Commit Graph

1425 Commits

Author SHA1 Message Date
Dan Walsh
6a97c74b42 Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
2013-02-22 16:38:27 +01:00
Miroslav Grepl
cc78bcd4dc New POLICYCOREUTILSVER is required 2013-02-22 13:45:09 +01:00
Miroslav Grepl
2aca9b6e0b * Thu Feb 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-15
- Man pages are now generated in the build process
- Allow cgred to list inotifyfs filesystem
2013-02-21 17:13:10 +01:00
Dan Walsh
a7c9a93681 Switch to building man pages and html pages on the fly 2013-02-21 16:30:31 +01:00
Miroslav Grepl
26cbc57930 - Allow gluster to get attrs on all fs
- New access required for virt-sandbox
- Allow dnsmasq to execute bin_t
- Allow dnsmasq to create content in /var/run/NetworkManager
- Fix openshift_initrc_signal() interface
- Dontaudit openshift domains doing getattr on other domains
- Allow consolehelper domain to communicate with session bus
- Mock should not be transitioning to any other domains,  we should ke
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which if for authconfi
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow condor domains to read /etc/passwd
- Allow dnsmasq to execute shell scripts, openstack requires this acce
- Fix glusterd labeling
- Allow virtd_t to interact with the socket type
- Allow nmbd_t to override dac if you turned on sharing all files
- Allow tuned to created kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- Add new interface for virt
- Remove depracated interfaces
- Allow systemd_domains read access on etc, etc_runtime and usr files,
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Remove some more unconfined_t process transitions, that I don't beli
- Stop transitioning uncofnined_t to checkpc
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to creatre unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Fix userdom_restricted_xwindows_user_template() interface
- Label any block devices or char devices under /dev/infiniband as fix
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
2013-02-20 14:47:02 +01:00
Dan Walsh
f0628b3cd7 Always run restorecon at install time to make sure key files are labeled correctly 2013-02-20 14:13:08 +01:00
Dan Walsh
5eea0f4403 Always run restorecon at install time to make sure key files are labeled correctly 2013-02-20 14:12:19 +01:00
Dan Walsh
3460d4cd12 Remove shutdown policy. Shutdown is now a symlink to systemctl. 2013-02-20 06:31:55 +01:00
Miroslav Grepl
2599f2f590 - virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv
- Allow spamd_update_t to search spamc_home_t
- Avcs discovered by mounting an isci device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Allow systemd-timestamp to set SELinux context
- Add support for /var/lib/systemd/linger
- Fix ssh_sysadm_login to be working on MLS as expected
2013-02-14 19:06:59 +01:00
Dan Walsh
79355670f4 Bump required versions for tool chain. 2013-02-13 09:24:21 -05:00
Miroslav Grepl
7980df38fe - Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
- Add missing files_rw_inherited_tmp_files interface
- Add additional interface for ecryptfs
- ALlow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow all cups domains to getattr on filesystems
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Allow gpg to read fips_enabled
- Add additional fixes for ecryptfs
- Allow httpd to work with posgresql
- Allow keystone getsched and setsched
2013-02-11 16:57:33 +01:00
Miroslav Grepl
ad094338a5 - Allow gpg to read fips_enabled
- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanclok transition to fen
- bitlbee wants to read own log file
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
2013-02-08 14:01:21 +01:00
Miroslav Grepl
953ff14b8b Fix spec file 2013-02-05 11:02:32 +01:00
Miroslav Grepl
da973f3722 - Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we sho
- Allow xdm_t to execute gstreamer home content
- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command
- We now need access to user terminals since we start by executing a command
- svirt lxc containers want to execute userhelper apps, need these changes to
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync <backuphost> wokring
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
2013-02-05 11:01:00 +01:00
Miroslav Grepl
f125066d3c * Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9
- boinc_cliean wants also execmem as boinc projecs have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Create tmpfs file while running as wine as user_tmpfs_t
- Dontaudit attempts by readahead to read sock_files
- libmpg ships badly created librarie
2013-01-30 12:41:36 +01:00
Dan Walsh
45852f5fe5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2013-01-28 15:39:02 -05:00
Dan Walsh
