Commit Graph

734 Commits

Author SHA1 Message Date
Eamon Walsh
e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito
808341bb9b revise MCS constraints to use only MCS-specific attributes. 2009-10-07 11:48:14 -04:00
Chris PeBenito
4be8dd10b9 add seunshare from dan. 2009-09-28 15:40:06 -04:00
Chris PeBenito
5a6b1fe2b4 add dkim from stefan schulze frielinghaus. 2009-09-17 09:12:33 -04:00
Chris PeBenito
21b1d1096f add gnomeclock from dan. 2009-09-16 08:38:58 -04:00
Chris PeBenito
ed70158a39 add rtkit from dan. 2009-09-15 09:53:24 -04:00
Chris PeBenito
1d3b9e384c clean up xscreensaver. 2009-09-15 09:41:42 -04:00
corentin.labbe
31f9c109c1 SELinux xscreensaver policy support
Hello

This a patch for adding xscreensaver policy.

I think it need a specific policy because of the auth_domtrans_chk_passwd.

cordially

Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr>
2009-09-15 08:46:28 -04:00
Chris PeBenito
c141d835f1 add modemmanager from dan. 2009-09-14 09:48:13 -04:00
Chris PeBenito
e3a90e358a add abrt from dan. 2009-09-14 09:22:24 -04:00
Chris PeBenito
6af53d08ed rearrange readahead rules. 2009-09-09 09:53:28 -04:00
Chris PeBenito
c1e5b195f7 readahead patch from dan. 2009-09-09 09:45:34 -04:00
Chris PeBenito
937b2c4d91 nscd patch from dan. 2009-09-09 09:35:37 -04:00
Chris PeBenito
c61b35048a cron patch from dan. 2009-09-09 09:28:04 -04:00
Chris PeBenito
163ddfaa80 prelink patch from dan. 2009-09-09 08:18:51 -04:00
Chris PeBenito
81bca10b28 nslcd policy from dan. 2009-09-08 10:31:19 -04:00
Chris PeBenito
f67bc918d4 term_write_all_terms() patch from Stefan Schulze Frielinghaus 2009-09-08 10:06:38 -04:00
Chris PeBenito
dbed95369c add gitosis from miroslav grepl. 2009-09-03 09:52:08 -04:00
Chris PeBenito
634a13c21f cpufreqselector patch from dan. 2009-09-03 09:15:17 -04:00
Chris PeBenito
f6137171f3 add an additional vmware host program. 2009-09-03 08:56:58 -04:00
Chris PeBenito
6fdef06522 screen patch from dan. 2009-09-03 08:49:26 -04:00
Chris PeBenito
72b834ccb0 remove stale screen_dir_t references
The screen_dir_t was made an alias of the screen_var_run_t type.
Remove the remaining references to this type.
2009-09-03 08:39:42 -04:00
Chris PeBenito
ca7fa520e7 gpg patch from dan.
gpg sends sigstop and signull

