Commit Graph

717 Commits

Author SHA1 Message Date
Chris PeBenito
0041a78ef7 Remove cgroup_t usage in cgroup_admin() since it is not owned by the module. 2010-06-08 09:12:03 -04:00
Chris PeBenito
04dcd73fe3 Whitespace fixes in cgroup and init. 2010-06-08 08:47:26 -04:00
Dominick Grift
ddf821332f add libcg policy.
Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Chris PeBenito
29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito
7934ac10d3 Module version bump for 1184392 and more.
* module version bump
* make apache and unconfined portions optiona
* rearrange lines
2010-05-24 13:08:09 -04:00
Chris PeBenito
ca28376c4d Module version bump for 7942f7f. 2010-05-24 13:08:09 -04:00
Chris PeBenito
bdf5e19931 Module version bump for 383bd32. 2010-05-24 13:08:09 -04:00
Chris PeBenito
63583f4e29 Module version bump for f61ef24. 2010-05-24 13:08:09 -04:00
Chris PeBenito
a107f875bd Remove redundant optional and libs_* calls in clogd. 2010-05-24 13:08:08 -04:00
Chris PeBenito
dcb7227286 Module version bump for 51ad76f. 2010-05-24 13:08:08 -04:00
Jeremy Solt
6430c79a29 whitespace fix for clogd 2010-05-24 13:08:08 -04:00
Jeremy Solt
6055ab8d1d clogd policy from Dan Walsh
edits:
 - style and whitespace fixes
 - removed read_lnk_files_pattern from shm interface
 - removed permissive line
2010-05-24 13:08:08 -04:00
Jeremy Solt
7a8e6a8fba whitespace fixes for cluster suite patch 2010-05-24 13:08:08 -04:00
Jeremy Solt
21d23c878e Removed unnecessary comments
Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces
2010-05-24 13:08:08 -04:00
Jeremy Solt
538cf9ab83 Redhat Cluster Suite Policy from Dan Walsh
Edits:
 - Style and whitespace fixes
 - Removed interfaces for default_t from ricci.te - this didn't seem right
 - Removed link files from rgmanager_manage_tmpfs_files
 - Removed rdisc.if patch. it was previously committed
 - Not including kernel_kill interface call for rgmanager
 - Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
 - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
2010-05-24 13:08:08 -04:00
Jeremy Solt
37194ac055 dnsmasq patch from Dan Walsh
- cron_manage_pid_files call removed until further explanation
2010-05-24 13:08:07 -04:00
Jeremy Solt
4ac0cd30fa Remove nagios_rw_inherited_tmp_files interface 2010-05-24 13:08:07 -04:00
Jeremy Solt
99bbe34881 Nagios patch from Dan Walsh
Edits:
- Removed permissive lines
- Removed tunable for broken symptoms
- Style and whitespace fixes
2010-05-24 13:08:07 -04:00
Jeremy Solt
599e8ff702 Create type and allow squid to manage its own tmpfs files 2010-05-24 13:08:07 -04:00
Jeremy Solt
d86c09846b squid patch from Dan Walsh
Edits:
 - Added netport to corenetwork.te.in
2010-05-24 13:08:07 -04:00
Jeremy Solt
fb543d0df1 remove rules for nx_server_home_ssh_t since they are already provided by the ssh template 2010-05-24 13:08:07 -04:00
Jeremy Solt
316cdb1d0d nx patch from Dan Walsh
Edits:
 - Style and whitespace fixes
 - Removed read_lnk_files_pattern from nx_read_home_files
 - Delete declaration of nx_server_home_ssh_t and files_type since the template already does this
2010-05-24 13:08:07 -04:00
Chris PeBenito
d9e4cbd2ce Postfix patch from Dan Walsh. 2010-05-21 08:56:49 -04:00
Chris PeBenito
9ea85eaa8b Sendmail patch from Dan Walsh. 2010-05-20 08:36:38 -04:00
Chris PeBenito
b276e36914 Procmail patch from Dan Walsh. 2010-05-20 08:17:06 -04:00
Chris PeBenito
e19b8d1c2e MTA patch from Dan Walsh. 2010-05-19 09:00:39 -04:00
Chris PeBenito
088b65e52b SSH patch from Dan Walsh. 2010-05-19 08:31:17 -04:00
Chris PeBenito
4e698b0fca Cups patch from Dan Walsh. 2010-05-18 10:59:37 -04:00
Chris PeBenito
1b2f08ea10 Abrt patch from Dan Walsh. 2010-05-18 10:18:12 -04:00
Chris PeBenito
e9e43f04b3 Plymouthd policy from Dan Walsh. 2010-05-18 09:54:18 -04:00
Chris PeBenito
b0c2cae14a Hal patch from Dan Walsh.
Lots of random access for hal.
2010-05-18 09:06:36 -04:00
Chris PeBenito
299db7080c CVS patch from Dan Walsh.
cvs needs dac_override when it tries to read shadow
2010-05-14 10:24:11 -04:00
Chris PeBenito
bcc6e65421 SETroubleshoot patch from Dan Walsh.
Policy to handle the fixit button in setroubleshoot.
2010-05-13 13:22:53 -04:00
Chris PeBenito
ada61e1529 Asterisk patch from Dan Walsh.
asterisk_manage_lib_files(logrotate_t)
    asterisk_exec(logrotate_t)