b59d07ae28 Do a better job of cleaning up old policy files, trigger relabel of /home on upgrade to F19 2013-01-28 15:36:16 -05:00
Miroslav Grepl
aab1932f46 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
- libmpg ships badly created libraries
- Add support for strongswan.service
- Add labeling for strongswan
- Allow l2tpd_t to read network manager content in /run directory
- Allow rsync to getattr any file in rsync_data_t
- Add labeling and filename transition for .grl-podcasts
2013-01-28 20:11:03 +01:00
Miroslav Grepl
1802bef984 * Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
2013-01-25 14:24:33 +01:00
Miroslav Grepl
4c3676d47a clamav and amavis has been merge to antivirus policy 2013-01-25 14:17:56 +01:00
Miroslav Grepl
b591902d83 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_acces, so that an rsync server can write all
- over the local machine
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
- Add missing vpnc_roles type line
- Allow stapserver to write content in /tmp
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Add interface to colord_t dbus_chat to allow it to read remote process state
- Allow colord_t to read cupsd_t state
- Add mate-thumbnail-font as thumnailer
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
- Allow qpidd to list /tmp. Needed by ssl
- Only allow init_t to transition to rsync_t domain, not initrc_t.  This should be b
- - Added systemd support for ksmtuned
- Added booleans
       ksmtuned_use_nfs
       ksmtuned_use_cifs
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp a
- Looks like qpidd_t needs to read /dev/random
- Lots of probing avc's caused by execugting gpg from staff_t
- Dontaudit senmail triggering a net_admin avc
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() iterface
2013-01-23 12:22:19 +01:00
Dan Walsh
a09a7deb16 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-16 09:46:42 -05:00
Dan Walsh
6d40a6c274 Add selinux-policy-filesystem for /etc/selinux directory so it can be shared with libsemanage 2013-01-16 09:46:31 -05:00
Miroslav Grepl
207a4dfc95 - Fix systemd_manage_unit_symlinks() interface
- Call systemd_manage_unit_symlinks(() which is correct interface
- Add filename transition for opasswd
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow sytstemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to syste
- colord needs to communicate with systemd and systemd_logind, also remov
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow gpg_t to manage all gnome files
- Stop using pcscd_read_pub_files
- New rules for xguest, dontaudit attempts to dbus chat
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- run unbound-chkconf as named_t, so it can read dnssec
- Colord is reading xdm process state, probably reads state of any apps t
- Allow mdadm_t to change the kernel scheduler
- mythtv policy
- Update mandb_admin() interface
- Allow dsspam to listen on own tpc_socket
2013-01-16 15:13:43 +01:00
Dan Walsh
5f2806ad4e Rename gnomeclock to systemd_timedated 2013-01-15 18:58:56 -05:00
Miroslav Grepl
7f090dbfaa * Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Ad labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Remove duplicate rules from *.te
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interfac
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
2013-01-14 13:39:59 +01:00
Miroslav Grepl
a7dce2ac5c * Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
2013-01-11 19:30:57 +01:00
Miroslav Grepl
0c265c3817 Add back consolekit but we keep just consolekit.te and .fc was commented 2013-01-11 14:33:08 +01:00
Miroslav Grepl
f851aec1c4 - Remove all mcs overrides and replace with t1 != mcs_constrained_ty
- Add attribute_role for iptables
- mcs_process_set_categories needs to be called for type
- Implement additional role_attribute statements
- Sodo domain is attempting to get the additributes of proc_kcore_t
- Unbound uses port 8953
- Allow svirt_t images to compromise_kernel when using pci-passthrou
- Add label for dns lib files
- Bluetooth aquires a dbus name
- Remove redundant files_read_usr_file calling
- Remove redundant files_read_etc_file calling
- Fix mozilla_run_plugin()
- Add role_attribute support for more domains
2013-01-10 17:31:42 +01:00
Miroslav Grepl
fa970c32f1 use policy.29 2013-01-09 14:52:41 +01:00
Miroslav Grepl
8f47af1bde Require POLICYCOREUTILSVER 2.1.13-53 2013-01-09 14:52:16 +01:00
Miroslav Grepl
23a9442e40 * Wed Jan 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-1
- Mass merge with upstream
2013-01-09 13:16:35 +01:00
Miroslav Grepl
e5e41801b0 Upload new upstream sources 2013-01-08 11:50:45 +01:00
Miroslav Grepl
9cdcf52c73 Bump POLICYVER 2013-01-07 17:43:07 +01:00
Miroslav Grepl
fdeb413467 Revert "Upstream uses ctdb instead of ctdbd policy"
This reverts commit 1871109735.
