rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2,939 Commits 8 Branches 92 Tags 37 MiB
1215dfb87c
Commit Graph

2939 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dominick Grift
1215dfb87c Allow pads_admin to search parent directories to be able to interact with pads content. 
Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content.

Allow postgresql admin to search parent directories to be able to manage postgresql content.

Allow prelude_admin to search parent directories to be able to manage prelude content.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
d183137edb XML summary fix. 
XML summary fix.

XML summary fix.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
dcbbeeada3 Access to get attributes of target accountsd_t domain is included with ps_process_pattern. 
Permission to get attributes of target arpwatch_t domain is included with ps_process_pattern.

Access to get attributes of target asterisk_t domain is included with ps_process_pattern.

Permission to get attributes of target automount_t domain is included with ps_process_pattern.

Access to get attributes of target ntpd_t domain is included with ps_process_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
b6d0a79f2c Use admin_pattern. Allow nslcd_admin to search parent directories to be able to interact with nslcd content. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
eb12bc3076 Source is required to search generic pid directories to be able to interact with mysql sockets in var_run. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
f386b9002d Use the stream_connect_pattern. 
Use stream_connect_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
c5e7db7a71 Allow mpd_admin to manage mpd tmpfs content. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
0ba923e7d9 Source is required to search generic tmpfs directories to be able to interact with mpd tmpfs content. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
0ab415250b Redundant: mpd_search_lib already includes files_search_var_lib. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
7d34935ff2 Memcached_admin is required to search generic pid directories to be able to manage memcached pid content. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
aa5baa96ed Allow icecast_admin to ptrace and signal the icecast_t domain. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
4b81a55013 This is redundant since base user can search generic proc directories and included ps_process_pattern call permits all else. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
7d36c9fa13 Permission to search proc_t directories is required to be able to read abrt state. 
Signed-off-by: Dominick Grift <domg472@gmail.com>

Permission to search generic proc directories is required to read hald_t state.
 2010-09-15 17:42:28 +02:00
Dominick Grift
b36824efdf Permit fetchmail_admin to ptrace and signal the fetchmail_t domain. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
cf152b4953 Replace some type statements by comma delimiters. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
47cf98ddd5 Permission to get attributes of target devicekit_t, devicekit_disk_t and devicekit_power_t domains are included with ps_process_patterns. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:28 +02:00
Dominick Grift
5ecaacae61 Type system_cronjob_var_run_t is not required here. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Dominick Grift
beb9c35b25 Types crontab_exec_t, cron_spool_t and user_cron_spool_t are required here. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Dominick Grift
d8d33a15bf Permission to search generic pid directories is included with files_pid_filetrans. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Dominick Grift
0540e22fcc Use ps_process_pattern to read state. Permission to seach proc_t directories is required to read automount state. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Dominick Grift
cb76ff4560 Type xenstored_var_run_t is required here. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Dominick Grift
8c0a06a69a Type print_spool_t is not required here. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 17:42:27 +02:00
Miroslav Grepl
3b0a9c74bb Allow iscsid to manage tgtd semaphores 2010-09-15 16:50:07 +02:00
Dan Walsh
6dfe56b4e5 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-14 16:39:10 -04:00
Dan Walsh
43a0339db4 add labeling for /root/.debug 2010-09-14 15:29:18 -04:00
Dan Walsh
d7f2020c46 - Allow all domains that can use cgroups to search tmpfs_t directory 
- Allow init to send audit messages
 2010-09-14 15:18:34 -04:00
Miroslav Grepl
323c9f13bb Fixes for vmware-host policy 2010-09-14 19:28:55 +02:00
Dan Walsh
c2dae98501 Allow a couple of sandbox issues. 
Remove postgresl managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
 2010-09-14 10:02:43 -04:00
Dan Walsh
4251ae1004 Add labels for /lib/readahead. 
Add back gnome_setattr interface
 2010-09-13 16:15:43 -04:00
Dan Walsh
5ef740e54b Fix gnome_setattr_config_home 
Allow exec of sandbox_file_type by calling apps
Fix typos
 2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941 Fix some names in passenger policy 2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290 Move passenger policy to services 2010-09-13 15:10:30 +02:00
Dan Walsh
536f28a2bf Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-13 08:43:40 -04:00
Dan Walsh
1a40cbf63e Fix boolean descriptions 2010-09-13 08:43:35 -04:00
Miroslav Grepl
3a3212619a Allow dovecot-deliver to create tmp files 
Allow tor to send signals to itself
 2010-09-13 13:12:24 +02:00
Miroslav Grepl
d7de04f8d4 - Add passenger policy 2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855 Fix cert calls in telepath, boinc, kerberos 
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
 2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy 
Conflicts:
	policy/modules/admin/amanda.if
	policy/modules/system/init.te
	policy/modules/system/miscfiles.if
	policy/modules/system/miscfiles.te
	policy/modules/system/userdomain.if
 2010-09-10 13:02:25 -04:00
Dan Walsh
d7544f0d25 rename mdadm_map_t to mdadm_var_run_t 2010-09-10 12:14:25 -04:00
Dan Walsh
0b8f4cfe16 More fixes for mozilla_plugin_t 
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
 2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920 Implement miscfiles_cert_type(). 
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8 Allow hugetlbfs_t to be on device_t file system 
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
 2010-09-10 10:10:34 -04:00
Chris PeBenito
8fbea561bb Module version bump for 8296eb2. 2010-09-10 08:51:54 -04:00
Dan Walsh
e81afdf5c9 raid tools now store pid file and sock_file in /dev/md for early boot. 2010-09-09 14:26:32 -04:00
Dan Walsh
8e47c02b16 fixes for openvpn suggested by dgrift 2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345 Allow mozilla_plugin to create nsplugin_home_t directories 
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
 2010-09-09 09:55:31 -04:00
Chris PeBenito
9c2c77403f Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type. 2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384 Clean up Anaconda policy. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:14:56 -04:00