Needs net_admin

Drops capabilities
connects to unix_stream

execs itself

Requests kernel load modules

Execs shells

Connects to postgresql and snmp ports

Reads urand and generic usb devices

Has mysql and postgresql back ends
sends mail
2010-05-13 11:35:58 -04:00
Chris PeBenito
24e0b9b3a4 Munin patch from Dan Walsh. 2010-05-13 11:20:54 -04:00
Chris PeBenito
27afb97c29 Minor fixes on a2524cf. Module version bump. 2010-05-11 08:33:04 -04:00
Chris PeBenito
aeb7a4e180 Whitespace fixes on cobbler. 2010-05-11 08:23:02 -04:00
Jeremy Solt
a2524cfa77 cobbler patch from Dan Walsh 2010-05-11 08:17:33 -04:00
Chris PeBenito
fb3fc9e4f0 Cyrus patch from Dan Walsh. 2010-05-03 15:14:50 -04:00
Chris PeBenito
4804cd43a0 Clamav patch from Dan Walsh. 2010-05-03 15:01:35 -04:00
Chris PeBenito
d8eb3c71c6 Dovecot patch from Dan Walsh. 2010-05-03 14:37:19 -04:00
Chris PeBenito
baea7b1dc6 Networkmanager patch from Dan Walsh. 2010-05-03 14:01:26 -04:00
Chris PeBenito
a3108c60c0 Consolekit patch from Dan Walsh. 2010-05-03 10:21:48 -04:00
Chris PeBenito
b0076a1413 Arpwatch patch from Dan Walsh. 2010-05-03 09:49:33 -04:00
Chris PeBenito
98ac98623c Dbus patch from Dan Walsh. 2010-05-03 09:34:42 -04:00
Chris PeBenito
61738f11ec Devicekit patch from Dan Walsh. 2010-05-03 09:01:46 -04:00
Chris PeBenito
87a9469fc9 Add networking rules for spamd to connect to mysql/postgresql over the network, from Chris St. Pierre. 2010-04-27 10:31:47 -04:00
Chris PeBenito
45696ab282 Add missing secmark rules in ntop, from Dominick Grift. 2010-04-27 09:31:30 -04:00
Chris PeBenito
a53c6c65a4 FTP patch from Dan Walsh. 2010-04-26 15:15:23 -04:00
Chris PeBenito
d7ebbd9d22 Module version bump for 34838aa. 2010-04-26 13:40:21 -04:00
Jeremy Solt
34838aa62a Samba patch from Dan Walsh
- signal interfaces
 - fusefs support
 - bug 566984: getattrs on all blk and chr files

Did not include:
 - changes related to samba_unconfined_script_t and samba_unconfined_net_t
 - samba_helper_template (didn't appear to be used)
 - manage_lnk_files_pattern in samba_manage_var_files
 - signal allow rule in samba_domtrans_winbind_helper
 - samba_role_notrans
 - userdom_manage_user_home_content

