Commit Graph

2445 Commits

Author SHA1 Message Date
Eamon Walsh
5025a463cf Drop the xserver_unprotected interface.
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them.  But since the
default user type is unconfined this problem has gone away for now.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-30 08:55:58 -04:00
Eamon Walsh
b624268b9f X Object manager policy revisions to x_contexts.
X Object manager policy revisions to x_contexts.

Many of the specific event, extension, and property types have been
removed for the time being.  Polyinstantiation allows selections and
properties to be separated in a different way, and new X server support
for labeling individual extension requests (as opposed to entire extensions)
should make the extension querying problem easier to solve in the future.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:35 -04:00
Eamon Walsh
5242ecceac X Object Manager policy revisions to xserver.if.
X Object Manager policy revisions to xserver.if.

This commit consists of two parts:

1. Revisions to xserver_object_types_template and
   xserver_common_x_domain_template.  This reflects the dropping
   of many of the specific event, extension, and property types.

2. New interfaces:
   xserver_manage_core_devices: Gives control over core mouse/keyboard.
   xserver_unprotected: Allows all clients to access a domain's X objects.
   Modified interfaces:
   xserver_unconfined: Added x_domain typeattribute statement.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:26 -04:00
Eamon Walsh
f267f85390 X Object Manager policy revisions to xserver.te.
X Object Manager policy revisions to xserver.te.

This commit consists of three main parts:

1. Code movement.  There were X object manager-related statements
   scattered somewhat throughout the file; these have been consolidated,
   which resulted in some other statements moving (e.g. iceauth_t).

2. Type changes.  Many of the specific event, extension, and property
   types have been dropped for the time being.  The rootwindow_t and
   remote_xclient_t types have been renamed, and a root_xcolormap_t
   type has been (re-)added.  This is for naming consistency.
   An "xserver_unprotected" alias has been added for use in labeling
   clients whose resources should be globally accessible (e.g. xdm_t).

3. Policy changes.  These are mostly related to devices, which now have
   separate x_keyboard and x_pointer classes.  The "Hacks" section
   has been cleaned up, and various other classes have had the default
   permissions tweaked.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:22 -04:00
Chris PeBenito
b04669aaea add tuned from miroslav grepl. 2009-10-26 09:42:11 -04:00
Chris PeBenito
cee508bcb5 Install the seusers file for monolithic policy. 2009-10-23 11:20:07 -04:00
Chris PeBenito
a1a45de06e reorganize a92ee50 2009-10-22 10:35:45 -04:00
Dominick Grift
a92ee50126 Implement screen-locking feature.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-22 10:33:05 -04:00
Justin P. Mattock
5b6bd09213 Fix a typo of SElinux to SELinux.
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
2009-10-22 09:47:52 -04:00
Chris PeBenito
c5967300e2 add changelog entry for e4928c5f79 2009-10-22 09:22:14 -04:00
Chris PeBenito
7ca3f559d7 add open to search_dir_perms. 2009-10-22 09:13:04 -04:00
Eamon Walsh
e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito
808341bb9b revise MCS constraints to use only MCS-specific attributes. 2009-10-07 11:48:14 -04:00
Chris PeBenito
4be8dd10b9 add seunshare from dan. 2009-09-28 15:40:06 -04:00
Chris PeBenito
5a6b1fe2b4 add dkim from stefan schulze frielinghaus. 2009-09-17 09:12:33 -04:00
Chris PeBenito
21b1d1096f add gnomeclock from dan. 2009-09-16 08:38:58 -04:00
Chris PeBenito
ed70158a39 add rtkit from dan. 2009-09-15 09:53:24 -04:00
Chris PeBenito
1d3b9e384c clean up xscreensaver. 2009-09-15 09:41:42 -04:00
corentin.labbe
31f9c109c1 SELinux xscreensaver policy support
Hello

This a patch for adding xscreensaver policy.

