Dominick Grift
d8d33a15bf
Permission to search generic pid directories is included with files_pid_filetrans.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
0540e22fcc
Use ps_process_pattern to read state. Permission to search proc_t directories is required to read automount state.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dan Walsh
9461b60657
Add the ability to send audit messages to confined admin policies
...
Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
2010-09-15 11:31:20 -04:00
Miroslav Grepl
3b0a9c74bb
Allow iscsid to manage tgtd semaphores
2010-09-15 16:50:07 +02:00
Chris PeBenito
fee48647ac
Module version bump for c17ad38
2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c
radvd patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1
snort patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8
stunnel patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3
zabbix patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5
zebra patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9
certmaster patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a
pcscd patch from Dan Walsh
...
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326
postgresql patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2
postgrey patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c
prelude patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
b8097d6ec4
amavis patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf
arpwatch patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0
canna patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7
certmonger patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302
courier patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450
dcc patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a
style change to djbdns.te
2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd
fetchmail patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e
icecast patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa
nslcd patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764
nut patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac
openct patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Dan Walsh
c2dae98501
Allow a couple of sandbox issues.
...
Remove postgresql managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
2010-09-14 10:02:43 -04:00
Dan Walsh
5ef740e54b
Fix gnome_setattr_config_home
...
Allow exec of sandbox_file_type by calling apps
Fix typos
2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941
Fix some names in passenger policy
2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290
Move passenger policy to services
2010-09-13 15:10:30 +02:00
Dan Walsh
536f28a2bf
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
2010-09-13 08:43:40 -04:00
Dan Walsh
1a40cbf63e
Fix boolean descriptions
2010-09-13 08:43:35 -04:00
Miroslav Grepl
3a3212619a
Allow dovecot-deliver to create tmp files
...
Allow tor to send signals to itself
2010-09-13 13:12:24 +02:00
Miroslav Grepl
d7de04f8d4
- Add passenger policy
2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855
Fix cert calls in telepath, boinc, kerberos
...
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/admin/amanda.if
policy/modules/system/init.te
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/userdomain.if
2010-09-10 13:02:25 -04:00
Dan Walsh
0b8f4cfe16
More fixes for mozilla_plugin_t
...
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802
Module version bumps for cert patch.
2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1
Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags.
2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
...
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because I do not know exactly which domains I will not change any other domains call to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8
Allow hugetlbfs_t to be on device_t file system
...
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00
Dan Walsh
8e47c02b16
fixes for openvpn suggested by dgrift
2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345
Allow mozilla_plugin to create nsplugin_home_t directories
...
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Dan Walsh
5f5963be01
add policy for ajaxterm
2010-09-09 07:11:32 -04:00
Dan Walsh
4c38170781
add policy for ajaxterm
2010-09-09 07:10:24 -04:00
Dan Walsh
ee4b1e0aad
Allow crond to manage user_spool_cron_t link files
...
Allow init to delete dbus message.pid
Allow init and udev to create hugetlbfs directories
2010-09-08 17:54:31 -04:00
Dan Walsh
a75a591e52
Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x
2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7
Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
...
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461
Cleanup warnings
2010-09-08 10:43:22 -04:00
Dan Walsh
689bfef3a8
Fix apache interface
2010-09-08 10:29:40 -04:00
Dan Walsh
f79af26649
fix bad patch in xserver
2010-09-08 10:25:03 -04:00
Dan Walsh
0745e42559
fix typo in xserver_stream_connect
2010-09-08 09:29:02 -04:00
Dan Walsh
db879987ca
Fix pootle
2010-09-07 16:32:23 -04:00
Dan Walsh
f5b49a5e0b
Allow iptables to read shorewall tmp files
...
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google video chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
ef98a37444
Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
...
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagios sends signal and sigkill to system_mail_t
2010-09-03 17:06:40 -04:00
Dan Walsh
a668127367
Allow certmaster to read usr_t files. All python apps are going to need this.
