Commit Graph

864 Commits

Author SHA1 Message Date
Dominick Grift
59c0340548 Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-16 12:18:33 +02:00
Dominick Grift
ba6db03dc0 Redundant: mta_sendmail_domtrans calls domtrans_pattern which already includes these permissions. 2010-09-16 12:18:33 +02:00
Dominick Grift
b35d259348 XML summary ffixes.
XML summary fixes.

Signed-off-by: Dominick Grift <domg472@gmail.com>

XML summary fixes.
2010-09-16 12:18:33 +02:00
Dominick Grift
f92662114a Search parent directory to be able to interact with target content.
Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.
2010-09-16 12:18:33 +02:00
Dominick Grift
4ff4ddfaa3 Allow users to ptrace and send any kind of signal to spamassassin agents. 2010-09-16 12:18:33 +02:00
Dominick Grift
c5caddd673 This type is not required here. 2010-09-16 12:18:33 +02:00
Dominick Grift
b0e9aaafb9 This is not a role capability.
This is not a role capability.

Signed-off-by: Dominick Grift <domg472@gmail.com>

This is not a role capability.
2010-09-16 12:18:31 +02:00
Dominick Grift
a3d20a3c3a Use relabel permission sets where possible. 2010-09-16 12:18:31 +02:00
Dominick Grift
9a2fd7d144 Redundant: This is included with userdom_read_user_home_content_files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
50e85752ad Allow users to ptrace and send any kind of signal to their ssh agent instead of only a generic signal.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
f416df73dd Redundant: This is included with userdom_search_user_home_content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
a87e8f736c Redundant: domtrans_pattern includes these.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
d0b7562f02 Do not audit interface should not provide permission to read parent directories.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
5ebd1a52a5 Use domtrans_pattern because it include permission the sigchld target domain and other required access to domain transition.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
2d102f8402 Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
60d27bf8ab Tunable, optional, if(n)def block go below.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 10:43:14 +02:00
Dominick Grift
2e2a24e07d Use stream_connect_pattern.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 10:43:14 +02:00
Dan Walsh
4d71bc3534 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-15 16:06:43 -04:00
Dominick Grift
83029ff3c5 Use relabel permission sets where possible.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
4ec4a49e8a Add missing admin_patterns to rpcbind_admin.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
ac13ad949b Use stream connect pattern.
Use stream_connect_pattern.

Use stream_connect_pattern.

Use stream_connect_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
ad424545db Use ps_process_pattern to read state.
Use ps_process_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
87cd6eef3a Reduntant: Is already included with userdom_search_user_home_dirs.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
4eaffd271f Access to get attributes of target pppd_t domain is included with ps_process_pattern.
Access to get attributes of target privoxy_t domain is included with ps_process_pattern.

Access to get attributes of target radiusd_t domain is included with ps_process_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00
Dominick Grift
39e118bc15 Use ps_process_pattern to read state. Access to get attributes of target afs_t domain is included with ps_process_pattern.
Use ps_process_pattern to read state. Access to get attributes of target boinc_t domain is included with ps_process_pattern.

Use ps_process_pattern to read state. Access to get attributes of target cobblerd_t domain is included with ps_process_pattern.

Use ps_process_pattern to read state. Permission to get attributes of target exim_t domain is included with ps_process_pattern.

Use ps_process_pattern to read state. Access to get attributes of target plymouthd_t domain is included with ps_process_pattern.

Use ps_process_pattern to read state. Access to get attributes of target pportreserve_t domain is included with ps_process_pattern.

Use ps_process_pattern to read state. Access to get attributes of target postfix domains is included with ps_process_pattern.

Use ps_process_pattern to read state. Permission to get attributes of target qpidd_t domain is included with ps_process_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
1215dfb87c Allow pads_admin to search parent directories to be able to interact with pads content.
Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content.

Allow postgresql admin to search parent directories to be able to manage postgresql content.

Allow prelude_admin to search parent directories to be able to manage prelude content.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
d183137edb XML summary fix.
XML summary fix.

XML summary fix.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
dcbbeeada3 Access to get attributes of target accountsd_t domain is included with ps_process_pattern.
Permission to get attributes of target arpwatch_t domain is included with ps_process_pattern.

Access to get attributes of target asterisk_t domain is included with ps_process_pattern.

Permission to get attributes of target automount_t domain is included with ps_process_pattern.

