rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2,426 Commits 8 Branches 96 Tags 37 MiB
68cda59844
Commit Graph

451 Commits

Author SHA1 Message Date
LABBE Corentin
0d700b0fa1 Gentoo dbus in libexec 2009-08-18 13:13:40 -04:00
LABBE Corentin
58cc9903dd Missing comma in policykit 2009-08-18 13:13:26 -04:00
Chris PeBenito
909922027b Debian policykit fixes from Martin Orr. 
The policykit binaries on Debian live in /usr/lib/policykit so add file
contexts for that.  Also a couple of policykit rules.
 2009-08-18 09:49:31 -04:00
Chris PeBenito
2a77737d4e Add missing rules to make unconfined_cronjob_t a valid cron job domain. 
Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain.  This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.
 2009-08-12 14:15:39 -04:00
Chris PeBenito
e335910197 Add missing compatibility aliases for xdm_xserver*_t types. 
When collapsing all of the xdm_xserver*_t types into xserver*_t, aliases for
compatibility were mistakenly not added to the policy.
 2009-08-05 11:17:53 -04:00
Chris PeBenito
9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito
50458c8bb7 pull most of fedora changes to rpc. 2009-07-29 14:55:30 -04:00
Chris PeBenito
0c89174f7f pull most of fedora changes to samba. 2009-07-29 14:40:34 -04:00
Chris PeBenito
363e8fb98a pull in part of fedora mta changes 2009-07-29 10:59:09 -04:00
Chris PeBenito
20c3ccee1a add fprintd module from dan. 2009-07-29 10:28:31 -04:00
Chris PeBenito
677c4c2fea add devicekit module from dan. 2009-07-29 10:02:06 -04:00
Chris PeBenito
4e7c0a93a6 consolekit patch from dan. 2009-07-29 09:13:54 -04:00
Chris PeBenito
33322290f2 automount patch from dan. 2009-07-29 08:59:26 -04:00
Chris PeBenito
8f3bddfbfd cups patch from dan. 2009-07-28 15:46:26 -04:00
Chris PeBenito
4be3e11094 pull in apache_admin() from fedora 2009-07-28 13:24:08 -04:00
Chris PeBenito
423a4a3a2c fix dbus type transition conflict. 
switch dbus ranged calls from daemon domain to system domain.  This works
around a type transition conflict.  It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
 2009-07-28 11:05:19 -04:00
Chris PeBenito
c7ae9ae1c8 Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy 2009-07-28 08:00:03 -04:00
Chris PeBenito
ebf3ec9063 snort patch from dan. 2009-07-27 16:04:10 -04:00
Chris PeBenito
708a74a212 oddjob patch from dan. 2009-07-27 10:52:20 -04:00
Chris PeBenito
fa50187c5e kerneloops patch from dan 2009-07-27 10:44:19 -04:00
Chris PeBenito
9de7c1706d hal patch from dan. 2009-07-27 10:18:50 -04:00
Chris PeBenito
fe1205a810 avahi patch from dan 2009-07-27 09:57:20 -04:00
Chris PeBenito
e04438840b dbus patch from dan 2009-07-27 09:46:35 -04:00
Chris PeBenito
09516cb4be remove read_default_t tunable 2009-07-23 08:58:35 -04:00
Chris PeBenito
13306f56b6 afs client patch from dan. 2009-07-21 10:11:03 -04:00
Chris PeBenito
b93a7dacca bluetooth patch from dan. 2009-07-21 10:10:47 -04:00
Chris PeBenito
ad0aea536b clamav patch from dan. 2009-07-21 10:10:31 -04:00
Chris PeBenito
92f08c7130 mailman patch from dan. 2009-07-21 10:10:17 -04:00
Chris PeBenito
1847443ea3 ricci patch from dan. 2009-07-21 10:10:00 -04:00
Chris PeBenito
d8822462c4 fix policykit interface 2009-07-21 10:09:14 -04:00
Chris PeBenito
7395f80119 ppp patch from dan 2009-07-20 15:41:19 -04:00
Chris PeBenito
4aa075262a kerberos patch from dan 2009-07-20 15:41:08 -04:00
Chris PeBenito
8f17f7c2ee dnsmasq patch from dan. 2009-07-20 15:40:57 -04:00
Chris PeBenito
93d300831d dhcp patch from dan 2009-07-20 15:40:41 -04:00
Chris PeBenito
af5374d3a5 policykit.if whitespace fix 2009-07-20 11:37:22 -04:00
Chris PeBenito
9e90ce33db add policykit from dan. 2009-07-20 11:15:09 -04:00
Chris PeBenito
b67201eae7 fix bad varnishd interface names 2009-07-20 09:44:25 -04:00
Chris PeBenito
7694abdff7 module version bump for f2583aa83b 2009-07-15 09:30:08 -04:00
Manoj Srivastava
f2583aa83b Remove duplicate distro_redhat context 
A recent update added an generic context for the lock files, so the
entry in distro_redhat can be removed.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
 2009-07-15 09:27:36 -04:00
Chris PeBenito
ce6fee6575 5 patches from dan 2009-07-14 10:30:22 -04:00
Chris PeBenito
10b03f376b three debian patches from manoj 2009-07-14 09:05:59 -04:00
Chris PeBenito
bb88161284 trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00
Chris PeBenito
45b975db5b trunk: add missing varnish port. 2009-06-30 17:48:15 +00:00
Chris PeBenito
50824a99ca trunk: pads from dan. 2009-06-30 15:03:20 +00:00
Chris PeBenito
46e2fa6d39 trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00
Chris PeBenito
267d9c60c5 trunk: varnishd from dan. 2009-06-30 13:49:53 +00:00
Chris PeBenito
3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito
20272c2b27 trunk: 7 patches from dan. 2009-06-26 13:22:39 +00:00
Chris PeBenito
c989807d4a trunk: nis patch from dan. 2009-06-25 15:16:29 +00:00
Chris PeBenito
c017ee17ab trunk: add sssd from dan. 2009-06-22 15:33:21 +00:00
Chris PeBenito
26410ddf54 trunk: remove unnecessary semicolons after interface/template calls. 2009-06-19 13:52:33 +00:00
Chris PeBenito
c9c0d846de trunk: Greylist milter from Paul Howarth. 2009-06-18 14:36:35 +00:00
Chris PeBenito
45515556d4 trunk: 10 patches from dan. 2009-06-12 19:44:10 +00:00
Chris PeBenito
a65fd90a50 trunk: 6 patches from dan. 2009-06-11 15:00:48 +00:00
Chris PeBenito
cca4a215fe trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00
Chris PeBenito
996779dfad trunk: 
The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.

