Commit Graph

1493 Commits

Author SHA1 Message Date
Miroslav Grepl
2b1129da49 - Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunterl lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Add labeling for snapper.log
- Allow tumbler to execute dbusd-daemon in thumb_t
- Add dbus_exec_dbusd()
- Add snapperd_data_t type
- Add additional fixes for snapperd
- FIx bad calling in samba.te
- Allow smbd to create tmpfs
- Allow rhsmcertd-worker send signull to rpm process
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrob block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Allow postfix and cyrus-imapd to work out of box
- Remove logwatch_can_sendmail which is no longer used
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot
2014-01-28 22:06:09 +01:00
Dan Walsh
98a685257a Fix the day of the week 2014-01-28 15:59:39 -05:00
Miroslav Grepl
f8d85476fd - Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Fix /usr/lib/firefox/plugin-container decl
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
- Adding a new service script to enable setcheckreqprot
- Add interface to getattr on an isid_type for any type of file
- Allow initrc_t domtrans to authconfig if unconfined is enabled
type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
2014-01-24 17:52:42 +01:00
Miroslav Grepl
254b1593d0 - init calling needs to be optional in domain.te
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
- Fix type in docker.te
- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-contai
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts
- Allow domains that transition to svirt_sandbox to send it signals
- Allow docker to transition to unconfined_t if boolean set
2014-01-23 11:03:30 +01:00
Miroslav Grepl
f4d3efd317 Remove conflict for pki-selinux 2014-01-22 13:15:32 +01:00
Miroslav Grepl
d7f0c3cf54 - New access needed to allow docker + lxc +SELinux to work together
- Allow apache to write to the owncloud data directory in /var/www/html...
- Cleanup sandbox X AVC's
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow ABRT write core_pattern
- Allwo ABRT to read core_pattern
- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
- Allow nscd_t block_suspen capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
- Add/fix interfaces for usermodehelper_t
- Add interfaces to handle transient
- Fixes for new usermodehelper and proc_securit_t types
2014-01-22 13:00:17 +01:00
Miroslav Grepl
3a0ebd8398 - Add cron unconfined role support for uncofined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Fix calling usermodehelper to use _state in interface name
- Allow xkbcomp running as bumblebee_t to execute  bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
- Make rpm_transition_script accept a role
- Added new policy for pcp
- Allow bumbleed to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
2014-01-20 11:41:09 +01:00
Miroslav Grepl
5dcd635c58 index.html and style.css should be in /usr/share/selinux/devel/htm 2014-01-20 11:24:03 +01:00
Miroslav Grepl
368fb803a8 See spec file 2014-01-17 16:40:25 +01:00
Miroslav Grepl
5bd1f1afd6 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00
Miroslav Grepl
9b85087129 - Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker
2014-01-09 15:11:05 +01:00
Miroslav Grepl
9d88e18305 - Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssprozy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilties
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- allow modemmanger to read /dev/urand
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcuspd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgoups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin-t files:
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t  in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libivrt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
2014-01-06 07:31:14 +01:00
Miroslav Grepl
804870d8a3 policy-rawhide-contrib-apache-content.patch is no longer needed. Merged to policy-rawhide-contrib.patch. 2014-01-06 06:56:06 +01:00
Dan Walsh
70c60d82d0 Fix usage of semanage import line 2014-01-02 14:17:35 -05:00
Miroslav Grepl
c9394c3ea7 Add selinux/minimum/contexts/users/sysadm_u also for minimum policy 2013-12-16 12:05:05 +01:00
Miroslav Grepl
74b303ea26 Fix spec file 2013-12-13 15:10:55 +01:00
Miroslav Grepl
2397102af8 - Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipm
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
2013-12-12 17:23:54 +01:00
Miroslav Grepl
4b8334da4c - DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Allow conman to connect to freeipmi services and clean up conman policy
- Allow conmand just bind on 7890 port
- Add freeipmi_stream_connect() interface
- Allow logwatch read madm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Added policy for conmand
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix aliases in pegasus.te
- Allow chrome sandbox to read generic cache files in homedir
- Dontaudit mandb searching all mountpoints
- Make sure wine domains create .wine with the correct label
- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
- Allow windbind the kill capability
- DRM master and input event devices are used by  the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
- Make sure wine domains create .wine with the correct label
- Allow manage dirs in kernel_manage_debugfs interface.
