugin_t to connecto its parent
Allow init_t to connect to plymouthd running as kernel_t
2010-10-06 09:03:28 -04:00
Miroslav Grepl
d4d13d29c5 Fix version of mediawiki policy 2010-10-05 14:58:52 +02:00
Miroslav Grepl
13692730f0 Alllow vpnc to be able to read /root/.cert 2010-10-05 14:56:02 +02:00
Miroslav Grepl
0def274b96 Add policy for mediawiki 2010-10-05 14:47:38 +02:00
Dan Walsh
f73c8ed42e - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 15:05:52 -04:00
Dan Walsh
b1cbbd0768 - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 14:50:39 -04:00
Dan Walsh
d1c6ba20d5 Start adding support for use_fusefs_home_dirs
Add /var/lib/syslog directory file context
Add /etc/localtime as locale file context
2010-10-04 14:45:52 -04:00
Dan Walsh
991ee5f4d3 - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-03 07:52:48 -04:00
Dan Walsh
ddd1ccaa93 Allow unconfined_t to transition to alsa_t to make sure labels stay correct
Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge
telepath_msn_t tries to read /proc/1/exe
Allow smokeping cgi scripts to create /var/lib/smokeping dirs.
Allow smbd_t to getquota on multiple file systems
2010-10-03 07:48:01 -04:00
Dan Walsh
fbd9ca071a - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
b45aaab97c Allow sudo to send signals to any domains the user could have transitioned to.
Passwd in single user mode needs to talk to console_device_t
Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
locate tried to read a symbolic link, will dontaudit
New labels for telepathy-sunshine content in homedir
Google is storing other binaries under /opt/google/talkplugin
bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
modemmanger and bluetooth send dbus messages to devicekit_power
Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 11:58:15 -04:00