Commit Graph

5293 Commits

Author SHA1 Message Date
Miroslav
e91d876567 +- Fixes related to /bin, /sbin
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exc
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contex
+- More fixes for rhev_agentd_t consolehelper policy
2011-12-06 21:59:27 +01:00
Dan Walsh
4ad2743642 Remove nsplugin, merged into mozilla_plugin 2011-12-02 14:30:23 -05:00
Dan Walsh
5305bd3265 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-12-02 14:29:16 -05:00
Dan Walsh
102fd0dcb4 Eliminate nsplugin from F17 2011-12-02 14:28:57 -05:00
Miroslav
4fe804b367 +- Use fs_use_xattr for squashf
+-  Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
2011-12-01 18:25:51 +01:00
Miroslav
e5768e0fb6 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
2011-11-29 14:16:11 +01:00
Dan Walsh
e9119eedac Let firewallgui read the selinux config 2011-11-28 21:37:22 -05:00
Miroslav
51bad8c183 Disable nsplugin also in MLS 2011-11-28 21:29:12 +01:00
Miroslav
63c9fddde2 Fix typo in the puppetmaster policy 2011-11-28 16:07:19 +01:00
Miroslav
0ca57d1d0a - Disable nsplugin module 2011-11-28 15:54:55 +01:00
Miroslav
218172dd16 nsplugin is no longer used 2011-11-28 15:23:57 +01:00
Miroslav
234df65f40 +- Allow mcelog_t to create dir and file in /var/run and label it
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file s
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/wri
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
2011-11-23 13:05:10 +01:00
Dan Walsh
628fb6b378 Merge nsplugin with mozilla_plugin 2011-11-17 13:31:47 -05:00
Dan Walsh
3c81e30995 Merge 2011-11-16 10:58:53 -05:00
Dan Walsh
74900d5a94 Add guest home spec 2011-11-16 10:58:16 -05:00
Miroslav
19d3c68d0d - Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to steam connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
2011-11-16 14:20:04 +01:00
Miroslav
68f1456925 - Pulseaudio changes
- Merge patches
2011-11-11 17:11:46 +01:00
Dan Walsh
076e5ffeff Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-11-11 08:17:37 -05:00
dwalsh
4501de4407 Checkin patches to git repository 2011-11-11 08:16:39 -05:00
Dan Walsh
c68d7aa77c Add blueman policy 2011-11-11 08:15:48 -05:00
Dan Walsh
6b27a2e362 Add denyexecmem patch 2011-11-10 09:21:38 -05:00
Dan Walsh
4147fe8cd2 Remove allow_execmem boolean and replace with deny_execmem boolean 2011-11-08 16:35:55 -05:00
Dan Walsh
90160938e2 Turn back on allow_execmem boolean 2011-11-08 16:33:10 -05:00
Dan Walsh
e58227a2b3 Turn back on allow_execmem boolean 2011-11-08 08:47:34 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
653590a3f2 MCS fixes
quota fixes
2011-11-04 16:40:38 -04:00
Dan Walsh
c30a9b8718 MCS fixes
quota fixes
2011-11-04 16:10:54 -04:00
Dan Walsh
55e8d8e7cf MCS fixes
quota fixes
2011-11-04 15:36:01 -04:00
Dan Walsh
8f22f8efc5 MCS fixes
quota fixes
2011-11-04 15:27:05 -04:00
Dan Walsh
01e90f94b8 MCS fixes
quota fixes
2011-11-04 13:36:24 -04:00
Dan Walsh
0b72d16e07 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	policy-F16.patch
	selinux-policy.spec
2011-11-04 13:34:59 -04:00
Dan Walsh
8872d3d2ac MCS fixes
quota fixes
2011-11-04 13:31:43 -04:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
Dan Walsh
5717c509f3 change qemu_t to svirt_t in mls config file virtual machines, remove config data 2011-11-03 11:29:41 -04:00
dwalsh
d5bededc4d Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:23:55 -04:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
38087df72c Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 14:06:19 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
a1db2ce026 Remove qemu.pp again without causing a crash 2011-10-27 09:33:50 -04:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Dan Walsh
3dcddab74d Allow firewallgui to read /etc/selinux/config 2011-10-24 13:39:32 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
fbfb5e985d Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:53:02 -04:00
Dan Walsh
1a2b4d14f1 Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:44:31 -04:00
Dan Walsh
f875d285bd Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:37:11 -04:00
Dan Walsh
62727652eb Policy update should not modify local contexts 2011-10-21 10:28:58 -04:00