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
2013-12-09 08:16:07 +01:00
Miroslav Grepl
676f0e4eb9 - Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT polic
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
2013-12-03 22:01:54 +01:00
Miroslav Grepl
d61adff49b - Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
2013-11-26 18:41:01 +01:00
Miroslav Grepl
c9b9ed2c4d - Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for myslqd_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on al filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
2013-11-26 11:42:42 +01:00
Miroslav Grepl
3abf0519c2 * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-5
- Add back /dev/shm labeling
2013-11-18 16:59:45 +01:00
Miroslav Grepl
d20212ac4f * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
- Fix gnome_role_template() interface
2013-11-18 15:25:06 +01:00
Miroslav Grepl
4fc70e284d - Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh 2013-11-14 22:05:22 +01:00
Dan Walsh
164fa392ee Fix config.tgz to include lxc_contexts and systemd_contexts 2013-11-14 11:05:22 -05:00
Miroslav Grepl
269ef098f1 * Wed Nov 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1
- Update to upstream
2013-11-13 16:05:06 +01:00
Miroslav Grepl
0f9b0de389 Upload new upstream sources 2013-11-13 15:27:57 +01:00
Miroslav Grepl
73ec2c3819 - Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
2013-11-12 12:26:06 +01:00
Miroslav Grepl
90f92647e0 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
2013-11-08 21:39:31 +01:00
Miroslav Grepl
c872e59953 - Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
2013-11-06 23:12:50 +01:00
Miroslav Grepl
c5e7e5bb30 - Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
2013-11-06 09:11:46 +01:00
Miroslav Grepl
6bf18ad4aa Fix spec file 2013-11-01 19:29:49 +01:00
Miroslav Grepl
18a1acac8d * Fri Oct 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd
2013-11-01 19:24:30 +01:00
Dan Walsh
d11521e32b Do remove regardless. Update config.tgz with new labels for virt. 2013-11-01 12:09:39 -04:00
Miroslav Grepl
cd5d972925 scratch build 2013-10-30 20:24:38 +01:00
Miroslav Grepl
d4e55c7b7a Fix spec file to use systemd_context instead of sytemd_context 2013-10-28 12:03:32 +01:00
Miroslav Grepl
bf4990489d - Allow sysadm_t to read login information
- Allow systemd_tmpfiles to setattr on var_log_t directories
- Udpdate Makefile to include systemd_contexts
- Add systemd_contexts
- Add fs_exec_hugetlbfs_files() interface
- Add daemons_enable_cluster_mode boolean
- Fix rsync_filetrans_named_content()
- Add rhcs_read_cluster_pid_files() interface
- Update rhcs.if with additional interfaces from RHEL6
- Fix rhcs_domain_template() to not create run dirs with cluster_var_run_t
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmout al filesystems
- Allow xenstored to read virt config
- Add label for swift_server.lock and make add filetrans_named_content to make sure content gets created with the correct lab
- Allow mozilla_plugin_t to mmap hugepages as an executable
2013-10-28 10:06:40 +01:00
Miroslav Grepl
4f67cf89e1 Add fix to place sytemd_contexts 2013-10-25 12:59:16 +02:00
Miroslav Grepl
bb6a1f3c7f * Thu Oct 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-93
- Add back userdom_security_admin_template() interface and use it for sysadm_t if sysadm_secadm.pp
2013-10-24 11:31:47 +02:00
Miroslav Grepl
2d3bd44103 - Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sur kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allo setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
2013-10-22 12:08:40 +02:00
Miroslav Grepl
71bb644a3b Add rtas policy 2013-10-17 14:57:23 +02:00
Miroslav Grepl
37ab076306 - Allow mailserver_domains to manage and transition to mailman data
- Dontaudit attempts by mozilla plugin to relabel content, caused by using mv
- Allow mailserver_domains to manage and transition to mailman data
- Allow svirt_domains to read sysctl_net_t
- Allow thumb_t to use tmpfs inherited from the user
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Add new attribute to discover confined_admins and assign confined admin to
- Fix zabbix to handle attributes in interfaces
- Fix zabbix to read system states for all zabbix domains
- Fix piranha_domain_template()
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow lldpad sys_rouserce cap due to #986870
- Allow dovecot-auth to read nologin
- Allow openlmi-networking to read /proc/net/dev
- Allow smsd_t to execute scripts created on the fly labeled as smsd_spool_t
- Add zabbix_domain attribute for zabbix domains to treat them together
- Add labels for zabbix-poxy-* (#1018221)
- Update openlmi-storage policy to reflect #1015067
- Back port piranha tmpfs fixes from RHEL6
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildro
- Add postfix_rw_spool_maildrop_files interface
- Call new userdom_admin_user_templat() also for sysadm_secadm.pp
- Fix typo in userdom_admin_user_template()
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Add new attribute to discover confined_admins
- Fix labeling for /etc/strongswan/ipsec.d
- systemd_logind seems to pass fd to anyone who dbus communicates with it
- Dontaudit leaked write descriptor to dmesg
2013-10-17 08:30:35 +02:00
Miroslav Grepl
99c451355a - Fix gnome_read_generic_data_home_files()
- allow openshift_cgroup_t to read/write inherited openshift file types
- Remove httpd_cobbler_content * from cobbler_admin interface
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd
- Allow httpd_t to read also git sys content symlinks
- Allow init_t to read gnome home data
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow virsh to execute systemctl
- Fix for nagios_services plugins
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- Fix hypervkvp.te
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hy
- Add hypervkvp_unit_file_t type
- Fix logging policy
- Allow syslog to bind to tls ports
- Update labeling for /dev/cdc-wdm
- Allow to su_domain to read init states
- Allow init_t to read gnome home data
- Make sure if systemd_logind creates nologin file with the correct label
- Clean up ipsec.te
2013-10-14 08:46:37 +02:00
Dan Walsh
973ebb8068 Need to create the policy.kern symbolic link in the shipping policy.
