Commit Graph

1610 Commits

Author SHA1 Message Date
Dan Walsh
45852f5fe5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2013-01-28 15:39:02 -05:00
Dan Walsh
b59d07ae28 Do a better job of cleaning up old policy files, trigger relabel of /home on upgrade to F19 2013-01-28 15:36:16 -05:00
Miroslav Grepl
aab1932f46 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
- libmpg ships badly created libraries
- Add support for strongswan.service
- Add labeling for strongswan
- Allow l2tpd_t to read network manager content in /run directory
- Allow rsync to getattr any file in rsync_data_t
- Add labeling and filename transition for .grl-podcasts
2013-01-28 20:11:03 +01:00
Miroslav Grepl
1802bef984 * Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
2013-01-25 14:24:33 +01:00
Miroslav Grepl
4c3676d47a clamav and amavis has been merge to antivirus policy 2013-01-25 14:17:56 +01:00
Miroslav Grepl
b591902d83 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_acces, so that an rsync server can write all
- over the local machine
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
- Add missing vpnc_roles type line
- Allow stapserver to write content in /tmp
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Add interface to colord_t dbus_chat to allow it to read remote process state
- Allow colord_t to read cupsd_t state
- Add mate-thumbnail-font as thumnailer
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
- Allow qpidd to list /tmp. Needed by ssl
- Only allow init_t to transition to rsync_t domain, not initrc_t.  This should be b
- - Added systemd support for ksmtuned
- Added booleans
       ksmtuned_use_nfs
       ksmtuned_use_cifs
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp a
- Looks like qpidd_t needs to read /dev/random
- Lots of probing avc's caused by execugting gpg from staff_t
- Dontaudit senmail triggering a net_admin avc
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() iterface
2013-01-23 12:22:19 +01:00
Dan Walsh
a09a7deb16 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-16 09:46:42 -05:00
Dan Walsh
6d40a6c274 Add selinux-policy-filesystem for /etc/selinux directory so it can be shared with libsemanage 2013-01-16 09:46:31 -05:00
Miroslav Grepl
207a4dfc95 - Fix systemd_manage_unit_symlinks() interface
- Call systemd_manage_unit_symlinks(() which is correct interface
- Add filename transition for opasswd
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow sytstemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to syste
- colord needs to communicate with systemd and systemd_logind, also remov
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow gpg_t to manage all gnome files
- Stop using pcscd_read_pub_files
- New rules for xguest, dontaudit attempts to dbus chat
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- run unbound-chkconf as named_t, so it can read dnssec
- Colord is reading xdm process state, probably reads state of any apps t
- Allow mdadm_t to change the kernel scheduler
- mythtv policy
- Update mandb_admin() interface
- Allow dsspam to listen on own tpc_socket
2013-01-16 15:13:43 +01:00
Dan Walsh
5f2806ad4e Rename gnomeclock to systemd_timedated 2013-01-15 18:58:56 -05:00
Miroslav Grepl
7f090dbfaa * Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Ad labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Remove duplicate rules from *.te
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interfac
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
2013-01-14 13:39:59 +01:00
Miroslav Grepl
a7dce2ac5c * Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
2013-01-11 19:30:57 +01:00
Miroslav Grepl
0c265c3817 Add back consolekit but we keep just consolekit.te and .fc was commented 2013-01-11 14:33:08 +01:00
Miroslav Grepl
f851aec1c4 - Remove all mcs overrides and replace with t1 != mcs_constrained_ty
- Add attribute_role for iptables
- mcs_process_set_categories needs to be called for type
- Implement additional role_attribute statements
- Sodo domain is attempting to get the additributes of proc_kcore_t
- Unbound uses port 8953
- Allow svirt_t images to compromise_kernel when using pci-passthrou
- Add label for dns lib files
- Bluetooth aquires a dbus name
- Remove redundant files_read_usr_file calling
- Remove redundant files_read_etc_file calling
- Fix mozilla_run_plugin()
- Add role_attribute support for more domains
2013-01-10 17:31:42 +01:00
Miroslav Grepl
fa970c32f1 use policy.29 2013-01-09 14:52:41 +01:00
Miroslav Grepl
8f47af1bde Require POLICYCOREUTILSVER 2.1.13-53 2013-01-09 14:52:16 +01:00
Miroslav Grepl
23a9442e40 * Wed Jan 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-1
- Mass merge with upstream
2013-01-09 13:16:35 +01:00
Miroslav Grepl
e5e41801b0 Upload new upstream sources 2013-01-08 11:50:45 +01:00
Miroslav Grepl
9cdcf52c73 Bump POLICYVER 2013-01-07 17:43:07 +01:00
Miroslav Grepl
fdeb413467 Revert "Upstream uses ctdb instead of ctdbd policy"
This reverts commit 1871109735.