Reads usb devices

Can encrypts users content in /tmp and the homedir, as well as on NFS and cifs
2009-09-03 08:23:18 -04:00
Chris PeBenito
f2f296ba60 openvpn patch from dan: Openvpn connects to cache ports and stores files in nfs and cifs directories. 2009-09-02 09:24:10 -04:00
Chris PeBenito
93be4ba581 Webalizer does not list inotify, this was caused by leaked file descriptors in either dbus or cron. Both of which have been cleaned up. 2009-09-02 09:10:30 -04:00
Chris PeBenito
625be1b4e6 add shorewall from dan. 2009-09-02 08:58:52 -04:00
Chris PeBenito
71965a1fc5 add kdump from dan. 2009-09-02 08:33:25 -04:00
Chris PeBenito
a4b6385b9d cdrecord patch from dan. 2009-09-01 09:22:40 -04:00
Chris PeBenito
1a79193449 awstats patch from dan. 2009-09-01 08:59:24 -04:00
Chris PeBenito
b2324fa76d certwatch patch from dan. 2009-09-01 08:50:39 -04:00
Chris PeBenito
b515ab0182 mrtg patch from dan. 2009-09-01 08:44:20 -04:00
Chris PeBenito
aa83007d5a add hddtemp from dan. 2009-09-01 08:34:04 -04:00
Chris PeBenito
aac56b12b7 add ptchown policy from dan. 2009-08-31 10:21:01 -04:00
Chris PeBenito
a3dd1499ef pulseaudio patch from dan. 2009-08-31 10:07:57 -04:00
Chris PeBenito
6774578327 module version number bump for nscd patch. 2009-08-31 09:44:38 -04:00
Manoj Srivastava
2a79debe9b nscd cache location changed from /var/db/nscd to /var/cache/nscd
The nscd policy module uses the old nscd cache location. The cache location
changed with glibc 2.7-1, and the current nscd does place the files in
/var/cache/nscd/.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2009-08-31 09:43:52 -04:00
Chris PeBenito
a9e9678fc7 kismet patch from dan. 2009-08-31 09:38:47 -04:00
Chris PeBenito
aaff2fcfcd module version number bump for tun patches 2009-08-31 09:17:31 -04:00
Chris PeBenito
0be901ba40 rename admin_tun_type to admindomain. 2009-08-31 09:03:51 -04:00
Chris PeBenito
bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore
9dc3cd1635 refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00
Paul Moore
333494fd59 refpol: Add the "tun_socket" object class flask definitions
Add the new "tun_socket" class to the flask definitions.  The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:00 -04:00
Chris PeBenito
4279891d1f patch from Eamon Walsh to remove useage of deprecated xserver interfaces. 2009-08-28 13:40:29 -04:00
Chris PeBenito
93c49bdb04 deprecate userdom_xwindows_client_template
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
2009-08-28 13:29:36 -04:00
Chris PeBenito
fef5dcf3af Remove excessive permissions in logging_send_syslog_msg(). Ticket #14. 2009-08-26 10:05:36 -04:00
Chris PeBenito
e27827b86c split dev_create_cardmgr_dev() into a create and a filetrans interface. 2009-08-25 09:56:56 -04:00
Chris PeBenito
dbb7dd9484 Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy 2009-08-25 09:44:28 -04:00
Chris PeBenito
69347451fd split dev_manage_dri_dev() into a manage and a filetrans interface. 2009-08-25 09:43:38 -04:00
Chris PeBenito
0484277038 reorganize dbus.fc. 2009-08-18 13:37:46 -04:00
Chris PeBenito
62c80e2546 module version bumps and changelog update for the previous 3 commits. 2009-08-18 13:20:01 -04:00
LABBE Corentin
0d700b0fa1 Gentoo dbus in libexec 2009-08-18 13:13:40 -04:00
LABBE Corentin
755c52b8f7 portage need capability sys_nice 2009-08-18 13:13:31 -04:00
LABBE Corentin
58cc9903dd Missing comma in policykit 2009-08-18 13:13:26 -04:00
Chris PeBenito
909922027b Debian policykit fixes from Martin Orr.
The policykit binaries on Debian live in /usr/lib/policykit so add file
contexts for that.  Also a couple of policykit rules.
2009-08-18 09:49:31 -04:00
Chris PeBenito
b2648249d9 Fix unconfined_r use of unconfined_java_t.
The unconfined role is running java in the unconfined_java_t.  The current
policy only has a domtrans interface, so the unconfined_java_t domain is not
added to unconfined_r.  Add a run interface and change the unconfined module
to use this new interface.
2009-08-17 13:19:26 -04:00
Chris PeBenito
4254cec711 Add missing x_device rules for XI2 functions, from Eamon Walsh.
> Whats the difference between add/remove and create/destroy?
>
> The devices are in a kind of hierarchy.  You can now create one or more
> "master devices" (mouse cursor and keyboard focus).  The physical input
> devices are "slave devices" that attach to master devices.
>
> Add/remove controls the ability to add/remove slave devices from a
> master device.  Create/destroy controls the ability to create new master
> devices.
2009-08-14 13:18:16 -04:00
Chris PeBenito
2a77737d4e Add missing rules to make unconfined_cronjob_t a valid cron job domain.
Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain.  This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.