Some style and spacing fixes
2010-04-26 13:28:21 -04:00
Chris PeBenito
05a2e3e2d7 Lircd patch from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
e07fbc004d Add DenyHosts from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
44b3808ba5 Djbdns patch from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
5c3274d7bf Module version bump for 4b121a5. 2010-04-19 10:23:11 -04:00
Chris PeBenito
46879922d8 Additional whitespace fix in nis. 2010-04-19 10:20:19 -04:00
Jeremy Solt
f49fc19e5a Style changes 2010-04-19 10:19:46 -04:00
Jeremy Solt
4b121a5f53 nis patch from Dan Walsh
Made a couple style changes.
Removed unnecessary require in nis_use_ypbind interface
2010-04-19 10:19:44 -04:00
Chris PeBenito
da5940411c Additional whitespace fixes in certmonger. 2010-04-19 10:17:24 -04:00
Jeremy Solt
0e5494a3d9 Fix some whitespace and style issues. 2010-04-19 10:07:20 -04:00
Jeremy Solt
33793ec2ce certmonger policy from Dan Walsh
Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues
2010-04-19 10:07:17 -04:00
Chris PeBenito
86ff008754 Module version bump for 4f7b413. 2010-04-19 10:05:22 -04:00
Jeremy Solt
e6e2a769ac Remove excess white space from ntop.te
Move ntop ports declaration to correct location.
2010-04-19 09:55:01 -04:00
Jeremy Solt
4f7b413cdc Ntop policy from Dan Walsh
Added alias for ntop_http_content_t in apache
Pulled in ntop port from corenetwork patch
2010-04-19 09:54:58 -04:00
Chris PeBenito
98759716fe Module version bump for 46e16a2. 2010-04-19 09:54:13 -04:00
Jeremy Solt
d86d4f6069 Move optional policy to correct location for style 2010-04-19 09:50:42 -04:00
Jeremy Solt
01bfe1d20e kerberos patch from Dan Walsh 2010-04-19 09:50:39 -04:00
KaiGai Kohei
ec8d32c8e9 [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.

In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.

And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
2010-04-12 10:37:21 -04:00
Chris PeBenito
23ad802a9d Module version bump for 5d3214f and 795b733. 2010-04-12 10:01:39 -04:00
Jeremy Solt
795b733a71 pcscd patch from Dan Walsh: manage pub files and fifo files 2010-04-12 09:10:37 -04:00
Jeremy Solt
5d3214f5a9 gpsd path from Dan Walsh 2010-04-12 09:07:50 -04:00
Dominick Grift
91b12ad94c Move kernel_request_load_module(gssd_t) to the proper place.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:22 -04:00
Dominick Grift
6d9925c872 Fix requires for apache tmp interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:12 -04:00
Chris PeBenito
b577852a98 Portreserve patch from Dan Walsh. 2010-04-05 14:50:23 -04:00
Chris PeBenito
38db49c545 PPP patch from Dan Walsh. 2010-04-05 14:38:30 -04:00
Chris PeBenito
372acd0037 Rpc patch from Dan Walsh. 2010-04-05 14:26:21 -04:00
Chris PeBenito
20fa703294 Whitespace fixes on Apache. 2010-04-05 14:05:05 -04:00
Chris PeBenito
da0608ba38 Module version bump for 170a46d, f8b3b7f, and a49a82c. 2010-04-05 13:49:00 -04:00
Chris PeBenito
b7d3db1860 Tweak for 170a46d. 2010-04-05 13:48:01 -04:00
Jeremy Solt
a49a82c295 snort patch from Dan Walsh
Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
2010-04-05 13:46:11 -04:00
Jeremy Solt
f8b3b7fa48 Nut policy from Dan Walsh
Dropped optional policy for shutdown_domtrans
Dropped commented can_exec line
2010-04-05 13:45:31 -04:00
Jeremy Solt
170a46d6c5 memcached patch from Dan Walsh
Moved term_dontaudits up for style
2010-04-05 13:43:58 -04:00
Chris PeBenito
60def66b13 Second part of Apache patch from Dan Walsh. 2010-04-05 10:57:52 -04:00
Chris PeBenito
83caba3eb9 First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files. 2010-04-01 08:17:50 -04:00
Chris PeBenito
25d81d2655 Tor patch from Dan Walsh. 2010-03-29 14:30:52 -04:00
Chris PeBenito
2b93b88584 Sssd patch from Dan Walsh. 2010-03-29 14:08:52 -04:00
Chris PeBenito
ee2d2dda24 Add usbmuxd from Dan Walsh. 2010-03-29 13:29:18 -04:00
Chris PeBenito
6d4dbd20ae Vhostmd from Dan Walsh. 2010-03-29 11:25:06 -04:00
Chris PeBenito
bf54d5be44 Module version bumps for c586c1b, dcbb332, 4c05dff, 84ce9c3, 2b012ba, and 1868383. 2010-03-29 09:21:59 -04:00
Chris PeBenito
ad0071bbe4 Tweaks on pulseaudio 1868383, ksmtuned d279dd6, and smokeping f3c346c. 2010-03-29 09:19:40 -04:00
Jeremy Solt
f3c346cc07 Smokeping policy from Dan Walsh
Made some style / spacing changes
Did not include read access to /etc/shadow
Removed manage_var_run and manage_var_lib interfaces
Removed permissive line
2010-03-29 08:46:30 -04:00
Jeremy Solt
d279dd603f ksmtuned policy from Dan Walsh
Couple style/space fixes.
Used ps_process_pattern in admin interface
2010-03-29 08:36:53 -04:00
Jeremy Solt
2b012bacb6 Prelude patch from Dan Walsh 2010-03-29 08:36:15 -04:00
Jeremy Solt
84ce9c3333 Bluetooth patch (sys_admin and debugfs) from Dan Walsh
Added comments to reference redhat bugs
2010-03-29 08:36:05 -04:00
Jeremy Solt
4c05dff3d1 avahi patch from Dan Walsh
Didn't include the file read in the dbus_chat interface.
2010-03-29 08:36:00 -04:00
Jeremy Solt
dcbb332992 chronyd patch from Dan Walsh
Fixed a couple style/spacing issues.
Added files_search_etc for chronyd_keys file
2010-03-29 08:35:52 -04:00
Jeremy Solt
c586c1bfa6 Give dcc setgid from Dan Walsh 2010-03-29 08:35:34 -04:00
Chris PeBenito
7656af7a6f Module version bump for c37d843. 2010-03-23 08:07:19 -04:00
Chris PeBenito
be8311279e Minor bind XML tweaks. 2010-03-23 08:05:00 -04:00
Jeremy Solt
c37d843fa1 bind patch from Dan Walsh
some fixes in interfaces, added bind_setattr_zone_dirs interface
sysnet_read_config not needed with auth_use_nsswitch

