Commit Graph

5289 Commits

Author SHA1 Message Date
Dan Walsh
2676121267 Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-party drivers
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man pages
2012-07-24 15:56:40 -04:00
Miroslav Grepl
9ba137b17b * Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12
- Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-part
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man page
2012-07-23 17:47:41 +02:00
Miroslav Grepl
355c11db63 Fix nsswitch_booleans list in genman 2012-07-23 17:32:58 +02:00
Miroslav Grepl
1c38921365 Fix genman.py to correct PORT part 2012-07-23 17:13:29 +02:00
Miroslav Grepl
9c935861d2 Fix genman.py script to descrite nsswitch_domain booleans for domain types 2012-07-23 16:38:28 +02:00
Dennis Gilmore
c07f6435e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-21 14:21:28 -05:00
Miroslav Grepl
3da13de031 +- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
+- Allow xend_t to read the /etc/passwd file
 Please enter the commit message for your changes. Lines starting
 with '#' will be ignored, and an empty message aborts the commit.
 On branch master
 Changes to be committed:
   (use "git reset HEAD <file>..." to unstage)

	modified:   policy-rawhide.patch
	modified:   policy_contrib-rawhide.patch
	modified:   selinux-policy.spec
2012-07-16 00:03:02 +02:00
Miroslav Grepl
3bbc9bb5a8 Add stapserver and realmd policy to modules-targeted.conf 2012-07-15 22:47:22 +02:00
Dan Walsh
18fc0f3c99 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-13 16:59:14 -04:00
Dan Walsh
9d1d9952b1 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-12 19:20:37 -04:00
Miroslav Grepl
98ec5a124e - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00
Miroslav Grepl
770036a507 Add php-fpm to modules-targeted.conf 2012-07-10 10:30:39 +02:00
Dan Walsh
9fe965541c Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-07-06 06:41:48 -04:00
Dan Walsh
8d8178f83b Copy F17 customizable_types into F18 2012-07-06 06:41:33 -04:00
Miroslav Grepl
0f07ba7f55 * Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
2012-07-03 23:11:32 +02:00
Miroslav Grepl
1de5de6450 - add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
2012-06-27 12:53:34 +02:00
Miroslav Grepl
52ac61da45 * Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit  thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
2012-06-25 07:09:24 +02:00
Dan Walsh
a3e9dc0c92 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-06-20 14:33:29 -04:00
Dan Walsh
7f9b7d5c03 Remove pyzor and razor modules 2012-06-20 14:33:23 -04:00
Miroslav Grepl
c74d194317 - apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
2012-06-19 13:40:53 +02:00
Miroslav Grepl
bfc280fd5b - Add support for ecryptfs
* ecryptfs does not support xattr
  * we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct la
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
2012-06-15 10:43:55 +02:00
Miroslav Grepl
c8f96d3d71 * Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
2012-06-12 14:33:10 +02:00
Miroslav Grepl
4415dfa1a8 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
2012-06-09 09:07:54 +02:00
Dan Walsh
c3956376c7 Add booleans.subs_dist to selinux-policy package 2012-06-08 10:09:54 -04:00
Dan Walsh
2815c1a4e4 Remove permissive domains in F17 from F18 2012-06-07 14:12:42 -04:00
Dan Walsh
62163c8c51 Trigger a restorecon -R -v /home on the next update 2012-06-07 14:05:06 -04:00
Dan Walsh
52f92dd376 Fix patch to eliminate sepolgen errors 2012-06-07 10:30:58 -04:00
Dan Walsh
5f75e360e4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	config.tgz
2012-06-07 10:14:02 -04:00
Miroslav Grepl
2a80c717ae Fix merge context issues 2012-06-07 14:16:42 +02:00
Miroslav Grepl
d68342900a fix sources 2012-06-07 13:40:47 +02:00
Miroslav Grepl
7efcb84ab9 update selinux-policy.spec file 2012-06-07 13:27:36 +02:00
Miroslav Grepl
1ee0a31352 Add temporary roleattribute patches 2012-06-07 11:58:33 +02:00
Miroslav Grepl
922fd7b529 Update config.tgz 2012-06-07 11:56:08 +02:00
Miroslav Grepl
3dd200bfa4 * Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
  * new policy topology to include contrib policy modules
  * we have now two base policy patches
2012-06-07 00:42:18 +02:00
Miroslav Grepl
e392eca2af Upload new sources 2012-06-06 16:09:49 +02:00
Miroslav Grepl
24c1488494 Update modules-* files 2012-06-06 15:43:16 +02:00
Miroslav Grepl
4daeee80d1 Add permissivedomains module
* sync with F17
2012-06-06 15:26:24 +02:00
Miroslav Grepl
4a27edfbeb Sync master with F17 2012-06-06 15:25:27 +02:00
Dan Walsh
59ed31ee8e Fix contexts file for lxc 2012-04-17 16:32:17 -04:00
Dan Walsh
05c3d969d7 Add lxc context definitions 2012-04-17 13:07:16 -04:00
Miroslav
de69336bd3 +* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-
+- Allow firewalld to read urand
+- Alias java, execmem_mono to bin_t to allow third parties
+- Add label for kmod
+- /etc/redhat-lsb contains binaries
+- Add boolean to allow gitosis to send mail
+- Add filename transition also for "event20"
+- Allow systemd_tmpfiles_t to delete all file types
+- Allow collectd to ipc_lock
2012-02-13 22:28:38 +01:00
Dan Walsh
4066cfa00d Add dnssec policy and go back to unconfined domains versus permissive domains 2012-02-09 17:38:44 -05:00
Dan Walsh
7bf1025fa8 Revert "Dropping support for snort since it was dropped from Fedora. Users should use nagios"
This reverts commit 76d9bfedb6.
2012-02-07 17:18:16 -05:00
Dan Walsh
5c28b0512d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-02-07 17:17:54 -05:00
Dan Walsh
76d9bfedb6 Dropping support for snort since it was dropped from Fedora. Users should use nagios 2012-02-07 17:15:35 -05:00
Dan Walsh
d3a57c6cc7 Fedora no longer ships kerneloops, dropping policy 2012-02-07 17:09:23 -05:00
Miroslav Grepl
81894dfe50 - Add policy for grindengine MPI jobs 2012-02-07 18:18:07 +01:00
Miroslav Grepl
618ef7160b Add label for /etc/WebCalendar 2012-02-07 14:09:10 +01:00
Miroslav Grepl
80d21dc60a Revert "Simplify the build-docs target"
This reverts commit 01be486292.
2012-02-07 14:08:38 +01:00
Miroslav Grepl
3d8eaa7aa5 Fix typo 2012-02-07 00:25:01 +01:00