Commit Graph

1338 Commits

Author SHA1 Message Date
Dan Walsh
653590a3f2 MCS fixes
quota fixes
2011-11-04 16:40:38 -04:00
Dan Walsh
01e90f94b8 MCS fixes
quota fixes
2011-11-04 13:36:24 -04:00
Dan Walsh
0b72d16e07 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	policy-F16.patch
	selinux-policy.spec
2011-11-04 13:34:59 -04:00
Dan Walsh
8872d3d2ac MCS fixes
quota fixes
2011-11-04 13:31:43 -04:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
dwalsh
d5bededc4d Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:23:55 -04:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
a1db2ce026 Remove qemu.pp again without causing a crash 2011-10-27 09:33:50 -04:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Dan Walsh
3dcddab74d Allow firewallgui to read /etc/selinux/config 2011-10-24 13:39:32 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
1a2b4d14f1 Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:44:31 -04:00
Dan Walsh
f875d285bd Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:37:11 -04:00
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
052e175084 Remove ada policy 2011-10-20 14:33:31 -04:00
Dan Walsh
b01657ac51 Remove ada policy 2011-10-20 14:21:03 -04:00
Dan Walsh
61fa8d555e Remove tzdata policy
Remove ada policy
Add labeling for udev
Add cloudform policy
Fixes for bootloader policy
2011-10-20 12:30:06 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Miroslav
1944b1a36e Remove tzdata policy 2011-10-20 18:00:51 +02:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
4dba2eb895 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-19 08:29:33 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
9bf3aa2c96 Add passwd_file_t for /etc/ptmptmp 2011-10-17 15:51:24 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
042e3a325f Don't check md5 size or mtime on certain config files 2011-10-12 15:42:07 -04:00
Dan Walsh
2f4dfeb425 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Miroslav
54943f9472 - Allow virsh to read xenstored pid file
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
2011-10-05 23:48:25 +02:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
14d7aac744 Fix missing patch from F16 2011-10-04 11:34:14 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Dan Walsh
e15ae4fa84 Fixes caused by the labeling of /etc/passwd
Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
2011-09-30 10:22:41 -04:00
Dan Walsh
a004ca8c3a Fixes caused by the labeling of /etc/passwd 2011-09-29 13:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
4d24861bc2 Add label for /etc/passwd 2011-09-28 16:18:43 -04:00
Miroslav
1b20a51a85 Add grub.patch 2011-09-28 01:09:22 +02:00
Dan Walsh
24b80bf8d9 Make unconfined domains permissive for rawhide
Add definition for ephermeral ports
2011-09-27 10:16:54 -04:00
Miroslav
02a8a402a1 - Make mta_role() active
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
2011-09-26 12:32:44 +02:00
Miroslav Grepl
1aafd0f4bc Fix spec file 2011-09-23 17:59:34 +02:00
Miroslav Grepl
031161f80b Fix spec file 2011-09-23 17:58:45 +02:00
Miroslav
f9c350238c +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
2011-09-23 13:57:44 +02:00
Dan Walsh
747b715541 Add definition for ephemeral ports
Define user_tty_device_t as a customizable_type
2011-09-21 08:39:14 -04:00
Miroslav
dec0110c4c - Needs to require a new version of checkpolicy
- Interface fixes
2011-09-20 16:24:24 +02:00
Miroslav
40af2abfd0 - Allow sanlock to manage virt lib files
- Add virt_use_sanlock booelan
- ksmtuned is trying to resolve uids
- Make sure .gvfs is labeled user_home_t in the users home directory
- Sanlock sends kill signals and needs the kill capability
- Allow mockbuild to work on nfs homedirs
- Fix kerberos_manage_host_rcache() interface
- Allow exim to read system state
2011-09-16 15:09:15 +02:00
Dan Walsh
a59df1059d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-09-15 08:58:51 -04:00
Dan Walsh
9c4a933844 Make seusers config noreplace 2011-09-15 08:58:37 -04:00
Miroslav
b3edab31fb - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
2011-09-14 16:11:08 +02:00
Miroslav
e8563b3245 +- Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
2011-09-13 16:17:16 +02:00
Miroslav
b1448b79b1 Fix typo in spec file 2011-09-09 13:31:15 +02:00
Miroslav
116a117fba - removing unconfined_notrans_t no longer necessary
- Clean up handling of secure_mode_insmod and secure_mode_policyload
- Remove unconfined_mount_t
2011-09-09 13:28:28 +02:00
Miroslav
5b0c573864 - Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy
- sssd need to search /var/cache/krb5rcache directory
- Allow corosync to relabel own tmp files
- Allow zarafa domains to send system log messages
- Allow ssh to do tunneling
