Commit Graph

1286 Commits

Author SHA1 Message Date
Dan Walsh
0daa8b731a - Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00
Dan Walsh
f73c8ed42e - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 15:05:52 -04:00
Dan Walsh
b1cbbd0768 - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 14:50:39 -04:00
Dan Walsh
991ee5f4d3 - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-03 07:52:48 -04:00
Dan Walsh
fbd9ca071a - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
5ae8fb66d8 - Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
2010-09-30 09:50:49 -04:00
Dan Walsh
7c487e9739 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:31:36 -04:00
Dan Walsh
ab8faf7dcf - Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
2010-09-25 06:35:22 -04:00
Dan Walsh
e25799116a - Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
2010-09-24 12:03:50 -04:00
Dan Walsh
42c814d215 - Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
2010-09-23 17:40:24 -04:00
Dan Walsh
1d153ea0ea - Fix up Xguest policy 2010-09-22 18:36:47 -04:00
Dan Walsh
ea3b7b5dff - Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
2010-09-16 18:00:00 -04:00
Dan Walsh
a24e6a6700 - Update to upstream 2010-09-16 07:59:03 -04:00
Dan Walsh
ba8c31f5cd - Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
2010-09-14 16:16:56 -04:00
Dan Walsh
a0e8efd42c - Update to upstream 2010-09-13 16:17:15 -04:00
Dan Walsh
30a7d17203 - Add policy for ajaxterm 2010-09-09 09:58:12 -04:00
Dan Walsh
6e2d7f3a82 - Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
2010-09-08 21:24:49 -04:00
Dan Walsh
64d84cf8ec Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-08 14:17:07 -04:00
Dan Walsh
c8bf6aa460 - Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
2010-09-02 16:08:19 -04:00
Dan Walsh
482c9f3ad9 - Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
2010-09-02 13:43:28 -04:00
Dan Walsh
a7a2367a59 - Merge with upstream 2010-08-30 17:34:52 -04:00
Dan Walsh
6578cf7413 - More access needed for devicekit
- Add dbadm policy
2010-08-30 11:58:36 -04:00
Dan Walsh
acb1aed3a4 - Merge with upstream 2010-08-27 10:21:25 -04:00
Dan Walsh
59475c2524 - Merge with upstream 2010-08-27 08:58:04 -04:00
Dan Walsh
ba77266a14 - Merge with upstream 2010-08-26 20:35:53 -04:00
Dan Walsh
370d04ed3c - Allow seunshare to fowner 2010-08-25 09:45:26 -04:00
Dan Walsh
cc138e86b5 - Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
2010-08-24 22:48:06 -04:00
Dan Walsh
3cacc01467 - Update policy for mozilla_plugin_t 2010-08-23 18:16:17 -04:00
Dan Walsh
63265668f0 - Update policy for mozilla_plugin_t 2010-08-23 18:01:46 -04:00
Dan Walsh
66ec626d23 - Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
2010-08-23 17:33:55 -04:00
Dan Walsh
eee39f9d8e - Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
2010-08-23 17:29:52 -04:00
Dan Walsh
19988ca76d - Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
2010-08-20 09:36:56 -04:00
Dan Walsh
34e74a1baa - label dead.letter as mail_home_t 2010-08-17 10:05:08 -04:00
Dan Walsh
3798ee962a - label dead.letter as mail_home_t 2010-08-17 07:22:11 -04:00
Dan Walsh
b12ede2ac0 * Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
2010-08-11 08:58:16 -04:00
Dan Walsh
922cd61e83 * Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
2010-08-11 07:55:04 -04:00
Fedora Release Engineering
003a26404b dist-git conversion 2010-07-29 12:29:24 +00:00
Daniel J Walsh
d4bb132c2e - Merge in fixes from dgrift repository 2010-07-27 20:34:21 +00:00
Daniel J Walsh
2b65defede - Update boinc policy
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
2010-07-27 20:30:56 +00:00
Daniel J Walsh
7f5d8f30d0 - Update boinc policy
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
2010-07-27 17:28:04 +00:00
Daniel J Walsh
a1ef703492 - New paths for upstart 2010-07-26 21:46:12 +00:00
Daniel J Walsh
8d55a410dc - New permissions for syslog
- New labels for /lib/upstart
2010-07-26 20:32:18 +00:00
Daniel J Walsh
f3fc10528f - Allow systemd to setsockcon on sockets to immitate other services 2010-07-22 16:58:58 +00:00
Daniel J Walsh
9f811efbbb - Remove debugfs label 2010-07-21 14:57:11 +00:00
Daniel J Walsh
d66bec6356 - Update to latest policy 2010-07-20 17:48:36 +00:00
Daniel J Walsh
1df2fc2bba - Fix eclipse labeling from IBMSupportAssasstant packageing 2010-07-19 21:16:41 +00:00
Daniel J Walsh
3f1005a67d - Make boot with systemd in enforcing mode 2010-07-15 20:04:35 +00:00
Daniel J Walsh
0f2ae00c61 - Update to upstream 2010-07-15 13:11:25 +00:00
Daniel J Walsh
9c1bcc22e3 - Add boolean to turn off port forwarding in sshd. 2010-07-12 21:15:05 +00:00
Miroslav Grepl
be922a1fae - Add support for ebtables
- Fixes for rhcs and corosync policy
2010-07-09 15:28:31 +00:00