Access to get attributes of target ntpd_t domain is included with ps_process_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
b6d0a79f2c Use admin_pattern. Allow nslcd_admin to search parent directories to be able to interact with nslcd content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
eb12bc3076 Source is required to search generic pid directories to be able to interact with mysql sockets in var_run.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
f386b9002d Use the stream_connect_pattern.
Use stream_connect_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
c5e7db7a71 Allow mpd_admin to manage mpd tmpfs content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
0ba923e7d9 Source is required to search generic tmpfs directories to be able to interact with mpd tmpfs content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
0ab415250b Redundant: mpd_search_lib already includes files_search_var_lib.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
7d34935ff2 Memcached_admin is required to search generic pid directories to be able to manage memcached pid content.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
aa5baa96ed Allow icecast_admin to ptrace and signal the icecast_t domain.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
4b81a55013 This is redundant since base user can search generic proc directories and included ps_process_pattern call permits all else.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
7d36c9fa13 Permission to search proc_t directories is required to be able to read abrt state.
Signed-off-by: Dominick Grift <domg472@gmail.com>

Permission to search generic proc directories is required to read hald_t state.
2010-09-15 17:42:28 +02:00
Dominick Grift
b36824efdf Permit fetchmail_admin to ptrace and signal the fetchmail_t domain.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
cf152b4953 Replace some type statements by comma delimiters.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
47cf98ddd5 Permission to get attributes of target devicekit_t, devicekit_disk_t and devicekit_power_t domains are included with ps_process_patterns.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
5ecaacae61 Type system_cronjob_var_run_t is not required here.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
beb9c35b25 Types crontab_exec_t, cron_spool_t and user_cron_spool_t are required here.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
d8d33a15bf Permission to search generic pid directories is included with files_pid_filetrans.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
0540e22fcc Use ps_process_pattern to read state. Permission to seach proc_t directories is required to read automount state.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dan Walsh
9461b60657 Add the ability to send audit messages to confined admin policies
Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
2010-09-15 11:31:20 -04:00
Miroslav Grepl
3b0a9c74bb Allow iscsid to manage tgtd semaphores 2010-09-15 16:50:07 +02:00
Chris PeBenito
fee48647ac Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77
a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c
dc7cc4d 792d448
2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c radvd patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1 snort patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8 stunnel patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3 zabbix patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5 zebra patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9 certmaster patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a pcscd patch from Dan Walsh
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326 postgresql patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2 postgrey patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c prelude patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
b8097d6ec4 amavis patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf arpwatch patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0 canna patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7 certmonger patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302 courier patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450 dcc patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a style change to djbdns.te 2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd fetchmail patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e icecast patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa nslcd patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764 nut patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac openct patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Dan Walsh
c2dae98501 Allow a couple of sandbox issues.
Remove postgresl managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
2010-09-14 10:02:43 -04:00
Dan Walsh
5ef740e54b Fix gnome_setattr_config_home
Allow exec of sandbox_file_type by calling apps
Fix typos
2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941 Fix some names in passenger policy 2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290 Move passenger policy to services 2010-09-13 15:10:30 +02:00
Dan Walsh
536f28a2bf Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-13 08:43:40 -04:00
Dan Walsh
1a40cbf63e Fix boolean descriptions 2010-09-13 08:43:35 -04:00
Miroslav Grepl
3a3212619a Allow dovecot-deliver to create tmp files
Allow tor to send signals to itself
2010-09-13 13:12:24 +02:00
Miroslav Grepl
d7de04f8d4 - Add passenger policy 2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855 Fix cert calls in telepath, boinc, kerberos
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/admin/amanda.if
	policy/modules/system/init.te
	policy/modules/system/miscfiles.if
	policy/modules/system/miscfiles.te
	policy/modules/system/userdomain.if
2010-09-10 13:02:25 -04:00
Dan Walsh
0b8f4cfe16 More fixes for mozilla_plugin_t
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920 Implement miscfiles_cert_type().
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8 Allow hugetlbfs_t to be on device_t file system
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00
Dan Walsh