- Allow initrc scripts to sendto init_t unix_stream_socket
- Changes to make sure dmsmasq and virt directories are labeled corr
- Changes needed to allow sysadm_t to manage systemd unit files
- init is passing file descriptors to dbus and on to system daemons
- Allow sulogin additional access Reported by dgrift and Jeremy Mill
- Steve Grubb believes that wireshark does not need this access
- Fix /var/run/initramfs to stop restorecon from looking at
- pki needs another port
- Add more labels for cluster scripts
- Allow apps that manage cgroup_files to manage cgroup link files
- Fix label on nfs-utils scripts directories
- Allow gatherd to read /dev/rand and /dev/urand
2011-09-06 13:51:30 +02:00
Miroslav
392fd7310f - pki needs another port
- Add more labels for cluster scripts
- Fix label on nfs-utils scripts directories
- Fixes for cluster
- Allow gatherd to read /dev/rand and /dev/urand
- abrt leaks fifo files
2011-08-31 22:51:47 +02:00
Dan Walsh
e6877a0621 Add glance policy
Allow mdadm setsched
/var/run/initramfs should not be relabeled with a restorecon run
memcache can be setup to override sys_resource
Allow httpd_t to read tetex data
Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
2011-08-31 09:25:39 -04:00
Miroslav
1c136fe943 - Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
- systemd_logind_t sets the attributes on usb devices
- Allow hddtemp_t to read etc_t files
- Add permissivedomains module
- Move all permissive domains calls to permissivedomain.te
- Allow pegasis to send kill signals to other UIDs
2011-08-29 14:07:18 +02:00
Miroslav
2f3d113f19 - Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
2011-08-24 10:24:46 +02:00
Dan Walsh
22a1cfd7d6 Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten 2011-08-23 13:59:04 -04:00
Dan Walsh
ba2e58cd41 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-08-23 13:54:26 -04:00
Dan Walsh
39eb9ea8c1 Make users_extra and seusers.final into config no replace so semanage users and semanage login files do not get overwritten 2011-08-23 13:54:16 -04:00
Miroslav
24041fb3a0 - Add policy for sa-update being run out of cron jobs
- Add create perms to postgresql_manage_db
- ntpd using a gps has to be able to read/write generic tty_device_t
- If you disable unconfined and unconfineduser, rpm needs more privs to ma
- fix spec file
- Remove qemu_domtrans_unconfined() interface
- Make passenger working together with puppet
- Add init_dontaudit_rw_stream_socket interface
- Fixes for wordpress
2011-08-23 11:03:30 +02:00
Dan Walsh
5d837b2d13 Do not do preinstall if there is not previous install 2011-08-22 16:30:00 -04:00
Miroslav
8d13f53c05 - Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
2011-08-11 16:50:01 +02:00
Dan Walsh
10f0de0090 livecd fixes
spec file fixes
2011-08-10 14:00:28 -04:00
Dan Walsh
8a78e8623e Cleanup spec file to remove rpmnew files 2011-08-05 16:16:08 -04:00
Miroslav
913fabe1c8 - fetchmail can use kerberos
- ksmtuned reads in shell programs
- gnome_systemctl_t reads the process state of ntp
- dnsmasq_t asks the kernel to load multiple kernel mod
- Add rules for domains executing systemctl
- Bogus text within fc file
2011-08-04 22:32:55 +02:00
Dan Walsh
41a18182a5 storage should be in base 2011-08-03 16:21:21 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Miroslav
58f5509584 - More fixes of rules which cause an explosion in rules by Dan Walsh 2011-07-29 14:18:40 +02:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Miroslav
f5593ed9be - Allow systemd_logind to send dbus messages with users
- allow accountsd to read wtmp file
- Allow dhcpd to get and set capabilities
2011-07-23 09:10:19 +02:00
Miroslav
6e9c2276f7 - Fix oracledb_port definition
- Allow mount to mounton the selinux file system
- Allow users to list /var directories
2011-07-22 12:37:49 +02:00
Miroslav
273e934611 systemd fixes 2011-07-21 17:22:47 +02:00
Miroslav
2ed5289fc9 - Add initial policy for abrt_dump_oops_t
- xtables-multi wants to getattr of the proc fs
- Smoltclient is connecting to abrt
- Dontaudit leaked file descriptors to postdrop
- Allow abrt_dump_oops to look at kernel sysctls
- Abrt_dump_oops_t reads kernel ring buffer
- Allow mysqld to request the kernel to load modules
- systemd-login needs fowner
- Allow postfix_cleanup_t to searh maildrop
2011-07-19 17:44:23 +02:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Miroslav Grepl
2b7c0552d7 - Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sock
- iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-mult
2011-07-14 18:49:37 +02:00
Miroslav Grepl
50f07b8abf Fix spec file 2011-07-12 14:59:13 +02:00
Miroslav Grepl
330eac5848 - A lot of users are running yum -y update while in /root which is causing ldc
