dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Allow to create /var/lock/.keep. This prevents Portage from destroying /var/lock under certain conditions. This patch is Gentoo specific.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var. This is never used by update-modules.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
Fix various interfaces to use permission sets for compatiblity with open permission.
Also use other permission sets where possible just because applicable permissions sets are available and the use of permission sets is encourage generally for compatibility.
The use of exec_file_perms permission set may be not be a good idea though since it may be a bit too coarse.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.
Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t.
As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.
Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