Did not include init_read_script_tmp_files for named_t
2010-03-23 08:01:05 -04:00
Chris PeBenito
390b8a821b Radvd patch from Dan Walsh. 2010-03-22 15:19:50 -04:00
Chris PeBenito
1b22152c2c Rdisc patch from Dan Walsh. 2010-03-22 15:09:27 -04:00
Chris PeBenito
6c40309ef1 Module version bump for 1d348bd. 2010-03-22 13:53:24 -04:00
Jeremy Solt
1d348bd253 Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh 2010-03-22 13:52:19 -04:00
Chris PeBenito
cf7eb082d2 Sasl patch from Dan Walsh. 2010-03-22 11:22:25 -04:00
Chris PeBenito
449d2069ac Snmp patch from Dan Walsh. 2010-03-22 11:08:31 -04:00
Chris PeBenito
08d7c7339b Sysstat patch from Dan Walsh. 2010-03-22 10:47:41 -04:00
Chris PeBenito
98ac3f5ace Telnet patch from Dan Walsh. 2010-03-22 10:40:37 -04:00
Chris PeBenito
461b53e028 Tuned patch from Dan Walsh. 2010-03-22 10:33:31 -04:00
Chris PeBenito
7630200e1b Virt patch from Dan Walsh. 2010-03-22 10:24:34 -04:00
Chris PeBenito
064d1b469e Rename rtkit_schedule() to rtkit_scheduled(). 2010-03-22 09:54:58 -04:00
Chris PeBenito
e13a9ef5fe Module version bump for ac19f1a. 2010-03-22 08:59:04 -04:00
Chris PeBenito
c7a4cf3179 Module version bump for 9681df1. 2010-03-22 08:58:41 -04:00
Chris PeBenito
32103f250f Module version bump for d3b5907. 2010-03-22 08:58:20 -04:00
Chris PeBenito
340af119b0 Minor tweaks on icecast. 2010-03-22 08:56:32 -04:00
Jeremy Solt
584dfaca45 icecast policy from Dan Walsh
Fixed some style and spacing issues
Replace manage_var_run interface with manage_pid_files with fewer permissions
Replaced rkit_daemon_system_domain with rtkit_schedule
2010-03-22 08:49:54 -04:00
Jeremy Solt
ac19f1ac26 rtkit patch from Dan Walsh:
rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process.
Needs sys_nice capability
Needs to getsched on all domains.
Fix bug in te file

Me:
changed interface name from rtkit_daemon_system_domain to rtkit_schedule
Already had sys_nice capability
2010-03-22 08:41:42 -04:00
Jeremy Solt
9681df1c8d postgresql patch from Dan Walsh:
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"