2013-01-07 14:54:40 +01:00
Miroslav Grepl
c57639b449 Revert "Upstream change:"
This reverts commit 098e5a0968.
2013-01-07 14:54:27 +01:00
Miroslav Grepl
1a1e004154 Revert "Upstream change:"
This reverts commit 7316889d21.
2013-01-07 14:54:15 +01:00
Miroslav Grepl
6e9f07d2e3 Revert "Upstream change:"
This reverts commit 0368b4c345.
2013-01-07 14:54:04 +01:00
Miroslav Grepl
0368b4c345 Upstream change:
-isnsd = module
+isns = module
2013-01-07 14:32:26 +01:00
Miroslav Grepl
7316889d21 Upstream change:
-glusterd =  module
+glusterfs =  module
2013-01-07 12:43:02 +01:00
Miroslav Grepl
098e5a0968 Upstream change:
-fcoemon = module
+fcoe = module
2013-01-07 09:44:43 +01:00
Miroslav Grepl
1871109735 Upstream uses ctdb instead of ctdbd policy 2013-01-07 00:11:42 +01:00
Dan Walsh
01be266ba7 Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol
2013-01-06 10:35:25 -05:00
Miroslav Grepl
17da016672 * Wed Jan 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtim

* Thu Dec 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
2013-01-02 15:52:27 +01:00
Miroslav Grepl
eb0fd25a19 renamed: policy-rawhide.patch -> policy-rawhide-base.patch
renamed:    policy_contrib-rawhide.patch -> policy-rawhide-contrib.patch
2013-01-02 15:50:45 +01:00
Miroslav Grepl
52491466e2 Backport policy from F18 2012-12-21 09:57:21 +01:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
rhatdan
5991fc8049 Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead 2012-08-08 11:20:07 -04:00
Miroslav Grepl
e88478c88d +* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3
+- Add role rules for realmd, sambagui
2012-08-07 17:16:15 +02:00
Miroslav Grepl
711b0e2035 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM modu
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
2012-08-07 16:51:57 +02:00
Miroslav Grepl
e2915aed43 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11
- Fix saslauthd when it tries to read /etc/shadow
- Label gnome-boxes as a virt homedir
- Need to allow svirt_t ability to getattr on nfs_t file
- Update sanlock policy to solve all AVC's
- Change confined users can optionally manage virt conte
- Handle new directories under ~/.cache
- Add block suspend to appropriate domains
- More rules required for containers
- Allow login programs to read /run/ data created by sys
- Allow staff users to run svirt_t processes
2012-08-03 16:06:03 +02:00
Miroslav Grepl
46a9c6067c * Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0
- Update to upstream
2012-08-02 07:43:02 +02:00
Miroslav Grepl
3c848e8da5 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15
- More fixes for systemd to make rawhide booting from Dan Walsh
2012-07-30 22:23:31 +02:00
Miroslav Grepl
42c4091430 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-
- Add systemd fixes to make rawhide booting
2012-07-30 17:37:17 +02:00
Miroslav Grepl
b4a78ad40d - Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
- Add interface for mysqld to dontaudit signull to all processes
- Label new /var/run/journal directory correctly
- Allow users to inhibit suspend via systemd
- Add new type for the /var/run/inhibit directory
- Add interface to send signull to systemd_login so avahi can send them
- Allow systemd_passwd to send syslog messages
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
- Allow       editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Allow dbus to inhibit suspend via systemd
- Allow avahi to send signull to systemd_login
2012-07-27 16:32:49 +02:00
Dan Walsh
2676121267 Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-party drivers
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man pages
2012-07-24 15:56:40 -04:00
Miroslav Grepl
9ba137b17b * Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12
- Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-part
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man page
2012-07-23 17:47:41 +02:00
Dennis Gilmore
c07f6435e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-21 14:21:28 -05:00
Miroslav Grepl
3da13de031 +- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
+- Allow xend_t to read the /etc/passwd file
 Please enter the commit message for your changes. Lines starting
 with '#' will be ignored, and an empty message aborts the commit.