2013-01-07 14:54:40 +01:00
Miroslav Grepl
c57639b449 Revert "Upstream change:"
This reverts commit 098e5a0968.
2013-01-07 14:54:27 +01:00
Miroslav Grepl
1a1e004154 Revert "Upstream change:"
This reverts commit 7316889d21.
2013-01-07 14:54:15 +01:00
Miroslav Grepl
6e9f07d2e3 Revert "Upstream change:"
This reverts commit 0368b4c345.
2013-01-07 14:54:04 +01:00
Miroslav Grepl
0368b4c345 Upstream change:
-isnsd = module
+isns = module
2013-01-07 14:32:26 +01:00
Miroslav Grepl
7316889d21 Upstream change:
-glusterd =  module
+glusterfs =  module
2013-01-07 12:43:02 +01:00
Miroslav Grepl
098e5a0968 Upstream change:
-fcoemon = module
+fcoe = module
2013-01-07 09:44:43 +01:00
Miroslav Grepl
1871109735 Upstream uses ctdb instead of ctdbd policy 2013-01-07 00:11:42 +01:00
Dan Walsh
01be266ba7 Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol
2013-01-06 10:35:25 -05:00
Miroslav Grepl
17da016672 * Wed Jan 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtim

* Thu Dec 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
2013-01-02 15:52:27 +01:00
Miroslav Grepl
eb0fd25a19 renamed: policy-rawhide.patch -> policy-rawhide-base.patch
renamed:    policy_contrib-rawhide.patch -> policy-rawhide-contrib.patch
2013-01-02 15:50:45 +01:00
Miroslav Grepl
52491466e2 Backport policy from F18 2012-12-21 09:57:21 +01:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
rhatdan
5991fc8049 Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead 2012-08-08 11:20:07 -04:00
Miroslav Grepl
e88478c88d +* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3
+- Add role rules for realmd, sambagui
2012-08-07 17:16:15 +02:00
Miroslav Grepl
711b0e2035 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM modu
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
2012-08-07 16:51:57 +02:00
Miroslav Grepl
e2915aed43 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11
- Fix saslauthd when it tries to read /etc/shadow
- Label gnome-boxes as a virt homedir
- Need to allow svirt_t ability to getattr on nfs_t file
- Update sanlock policy to solve all AVC's
- Change confined users can optionally manage virt conte
- Handle new directories under ~/.cache
- Add block suspend to appropriate domains
- More rules required for containers
- Allow login programs to read /run/ data created by sys
- Allow staff users to run svirt_t processes
2012-08-03 16:06:03 +02:00
Miroslav Grepl
46a9c6067c * Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0
- Update to upstream
2012-08-02 07:43:02 +02:00
Miroslav Grepl
3c848e8da5 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15
- More fixes for systemd to make rawhide booting from Dan Walsh
2012-07-30 22:23:31 +02:00
Miroslav Grepl
42c4091430 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-
- Add systemd fixes to make rawhide booting
2012-07-30 17:37:17 +02:00
Miroslav Grepl
b4a78ad40d - Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
- Add interface for mysqld to dontaudit signull to all processes
- Label new /var/run/journal directory correctly
- Allow users to inhibit suspend via systemd
- Add new type for the /var/run/inhibit directory
- Add interface to send signull to systemd_login so avahi can send them
- Allow systemd_passwd to send syslog messages
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
- Allow       editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Allow dbus to inhibit suspend via systemd
- Allow avahi to send signull to systemd_login
2012-07-27 16:32:49 +02:00
Dan Walsh
2676121267 Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-party drivers
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man pages
2012-07-24 15:56:40 -04:00
Miroslav Grepl
9ba137b17b * Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12
- Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-part
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man page
2012-07-23 17:47:41 +02:00
Dennis Gilmore
c07f6435e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-21 14:21:28 -05:00
Miroslav Grepl
3da13de031 +- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
+- Allow xend_t to read the /etc/passwd file
 Please enter the commit message for your changes. Lines starting
 with '#' will be ignored, and an empty message aborts the commit.