2009-08-12 14:15:39 -04:00
Chris PeBenito
97e42114db remove redundant xen_append_log() call in hostname. 2009-08-11 14:19:38 -04:00
Chris PeBenito
e51390dfcb fix refpolicy ticket #48. 2009-08-10 11:14:03 -04:00
Chris PeBenito
02e594d5dc Handle unix_chkpwd usage by useradd and groupadd; fixes ticket #49. 2009-08-05 14:19:54 -04:00
Chris PeBenito
e335910197 Add missing compatibility aliases for xdm_xserver*_t types.
When collapsing all of the xdm_xserver*_t types into xserver*_t, aliases for
compatibility were mistakenly not added to the policy.
2009-08-05 11:17:53 -04:00
Chris PeBenito
9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito
d69616c625 fix ordering in sysnetwork. 2009-08-05 10:23:50 -04:00
Chris PeBenito
48bf6397fc fix ordering in raid. 2009-08-05 10:19:28 -04:00
Chris PeBenito
4b218bd646 fix ordering in pcmcia. 2009-08-05 10:18:31 -04:00
Chris PeBenito
f0e959b4d2 fix ordering in mount. 2009-08-05 10:16:41 -04:00
Chris PeBenito
54327d48ee fix ordering in modutils. 2009-08-05 10:15:45 -04:00
Chris PeBenito
568efbe895 fix ordering of interface calls in lvm. 2009-08-05 10:07:35 -04:00
Chris PeBenito
8cd1306e5b fix ordering of interface calls in locallogin. 2009-08-05 10:06:04 -04:00
Chris PeBenito
e6985f91ab fix ordering of interface calls in iptables. 2009-08-05 10:04:13 -04:00
Chris PeBenito
464ffa57fd fix ordering of interface calls in init. 2009-08-05 10:01:06 -04:00
Chris PeBenito
14d282253f fix ordering of interface calls in hostname. 2009-08-05 09:57:14 -04:00
Chris PeBenito
5b5300c823 fix ordering of interface calls in getty. 2009-08-05 09:55:58 -04:00
Chris PeBenito
79ca728b5f fix ordering of interface calls in fstools. 2009-08-05 09:54:52 -04:00
Chris PeBenito
08638af216 fix ordering of interface calls in clock. 2009-08-05 09:52:34 -04:00
Chris PeBenito
2acba7bbdb fix ordering of interface calls in authlogin. 2009-08-05 09:51:47 -04:00
Chris PeBenito
9c47227c7a fix ordering of interface calls in sudo. 2009-08-05 09:48:46 -04:00
Chris PeBenito
78a9c2815d add bin_t labeling for gentoo dhcpcd-run-hooks location 2009-07-30 09:34:00 -04:00
Chris PeBenito
4c92f08f75 openrc unfortunately mounts a tmpfs at /lib/rc 2009-07-30 08:57:15 -04:00
Chris PeBenito
cfdbf366cb gentoo init script system uses tmpfs for state data 2009-07-30 08:33:43 -04:00
Chris PeBenito
efa0acccea gentoo init script system sends audit messages. 2009-07-29 21:50:32 -04:00
Chris PeBenito
3162277ade alsa file location update for debian, from Manoj. 2009-07-29 15:28:14 -04:00
Chris PeBenito
2a4740c0a0 whitespace fixes in apt. 2009-07-29 15:24:52 -04:00
Chris PeBenito
b5aaa7b72d clean up 6a192f70d4 2009-07-29 15:12:48 -04:00
Manoj Srivastava
6a192f70d4 Update apt/aptitude policy to add support for lock/log files
Signed-off-by: Russell Coker <russell@coker.com.au>
Acked-By: Manoj Srivastava <srivasta@debian.org>
2009-07-29 15:00:39 -04:00
Chris PeBenito
50458c8bb7 pull most of fedora changes to rpc. 2009-07-29 14:55:30 -04:00
Chris PeBenito
0c89174f7f pull most of fedora changes to samba. 2009-07-29 14:40:34 -04:00
Chris PeBenito
105e85ac8e /dev/fuse should be s0 not mls_high
> From my understanding of the FUSE website, the data from the userland FS
> is transferred through this device.  Since the data may go up to system
> high, I believe the device should still be system high.
>
Making it systemhigh will generate lots of AVC messages on every login
at X Since fusefs is mounted at ~/.gfs.  It will also make it unusable I
believe on an MLS machine.  Mostly I have seen fusefs used for remote
access to data.  sshfs for example.
2009-07-29 11:08:50 -04:00
Chris PeBenito
363e8fb98a pull in part of fedora mta changes 2009-07-29 10:59:09 -04:00
Chris PeBenito
20c3ccee1a add fprintd module from dan. 2009-07-29 10:28:31 -04:00
Chris PeBenito
677c4c2fea add devicekit module from dan. 2009-07-29 10:02:06 -04:00
Chris PeBenito
4e7c0a93a6 consolekit patch from dan. 2009-07-29 09:13:54 -04:00
Chris PeBenito
33322290f2 automount patch from dan. 2009-07-29 08:59:26 -04:00
Chris PeBenito
8f3bddfbfd cups patch from dan. 2009-07-28 15:46:26 -04:00
Chris PeBenito
4be3e11094 pull in apache_admin() from fedora 2009-07-28 13:24:08 -04:00
Chris PeBenito
91550027de vmware patch from dan. 2009-07-28 11:37:34 -04:00
Chris PeBenito
423a4a3a2c fix dbus type transition conflict.
switch dbus ranged calls from daemon domain to system domain.  This works
around a type transition conflict.  It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
Chris PeBenito
41ea887598 sudo patch from dan. 2009-07-28 10:29:11 -04:00
Chris PeBenito
83f0b50814 readahead patch from dan. 2009-07-28 10:08:02 -04:00
Chris PeBenito
4083191c4b add missing userdom interfaces 2009-07-28 09:35:46 -04:00