- Allow colord to interact with the users through the tmpfs file system
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to b
- Add label for /var/log/mcelog
- Allow asterisk to read /dev/random if it uses TLS
- Allow colord to read ini files which are labeled as bin_t
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
- Systemd needs to be able to create sock_files for every label in /var/run di
- Also lists /var and /var/spool directories
- Add openl2tpd to l2tpd policy
- qpidd is reading the sysfs file
2011-07-12 09:44:07 +02:00
Dan Walsh
fb5b77fade Fully path the semodule command 2011-07-01 06:35:11 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
2885bf8a6e - More fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git
2011-06-27 08:43:05 +02:00
Dan Walsh
7e1b615aa4 Next attempt at getting selinux-policy-* to work without rebuilding policy. 2011-06-16 12:01:25 -04:00
Dan Walsh
cf012ea57e Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-06-16 08:58:41 -04:00
Dan Walsh
8782a92ced Change required policycoreutils and libsemanage 2011-06-16 08:58:19 -04:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Dan Walsh
857c813190 Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. 2011-06-09 22:36:45 -04:00
Dan Walsh
d0597c1c15 apply merge 2011-06-08 12:17:39 -04:00
Miroslav Grepl
183e54f534 Old passanger module needs to be removed in spec file 2011-06-08 17:41:02 +02:00
Miroslav Grepl
d8b121329f - Fixes for zabbix
- init script needs to be able to manage sanlock_var_run_...
- Allow sandlock and wdmd to create /var/run directories...
- mixclip.so has been compiled correctly
- Fix passenger policy module name
2011-06-08 17:32:27 +02:00
Dan Walsh
5253d49ee9 Update from git 2011-06-07 14:43:31 -04:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Dan Walsh
0535650520 Allow policy.VERSION and modules to ship with package 2011-06-07 11:09:32 -04:00
Miroslav Grepl
0e70f655b4 Fix spec file 2011-06-02 15:17:47 +02:00
Miroslav Grepl
a56fb9fa8f - Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
       * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-06-02 15:16:46 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Miroslav Grepl
ace25237f9 - Lot of fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-05-24 16:38:28 +02:00
Dan Walsh
d97c92c34b New policy patch requires updated checkpolicy package 2011-05-23 18:27:11 -04:00
Miroslav Grepl
cb71de50e9 - Allow logrotate to execute systemctl
- Allow nsplugin_t to getattr on gpmctl
- Fix dev_getattr_all_chr_files() interface
- Allow shorewall to use inherited terms
- Allow userhelper to getattr all chr_file devices
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
- Fix labeling for ABRT Retrace Server
2011-05-19 18:12:32 +02:00
Dan Walsh
7fbbd6f924 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-09 14:40:43 -04:00
Miroslav Grepl
27bf70c04e - Dontaudit sys_module for ifconfig
- Make telepathy and gkeyringd daemon working with confined users
- colord wants to read files in users homedir
- Remote login should be creating user_tmp_t not its own tmp files
2011-05-09 20:39:25 +00:00
Dan Walsh
ff120d7be5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-06 10:51:56 -04:00
Miroslav Grepl
cfc00b53cb - Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer
- Fix boolean description
- Allow colord to getattr on /proc/scsi/scsi
- Add label for /lib/upstart/init
- Colord needs to list /mnt
2011-05-05 14:39:44 +00:00
Dan Walsh
e81c7996c4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-03 16:37:04 -04:00
Miroslav Grepl
6347ee7725 - Forard port changes from F15 for telepathy
- NetworkManager should be allowed to use /dev/rfkill
- Fix dontaudit messages to say Domain to not audit
- Allow telepathy domains to read/write gnome_cache files
- Allow telepathy domains to call getpw
- Fixes for colord and vnstatd policy
2011-05-03 19:46:26 +00:00
Miroslav Grepl
b02295db9b - Allow init_t getcap and setcap
- Allow namespace_init_t to use nsswitch
- aisexec will execute corosync
- colord tries to read files off noxattr file systems
- Allow init_t getcap and setcap
2011-04-27 16:15:38 +00:00
Dan Walsh
99b2fe91aa Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-04-27 11:06:38 -04:00
Dan Walsh
402e7b8a4a Default telepath to allow it to connect to network ports 2011-04-21 18:26:23 -04:00
Miroslav Grepl
a8c63d7e69 - Add support for ABRT retrace server
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners
- Allow telepath_msn_t to read /proc/PARENT/cmdline
- ftpd needs kill capability
- Allow telepath_msn_t to connect to sip port
- keyring daemon does not work on nfs homedirs
- Allow $1_sudo_t to read default SELinux context