The current security policy does not allow them to import/export any
largeobjects without any clear reason.

NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.

KaiGai Kohei
 2009-05-22 13:37:32 +00:00
Chris PeBenito
e0ea7b15ca trunk: 
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.

The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.

In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.

The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.

KaiGai Kohei
 2009-05-21 11:49:33 +00:00
Chris PeBenito
a01a4a7183 trunk: 
OK, the attached patch adds the following types for unprivileged clients.
 - unpriv_sepgsql_table_t
 - unpriv_sepgsql_sysobj_t
 - unpriv_sepgsql_proc_exec_t
 - unpriv_sepgsql_blob_t

These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.

In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.

KaiGai Kohei
 2009-05-21 11:28:14 +00:00
Chris PeBenito
80348b73a0 trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
Chris PeBenito
a47eb527e5 trunk: whitespace fix for squid.fc. 2009-05-11 12:07:07 +00:00
Chris PeBenito
350ed89156 se-postgresql update from kaigai 
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
 2009-05-07 12:35:32 +00:00
Chris PeBenito
da3ed0667f trunk: lircd from miroslav grepl 2009-05-06 15:09:46 +00:00
Chris PeBenito
c0f5fa011a trunk: whitespace fixes. 2009-05-06 14:44:57 +00:00
Chris PeBenito
3392356f36 trunk: 5 patches from dan. 2009-05-06 14:26:20 +00:00
Chris PeBenito
0cf1d56018 trunk: Milter state directory patch from Paul Howarth. 2009-04-21 20:40:45 +00:00
Chris PeBenito
a5ef553c2d trunk: 5 modules from dan. 2009-04-20 19:03:15 +00:00
Chris PeBenito
153fe24bdc trunk: 5 patches from dan. 2009-04-07 14:09:43 +00:00
Chris PeBenito
8f800d48df trunk: 14 patches from dan. 2009-03-23 14:56:43 +00:00
Chris PeBenito
3c9b2e9bc6 trunk: 6 patches from dan. 2009-03-19 17:56:10 +00:00
Chris PeBenito
e21bd28bc8 trunk: add mysql db lnk_file transition. 2009-03-11 11:59:04 +00:00
Chris PeBenito
da04234f32 trunk: 5 patches from dan. 2009-03-10 19:32:04 +00:00
Chris PeBenito
156204a385 trunk: Drop write permission from fs_read_rpc_sockets(). 2009-02-24 20:00:15 +00:00
Chris PeBenito
f79314234a trunk: 6 patches from dan. 2009-02-11 19:28:30 +00:00
Chris PeBenito
466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito
c1262146e0 trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00
Chris PeBenito
668b3093ff trunk: change network interface access from all to generic network interfaces. 2009-01-06 20:24:10 +00:00
Chris PeBenito
17ec8c1f84 trunk: bump module versions for release. 2008-12-10 19:38:10 +00:00
Chris PeBenito
3196971ae8 trunk: Fix consistency of audioentropy and iscsi module naming. 2008-12-09 16:47:33 +00:00
Chris PeBenito
9ff89c44e7 trunk: 2 patches from dan. 2008-12-04 15:01:12 +00:00
Chris PeBenito
ff8f0a63f4 trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00
Chris PeBenito
6073ea1e13 trunk: whitespace fix changing multiple spaces into tabs. 2008-12-03 18:33:19 +00:00
Chris PeBenito
a057e0462e trunk: fix missing xml parameter. 2008-12-03 15:51:53 +00:00
Chris PeBenito
