Commit Graph

99 Commits

Author SHA1 Message Date
Miroslav
68079f6d89 +- Add labeling for /var/run/systemd/journal/syslog
+- libvirt sends signals to ifconfig
+- Allow domains that read logind session files to list them
2012-01-11 20:37:45 +01:00
Miroslav
ecab259899 Fix typo in xserver_filetrans_admin_home_content() 2012-01-11 14:13:28 +01:00
Miroslav
0149a53fbb Fix typo in xserver_filetrans_home_content() 2012-01-11 13:42:28 +01:00
Miroslav
69a8d0687a - Fixed destined form libvirt-sandbox
- Allow apps that list sysfs to also read symbolic links in this filesystem
- Add ubac_constrained rules for chrome_sandbox
- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
- Allow postgresql to be executed by the caller
- Standardize interfaces of daemons
- Add new labeling for mm-handler
- Allow all matahari domains to read network state and etc_runtime_t files
2012-01-11 13:13:07 +01:00
Miroslav
b3ef57fc19 - New fix for seunshare, requires seunshare_domains to be able to mounton /
- Allow systemctl running as logrotate_t to connect to private systemd socket
- Allow tmpwatch to read meminfo
- Allow rpc.svcgssd to read supported_krb5_enctype
- Allow zarafa domains to read /dev/random and /dev/urandom
- Allow snmpd to read dev_snmp6
- Allow procmail to talk with cyrus
- Add fixes for check_disk and check_nagios plugins
2012-01-04 15:58:41 +01:00
Miroslav Grepl
67539d56f8 - default trans rules for Rawhide policy
- Make sure sound_devices controlC* are labeled correctly on creation
- sssd now needs sys_admin
- Allow snmp to read all proc_type
- Allow to setup users homedir with quota.group
2011-12-20 19:41:35 +01:00
Miroslav
cd251939af - Add httpd_can_connect_ldap() interface
- apcupsd_t needs to use serial ports connected to usb devic
- Kde puts procmail mail directory under ~/.local/share
- nfsd_t can trigger sys_rawio on tests that involve too man
- Add labeling for /sbin/iscsiuio
2011-12-19 13:49:27 +01:00
Miroslav
7c693b0afa +- Add label for /var/lib/iscan/interpreter
+- Don't audit writes to leaked file descriptors or redirected output for nacl
+- NetworkManager needs to write to /sys/class/net/ib*/mode
2011-12-14 10:32:29 +01:00
Miroslav
d17f759dd0 - Allow abrt to request the kernel to load a module
- Make sure mozilla content is labeled correctly
- Allow tgtd to read system state
- More fixes for boinc
  * allow to resolve dns name
  * re-write boinc policy to use boinc_domain attribute
- Allow munin services plugins to use NSCD services
2011-12-13 11:26:04 +01:00
Miroslav
202bb4cfa3 +- Allow mozilla_plugin_t to manage mozilla_home_t
+- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
+- Add label for tumblerd
2011-12-08 17:15:52 +01:00
Miroslav
1094d02fe9 - Fixes for xguest package 2011-12-07 18:40:29 +01:00
Miroslav
e91d876567 +- Fixes related to /bin, /sbin
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exc
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contex
+- More fixes for rhev_agentd_t consolehelper policy
2011-12-06 21:59:27 +01:00
Miroslav
4fe804b367 +- Use fs_use_xattr for squashf
+- Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
2011-12-01 18:25:51 +01:00
Miroslav
e5768e0fb6 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
2011-11-29 14:16:11 +01:00
Miroslav
63c9fddde2 Fix typo in the puppetmaster policy 2011-11-28 16:07:19 +01:00
Miroslav
0ca57d1d0a - Disable nsplugin module 2011-11-28 15:54:55 +01:00
Miroslav
234df65f40 +- Allow mcelog_t to create dir and file in /var/run and label it
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file s
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/wri
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
2011-11-23 13:05:10 +01:00
Miroslav
19d3c68d0d - Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
2011-11-16 14:20:04 +01:00
Miroslav
68f1456925 - Pulseaudio changes
- Merge patches
2011-11-11 17:11:46 +01:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_override to communicate with users' TTYs
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
62727652eb Policy update should not modify local contexts 2011-10-21 10:28:58 -04:00
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relabel tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib files
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
3b9467424f Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
2011-10-04 10:53:11 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Miroslav
af391ff269 Fixes for systemd unit files 2011-09-27 18:50:47 +02:00
Miroslav
02a8a402a1 - Make mta_role() active
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
2011-09-26 12:32:44 +02:00
Miroslav
f9c350238c +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
2011-09-23 13:57:44 +02:00
Miroslav
049fa4881e Remove duplicate declaration 2011-09-20 16:39:31 +02:00
Miroslav
dec0110c4c - Needs to require a new version of checkpolicy
- Interface fixes
2011-09-20 16:24:24 +02:00
Miroslav
40af2abfd0 - Allow sanlock to manage virt lib files
- Add virt_use_sanlock boolean
- ksmtuned is trying to resolve uids
- Make sure .gvfs is labeled user_home_t in the users home directory
- Sanlock sends kill signals and needs the kill capability
- Allow mockbuild to work on nfs homedirs
- Fix kerberos_manage_host_rcache() interface
- Allow exim to read system state
2011-09-16 15:09:15 +02:00
Miroslav
b3edab31fb - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
2011-09-14 16:11:08 +02:00
Miroslav
e8563b3245 +- Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content under /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
2011-09-13 16:17:16 +02:00
Miroslav
116a117fba - removing unconfined_notrans_t no longer necessary
- Clean up handling of secure_mode_insmod and secure_mode_policyload
- Remove unconfined_mount_t
2011-09-09 13:28:28 +02:00