...
clvmd creates tmpfs files that corosync needs to communicate with
Allow dbus system services to search the cgroup_t directory
2010-09-02 13:38:00 -04:00
Dan Walsh
cbadf720ba
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/kernel/domain.if
policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Chris PeBenito
785ee7988c
Module version bump and changelog entry for conditional mmap_zero patch.
2010-09-01 10:08:09 -04:00
Chris PeBenito
a1b42052c9
Fix mmap_zero assertion violation in xserver.
2010-09-01 09:59:39 -04:00
Dan Walsh
09686dc8ee
Allow all X apps to use direct dri if user_direct_dri boolean is turned on
2010-09-01 09:56:28 -04:00
Dan Walsh
03527520de
firstboot is leaking a netlink_route socket into iptables. We need to dontaudit
...
tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
2010-09-01 09:47:50 -04:00
Dominick Grift
623e4f0885
1/1] Make the ability to mmap zero conditional where this is applicable.
...
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Dan Walsh
c6fa935fd5
Fix sandbox tcp_socket calls to create_stream_socket_perms
...
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t tries to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
2010-08-31 18:36:43 -04:00
Dan Walsh
4fccad906d
Allow qmail to use uucpd
...
Fixes found by Tom London for devicekit and udev using usbmuxd socket
2010-08-31 10:51:10 -04:00
Dan Walsh
5fb4db53ad
Add Miroslav Grepl patch for jabberd, adding new type for jabberd router.
2010-08-31 08:56:30 -04:00
Dan Walsh
5537e5558b
Apply Dominick Grift typo fixes
2010-08-30 17:32:41 -04:00
Dan Walsh
079779a634
Allow hald to transition to netutils
...
Block signal via mcs systems
2010-08-30 15:15:03 -04:00
Dan Walsh
ddcd5d6350
Dontaudit signals from sandbox domains to domains that transition to them
2010-08-30 13:32:47 -04:00
Dan Walsh
73f7d4f4a2
Fix spelling mistake
2010-08-30 11:30:00 -04:00
Dan Walsh
c71f02c02d
More fixes
2010-08-30 11:15:53 -04:00
Dan Walsh
2d4a79a061
Policy fixes
2010-08-30 08:57:06 -04:00
Dan Walsh
ac498fa5d9
More fixes
2010-08-27 10:56:56 -04:00
Dan Walsh
08e567dc56
Latest fixes
2010-08-26 20:30:04 -04:00
Dan Walsh
9561b0ab08
Update f14
2010-08-26 15:42:17 -04:00
Dan Walsh
4765a595e8
Fixes for f14
2010-08-26 15:29:37 -04:00
Dan Walsh
46c24a359b
ditto
2010-08-26 13:23:23 -04:00
Dan Walsh
aae38f05a6
whoya
2010-08-26 13:16:02 -04:00
Dan Walsh
2968e06818
Update f14
2010-08-26 12:55:57 -04:00
Dan Walsh
a947daf6df
Update f14
2010-08-26 10:27:35 -04:00
Dan Walsh
3eaa993945
Update for f14 policy
2010-08-26 09:41:21 -04:00
Chris PeBenito
00ca404a20
Remove unnecessary require on cgroup_admin().
2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42
Whitespace fixes on cgroup.
2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4
Confine /sbin/cgclear.
...
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift
288845a638
Services layer xml files.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
8da88970be
Accountsd cleanup.
2010-08-03 09:50:40 -04:00
Chris PeBenito
d0eebed0b7
Move accountsd to services.
2010-08-03 09:31:53 -04:00
Chris PeBenito
a7ee7f819a
Docs standardizing on the role portion of run interfaces. Additional docs cleanup.
2010-08-03 09:20:22 -04:00
Chris PeBenito
9d4395a736
MojoMojo from Lain Arnell.