 On branch master
 Changes to be committed:
   (use "git reset HEAD <file>..." to unstage)

	modified:   policy-rawhide.patch
	modified:   policy_contrib-rawhide.patch
	modified:   selinux-policy.spec
2012-07-16 00:03:02 +02:00
Dan Walsh
18fc0f3c99 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-13 16:59:14 -04:00
Dan Walsh
9d1d9952b1 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-12 19:20:37 -04:00
Miroslav Grepl
98ec5a124e - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00
Miroslav Grepl
0f07ba7f55 * Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
2012-07-03 23:11:32 +02:00
Miroslav Grepl
1de5de6450 - add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
2012-06-27 12:53:34 +02:00
Miroslav Grepl
52ac61da45 * Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit  thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
2012-06-25 07:09:24 +02:00
Dan Walsh
a3e9dc0c92 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-06-20 14:33:29 -04:00
Dan Walsh
7f9b7d5c03 Remove pyzor and razor modules 2012-06-20 14:33:23 -04:00
Miroslav Grepl
c74d194317 - apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
2012-06-19 13:40:53 +02:00
Miroslav Grepl
bfc280fd5b - Add support for ecryptfs
* ecryptfs does not support xattr
  * we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct la
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
2012-06-15 10:43:55 +02:00
Miroslav Grepl
c8f96d3d71 * Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
2012-06-12 14:33:10 +02:00
Miroslav Grepl
4415dfa1a8 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
2012-06-09 09:07:54 +02:00
Dan Walsh
c3956376c7 Add booleans.subs_dist to selinux-policy package 2012-06-08 10:09:54 -04:00
Dan Walsh
62163c8c51 Trigger a restorecon -R -v /home on the next update 2012-06-07 14:05:06 -04:00
Miroslav Grepl
7efcb84ab9 update selinux-policy.spec file 2012-06-07 13:27:36 +02:00
Miroslav Grepl
1ee0a31352 Add temporary roleattribute patches 2012-06-07 11:58:33 +02:00
Miroslav Grepl
3dd200bfa4 * Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
  * new policy topology to include contrib policy modules
  * we have now two base policy patches
2012-06-07 00:42:18 +02:00
Miroslav Grepl
e392eca2af Upload new sources 2012-06-06 16:09:49 +02:00
Miroslav Grepl
4a27edfbeb Sync master with F17 2012-06-06 15:25:27 +02:00
Miroslav
de69336bd3 +* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-
+- Allow firewalld to read urand
+- Alias java, execmem_mono to bin_t to allow third parties
+- Add label for kmod
+- /etc/redhat-lsb contains binaries
+- Add boolean to allow gitosis to send mail
+- Add filename transition also for "event20"
+- Allow systemd_tmpfiles_t to delete all file types
+- Allow collectd to ipc_lock
2012-02-13 22:28:38 +01:00
Dan Walsh
4066cfa00d Add dnssec policy and go back to unconfined domains versus permissive domains 2012-02-09 17:38:44 -05:00
Dan Walsh
7bf1025fa8 Revert "Dropping support for snort since it was dropped from Fedora. Users should use nagios"
This reverts commit 76d9bfedb6.
