Commit Graph

5166 Commits

Author SHA1 Message Date
Dan Walsh
5eea0f4403 Always run restorecon at install time to make sure key files are labeled correctly 2013-02-20 14:12:19 +01:00
Dan Walsh
3460d4cd12 Remove shutdown policy. Shutdown is now a symlink to systemctl. 2013-02-20 06:31:55 +01:00
Dan Walsh
c1f199109a Remove unused patches 2013-02-18 12:18:04 -05:00
Miroslav Grepl
2599f2f590 - virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-serv
- Allow spamd_update_t to search spamc_home_t
- Avcs discovered by mounting an isci device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Allow systemd-timestamp to set SELinux context
- Add support for /var/lib/systemd/linger
- Fix ssh_sysadm_login to be working on MLS as expected
2013-02-14 19:06:59 +01:00
Dan Walsh
79355670f4 Bump required versions for tool chain. 2013-02-13 09:24:21 -05:00
Miroslav Grepl
7980df38fe - Rename files_rw_inherited_tmp_files to files_rw_inherited_tmp_file
- Add missing files_rw_inherited_tmp_files interface
- Add additional interface for ecryptfs
- ALlow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow all cups domains to getattr on filesystems
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Allow gpg to read fips_enabled
- Add additional fixes for ecryptfs
- Allow httpd to work with posgresql
- Allow keystone getsched and setsched
2013-02-11 16:57:33 +01:00
Miroslav Grepl
ad094338a5 - Allow gpg to read fips_enabled
- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanclok transition to fen
- bitlbee wants to read own log file
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
2013-02-08 14:01:21 +01:00
Dan Walsh
d4e203ba2f Remove unconfined_u content from appconfig-mls 2013-02-05 08:22:13 -05:00
Miroslav Grepl
953ff14b8b Fix spec file 2013-02-05 11:02:32 +01:00
Miroslav Grepl
da973f3722 - Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we sho
- Allow xdm_t to execute gstreamer home content
- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command
- We now need access to user terminals since we start by executing a command
- svirt lxc containers want to execute userhelper apps, need these changes to
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync <backuphost> wokring
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
2013-02-05 11:01:00 +01:00
Dan Walsh
13b7212ad0 add openstack swift domain 2013-02-04 17:03:20 -05:00
Dan Walsh
330d3c0f25 add openshift_cron_t as a permissive domain 2013-02-01 13:36:46 -05:00
Dan Walsh
32922067ef Add systemd_sysctl_t as a permissive domain 2013-01-31 10:30:03 -05:00
Miroslav Grepl
f125066d3c * Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9
- boinc_cliean wants also execmem as boinc projecs have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Create tmpfs file while running as wine as user_tmpfs_t
- Dontaudit attempts by readahead to read sock_files
- libmpg ships badly created librarie
2013-01-30 12:41:36 +01:00
Dan Walsh
45852f5fe5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2013-01-28 15:39:02 -05:00
Dan Walsh
b59d07ae28 Do a better job of cleaning up old policy files, trigger relabel of /home on upgrade to F19 2013-01-28 15:36:16 -05:00
Miroslav Grepl
aab1932f46 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
- libmpg ships badly created libraries
- Add support for strongswan.service
- Add labeling for strongswan
- Allow l2tpd_t to read network manager content in /run directory
- Allow rsync to getattr any file in rsync_data_t
- Add labeling and filename transition for .grl-podcasts
2013-01-28 20:11:03 +01:00
Miroslav Grepl
a39c31a810 Fix dupl transition rules in mozilla.te 2013-01-25 20:24:52 +01:00
Miroslav Grepl
1802bef984 * Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
2013-01-25 14:24:33 +01:00
Miroslav Grepl
4c3676d47a clamav and amavis has been merge to antivirus policy 2013-01-25 14:17:56 +01:00
Miroslav Grepl
b591902d83 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_acces, so that an rsync server can write all
- over the local machine
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
- Add missing vpnc_roles type line
- Allow stapserver to write content in /tmp
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Add interface to colord_t dbus_chat to allow it to read remote process state
- Allow colord_t to read cupsd_t state
- Add mate-thumbnail-font as thumnailer
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
- Allow qpidd to list /tmp. Needed by ssl
- Only allow init_t to transition to rsync_t domain, not initrc_t.  This should be b
- - Added systemd support for ksmtuned
- Added booleans
       ksmtuned_use_nfs
       ksmtuned_use_cifs
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp a
- Looks like qpidd_t needs to read /dev/random