This patch needs to be pushed into RHEL7.  It fixes a blocker bug.
2013-10-11 16:07:22 -04:00
Miroslav Grepl
ce98dfd270 - Add auth_exec_chkpwd interface
- Fix port definition for ctdb ports
- Allow systemd domains to read /dev/urand
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Add label for /var/run/charon.*
- Add labeling for /usr/lib/systemd/system/lvm2.*dd policy for motion servi
- Fix for nagios_services plugins
- Fix some bugs in zoneminder policy
- add type defintion for ctdbd_var_t
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd
- Allow net_admin/netlink_socket all hyperv_domain domains
- Add labeling for zarafa-search.log and zarafa-search.pid
- glusterd binds to random unreserved ports
- Additional allow rules found by testing glusterfs
- apcupsd needs to send a message to all users on the system so needs to lo
- Fix the label on ~/.juniper_networks
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow polipo_daemon to connect to flash ports
- Allow gssproxy_t to create replay caches
- Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which sho
- Add hypervkvp_unit_file_t type
2013-10-08 23:19:39 +02:00
Miroslav Grepl
17233e7dc0 - init reload from systemd_localed_t
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Allow systemd_localed_t to ask systemd to reload the locale.
- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow tuned to inderact with hugepages
- Allow condor domains to list etc rw dirs
2013-10-04 20:24:18 +02:00
Miroslav Grepl
7a5c555024 Fix spec file 2013-10-04 00:25:11 +02:00
Miroslav Grepl
06b8c0546b - Fix nscd_shm_use()
- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also a
- Add hypervkvp_unit_file_t type
- Add additional fixes forpegasus_openlmi_account_t
- Allow mdadm to read /dev/urand
- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it
- Add label/rules for /etc/mdadm.conf
- Allow pegasus_openlmi_storage_t to transition to fsadm_t
- Fixes for interface definition problems
- Dontaudit dovecot-deliver to gettatr on all fs dirs
- Allow domains to search data_home_t directories
- Allow cobblerd to connect to mysql
- Allow mdadm to r/w kdump lock files
- Add support for kdump lock files
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Add new sandbox domains for kvm
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/lib/systemd/system/lvm2.*
- Add labeling for /usr/lib/systemd/system/lvm2.*
- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules
- Add sshd_keygen_t policy for sshd-keygen
- Fix alsa_home_filetrans interface name and definition
- Allow chown for ssh_keygen_t
- Add fs_dontaudit_getattr_all_dirs()
- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys
- Fix up patch to allow systemd to manage home content
- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled
- Allow getty to exec hostname to get info
- Add systemd_home_t for ~/.local/share/systemd directory
2013-10-04 00:19:56 +02:00
Miroslav Grepl
05e00dcdfc * Wed Oct 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-85
- Fix lxc labeling in config.tgz
2013-10-02 21:39:51 +02:00
Miroslav Grepl
dc36731280 - Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Add support for MySQL/PostgreSQL for amavis
- Allow openvpn_t to manage openvpn_var_log_t files.
- Allow dirsrv_t to create tmpfs_t directories
- Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Allow nsswitch domains to manage own process key
- Fix labeling for mgetty.* logs
- Allow systemd to dbus chat with upower
- Allow ipsec to send signull to itself
- Allow setgid cap for ipsec_t
- Match upstream labeling
2013-09-30 18:07:50 +02:00