Commit Graph

4892 Commits

Author SHA1 Message Date
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
052e175084 Remove ada policy 2011-10-20 14:33:31 -04:00
Dan Walsh
b01657ac51 Remove ada policy 2011-10-20 14:21:03 -04:00
Dan Walsh
61fa8d555e Remove tzdata policy
Remove ada policy
Add labeling for udev
Add cloudform policy
Fixes for bootloader policy
2011-10-20 12:30:06 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Miroslav
1944b1a36e Remove tzdata policy 2011-10-20 18:00:51 +02:00
Miroslav
5deba1c4da Add cloudform to modules-targetd.conf 2011-10-20 17:51:34 +02:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
4dba2eb895 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-19 08:29:33 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
9bf3aa2c96 Add passwd_file_t for /etc/ptmptmp 2011-10-17 15:51:24 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
042e3a325f Don't check md5 size or mtime on certain config files 2011-10-12 15:42:07 -04:00
Dan Walsh
2f4dfeb425 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00
Dan Walsh
80347b11c4 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:48:46 -04:00
Dan Walsh
3af504b2d1 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-10-11 16:48:17 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Miroslav
62760c4b9e - Fixes for bootloader policy
- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore
- Allow nsplugin to read /usr/share/config
- Allow sa-update to update rules
- Add use_fusefs_home_dirs for chroot ssh option
- Fixes for grub2
- Update systemd_exec_systemctl() interface
- Allow gpg to read the mail spool
- More fixes for sa-update running out of cron job
- Allow ipsec_mgmt_t to read hardware state information
- Allow pptp_t to connect to unreserved_port_t
- Dontaudit getattr on initctl in /dev from chfn
- Dontaudit getattr on kernel_core from chfn
- Add systemd_list_unit_dirs to systemd_exec_systemctl call
- Fixes for collectd policy
- CHange sysadm_t to create content as user_tmp_t under /tmp
2011-10-11 00:50:27 +02:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Miroslav
54943f9472 - Allow virsh to read xenstored pid file
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
2011-10-05 23:48:25 +02:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
14d7aac744 Fix missing patch from F16 2011-10-04 11:34:14 -04:00
Dan Walsh
3b9467424f Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:53:11 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Dan Walsh
e15ae4fa84 Fixes caused by the labeling of /etc/passwd
Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
2011-09-30 10:22:41 -04:00
Dan Walsh
a004ca8c3a Fixes caused by the labeling of /etc/passwd 2011-09-29 13:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
4d24861bc2 Add label for /etc/passwd 2011-09-28 16:18:43 -04:00
Miroslav
1b20a51a85 Add grub.patch 2011-09-28 01:09:22 +02:00
Miroslav
b8a4bfcacc httpd_can_network_connect_ftp is bad name of interface 2011-09-28 01:00:28 +02:00
Miroslav
69cf5b53d2 Use cobblerd type instread of ftpd 2011-09-27 20:39:21 +02:00
Miroslav
99d7cca4c8 One more 2011-09-27 20:27:58 +02:00
Miroslav
37ce30c21d Use proper interface 2011-09-27 20:17:22 +02:00
Miroslav
0c1fa22604 Fix 2011-09-27 19:41:46 +02:00
Miroslav
7c0196f1f4 more fixes 2011-09-27 19:32:07 +02:00
Miroslav
60e1106a6a More fixes for ephemeral.patch 2011-09-27 19:22:20 +02:00
Miroslav
988daeb615 Fix ephemeral.patch 2011-09-27 19:06:41 +02:00
Miroslav
af391ff269 Fixes for systemd unit files 2011-09-27 18:50:47 +02:00
Dan Walsh
6a55631bdf Update ephemeral patch and fix modules defs for the thumb images 2011-09-27 11:16:13 -04:00
Dan Walsh
24b80bf8d9 Make unconfined domains permissive for rawhide
Add definition for ephermeral ports
2011-09-27 10:16:54 -04:00
Dan Walsh
4ce5381249 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-09-26 16:01:48 -04:00
Dan Walsh
e88b9a2383 add thumbnailer protection 2011-09-26 10:57:37 -04:00
Miroslav
02a8a402a1 - Make mta_role() active
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
2011-09-26 12:32:44 +02:00
Miroslav Grepl
1aafd0f4bc Fix spec file 2011-09-23 17:59:34 +02:00
Miroslav Grepl
031161f80b Fix spec file 2011-09-23 17:58:45 +02:00
Miroslav
f9c350238c +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
2011-09-23 13:57:44 +02:00
Dan Walsh
747b715541 Add definition for ephemeral ports
Define user_tty_device_t as a customizable_type
2011-09-21 08:39:14 -04:00