- Lots of probing avc's caused by execugting gpg from staff_t
- Dontaudit senmail triggering a net_admin avc
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() iterface
2013-01-23 12:22:19 +01:00
Dan Walsh
a09a7deb16 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-16 09:46:42 -05:00
Dan Walsh
6d40a6c274 Add selinux-policy-filesystem for /etc/selinux directory so it can be shared with libsemanage 2013-01-16 09:46:31 -05:00
Miroslav Grepl
207a4dfc95 - Fix systemd_manage_unit_symlinks() interface
- Call systemd_manage_unit_symlinks(() which is correct interface
- Add filename transition for opasswd
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow sytstemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to syste
- colord needs to communicate with systemd and systemd_logind, also remov
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow gpg_t to manage all gnome files
- Stop using pcscd_read_pub_files
- New rules for xguest, dontaudit attempts to dbus chat
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- run unbound-chkconf as named_t, so it can read dnssec
- Colord is reading xdm process state, probably reads state of any apps t
- Allow mdadm_t to change the kernel scheduler
- mythtv policy
- Update mandb_admin() interface
- Allow dsspam to listen on own tpc_socket
2013-01-16 15:13:43 +01:00
Dan Walsh
5f2806ad4e Rename gnomeclock to systemd_timedated 2013-01-15 18:58:56 -05:00
Dan Walsh
c14302d03d Rename gnomeclock to systemd_timedated 2013-01-15 18:54:56 -05:00
Dan Walsh
7846a149ab Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-15 11:56:41 -05:00
Dan Walsh
0608169181 Update from upstream 2013-01-15 11:55:13 -05:00
Dan Walsh
afbf138ed9 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2013-01-15 11:54:07 -05:00
Miroslav Grepl
7f090dbfaa * Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Ad labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Remove duplicate rules from *.te
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interfac
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
2013-01-14 13:39:59 +01:00
Miroslav Grepl
9e49f866d4 More fixes for numad 2013-01-11 22:04:24 +01:00
Miroslav Grepl
a3277735dd Fix virt_ptrace() interface
Please enter the commit message for your changes. Lines starting
2013-01-11 20:01:16 +01:00
Miroslav Grepl
a765f30a9f fix consolekit 2013-01-11 19:48:49 +01:00
Miroslav Grepl
a7dce2ac5c * Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
2013-01-11 19:30:57 +01:00
Miroslav Grepl
0c265c3817 Add back consolekit but we keep just consolekit.te and .fc was commented 2013-01-11 14:33:08 +01:00
Miroslav Grepl
f851aec1c4 - Remove all mcs overrides and replace with t1 != mcs_constrained_ty
- Add attribute_role for iptables
- mcs_process_set_categories needs to be called for type
- Implement additional role_attribute statements
- Sodo domain is attempting to get the additributes of proc_kcore_t
- Unbound uses port 8953
- Allow svirt_t images to compromise_kernel when using pci-passthrou
- Add label for dns lib files
- Bluetooth aquires a dbus name
- Remove redundant files_read_usr_file calling
- Remove redundant files_read_etc_file calling
- Fix mozilla_run_plugin()
- Add role_attribute support for more domains
2013-01-10 17:31:42 +01:00
Miroslav Grepl
fa970c32f1 use policy.29 2013-01-09 14:52:41 +01:00
Miroslav Grepl
8f47af1bde Require POLICYCOREUTILSVER 2.1.13-53 2013-01-09 14:52:16 +01:00
Miroslav Grepl
23a9442e40 * Wed Jan 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-1
- Mass merge with upstream
2013-01-09 13:16:35 +01:00
Miroslav Grepl
e5e41801b0 Upload new upstream sources 2013-01-08 11:50:45 +01:00
Miroslav Grepl
9cdcf52c73 Bump POLICYVER 2013-01-07 17:43:07 +01:00
Miroslav Grepl
fdeb413467 Revert "Upstream uses ctdb instead of ctdbd policy"
This reverts commit 1871109735.
2013-01-07 14:54:40 +01:00
Miroslav Grepl
c57639b449 Revert "Upstream change:"
This reverts commit 098e5a0968.
2013-01-07 14:54:27 +01:00
Miroslav Grepl
1a1e004154 Revert "Upstream change:"
This reverts commit 7316889d21.
2013-01-07 14:54:15 +01:00
Miroslav Grepl
6e9f07d2e3 Revert "Upstream change:"
This reverts commit 0368b4c345.
2013-01-07 14:54:04 +01:00
Dan Walsh
3ba95111e0 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-07 08:44:03 -05:00
Dan Walsh
4ee59fd5e7 Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol
2013-01-07 08:42:53 -05:00
Miroslav Grepl
0368b4c345 Upstream change:
-isnsd = module
+isns = module
2013-01-07 14:32:26 +01:00
Miroslav Grepl
7316889d21 Upstream change:
-glusterd =  module
+glusterfs =  module
2013-01-07 12:43:02 +01:00
Miroslav Grepl
098e5a0968 Upstream change:
-fcoemon = module
+fcoe = module
2013-01-07 09:44:43 +01:00