2010-08-02 09:28:06 -04:00
Chris PeBenito
a72e42f485
Interface documentation standardization patch from Dan Walsh.
2010-08-02 09:22:09 -04:00
Chris PeBenito
29f3bfa464
Fix JIT usage for freshclam.
...
http://marc.info/?l=selinux&m=127893898208934&w=2
2010-07-13 08:39:54 -04:00
Chris PeBenito
4b76ea5f51
Module version bump for fa1847f.
2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2
Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
3c4e9fce8e
Make spamassassin optional for milter, from Russell Coker.
2010-07-07 08:55:57 -04:00
Chris PeBenito
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9
Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role().
2010-07-06 13:17:05 -04:00
Dominick Grift
7e5463b58c
fix cgroup_admin
...
When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-01 09:02:58 -04:00
Chris PeBenito
113d2e023d
Minor tweaks and module version bump for a00fc1c.
2010-06-25 09:51:34 -04:00
Dominick Grift
a00fc1c317
hddtemp fixes.
...
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-25 09:43:54 -04:00
Chris PeBenito
9a4d292902
Netutils patch from Dan Walsh.
...
ping gets leaked log descriptor from nagios.
Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83
AFS patch from Dan Walsh.
2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560
Abrt patch from Dan Walsh.
...
Abrt uses /var/spool/abrt now and changed the name of its lock
Now uses a stream socket
Installs debuginfo packages
sys_nice itself
2010-06-10 07:58:00 -04:00
Chris PeBenito
53f9abbe68
Clean up cgroup. Rename cgconfigparser to cgconfig.
2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7
Remove cgroup_t usage in cgroup_admin() since it is not owned by the module.
2010-06-08 09:12:03 -04:00
Chris PeBenito
04dcd73fe3
Whitespace fixes in cgroup and init.
2010-06-08 08:47:26 -04:00
Dominick Grift
ddf821332f
add libcg policy.
...
Libcgroup automates cgroup management.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
7934ac10d3
Module version bump for 1184392 and more.
...
* module version bump
* make apache and unconfined portions optional
* rearrange lines
2010-05-24 13:08:09 -04:00
Chris PeBenito
ca28376c4d
Module version bump for 7942f7f.
2010-05-24 13:08:09 -04:00
Chris PeBenito
bdf5e19931
Module version bump for 383bd32.
2010-05-24 13:08:09 -04:00
Chris PeBenito
63583f4e29
Module version bump for f61ef24.
2010-05-24 13:08:09 -04:00
Chris PeBenito
a107f875bd
Remove redundant optional and libs_* calls in clogd.
2010-05-24 13:08:08 -04:00
Chris PeBenito
dcb7227286
Module version bump for 51ad76f.
2010-05-24 13:08:08 -04:00
Jeremy Solt
6430c79a29
whitespace fix for clogd
2010-05-24 13:08:08 -04:00
Jeremy Solt
6055ab8d1d
clogd policy from Dan Walsh
...
edits:
- style and whitespace fixes
- removed read_lnk_files_pattern from shm interface
- removed permissive line
2010-05-24 13:08:08 -04:00
Jeremy Solt
7a8e6a8fba
whitespace fixes for cluster suite patch
2010-05-24 13:08:08 -04:00
Jeremy Solt
21d23c878e
Removed unnecessary comments
...
Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces
2010-05-24 13:08:08 -04:00
Jeremy Solt
538cf9ab83
Redhat Cluster Suite Policy from Dan Walsh
...
Edits:
- Style and whitespace fixes
- Removed interfaces for default_t from ricci.te - this didn't seem right
- Removed link files from rgmanager_manage_tmpfs_files
- Removed rdisc.if patch. it was previously committed
- Not including kernel_kill interface call for rgmanager
- Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
- Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
2010-05-24 13:08:08 -04:00
Jeremy Solt
37194ac055
dnsmasq patch from Dan Walsh
...
