Commit Graph

5214 Commits

Author SHA1 Message Date
Dan Walsh
f264f9cf08 Need to fix label on /sys/kernel/uevent_handler 2014-01-17 10:03:23 -05:00
Miroslav Grepl
5bd1f1afd6 * Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_
2014-01-13 12:25:57 +01:00
Miroslav Grepl
0a96c38442 Add latest changes from selinux-policy.git 2014-01-10 14:55:21 +01:00
Miroslav Grepl
01969cfc26 Don't transition roles when executing daemons from unconfined_t 2014-01-09 23:12:05 +01:00
Miroslav Grepl
af2dcd6ac0 Revert Try to change ssh_exec to ssh_basic_client for glusterd_t 2014-01-09 16:48:21 +01:00
Miroslav Grepl
9b85087129 - Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker
2014-01-09 15:11:05 +01:00
Miroslav Grepl
c0bc504789 Use userdom_filetrans_type instead of userdom_filetrans_domain in userdomain.te 2014-01-06 09:14:52 +01:00
Miroslav Grepl
9d88e18305 - Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssprozy to change user and gid, as well as read user keyrings
- Allow sandbox apps to attempt to set and get capabilties
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- allow modemmanger to read /dev/urand
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow rsync_t to manage all non auth files
- Allow certmonger to manage home cert files
- Allow user_mail_domains to write certain files to the /root and ~/ directories
- Allow apcuspd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgoups directories
- Add new access for mythtv
- Allow irc_t to execute shell and bin-t files:
- Allow smbd_t to signull cluster
- Allow sssd to read systemd_login_var_run_t
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t  in rasdaemon policy
- Updated rasdaemon policy
- Allow virt_domains to read cert files
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libivrt
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Additional fixes for docker.te
- Allow cobblerd to read/write undionly.kpxe located in /var/lib/tftpboot
- Add tftp_write_rw_content/tftp_read_rw_content interfaces
- Allow amanda to do backups over UDP
2014-01-06 07:31:14 +01:00
Miroslav Grepl
804870d8a3 policy-rawhide-contrib-apache-content.patch is no longer needed. Merged to policy-rawhide-contrib.patch. 2014-01-06 06:56:06 +01:00
Dan Walsh
70c60d82d0 Fix usage of semanage import line 2014-01-02 14:17:35 -05:00
Lukas Vrabec
162a2c3802 Added speech-dispatcher to modules-targeted-contrib.conf 2013-12-20 15:28:27 +01:00
Miroslav Grepl
e0c1a1b49f Turn on mirrormanager policy 2013-12-19 21:10:46 +01:00
Miroslav Grepl
a8441cafab Fix userdom_manage_home_texlive() interface 2013-12-16 14:10:25 +01:00
Miroslav Grepl
b305c2adc0 Fix mozilla.te 2013-12-16 13:42:56 +01:00
Miroslav Grepl
fa3915aa88 Additional fixes for docker.te 2013-12-16 12:38:58 +01:00
Miroslav Grepl
1fe4113ea7 Fix docker policy 2013-12-16 12:25:11 +01:00
Miroslav Grepl
c9394c3ea7 Add selinux/minimum/contexts/users/sysadm_u also for minimum policy 2013-12-16 12:05:05 +01:00
Miroslav Grepl
74b303ea26 Fix spec file 2013-12-13 15:10:55 +01:00
Miroslav Grepl
2397102af8 - Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipm
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
2013-12-12 17:23:54 +01:00
Lukas Vrabec
0dc67d04d6 Added vmtools to modules-targeted-contrib.conf 2013-12-10 11:26:08 +01:00
Miroslav Grepl
4b8334da4c - DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Allow conman to connect to freeipmi services and clean up conman policy
- Allow conmand just bind on 7890 port
- Add freeipmi_stream_connect() interface
- Allow logwatch read madm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Added policy for conmand
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix aliases in pegasus.te
- Allow chrome sandbox to read generic cache files in homedir
- Dontaudit mandb searching all mountpoints
- Make sure wine domains create .wine with the correct label
- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t
- Allow windbind the kill capability
- DRM master and input event devices are used by  the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
- Make sure wine domains create .wine with the correct label
- Allow manage dirs in kernel_manage_debugfs interface.
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
- Fix userdom_confined_admin_template()
- Add back exec_content boolean for secadm, logadm, auditadm
- Fix files_filetrans_system_db_named_files() interface
- Allow sulogin to getattr on /proc/kcore
- Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
2013-12-09 08:16:07 +01:00
Lukas Vrabec
5689bdb03b Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-12-06 11:18:21 +01:00
Lukas Vrabec
d487bf5144 Added conman to modules-targeted-contrib.conf 2013-12-06 11:17:48 +01:00
Miroslav Grepl
6de8b20964 Add freeipmi policy 2013-12-06 10:00:23 +01:00
Lukas Vrabec
65289ba44b Added ninfod and openwsman to modules-targeted-contrib.conf 2013-12-05 15:43:22 +01:00
Miroslav Grepl
676f0e4eb9 - Add back fixes for gnome_role_template()
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Add missing alias for pegasus_openlmi_service_exec_t
- Added support for rdisc unit file
- Added new policy for ninfod
- Added new policy for openwsman
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Add connectto perm for NM unix stream socket
- Allow watchdog to be executed from cron
- Allow cloud_init to transition to rpm_script_t
- Allow lsmd_plugin_t send system log messages
- Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT polic
- Added new capabilities for mip6d policy
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
2013-12-03 22:01:54 +01:00
Miroslav Grepl
d61adff49b - Add lsmd_plugin_t for lsm plugins
- Allow dovecot-deliver to search mountpoints
- Add labeling for /etc/mdadm.conf
- Allow opelmi admin providers to dbus chat with init_t
- Allow sblim domain to read /dev/urandom and /dev/random
- Add back exec_content boolean for secadm, logadm, auditadm
- Allow sulogin to getattr on /proc/kcore
2013-11-26 18:41:01 +01:00
Miroslav Grepl
04c55cf070 Add glusterd_brick_t type 2013-11-26 13:12:08 +01:00
Miroslav Grepl
c9b9ed2c4d - Add filename transition also for servicelog.db-journal
- Add files_dontaudit_access_check_root()
- Add lvm_dontaudit_access_check_lock() interface
- Allow mount to manage mount_var_run_t files/dirs
- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level
- Make sure boot.log is created with the correct label
- call logging_relabel_all_log_dirs() in systemd.te
- Allow systemd_tmpfiles to relabel log directories
- Allow staff_t to run frequency command
- Allow staff_t to read xserver_log file
- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f.
