Commit Graph

78 Commits

Author SHA1 Message Date
Lukas Vrabec
e5fd601a61 Set default value as true in boolean mozilla_plugin_can_network_connect. 2015-11-27 16:21:05 +01:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
Dan Walsh
42bb16fcc9 Shut off httpd_tty_comm by default since this is handled by systemd now 2012-08-02 09:37:12 -04:00
Miroslav Grepl
4a27edfbeb Sync master with F17 2012-06-06 15:25:27 +02:00
Dan Walsh
05c3d969d7 Add lxc context definitions 2012-04-17 13:07:16 -04:00
Dan Walsh
a2e8b9ca5d Turn on deny_ptrace boolean for the Rawhide run, so we can test this out 2012-01-24 09:30:07 -05:00
Dan Walsh
e58227a2b3 Turn back on allow_execmem boolean 2011-11-08 08:47:34 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
402e7b8a4a Default telepath to allow it to connect to network ports 2011-04-21 18:26:23 -04:00
Dan Walsh
909fadb618 Remove policy-f15.patch and turn off authlogin_nsswitch_use_ldap 2011-03-24 13:34:26 -04:00
Dan Walsh
fc15ca86d1 Allow_gssd_read_tmp should be turned on 2011-01-17 17:16:05 -05:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
5bcd7aa5b3 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
2010-11-30 16:24:01 -05:00
Miroslav Grepl
4eb45ebeaa - Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
2010-11-18 17:37:29 +01:00
Dan Walsh
fbd9ca071a - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
1d153ea0ea - Fix up Xguest policy 2010-09-22 18:36:47 -04:00
Dan Walsh
ea3b7b5dff - Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
2010-09-16 18:00:00 -04:00
Daniel J Walsh
3f1005a67d - Make boot with systemd in enforcing mode 2010-07-15 20:04:35 +00:00
Daniel J Walsh
bca242c772 - Add xdm_var_run_t to xserver_stream_connect_xdm
- Add cmorrord and mpd policy from Miroslav Grepl
2010-06-02 19:36:11 +00:00
Daniel J Walsh
a72c31df34 - Update to upstream 2010-03-18 15:47:35 +00:00
Daniel J Walsh
89ad5ea38f - Turn on puppet policy
- Update to dgrift git policy
2010-01-14 21:49:18 +00:00
Daniel J Walsh
ee88b050c5 - Add asterisk policy back in 2009-11-20 16:55:54 +00:00
Daniel J Walsh
85582d623f - Allow users to exec restorecond 2009-09-25 18:47:07 +00:00
Daniel J Walsh
72bc25da0e - Allow xserver to use netlink_kobject_uevent_socket 2009-09-07 01:29:07 +00:00
Daniel J Walsh
9c270225e5 - Add policycoreutils-python to pre install 2009-08-18 12:34:26 +00:00
Daniel J Walsh
cbedd06c12 - Add kdump policy for Miroslav Grepl
- Turn off execstack boolean
2009-08-12 20:09:21 +00:00
Daniel J Walsh
867473ac62 - Add kdump policy for Miroslav Grepl
- Turn off execstack boolean
2009-08-10 18:22:10 +00:00
Bill Nottingham
ac7bbfa65a - Turn on execstack on a temporary basis (#512845) 2009-08-07 19:36:54 +00:00
Daniel J Walsh
9160520a0e - Allow certmaster to override dac permissions 2009-07-27 22:09:57 +00:00
Daniel J Walsh
d982e7e091 - Fixes for podsleuth 2009-04-18 12:13:36 +00:00
Daniel J Walsh
1d1c058a4e - Add git web policy 2009-02-10 16:08:36 +00:00
Daniel J Walsh
6a09cfb688 - Allow hal/pm-utils to look at /var/run/video.rom
- Add ulogd policy
2008-11-05 18:26:36 +00:00
Daniel J Walsh
d8e5d05b6e - Allow openoffice execstack/execmem privs 2008-10-28 20:06:14 +00:00
Daniel J Walsh
4450ddb039 - Fixes for logrotate, alsa 2008-07-30 13:44:15 +00:00
Daniel J Walsh
fbea0df606 add init_upstart boolean 2008-05-19 17:48:06 +00:00
Daniel J Walsh
2d8ff5157a - Remove old booleans from targeted-booleans.conf file 2008-04-28 21:24:59 +00:00
Daniel J Walsh
5a576e06f0 - Allow passwd to communicate with user sockets to change gnome-keyring 2008-04-08 19:17:28 +00:00
Daniel J Walsh
27943de6a0 - Allow radvd to use fifo_file
- dontaudit setfiles reading links
- allow semanage sys_resource
- add allow_httpd_mod_auth_ntlm_winbind boolean
- Allow privhome apps including dovecot read on nfs and cifs home dirs if
    the boolean is set
2008-04-05 10:39:06 +00:00
Daniel J Walsh
b7229ad8bb - Prepare policy for beta release
- Change some of the system domains back to unconfined
- Turn on some of the booleans
2008-02-28 05:01:51 +00:00
Daniel J Walsh
8d4af9d064 - Fixes from yum-cron
- Update to latest upstream
2008-02-20 22:44:00 +00:00
Daniel J Walsh
7c2be34d14 - Allow usertypes to read/write noxattr file systems 2008-01-28 16:48:49 +00:00
Daniel J Walsh
7330e86b90 - Update to upstream 2007-11-10 14:14:41 +00:00
Daniel J Walsh
cd8aa3b448 - Update to upstream 2007-10-24 19:31:28 +00:00
Daniel J Walsh
d50690ad8f - Update to upstream 2007-10-24 03:29:53 +00:00
Daniel J Walsh
fa0d1c8884 - Update to upstream 2007-10-23 23:13:09 +00:00
Daniel J Walsh
8fd9df6414 - Remove homedir_template 2007-10-05 19:47:10 +00:00
Daniel J Walsh
922f646a26 - Remove homedir_template 2007-10-05 11:43:46 +00:00
Daniel J Walsh
0f8f545d1a - Fix prelink to handle execmod 2007-07-24 14:39:01 +00:00