- Add label for tgtd sock file in /var/run/
- Add apache_exec_rotatelogs interface
- allow all zaraha domains to signal themselves, server writes to /tmp
- Allow syslog to read the process state
- Add label for /usr/lib/chromium-browser/chrome
- Remove the telepathy transition from unconfined_t
- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts
- Allow initrc_t domain to manage abrt pid files
- Add support for AEOLUS project
- Virt_admin should be allowed to manage images and processes
- Allow plymountd to send signals to init
- Change labeling of fping6
2011-04-21 16:35:40 +00:00
Dan Walsh
ff64d9c354 Accidently checked in my test spec file 2011-04-21 10:07:57 -04:00
Dan Walsh
bd16f8dd70 Readd my patch 2011-04-19 11:36:13 -04:00
Dan Walsh
9bd1686ff7 Move to version 26 of policy 2011-04-19 11:34:24 -04:00
Miroslav Grepl
a357639bb0 - Fixes for zarafa policy
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymountd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
2011-04-19 13:53:55 +00:00
Dan Walsh
637b33d9f3 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-15 14:24:32 -04:00
Miroslav Grepl
6ac26422cc - xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemdctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port - Fixes for colord policy
2011-04-15 09:08:10 +00:00
Dan Walsh
e935d25737 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-12 10:57:09 -04:00
Dan Walsh
826311d497 Testing 2011-04-11 17:06:55 -04:00
Miroslav Grepl
1b7c8fcdf6 - Add Dan's patch to remove 64 bit variants
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclok to enable ntpd service using systemctl - systemd_syst
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
2011-04-11 07:58:00 +00:00
Dan Walsh
86354fa4cc Remove lib64 mapping and use subs. change subs name to file_context.subs_dist 2011-04-05 15:30:24 -04:00
Miroslav Grepl
2130480ad3 - Fix typo 2011-04-05 09:38:41 +00:00
Miroslav Grepl
397c1e2d5c - Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
2011-04-04 23:41:02 +00:00
Dan Walsh
568f781d20 Update to latest versions and change policy version 2011-04-04 16:50:06 -04:00
Miroslav Grepl
81c96b1880 comment out the sepolgen line 2011-04-04 20:43:56 +00:00
Miroslav Grepl
aaa0ee57f3 comment out the sepolgen line 2011-04-04 20:33:32 +00:00
Miroslav Grepl
68129209ed comment out the sepolgen line 2011-04-04 20:16:34 +00:00
Miroslav Grepl
fb7e97f251 - Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00
Miroslav Grepl
a7705c54e1 - Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy
2011-04-01 16:12:27 +00:00
Miroslav Grepl
36d3f31dcf - Allow $1_sudo_t and $1_su_t open access to user terminals
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
-systemd is going to be useing /run and /run/lock for early bootup files.
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has setup /dev/kmsg as stderr for apps it executes
- Need these access so that init can impersonate sockets on unix_dgram_socket
2011-03-25 14:54:13 +00:00
Miroslav Grepl
47d5c167a8 - Remove some unconfined domains
- Remove permissive domains
- Add policy-term.patch from Dan
2011-03-23 23:53:27 +00:00
Miroslav Grepl
7c23cf73df Fix multiple specification for boot.log 2011-03-17 16:01:12 +00:00
Miroslav Grepl
f5eb99f70b - devicekit leaks file descriptors to setfiles_t
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
2011-03-17 15:46:18 +00:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
f7f5ca9228 +- mozilla_plugin_tmp_t needs to be treated as user tmp files
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
2011-03-10 22:02:46 +00:00
Miroslav Grepl
8d54634624 - Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00
Miroslav Grepl
9b89d85005 Fix minimum policy 2011-03-08 18:36:28 +00:00
Miroslav Grepl
6726024e43 Update to upstream 2011-03-08 18:28:56 +00:00
Miroslav Grepl
781f349e05 - gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should  be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
2011-03-01 17:08:45 +00:00
Miroslav Grepl
c34a0c5248 - Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved
- Allo cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- allow all sandbox to read selinux poilcy config files
- Allow cluster domains to use the system bus and send each other dbus messages
2011-02-21 21:46:58 +00:00
Miroslav Grepl
7288282fd4 - Update to upstream 2011-02-16 18:45:08 +00:00
Dennis Gilmore
60e174d11c - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 07:08:32 -06:00
Dan Walsh
d3861ceab3 - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
2011-02-08 18:00:22 -05:00
Dan Walsh
812781becc - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
2011-02-08 17:50:40 -05:00