Moved signal interface for style.
2010-03-22 08:39:15 -04:00
Jeremy Solt
d3b5907ea4 openvpn needs ipc_lock capability, connects to http ports,
and manages net_conf_t files - from Dan Walsh
2010-03-22 08:36:47 -04:00
Chris PeBenito
47293bd8d6 Tftp patch from Dan Walsh. 2010-03-19 15:56:14 -04:00
Chris PeBenito
788ba75491 Uucp patch from Dan Walsh. 2010-03-19 15:49:12 -04:00
Chris PeBenito
bed0a44560 Zebra patch from Dan Walsh. 2010-03-19 15:45:25 -04:00
Chris PeBenito
7b50b7053d Module version bump for 6a03548. 2010-03-17 09:42:46 -04:00
Jeremy Solt
6a035482dc amavis uses uptime which reads utmp, and reads certs - from Dan Walsh 2010-03-17 09:41:18 -04:00
Chris PeBenito
827060cb04 Style fixes and module version bumps for 38fc1bd. 2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180 Likewise policy.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
2a62db7883 Module version bump for 414a570. 2010-03-16 15:28:36 -04:00
Jeremy Solt
414a5704df fetchmail executes programs in bin (uname), from Dan Walsh 2010-03-16 15:27:40 -04:00
Chris PeBenito
5911f3dbca Module version bump for 935151a. 2010-03-16 14:35:09 -04:00
Chris PeBenito
9a59893e5a Module version bump for d7ec247. 2010-03-16 14:34:23 -04:00
Chris PeBenito
9570fc108e Module version bump for 591af7b. 2010-03-16 14:34:05 -04:00
Chris PeBenito
1656bf730f Whitespace fixes in mailman. 2010-03-16 13:51:51 -04:00
Jeremy Solt
935151afcd Change kernel_load_module to kernel_request_load_module for howl from Dan Walsh 2010-03-16 13:44:55 -04:00
Jeremy Solt
d7ec24785b File context update for certmaster from Dan Walsh 2010-03-16 13:44:50 -04:00
Jeremy Solt
591af7be0c file context updates from Dan Walsh 2010-03-16 13:44:48 -04:00
Chris PeBenito
fce868d074 Module version bump for f7d413a. 2010-03-16 13:15:00 -04:00
Chris PeBenito
bf140fc32c Rearrange interfaces in fail2ban. 2010-03-16 13:14:46 -04:00
Jeremy Solt
f7d413af27 fail2ban_stream_connect and fail2ban_rw_stream_sockets from Dan Walsh
Did not include dontaudit_leaks interface
Modified fail2ban_rw_stream_sockets to use rw_stream_socket_perms set
2010-03-16 11:44:35 -04:00
Chris PeBenito
ce0570dc6d Module version bump for e172614. 2010-03-12 11:42:28 -05:00
Chris PeBenito
9e506eb236 Rearrange lines in alsa an mysql. 2010-03-12 08:59:23 -05:00
Chris PeBenito
e172614b57 Whitespace cleanup on mysql.if. 2010-03-12 08:55:34 -05:00
Jeremy Solt
12a6a53f63 mysql policy from Dan Walsh
My changes to patch:
A couple changes to match style.
Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
2010-03-12 08:54:29 -05:00
Chris PeBenito
30496b1575 Iscsi and tgtd patches from Dan Walsh. 2010-03-09 15:17:16 -05:00
Dominick Grift
183f79e38e Fix cobbler_admin interface to require cobblerd_initrc_exec_t.
As per: http://oss.tresys.com/pipermail/refpolicy/2010-March/002258.html

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-04 14:12:41 -05:00
Chris PeBenito
ec0205ff73 Module version bump for e1e78df. 2010-03-04 09:18:04 -05:00
Chris PeBenito
b7070a9f3d Module version bump for 52b215f. 2010-03-04 09:18:04 -05:00
Chris PeBenito
cb6385d0ba Module version bump for cf5e81d. 2010-03-04 09:18:04 -05:00
Chris PeBenito
c4faa1db8e Module version bump for 96b7e9f. 2010-03-04 09:18:04 -05:00
Chris PeBenito
812f30af02 Module version bump for a005018. 2010-03-04 09:18:04 -05:00
Chris PeBenito
4931c57e4b Add additional comments for e1e78df. 2010-03-04 09:18:04 -05:00