fb4826f424 trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00
Chris PeBenito
b9e5238a24 trunk: add milter module from Paul Howarth. 2008-11-24 15:06:58 +00:00
Chris PeBenito
b3b607eb43 trunk: a fix on the previous commit. 2008-11-19 16:02:13 +00:00
Chris PeBenito
fcee22ad0d trunk: 5 patches from dan. 2008-11-19 15:24:10 +00:00
Chris PeBenito
01e9e7dbf5 trunk: 4 patches from dan. 2008-11-18 19:55:10 +00:00
Chris PeBenito
659c8650c7 trunk 2 patches from dan. 2008-11-17 15:48:12 +00:00
Chris PeBenito
7f49194215 trunk: Xserver MLS fix from Eamon Walsh. 2008-11-17 13:49:19 +00:00
Chris PeBenito
73c77e2c9b trunk: 2 fixes from martin orr. 2008-11-13 18:44:23 +00:00
Chris PeBenito
5843d066b6 trunk: 10 patches from dan. 2008-11-11 16:38:34 +00:00
Chris PeBenito
657c226c40 trunk: 7 patches from dan. 2008-11-06 22:36:50 +00:00
Chris PeBenito
ba796982df trunk: tweaks from russell and martin orr. 2008-11-06 15:01:15 +00:00
Chris PeBenito
296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito
82d2775c92 trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00
Chris PeBenito
2cca6b79b4 trunk: remove redundant shared lib calls. 2008-10-17 17:31:04 +00:00
Chris PeBenito
2a98379a24 trunk: additional whitespace fixes. 2008-10-17 15:52:39 +00:00
Chris PeBenito
0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito
5d4f4b5375 trunk: bump version numbers for release. 2008-10-14 15:46:36 +00:00
Chris PeBenito
74993c4dae trunk: 8 patches from dan. 2008-10-13 15:06:23 +00:00
Chris PeBenito
aa7c463e5d trunk: a pile of misc fixes. 2008-10-13 13:36:50 +00:00
Chris PeBenito
06099da657 trunk: 3 patches from dan. 2008-10-09 18:06:24 +00:00
Chris PeBenito
04d2861035 trunk: missing bits from dan's previous round of patches. 2008-10-09 14:01:53 +00:00
Chris PeBenito
967fd1ba3f trunk: 8 patches from dan. 2008-10-08 20:03:24 +00:00
Chris PeBenito
e87221cefe trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00
Chris PeBenito
ed8ae5ebeb trunk: fix typo 2008-10-06 18:33:44 +00:00
Chris PeBenito
12c61f36f4 trunk: 7 patches from dan, 1 from eamon. 2008-10-06 17:27:49 +00:00
Chris PeBenito
73edbc9101 trunk: add oident from dominick grift. 2008-10-06 14:01:59 +00:00
Chris PeBenito
6d8af27cad trunk: fix dupe fc. 2008-10-03 13:17:56 +00:00
Chris PeBenito
3daef6999a trunk: cvs update from dan. 2008-09-23 12:56:00 +00:00
Chris PeBenito
658f4d3dd9 trunk: rpcbind update from dan. 2008-09-18 18:09:34 +00:00
Chris PeBenito
fd49feff49 trunk: last bit of wpa_supplicant update from martin orr. 2008-09-18 15:06:29 +00:00
Chris PeBenito
c9824ec5ce trunk: remove incomplete sshd_extern. 2008-09-18 14:06:30 +00:00
Chris PeBenito
f5394cc3cb trunk: bind update from dan. 2008-09-15 17:02:57 +00:00
Chris PeBenito
48f6456344 trunk: rename labeled init scripts with initrc convention. 2008-09-15 14:20:20 +00:00
Chris PeBenito
a46b60549a trunk: squid update from dan. 2008-09-15 13:31:28 +00:00
Chris PeBenito
21ea2b1884 trunk: firstboot update from dan. 2008-09-12 15:54:11 +00:00
Chris PeBenito
36095d11ce trunk: kudzu and mta patches from dan. 2008-09-12 14:18:20 +00:00
Chris PeBenito
bc85e826ec trunk: promote networkmanager debian fc entries out of build options. 2008-09-12 12:14:52 +00:00