2012-02-07 17:18:16 -05:00
Dan Walsh
5c28b0512d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-02-07 17:17:54 -05:00
Dan Walsh
76d9bfedb6 Dropping support for snort since it was dropped from Fedora. Users should use nagios 2012-02-07 17:15:35 -05:00
Dan Walsh
d3a57c6cc7 Fedora no longer ships kerneloops, dropping policy 2012-02-07 17:09:23 -05:00
Miroslav Grepl
81894dfe50 - Add policy for grindengine MPI jobs 2012-02-07 18:18:07 +01:00
Miroslav Grepl
80d21dc60a Revert "Simplify the build-docs target"
This reverts commit 01be486292.
2012-02-07 14:08:38 +01:00
Miroslav Grepl
4689b08b49 - Add new sysadm_secadm.pp module
* contains secadm definition for sysadm_t
- Move user_mail_domain access out of the interface into the
- Allow httpd_t to create httpd_var_lib_t directories as wel
- Allow snmpd to connect to the ricci_modcluster stream
- Allow firewalld to read /etc/passwd
- Add auth_use_nsswitch for colord
- Allow smartd to read network state
- smartdnotify needs to read /etc/group
2012-02-06 23:20:13 +01:00
Dan Walsh
01be486292 Simplify the build-docs target 2012-02-06 15:33:48 -05:00
Dan Walsh
dc4ca7a142 Allow builder to skip build_docs 2012-02-06 12:13:56 -05:00
Miroslav
30ab254413 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
- lxdm startup scripts should be labeled bin_t, so confined users will work
- mcstransd now creates a pid, needs back port to F16
- qpidd should be allowed to connect to the amqp port
- Label devices 010-029 as usb devices
- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
- Add initial Obex policy
- Add logging_syslogd_use_tty boolean
- Add polipo_connect_all_unreserved bolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
2012-02-03 10:57:34 +01:00
Dan Walsh
3515d8b4e7 Fix file_context.subs_dist for now to work with pre usrmove 2012-01-31 17:01:07 -05:00
Dan Walsh
9382499c6f Fix file_context.subs_dist for now to work with pre usrmove 2012-01-31 15:26:31 -05:00
Miroslav Grepl
fb431d4b29 - More /usr move fixes 2012-01-30 21:28:06 +01:00
Dan Walsh
191c435a9f POLY is no longer used 2012-01-30 10:27:14 -05:00
Dan Walsh
f53135cd92 Make sure /etc/passwd and /etc/group properly labeled 2012-01-26 17:45:12 -05:00
Miroslav
a9d343329b * Thu Jan 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-80
- Add zabbix_can_network boolean
- Add httpd_can_connect_zabbix boolean
- Prepare file context labeling for usrmove functions
- Allow system cronjobs to read kernel network state
- Add support for selinux_avcstat munin plugin
- Treat hearbeat with corosync policy
- Allow corosync to read and write to qpidd shared mem
-  mozilla_plugin is trying to run pulseaudio
- Fixes for new sshd patch for running priv sep domains as the users c
- Turn off dontaudit rules when turning on allow_ypbind
- udev now reads /etc/modules.d directory
2012-01-26 19:26:12 +01:00
Miroslav Grepl
0c0b390b07 - Turn on deny_ptrace boolean for the Rawhide run, so we can t
- Cups exchanges dbus messages with init
- udisk2 needs to send syslog messages
- certwatch needs to read /etc/passwd
2012-01-24 16:34:52 +01:00
Miroslav
75a7b93abc +- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
2012-01-23 22:35:48 +01:00
Miroslav Grepl
8cd443307d - Treat Bip with bitlbee policy
* Bip is an IRC proxy
- Add port definition for interwise port
- Add support for ipa_memcached socket
- systemd_jounald needs to getattr on all processes
- mdadmin fixes
     * uses getpw
- amavisd calls getpwnam()
- denyhosts calls getpwall()
2012-01-23 16:15:05 +01:00
Miroslav Grepl
de9114f624 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
- bluetooth says they do not use /tmp and want to remove the type
- Allow init to transition to colord
- Mongod needs to read /proc/sys/vm/zone_reclaim_mode
- Allow postfix_smtpd_t to connect to spamd
- Add boolean to allow ftp to connect to all ports > 1023
- Allow sendmain to write to inherited dovecot tmp files
2012-01-20 14:43:02 +01:00