- cron_manage_pid_files call removed until further explanation
2010-05-24 13:08:07 -04:00
Jeremy Solt
4ac0cd30fa
Remove nagios_rw_inherited_tmp_files interface
2010-05-24 13:08:07 -04:00
Jeremy Solt
99bbe34881
Nagios patch from Dan Walsh
...
Edits:
- Removed permissive lines
- Removed tunable for broken symptoms
- Style and whitespace fixes
2010-05-24 13:08:07 -04:00
Jeremy Solt
599e8ff702
Create type and allow squid to manage its own tmpfs files
2010-05-24 13:08:07 -04:00
Jeremy Solt
d86c09846b
squid patch from Dan Walsh
...
Edits:
- Added netport to corenetwork.te.in
2010-05-24 13:08:07 -04:00
Jeremy Solt
fb543d0df1
remove rules for nx_server_home_ssh_t since they are already provided by the ssh template
2010-05-24 13:08:07 -04:00
Jeremy Solt
316cdb1d0d
nx patch from Dan Walsh
...
Edits:
- Style and whitespace fixes
- Removed read_lnk_files_pattern from nx_read_home_files
- Delete declaration of nx_server_home_ssh_t and files_type since the template already does this
2010-05-24 13:08:07 -04:00
Chris PeBenito
d9e4cbd2ce
Postfix patch from Dan Walsh.
2010-05-21 08:56:49 -04:00
Chris PeBenito
9ea85eaa8b
Sendmail patch from Dan Walsh.
2010-05-20 08:36:38 -04:00
Chris PeBenito
b276e36914
Procmail patch from Dan Walsh.
2010-05-20 08:17:06 -04:00
Chris PeBenito
e19b8d1c2e
MTA patch from Dan Walsh.
2010-05-19 09:00:39 -04:00
Chris PeBenito
088b65e52b
SSH patch from Dan Walsh.
2010-05-19 08:31:17 -04:00
Chris PeBenito
4e698b0fca
Cups patch from Dan Walsh.
2010-05-18 10:59:37 -04:00
Chris PeBenito
1b2f08ea10
Abrt patch from Dan Walsh.
2010-05-18 10:18:12 -04:00
Chris PeBenito
e9e43f04b3
Plymouthd policy from Dan Walsh.
2010-05-18 09:54:18 -04:00
Chris PeBenito
b0c2cae14a
Hal patch from Dan Walsh.
...
Lots of random access for hal.
2010-05-18 09:06:36 -04:00
Chris PeBenito
299db7080c
CVS patch from Dan Walsh.
...
cvs needs dac_override when it tries to read shadow
2010-05-14 10:24:11 -04:00
Chris PeBenito
bcc6e65421
SETroubleshoot patch from Dan Walsh.
...
Policy to handle the fixit button in setroubleshoot.
2010-05-13 13:22:53 -04:00
Chris PeBenito
ada61e1529
Asterisk patch from Dan Walsh.
...
asterisk_manage_lib_files(logrotate_t)
asterisk_exec(logrotate_t)
Needs net_admin
Drops capabilities
connects to unix_stream
execs itself
Requests kernel load modules
Execs shells
Connects to postgresql and snmp ports
Reads urand and generic usb devices
Has mysql and postgresql back ends
sends mail
2010-05-13 11:35:58 -04:00
Chris PeBenito
24e0b9b3a4
Munin patch from Dan Walsh.
2010-05-13 11:20:54 -04:00
Chris PeBenito
27afb97c29
Minor fixes on a2524cf. Module version bump.
2010-05-11 08:33:04 -04:00
Chris PeBenito
aeb7a4e180
Whitespace fixes on cobbler.
2010-05-11 08:23:02 -04:00
Jeremy Solt
a2524cfa77
cobbler patch from Dan Walsh
2010-05-11 08:17:33 -04:00
Chris PeBenito
fb3fc9e4f0
Cyrus patch from Dan Walsh.