Chris PeBenito
8786916e8d trunk: ntp and setrans update from dan. 2008-09-11 14:54:40 +00:00
Chris PeBenito
52ceaaac6e trunk: Debian update for NetworkManager/wpa_supplicant from Martin Orr. 2008-09-11 14:02:53 +00:00
Chris PeBenito
ae3386373a trunk: networkmanager/ppp patch from dan. 2008-09-11 13:35:06 +00:00
Chris PeBenito
859135dcdd trunk: fix bad apcupsd interface name. 2008-09-09 15:56:26 +00:00
Chris PeBenito
54341818ac trunk: fix fail2ban init script regex. 2008-09-05 14:37:35 +00:00
Chris PeBenito
cdac989dee trunk: fail2ban update from dan. 2008-09-05 14:17:18 +00:00
Chris PeBenito
a71e136cc3 trunk: add cyphesis from dan. 2008-09-03 14:46:10 +00:00
Chris PeBenito
e40fa634b2 trunk: Logrotate and Bind updates from Vaclav Ovsik. 2008-09-03 14:12:56 +00:00
Chris PeBenito
9bcfb6dfa5 trunk: hplip uses dbus. 2008-08-29 14:25:09 +00:00
Chris PeBenito
24af9b1d34 trunk: inetd update from dan. 2008-08-29 13:21:53 +00:00
Chris PeBenito
c11057f7ae trunk: fedora update cherry picked by david hardeman. 2008-08-22 15:17:01 +00:00
Chris PeBenito
32f8ff393b trunk: add w3c from dan. 2008-08-21 13:52:52 +00:00
Chris PeBenito
93f445b8c0 trunk: firstboot update from dan. 2008-08-20 19:45:39 +00:00
Chris PeBenito
770c015f88 trunk: 2 patches from dan. 2008-08-14 15:10:41 +00:00
Chris PeBenito
3e59876583 trunk: 6 patches from the fedora policy, cherry picked by david hardeman. 2008-08-14 14:19:50 +00:00
Chris PeBenito
e0ed765c0e trunk: 3 patches from the fedora policy, cherry picked by David Hardeman. 2008-08-11 14:03:36 +00:00
Chris PeBenito
7aabe358f4 trunk: missed fixes on previous commit. 2008-08-07 14:45:37 +00:00
Chris PeBenito
8a948caf2b trunk: 11 more cherry picks from fedora policy, by david hardeman. 2008-08-07 14:17:50 +00:00
Chris PeBenito
b81bfc2651 trunk: Samba/winbind update from Mike Edenfield. 2008-08-05 12:54:11 +00:00
Chris PeBenito
dc1920b218 trunk: Database labeled networking update from KaiGai Kohei. 2008-07-25 04:07:09 +00:00
Chris PeBenito
6224fc1485 trunk: 7 patches from Fedora policy, cherry picked by david hrdeman. 2008-07-24 23:56:03 +00:00
Chris PeBenito
0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito
cfcf5004e5 trunk: bump versions for release. 2008-07-02 14:07:57 +00:00
Chris PeBenito
e311e23a44 trunk: Fix httpd_enable_homedirs to actually provide the access it is supposed to provide. 2008-07-01 13:57:53 +00:00
Chris PeBenito
5fe7de9ea9 trunk: apache script connections to postgres, from kaigai. 2008-06-25 13:03:59 +00:00
Chris PeBenito
f7eaeebbae trunk: more xml doc fixes. 2008-06-24 14:43:47 +00:00
Chris PeBenito
c5cfd2d405 trunk: Add unused interface/template parameter metadata in XML. 2008-06-24 14:23:40 +00:00
Chris PeBenito
8c6292b7a4 trunk: Patch to handle postfix data_directory from Vaclav Ovsik. 2008-06-24 13:21:35 +00:00
Chris PeBenito
7f4005e348 trunk: fix up stored procedure naming patch from kaigai. 2008-06-24 12:57:06 +00:00
Chris PeBenito
b1a903654f trunk: add missing requires. 2008-06-24 12:53:30 +00:00
Chris PeBenito
131634a581 trunk: podsleuth and hal updates from dan. 2008-06-17 14:07:44 +00:00