- Label hsperfdata_root as tmp_t
- Add plymouthd_create_log()
- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6
- Allow sssd to request the kernel loads modules
- Allow gpg_agent to use ssh-add
- Allow gpg_agent to use ssh-add
- Dontaudit access check on /root for myslqd_safe_t
- Add glusterd_brick_t files type
- Allow ctdb to getattr on al filesystems
- Allow abrt to stream connect to syslog
- Allow dnsmasq to list dnsmasq.d directory
- Watchdog opens the raw socket
- Allow watchdog to read network state info
- Dontaudit access check on lvm lock dir
- Allow sosreport to send signull to setroubleshootd
- Add setroubleshoot_signull() interface
- Fix ldap_read_certs() interface
- Allow sosreport all signal perms
- Allow sosreport to run systemctl
- Allow sosreport to dbus chat with rpm
- Allow zabbix_agentd to read all domain state
- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom
- Allow smoltclient to execute ldconfig
- Allow sosreport to request the kernel to load a module
- Clean up rtas.if
- Clean up docker.if
- drop /var/lib/glpi/files labeling in cron.fc
- Added new policy for rasdaemon
2013-11-26 11:42:42 +01:00
Miroslav Grepl
6789507ff9 Turn on docker policy 2013-11-22 11:42:15 +01:00
Lukas Vrabec
a2db29cc4f Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-11-21 17:36:29 +01:00
Lukas Vrabec
3e4e5fbcd1 Added rasdaemon module to modules-targeted-contrib.conf 2013-11-21 17:35:26 +01:00
Dan Walsh
ae07faa147 Turn off F20 permissive domains, add docker 2013-11-21 09:20:24 -05:00
Lukas Vrabec
8fd86ca941 Added new policies to permissivedomains.te 2013-11-21 12:07:26 +01:00
Lukas Vrabec
ba211c8644 Added new policies to modules-targeted-contrib.conf 2013-11-21 11:13:23 +01:00
Miroslav Grepl
3abf0519c2 * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-5
- Add back /dev/shm labeling
2013-11-18 16:59:45 +01:00
Miroslav Grepl
d20212ac4f * Mon Nov 18 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-4
- Fix gnome_role_template() interface
2013-11-18 15:25:06 +01:00
Miroslav Grepl
4fc70e284d - Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh 2013-11-14 22:05:22 +01:00
Dan Walsh
164fa392ee Fix config.tgz to include lxc_contexts and systemd_contexts 2013-11-14 11:05:22 -05:00
Dan Walsh
025a8d6267 Add back correct lxc_contexts and systemd_contexts 2013-11-14 11:03:00 -05:00
Miroslav Grepl
269ef098f1 * Wed Nov 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-1
- Update to upstream
2013-11-13 16:05:06 +01:00
Miroslav Grepl
0f9b0de389 Upload new upstream sources 2013-11-13 15:27:57 +01:00
Miroslav Grepl
73ec2c3819 - Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state
- Allow procmail_t to connect to dovecot stream sockets
- Allow cimprovagt service providers to read network states
- Add labeling for /var/run/mariadb
- pwauth uses lastlog() to update system's lastlog
- Allow account provider to read login records
- Add support for texlive2013
- More fixes for user config files to make crond_t running in userdomain
- Add back disable/reload/enable permissions for system class
- Fix manage_service_perms macro
- Allow passwd_t to connect to gnome keyring to change password
- Update mls config files to have cronjobs in the user domains
- Remove access checks that systemd does not actually do
2013-11-12 12:26:06 +01:00
Miroslav Grepl
e4104d9fc0 Upload updated config.tgz 2013-11-12 12:22:03 +01:00
Miroslav Grepl
73e97a2955 Rebuild permissivedomains.pp with correct selinux-policy-devel pkg 2013-11-12 11:42:46 +01:00
Miroslav Grepl
9637dbab40 Rebuild permisivedomains.pp 2013-11-12 10:09:09 +01:00
Miroslav Grepl
2918baa1a7 Update config.tgz to make cronjob running in userdomain on MLS system 2013-11-11 22:09:41 +01:00
Miroslav Grepl
90f92647e0 * Fri Nov 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
2013-11-08 21:39:31 +01:00
Miroslav Grepl
c872e59953 - Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
- Allow x86_energy_perf  tool to modify the MSR
- Fix /var/lib/dspam/data labeling
- Allow pegasus to domtrans to mount_t
- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
- Add support for unconfined watchdog scripts
- Allow watchdog to manage own log files
2013-11-06 23:12:50 +01:00
Miroslav Grepl
c5e7e5bb30 - Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
2013-11-06 09:11:46 +01:00