2010-05-03 15:14:50 -04:00
Chris PeBenito
4804cd43a0
Clamav patch from Dan Walsh.
2010-05-03 15:01:35 -04:00
Chris PeBenito
d8eb3c71c6
Dovecot patch from Dan Walsh.
2010-05-03 14:37:19 -04:00
Chris PeBenito
baea7b1dc6
Networkmanager patch from Dan Walsh.
2010-05-03 14:01:26 -04:00
Chris PeBenito
a3108c60c0
Consolekit patch from Dan Walsh.
2010-05-03 10:21:48 -04:00
Chris PeBenito
b0076a1413
Arpwatch patch from Dan Walsh.
2010-05-03 09:49:33 -04:00
Chris PeBenito
98ac98623c
Dbus patch from Dan Walsh.
2010-05-03 09:34:42 -04:00
Chris PeBenito
61738f11ec
Devicekit patch from Dan Walsh.
2010-05-03 09:01:46 -04:00
Chris PeBenito
87a9469fc9
Add networking rules for spamd to connect to mysql/postgresql over the network, from Chris St. Pierre.
2010-04-27 10:31:47 -04:00
Chris PeBenito
45696ab282
Add missing secmark rules in ntop, from Dominick Grift.
2010-04-27 09:31:30 -04:00
Chris PeBenito
a53c6c65a4
FTP patch from Dan Walsh.
2010-04-26 15:15:23 -04:00
Chris PeBenito
d7ebbd9d22
Module version bump for 34838aa.
2010-04-26 13:40:21 -04:00
Jeremy Solt
34838aa62a
Samba patch from Dan Walsh
...
- signal interfaces
- fusefs support
- bug 566984: getattrs on all blk and chr files
Did not include:
- changes related to samba_unconfined_script_t and samba_unconfined_net_t
- samba_helper_template (didn't appear to be used)
- manage_lnk_files_pattern in samba_manage_var_files
- signal allow rule in samba_domtrans_winbind_helper
- samba_role_notrans
- userdom_manage_user_home_content
Some style and spacing fixes
2010-04-26 13:28:21 -04:00
Chris PeBenito
05a2e3e2d7
Lircd patch from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
e07fbc004d
Add DenyHosts from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
44b3808ba5
Djbdns patch from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
5c3274d7bf
Module version bump for 4b121a5.
2010-04-19 10:23:11 -04:00
Chris PeBenito
46879922d8
Additional whitespace fix in nis.
2010-04-19 10:20:19 -04:00
Jeremy Solt
f49fc19e5a
Style changes
2010-04-19 10:19:46 -04:00
Jeremy Solt
4b121a5f53
nis patch from Dan Walsh
...
Made a couple style changes.
Removed unnecessary require in nis_use_ypbind interface
2010-04-19 10:19:44 -04:00
Chris PeBenito
da5940411c
Additional whitespace fixes in certmonger.
2010-04-19 10:17:24 -04:00
Jeremy Solt
0e5494a3d9
Fix some whitespace and style issues.
2010-04-19 10:07:20 -04:00
Jeremy Solt
33793ec2ce
certmonger policy from Dan Walsh
...
Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues
2010-04-19 10:07:17 -04:00
Chris PeBenito
86ff008754
Module version bump for 4f7b413.
2010-04-19 10:05:22 -04:00
Jeremy Solt
e6e2a769ac
Remove excess white space from ntop.te
...
Move ntop ports declaration to correct location.
2010-04-19 09:55:01 -04:00
Jeremy Solt
4f7b413cdc
Ntop policy from Dan Walsh
...
Added alias for ntop_http_content_t in apache
Pulled in ntop port from corenetwork patch
2010-04-19 09:54:58 -04:00
Chris PeBenito
98759716fe
Module version bump for 46e16a2.
