Commit Graph

1175 Commits

Author SHA1 Message Date
Miroslav
2f3d113f19 - Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
2011-08-24 10:24:46 +02:00
Dan Walsh
22a1cfd7d6 Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten 2011-08-23 13:59:04 -04:00
Dan Walsh
ba2e58cd41 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-08-23 13:54:26 -04:00
Dan Walsh
39eb9ea8c1 Make users_extra and seusers.final into config no replace so semanage users and semanage login files do not get overwritten 2011-08-23 13:54:16 -04:00
Miroslav
24041fb3a0 - Add policy for sa-update being run out of cron jobs
- Add create perms to postgresql_manage_db
- ntpd using a gps has to be able to read/write generic tty_device_t
- If you disable unconfined and unconfineduser, rpm needs more privs to ma
- fix spec file
- Remove qemu_domtrans_unconfined() interface
- Make passenger working together with puppet
- Add init_dontaudit_rw_stream_socket interface
- Fixes for wordpress
2011-08-23 11:03:30 +02:00
Dan Walsh
5d837b2d13 Do not do preinstall if there is not previous install 2011-08-22 16:30:00 -04:00
Miroslav
8d13f53c05 - Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
2011-08-11 16:50:01 +02:00
Dan Walsh
10f0de0090 livecd fixes
spec file fixes
2011-08-10 14:00:28 -04:00
Dan Walsh
8a78e8623e Cleanup spec file to remove rpmnew files 2011-08-05 16:16:08 -04:00
Miroslav
913fabe1c8 - fetchmail can use kerberos
- ksmtuned reads in shell programs
- gnome_systemctl_t reads the process state of ntp
- dnsmasq_t asks the kernel to load multiple kernel mod
- Add rules for domains executing systemctl
- Bogus text within fc file
2011-08-04 22:32:55 +02:00
Dan Walsh
41a18182a5 storage should be in base 2011-08-03 16:21:21 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Miroslav
58f5509584 - More fixes of rules which cause an explosion in rules by Dan Walsh 2011-07-29 14:18:40 +02:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Miroslav
f5593ed9be - Allow systemd_logind to send dbus messages with users
- allow accountsd to read wtmp file
- Allow dhcpd to get and set capabilities
2011-07-23 09:10:19 +02:00
Miroslav
6e9c2276f7 - Fix oracledb_port definition
- Allow mount to mounton the selinux file system
- Allow users to list /var directories
2011-07-22 12:37:49 +02:00
Miroslav
273e934611 systemd fixes 2011-07-21 17:22:47 +02:00
Miroslav
2ed5289fc9 - Add initial policy for abrt_dump_oops_t
- xtables-multi wants to getattr of the proc fs
- Smoltclient is connecting to abrt
- Dontaudit leaked file descriptors to postdrop
- Allow abrt_dump_oops to look at kernel sysctls
- Abrt_dump_oops_t reads kernel ring buffer
- Allow mysqld to request the kernel to load modules
- systemd-login needs fowner
- Allow postfix_cleanup_t to searh maildrop
2011-07-19 17:44:23 +02:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Miroslav Grepl
2b7c0552d7 - Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sock
- iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-mult
2011-07-14 18:49:37 +02:00
Miroslav Grepl
50f07b8abf Fix spec file 2011-07-12 14:59:13 +02:00
Miroslav Grepl
330eac5848 - A lot of users are running yum -y update while in /root which is causing ldc
- Allow colord to interact with the users through the tmpfs file system
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to b
- Add label for /var/log/mcelog
- Allow asterisk to read /dev/random if it uses TLS
- Allow colord to read ini files which are labeled as bin_t
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
- Systemd needs to be able to create sock_files for every label in /var/run di
- Also lists /var and /var/spool directories
- Add openl2tpd to l2tpd policy
- qpidd is reading the sysfs file
2011-07-12 09:44:07 +02:00
Dan Walsh
fb5b77fade Fully path the semodule command 2011-07-01 06:35:11 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
2885bf8a6e - More fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git
2011-06-27 08:43:05 +02:00
Dan Walsh
7e1b615aa4 Next attempt at getting selinux-policy-* to work without rebuilding policy. 2011-06-16 12:01:25 -04:00
Dan Walsh
cf012ea57e Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-06-16 08:58:41 -04:00
Dan Walsh
8782a92ced Change required policycoreutils and libsemanage 2011-06-16 08:58:19 -04:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Dan Walsh
857c813190 Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. 2011-06-09 22:36:45 -04:00
Dan Walsh
d0597c1c15 apply merge 2011-06-08 12:17:39 -04:00
Miroslav Grepl
183e54f534 Old passanger module needs to be removed in spec file 2011-06-08 17:41:02 +02:00
Miroslav Grepl
d8b121329f - Fixes for zabbix
- init script needs to be able to manage sanlock_var_run_...
- Allow sandlock and wdmd to create /var/run directories...
- mixclip.so has been compiled correctly
- Fix passenger policy module name
2011-06-08 17:32:27 +02:00
Dan Walsh
5253d49ee9 Update from git 2011-06-07 14:43:31 -04:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Dan Walsh
0535650520 Allow policy.VERSION and modules to ship with package 2011-06-07 11:09:32 -04:00
Miroslav Grepl
0e70f655b4 Fix spec file 2011-06-02 15:17:47 +02:00
Miroslav Grepl
a56fb9fa8f - Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
       * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-06-02 15:16:46 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Miroslav Grepl
ace25237f9 - Lot of fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-05-24 16:38:28 +02:00
Dan Walsh
d97c92c34b New policy patch requires updated checkpolicy package 2011-05-23 18:27:11 -04:00
Miroslav Grepl
cb71de50e9 - Allow logrotate to execute systemctl
- Allow nsplugin_t to getattr on gpmctl
- Fix dev_getattr_all_chr_files() interface
- Allow shorewall to use inherited terms
- Allow userhelper to getattr all chr_file devices
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
- Fix labeling for ABRT Retrace Server
2011-05-19 18:12:32 +02:00
Dan Walsh
7fbbd6f924 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-09 14:40:43 -04:00
Miroslav Grepl
27bf70c04e - Dontaudit sys_module for ifconfig
- Make telepathy and gkeyringd daemon working with confined users
- colord wants to read files in users homedir
- Remote login should be creating user_tmp_t not its own tmp files
2011-05-09 20:39:25 +00:00
Dan Walsh
ff120d7be5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-06 10:51:56 -04:00
Miroslav Grepl
cfc00b53cb - Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer
- Fix boolean description
- Allow colord to getattr on /proc/scsi/scsi
- Add label for /lib/upstart/init
- Colord needs to list /mnt
2011-05-05 14:39:44 +00:00
Dan Walsh
e81c7996c4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-03 16:37:04 -04:00
Miroslav Grepl
6347ee7725 - Forard port changes from F15 for telepathy
- NetworkManager should be allowed to use /dev/rfkill
- Fix dontaudit messages to say Domain to not audit
- Allow telepathy domains to read/write gnome_cache files
- Allow telepathy domains to call getpw
- Fixes for colord and vnstatd policy
2011-05-03 19:46:26 +00:00