I think it need a specific policy because of the auth_domtrans_chk_passwd.

cordially

Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr>
2009-09-15 08:46:28 -04:00
Chris PeBenito
c141d835f1 add modemmanager from dan. 2009-09-14 09:48:13 -04:00
Chris PeBenito
e3a90e358a add abrt from dan. 2009-09-14 09:22:24 -04:00
Chris PeBenito
6af53d08ed rearrange readahead rules. 2009-09-09 09:53:28 -04:00
Chris PeBenito
c1e5b195f7 readahead patch from dan. 2009-09-09 09:45:34 -04:00
Chris PeBenito
937b2c4d91 nscd patch from dan. 2009-09-09 09:35:37 -04:00
Chris PeBenito
c61b35048a cron patch from dan. 2009-09-09 09:28:04 -04:00
Chris PeBenito
163ddfaa80 prelink patch from dan. 2009-09-09 08:18:51 -04:00
Chris PeBenito
81bca10b28 nslcd policy from dan. 2009-09-08 10:31:19 -04:00
Chris PeBenito
f67bc918d4 term_write_all_terms() patch from Stefan Schulze Frielinghaus 2009-09-08 10:06:38 -04:00
Chris PeBenito
dbed95369c add gitosis from miroslav grepl. 2009-09-03 09:52:08 -04:00
Chris PeBenito
634a13c21f cpufreqselector patch from dan. 2009-09-03 09:15:17 -04:00
Chris PeBenito
f6137171f3 add an additional vmware host program. 2009-09-03 08:56:58 -04:00
Chris PeBenito
6fdef06522 screen patch from dan. 2009-09-03 08:49:26 -04:00
Chris PeBenito
72b834ccb0 remove stale screen_dir_t references
The screen_dir_t was made an alias of the screen_var_run_t type.
Remove the remaining references to this type.
2009-09-03 08:39:42 -04:00
Chris PeBenito
ca7fa520e7 gpg patch from dan.
gpg sends sigstop and signull

Reads usb devices

Can encrypts users content in /tmp and the homedir, as well as on NFS and cifs
2009-09-03 08:23:18 -04:00
Chris PeBenito
f2f296ba60 openvpn patch from dan: Openvpn connects to cache ports and stores files in nfs and cifs directories. 2009-09-02 09:24:10 -04:00
Chris PeBenito
93be4ba581 Webalizer does not list inotify, this was caused by leaked file descriptors in either dbus or cron. Both of which have been cleaned up. 2009-09-02 09:10:30 -04:00
Chris PeBenito
625be1b4e6 add shorewall from dan. 2009-09-02 08:58:52 -04:00
Chris PeBenito
71965a1fc5 add kdump from dan. 2009-09-02 08:33:25 -04:00
Chris PeBenito
a4b6385b9d cdrecord patch from dan. 2009-09-01 09:22:40 -04:00
Chris PeBenito
1a79193449 awstats patch from dan. 2009-09-01 08:59:24 -04:00
Chris PeBenito
b2324fa76d certwatch patch from dan. 2009-09-01 08:50:39 -04:00
Chris PeBenito
b515ab0182 mrtg patch from dan. 2009-09-01 08:44:20 -04:00
Chris PeBenito
aa83007d5a add hddtemp from dan. 2009-09-01 08:34:04 -04:00
Chris PeBenito
aac56b12b7 add ptchown policy from dan. 2009-08-31 10:21:01 -04:00
Chris PeBenito
a3dd1499ef pulseaudio patch from dan. 2009-08-31 10:07:57 -04:00
Chris PeBenito
da4332a3c5 man page update from dan. 2009-08-31 09:57:55 -04:00
Chris PeBenito
6774578327 module version number bump for nscd patch. 2009-08-31 09:44:38 -04:00
Manoj Srivastava
2a79debe9b nscd cache location changed from /var/db/nscd to /var/cache/nscd
The nscd policy module uses the old nscd cache location. The cache location
changed with glibc 2.7-1, and the current nscd does place the files in
/var/cache/nscd/.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2009-08-31 09:43:52 -04:00
Chris PeBenito
a9e9678fc7 kismet patch from dan. 2009-08-31 09:38:47 -04:00
Chris PeBenito
aaff2fcfcd module version number bump for tun patches 2009-08-31 09:17:31 -04:00