2010-04-19 09:54:13 -04:00
Jeremy Solt
d86d4f6069
Move optional policy to correct location for style
2010-04-19 09:50:42 -04:00
Jeremy Solt
01bfe1d20e
kerberos patch from Dan Walsh
2010-04-19 09:50:39 -04:00
KaiGai Kohei
ec8d32c8e9
[BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
...
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.
In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.
And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
2010-04-12 10:37:21 -04:00
Chris PeBenito
23ad802a9d
Module version bump for 5d3214f and 795b733.
2010-04-12 10:01:39 -04:00
Jeremy Solt
795b733a71
pcscd patch from Dan Walsh: manage pub files and fifo files
2010-04-12 09:10:37 -04:00
Jeremy Solt
5d3214f5a9
gpsd path from Dan Walsh
2010-04-12 09:07:50 -04:00
Dominick Grift
91b12ad94c
Move kernel_request_load_module(gssd_t) to the proper place.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:22 -04:00
Dominick Grift
6d9925c872
Fix requires for apache tmp interfaces.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:12 -04:00
Chris PeBenito
b577852a98
Portreserve patch from Dan Walsh.
2010-04-05 14:50:23 -04:00
Chris PeBenito
38db49c545
PPP patch from Dan Walsh.
2010-04-05 14:38:30 -04:00
Chris PeBenito
372acd0037
Rpc patch from Dan Walsh.
2010-04-05 14:26:21 -04:00
Chris PeBenito
20fa703294
Whitespace fixes on Apache.
2010-04-05 14:05:05 -04:00
Chris PeBenito
da0608ba38
Module version bump for 170a46d, f8b3b7f, and a49a82c.
2010-04-05 13:49:00 -04:00
Chris PeBenito
b7d3db1860
Tweak for 170a46d.
2010-04-05 13:48:01 -04:00
Jeremy Solt
a49a82c295
snort patch from Dan Walsh
...
Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
2010-04-05 13:46:11 -04:00
Jeremy Solt
f8b3b7fa48
Nut policy from Dan Walsh
...
Dropped optional policy for shutdown_domtrans
Dropped commented can_exec line
2010-04-05 13:45:31 -04:00
Jeremy Solt
170a46d6c5
memcached patch from Dan Walsh
...
Moved term_dontaudits up for style
2010-04-05 13:43:58 -04:00
Chris PeBenito
60def66b13
Second part of Apache patch from Dan Walsh.
2010-04-05 10:57:52 -04:00
Chris PeBenito
83caba3eb9
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 08:17:50 -04:00
Chris PeBenito
25d81d2655
Tor patch from Dan Walsh.
2010-03-29 14:30:52 -04:00
Chris PeBenito
2b93b88584
Sssd patch from Dan Walsh.
2010-03-29 14:08:52 -04:00
Chris PeBenito
ee2d2dda24
Add usbmuxd from Dan Walsh.
2010-03-29 13:29:18 -04:00
Chris PeBenito
6d4dbd20ae
Vhostmd from Dan Walsh.
2010-03-29 11:25:06 -04:00
Chris PeBenito
bf54d5be44
Module version bumps for c586c1b, dcbb332, 4c05dff, 84ce9c3, 2b012ba, and 1868383.
2010-03-29 09:21:59 -04:00
Chris PeBenito
ad0071bbe4
Tweaks on pulseaudio 1868383, ksmtuned d279dd6, and smokeping f3c346c.
2010-03-29 09:19:40 -04:00
Jeremy Solt
f3c346cc07
Smokeping policy from Dan Walsh
...
Made some style / spacing changes
Did not include read access to /etc/shadow
Removed manage_var_run and manage_var_lib interfaces
Removed permissive line
2010-03-29 08:46:30 -04:00
Jeremy Solt
d279dd603f
ksmtuned policy from Dan Walsh
...
Couple style/space fixes.
Used ps_process_pattern in admin interface
2010-03-29 08:36:53 -04:00
Jeremy Solt
2b012bacb6
Prelude patch from Dan Walsh
2010-03-29 08:36:15 -04:00
Jeremy Solt
84ce9c3333
Bluetooth patch (sys_admin and debugfs) from Dan Walsh
...