8e47c02b16 fixes for openvpn suggested by dgrift 2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345 Allow mozilla_plugin to create nsplugin_home_t directories
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Dan Walsh
5f5963be01 add policy for ajaxterm 2010-09-09 07:11:32 -04:00
Dan Walsh
4c38170781 add policy for ajaxterm 2010-09-09 07:10:24 -04:00
Dan Walsh
ee4b1e0aad Allow crond to manage user_spool_cron_t link files
Allow init to delete dbus message.pid
Allow init and udev to create hugetlbfs directories
2010-09-08 17:54:31 -04:00
Dan Walsh
a75a591e52 Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x 2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7 Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461 Cleanup warnings 2010-09-08 10:43:22 -04:00
Dan Walsh
689bfef3a8 Fix apache interface 2010-09-08 10:29:40 -04:00
Dan Walsh
f79af26649 fix bad patch in xserver 2010-09-08 10:25:03 -04:00
Dan Walsh
0745e42559 fix typo in xserver_stream_connect 2010-09-08 09:29:02 -04:00
Dan Walsh
db879987ca Fix pootle 2010-09-07 16:32:23 -04:00
Dan Walsh
f5b49a5e0b Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
ef98a37444 Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagious sends signal and sigkill to system_mail_t
2010-09-03 17:06:40 -04:00
Dan Walsh
a668127367 Allow certmaster to read usr_t files. All python apps are going to need this.
clvmd creates tmpfs files that corosync needs to communicate with
Allow dbus system services to search the cgroup_t directory
2010-09-02 13:38:00 -04:00
Dan Walsh
cbadf720ba Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/kernel/domain.if
	policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00
Chris PeBenito
a1b42052c9 Fix mmap_zero assertion violation in xserver. 2010-09-01 09:59:39 -04:00
Dan Walsh
09686dc8ee Allow all X apps to use direct dri if user_direct_dri boolean is turned on 2010-09-01 09:56:28 -04:00
Dan Walsh
03527520de firstboot is leaking a netlink_route socket into iptables. We need to dontaudit
tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
2010-09-01 09:47:50 -04:00
Dominick Grift
623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Dan Walsh
c6fa935fd5 Fix sandbox tcp_socket calls to create_stream_socket_perms
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs.  Must allow them to create directories
2010-08-31 18:36:43 -04:00
Dan Walsh
4fccad906d Allow qmail to use uucpd
Fixes found by Tom London for devicekit and udev using usbmuxd socket
2010-08-31 10:51:10 -04:00
Dan Walsh
5fb4db53ad Add Miroslav Grepl patch for jabberd, adding new type for jabberd router. 2010-08-31 08:56:30 -04:00
Dan Walsh
5537e5558b Apply Dominick Grift typo fixes 2010-08-30 17:32:41 -04:00
Dan Walsh
079779a634 Allow hald to transition to netutils
Block signal via mcs systems
2010-08-30 15:15:03 -04:00
Dan Walsh
ddcd5d6350 Dontaudit signals from sandbox domains to domains that transition to them 2010-08-30 13:32:47 -04:00
Dan Walsh
73f7d4f4a2 Fix spelling mistake 2010-08-30 11:30:00 -04:00
Dan Walsh
c71f02c02d More fixes 2010-08-30 11:15:53 -04:00
Dan Walsh
2d4a79a061 Policy fixes 2010-08-30 08:57:06 -04:00
Dan Walsh
ac498fa5d9 More fixes 2010-08-27 10:56:56 -04:00
Dan Walsh
08e567dc56 Latest fixes 2010-08-26 20:30:04 -04:00
Dan Walsh
9561b0ab08 Update f14 2010-08-26 15:42:17 -04:00
Dan Walsh
4765a595e8 Fixes for f14 2010-08-26 15:29:37 -04:00
Dan Walsh
46c24a359b ditto 2010-08-26 13:23:23 -04:00
Dan Walsh
aae38f05a6 whoya 2010-08-26 13:16:02 -04:00
Dan Walsh
2968e06818 Update f14 2010-08-26 12:55:57 -04:00
Dan Walsh
a947daf6df Update f14 2010-08-26 10:27:35 -04:00
Dan Walsh
3eaa993945 UPdate for f14 policy 2010-08-26 09:41:21 -04:00
Chris PeBenito
00ca404a20 Remove unnecessary require on cgroup_admin(). 2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42 Whitespace fixes on cgroup. 2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4 Confine /sbin/cgclear.
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift
288845a638 Services layer xml files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
8da88970be Accountsd cleanup. 2010-08-03 09:50:40 -04:00
Chris PeBenito
d0eebed0b7 Move accountsd to services. 2010-08-03 09:31:53 -04:00
Chris PeBenito
a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito
9d4395a736 MojoMojo from Lain Arnell. 2010-08-02 09:28:06 -04:00
Chris PeBenito
a72e42f485 Interface documentation standardization patch from Dan Walsh. 2010-08-02 09:22:09 -04:00
Chris PeBenito
29f3bfa464 Fix JIT usage for freshclam.
http://marc.info/?l=selinux&m=127893898208934&w=2
2010-07-13 08:39:54 -04:00
Chris PeBenito
4b76ea5f51 Module version bump for fa1847f. 2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2 Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
3c4e9fce8e Make spamassassin optional for milter, from Russell Coker. 2010-07-07 08:55:57 -04:00
Chris PeBenito
bca0cdb86e Remove duplicate/redundant rules, from Russell Coker. 2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9 Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role(). 2010-07-06 13:17:05 -04:00
Dominick Grift
7e5463b58c fix cgroup_admin
When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-01 09:02:58 -04:00
Chris PeBenito
113d2e023d Minor tweaks and module version bump for a00fc1c. 2010-06-25 09:51:34 -04:00
Dominick Grift
a00fc1c317 hddtemp fixes.
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-25 09:43:54 -04:00
Chris PeBenito
9a4d292902 Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.

Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83 AFS patch from Dan Walsh. 2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560 Abrt patch from Dan Walsh.
Abrt uses /var/spool/abrt now and changed the name of its lock

Now uses a stream socket

Installs debuginfo packages

sys_nice itself
2010-06-10 07:58:00 -04:00
Chris PeBenito
53f9abbe68 Clean up cgroup. Rename cgconfigparser to cgconfig. 2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7 Remove cgroup_t usage in cgroup_admin() since it is not owned by the module. 2010-06-08 09:12:03 -04:00
Chris PeBenito
04dcd73fe3 Whitespace fixes in cgroup and init. 2010-06-08 08:47:26 -04:00
Dominick Grift
ddf821332f add libcg policy.
Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00