Commit Graph

64 Commits

Author SHA1 Message Date
Dan Walsh
4e6b3f6dd9 Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
Allow confined users to read xdm_etc_t files
Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:21:54 -04:00
Dan Walsh
e027e93f2c More typos 2010-09-23 17:39:31 -04:00
Dan Walsh
7c94a3ab0d Allow consolehelper to read fonts and config files in user homedir 2010-09-23 15:14:34 -04:00
Dan Walsh
5d82597463 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-22 16:46:04 -04:00
Dan Walsh
6ed3f15e82 Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
Allow shutdown to write utmp and search /var/log
Allow mozilla_plugin to send nsplugin signals
Split out samba_run_unconfined_net from unconfined_domain stuff.  TO allow unconfined.pp module to be removed
Allow nrpe to send signal and sigkill to the plugins
Fix up xguest to allow it to read hwdata and gconf_etc_t
Allow initrc_t to manage faillog
2010-09-22 16:42:32 -04:00
Dominick Grift
fc0d3d55f8 Merge branch 'base' 2010-09-21 13:57:06 +02:00
Dominick Grift
0eef2ca0f7 Use brace extension where possible.
Use brace extension where possible.
2010-09-21 13:50:00 +02:00
Dominick Grift
69d1431276 Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-21 13:50:00 +02:00
Dominick Grift
2a724571c9 Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.
2010-09-21 13:49:58 +02:00
Dominick Grift
2528a2d701 Replace type and attributes statements by comma delimiters where possible.
Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.
2010-09-21 13:47:30 +02:00
Miroslav Grepl
d15b40a537 Fixed badly chosen type of interface for some interfaces 2010-09-21 09:09:43 +02:00
Dominick Grift
9c9e4c8180 This is a role capability.
This is a role capability.

This is a role capability.

Signed-off-by: Dominick Grift <domg472@gmail.com>

This is a role capability.

This is a role capability.
2010-09-16 12:18:34 +02:00
Dominick Grift
2f94f46028 Replace type and attributes statements by comma delimiters where possible.
Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Replace type and attributes statements by comma delimiters where possible.

Replace type and attributes statements by comma delimiters where possible.
2010-09-16 12:18:33 +02:00
Dominick Grift
59c0340548 Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-16 12:18:33 +02:00
Dominick Grift
f92662114a Search parent directory to be able to interact with target content.
Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.

Search parent directory to be able to interact with target content.
2010-09-16 12:18:33 +02:00
Dominick Grift
b0e9aaafb9 This is not a role capability.
This is not a role capability.

Signed-off-by: Dominick Grift <domg472@gmail.com>

This is not a role capability.
2010-09-16 12:18:31 +02:00
Dominick Grift
a3d20a3c3a Use relabel permission sets where possible. 2010-09-16 12:18:31 +02:00
Dominick Grift
2d102f8402 Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 12:18:31 +02:00
Dominick Grift
60d27bf8ab Tunable, optional, if(n)def block go below.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-16 10:43:14 +02:00
Dan Walsh
dfe675b8f7 Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
f79af26649 fix bad patch in xserver 2010-09-08 10:25:03 -04:00
Dan Walsh
0745e42559 fix typo in xserver_stream_connect 2010-09-08 09:29:02 -04:00
Dan Walsh
f5b49a5e0b Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
09686dc8ee Allow all X apps to use direct dri if user_direct_dri boolean is turned on 2010-09-01 09:56:28 -04:00
Dan Walsh
c6fa935fd5 Fix sandbox tcp_socket calls to create_stream_socket_perms
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs.  Must allow them to create directories
2010-08-31 18:36:43 -04:00
Dan Walsh
ac498fa5d9 More fixes 2010-08-27 10:56:56 -04:00
Dan Walsh
3eaa993945 UPdate for f14 policy 2010-08-26 09:41:21 -04:00
Dominick Grift
288845a638 Services layer xml files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito
6246e7d30a Non-drawing X client support for consolekit. 2010-02-12 10:29:00 -05:00
Eamon Walsh
5025a463cf Drop the xserver_unprotected interface.
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them.  But since the
default user type is unconfined this problem has gone away for now.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-30 08:55:58 -04:00
Eamon Walsh
5242ecceac X Object Manager policy revisions to xserver.if.
X Object Manager policy revisions to xserver.if.

This commit consists of two parts:

1. Revisions to xserver_object_types_template and
   xserver_common_x_domain_template.  This reflects the dropping
   of many of the specific event, extension, and property types.

2. New interfaces:
   xserver_manage_core_devices: Gives control over core mouse/keyboard.
   xserver_unprotected: Allows all clients to access a domain's X objects.
   Modified interfaces:
   xserver_unconfined: Added x_domain typeattribute statement.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:26 -04:00
Chris PeBenito
4279891d1f patch from Eamon Walsh to remove useage of deprecated xserver interfaces. 2009-08-28 13:40:29 -04:00
Chris PeBenito
93c49bdb04 deprecate userdom_xwindows_client_template
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
2009-08-28 13:29:36 -04:00
Chris PeBenito
3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito
ff8f0a63f4 trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00
Chris PeBenito
296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito
82d2775c92 trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00
Chris PeBenito
2cca6b79b4 trunk: remove redundant shared lib calls. 2008-10-17 17:31:04 +00:00
Chris PeBenito
12c61f36f4 trunk: 7 patches from dan, 1 from eamon. 2008-10-06 17:27:49 +00:00
Chris PeBenito
21ea2b1884 trunk: firstboot update from dan. 2008-09-12 15:54:11 +00:00
Chris PeBenito
0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito
5f63dd12a3 trunk: fix xconsole rw interface. 2007-12-04 15:11:53 +00:00
Chris PeBenito
c0cf6e0a6e trunk: clean up nsswitch usage, from dan. 2007-12-04 15:05:55 +00:00
Chris PeBenito
ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito
350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito
e5e55ace89 trunk, strict-targeted-merge: add mmap_zero to xserver domains. 2007-06-28 12:34:08 +00:00
Chris PeBenito
1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito
4967aaa320 Miscellaneous consolekit fixes from Dan Walsh. 2007-05-03 14:15:38 +00:00