Added comments to reference redhat bugs
2010-03-29 08:36:05 -04:00
Jeremy Solt
4c05dff3d1
avahi patch from Dan Walsh
...
Didn't include the file read in the dbus_chat interface.
2010-03-29 08:36:00 -04:00
Jeremy Solt
dcbb332992
chronyd patch from Dan Walsh
...
Fixed a couple style/spacing issues.
Added files_search_etc for chronyd_keys file
2010-03-29 08:35:52 -04:00
Jeremy Solt
c586c1bfa6
Give dcc setgid from Dan Walsh
2010-03-29 08:35:34 -04:00
Chris PeBenito
7656af7a6f
Module version bump for c37d843.
2010-03-23 08:07:19 -04:00
Chris PeBenito
be8311279e
Minor bind XML tweaks.
2010-03-23 08:05:00 -04:00
Jeremy Solt
c37d843fa1
bind patch from Dan Walsh
...
some fixes in interfaces, added bind_setattr_zone_dirs interface
sysnet_read_config not needed with auth_use_nsswitch
Did not include init_read_script_tmp_files for named_t
2010-03-23 08:01:05 -04:00
Chris PeBenito
390b8a821b
Radvd patch from Dan Walsh.
2010-03-22 15:19:50 -04:00
Chris PeBenito
1b22152c2c
Rdisc patch from Dan Walsh.
2010-03-22 15:09:27 -04:00
Chris PeBenito
6c40309ef1
Module version bump for 1d348bd.
2010-03-22 13:53:24 -04:00
Jeremy Solt
1d348bd253
Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh
2010-03-22 13:52:19 -04:00
Chris PeBenito
cf7eb082d2
Sasl patch from Dan Walsh.
2010-03-22 11:22:25 -04:00
Chris PeBenito
449d2069ac
Snmp patch from Dan Walsh.
2010-03-22 11:08:31 -04:00
Chris PeBenito
08d7c7339b
Sysstat patch from Dan Walsh.
2010-03-22 10:47:41 -04:00
Chris PeBenito
98ac3f5ace
Telnet patch from Dan Walsh.
2010-03-22 10:40:37 -04:00
Chris PeBenito
461b53e028
Tuned patch from Dan Walsh.
2010-03-22 10:33:31 -04:00
Chris PeBenito
7630200e1b
Virt patch from Dan Walsh.
2010-03-22 10:24:34 -04:00
Chris PeBenito
064d1b469e
Rename rtkit_schedule() to rtkit_scheduled().
2010-03-22 09:54:58 -04:00
Chris PeBenito
e13a9ef5fe
Module version bump for ac19f1a.
2010-03-22 08:59:04 -04:00
Chris PeBenito
c7a4cf3179
Module version bump for 9681df1.
2010-03-22 08:58:41 -04:00
Chris PeBenito
32103f250f
Module version bump for d3b5907.
2010-03-22 08:58:20 -04:00
Chris PeBenito
340af119b0
Minor tweaks on icecast.
2010-03-22 08:56:32 -04:00
Jeremy Solt
584dfaca45
icecast policy from Dan Walsh
...
Fixed some style and spacing issues
Replace manage_var_run interface with manage_pid_files with fewer permissions
Replaced rkit_daemon_system_domain with rtkit_schedule
2010-03-22 08:49:54 -04:00
Jeremy Solt
ac19f1ac26
rtkit patch from Dan Walsh:
...
rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process.
Needs sys_nice capability
Needs to getsched on all domains.
Fix bug in te file
Me:
changed interface name from rtkit_daemon_system_domain to rtkit_schedule
Already had sys_nice capability
2010-03-22 08:41:42 -04:00
Jeremy Solt
9681df1c8d
postgresql patch from Dan Walsh:
...
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"
Moved signal interface for style.
2010-03-22 08:39:15 -04:00
Jeremy Solt
d3b5907ea4
openvpn needs ipc_lock capability, connects to http ports,
...
and manages net_conf_t files - from Dan Walsh
2010-03-22 08:36:47 -04:00
Chris PeBenito
47293bd8d6
Tftp patch from Dan Walsh.
2010-03-19 15:56:14 -04:00
Chris PeBenito
788ba75491
Uucp patch from Dan Walsh.
2010-03-19 15:49:12 -04:00
Chris PeBenito
bed0a44560
Zebra patch from Dan Walsh.
2010-03-19 15:45:25 -04:00
Chris PeBenito
7b50b7053d
Module version bump for 6a03548.
2010-03-17 09:42:46 -04:00
Jeremy Solt
6a035482dc
amavis uses uptime which reads utmp, and reads certs - from Dan Walsh
2010-03-17 09:41:18 -04:00
Chris PeBenito
827060cb04
Style fixes and module version bumps for 38fc1bd.
2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180
Likewise policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
2a62db7883
Module version bump for 414a570.
2010-03-16 15:28:36 -04:00
Jeremy Solt
414a5704df
fetchmail executes programs in bin (uname), from Dan Walsh
2010-03-16 15:27:40 -04:00
Chris PeBenito
5911f3dbca
Module version bump for 935151a.
2010-03-16 14:35:09 -04:00
Chris PeBenito
9a59893e5a
Module version bump for d7ec247.
2010-03-16 14:34:23 -04:00
Chris PeBenito
9570fc108e
Module version bump for 591af7b.
2010-03-16 14:34:05 -04:00
Chris PeBenito
1656bf730f
Whitespace fixes in mailman.
2010-03-16 13:51:51 -04:00
Jeremy Solt
935151afcd
Change kernel_load_module to kernel_request_load_module for howl from Dan Walsh
2010-03-16 13:44:55 -04:00
Jeremy Solt
d7ec24785b
File context update for certmaster from Dan Walsh
2010-03-16 13:44:50 -04:00
Jeremy Solt
591af7be0c
file context updates from Dan Walsh
2010-03-16 13:44:48 -04:00
Chris PeBenito
fce868d074
Module version bump for f7d413a.
2010-03-16 13:15:00 -04:00
Chris PeBenito
bf140fc32c
Rearrange interfaces in fail2ban.
2010-03-16 13:14:46 -04:00
Jeremy Solt
f7d413af27
fail2ban_stream_connect and fail2ban_rw_stream_sockets from Dan Walsh
...
Did not include dontaudit_leaks interface
Modified fail2ban_rw_stream_sockets to use rw_stream_socket_perms set
2010-03-16 11:44:35 -04:00
Chris PeBenito
ce0570dc6d
Module version bump for e172614.
2010-03-12 11:42:28 -05:00
Chris PeBenito
9e506eb236
Rearrange lines in alsa and mysql.
2010-03-12 08:59:23 -05:00
Chris PeBenito
e172614b57
Whitespace cleanup on mysql.if.
2010-03-12 08:55:34 -05:00
Jeremy Solt
12a6a53f63
mysql policy from Dan Walsh
...
My changes to patch:
A couple changes to match style.
Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
2010-03-12 08:54:29 -05:00
Chris PeBenito
30496b1575
Iscsi and tgtd patches from Dan Walsh.
2010-03-09 15:17:16 -05:00
Dominick Grift
183f79e38e
Fix cobbler_admin interface to require cobblerd_initrc_exec_t.
...
As per: http://oss.tresys.com/pipermail/refpolicy/2010-March/002258.html
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-04 14:12:41 -05:00
Chris PeBenito
ec0205ff73
Module version bump for e1e78df.
2010-03-04 09:18:04 -05:00
Chris PeBenito
b7070a9f3d
Module version bump for 52b215f.
2010-03-04 09:18:04 -05:00