 On branch master
 Changes to be committed:
   (use "git reset HEAD <file>..." to unstage)

	modified:   policy-rawhide.patch
	modified:   policy_contrib-rawhide.patch
	modified:   selinux-policy.spec
2012-07-16 00:03:02 +02:00
Dan Walsh
18fc0f3c99 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-13 16:59:14 -04:00
Dan Walsh
9d1d9952b1 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-12 19:20:37 -04:00
Miroslav Grepl
98ec5a124e - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00
Miroslav Grepl
0f07ba7f55 * Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
2012-07-03 23:11:32 +02:00
Miroslav Grepl
1de5de6450 - add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which hav
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- Add support for boinc.log
- Allow mozilla_plugin execmod on mozilla home files if allow_ex
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Move thin policy out from cloudform.pp and add a new thin poli
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
- Allow mozila_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users hom
- rhsmcertd reads the rpm database
- Add support for lightdm
2012-06-27 12:53:34 +02:00
Miroslav Grepl
52ac61da45 * Mon Jun 25 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit  thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
2012-06-25 07:09:24 +02:00
Dan Walsh
a3e9dc0c92 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-06-20 14:33:29 -04:00
Dan Walsh
7f9b7d5c03 Remove pyzor and razor modules 2012-06-20 14:33:23 -04:00
Miroslav Grepl
c74d194317 - apcupsd needs to read /etc/passwd
- Sanlock allso sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_loigind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
2012-06-19 13:40:53 +02:00
Miroslav Grepl
bfc280fd5b - Add support for ecryptfs
* ecryptfs does not support xattr
  * we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct la
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
2012-06-15 10:43:55 +02:00
Miroslav Grepl
c8f96d3d71 * Tue Jun 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket
- Allow tuned to write generic kernel sysctls
- Dontaudit logwatch to gettr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Make condor_startd and rgmanager as initrc domain
- Allow virsh to read /etc/passwd
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
- Fix files_filetrans_named_content() interface
- Add new attribute - initrc_domain
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
2012-06-12 14:33:10 +02:00
Miroslav Grepl
4415dfa1a8 * Sat Jun 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-2
- Rename boolean names to remove allow_
2012-06-09 09:07:54 +02:00
Dan Walsh
c3956376c7 Add booleans.subs_dist to selinux-policy package 2012-06-08 10:09:54 -04:00
Dan Walsh
62163c8c51 Trigger a restorecon -R -v /home on the next update 2012-06-07 14:05:06 -04:00
Miroslav Grepl
7efcb84ab9 update selinux-policy.spec file 2012-06-07 13:27:36 +02:00
Miroslav Grepl
1ee0a31352 Add temporary roleattribute patches 2012-06-07 11:58:33 +02:00
Miroslav Grepl
3dd200bfa4 * Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
  * new policy topology to include contrib policy modules
  * we have now two base policy patches
2012-06-07 00:42:18 +02:00
Miroslav Grepl
e392eca2af Upload new sources 2012-06-06 16:09:49 +02:00
Miroslav Grepl
4a27edfbeb Sync master with F17 2012-06-06 15:25:27 +02:00
Miroslav
de69336bd3 +* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-
+- Allow firewalld to read urand
+- Alias java, execmem_mono to bin_t to allow third parties
+- Add label for kmod
+- /etc/redhat-lsb contains binaries
+- Add boolean to allow gitosis to send mail
+- Add filename transition also for "event20"
+- Allow systemd_tmpfiles_t to delete all file types
+- Allow collectd to ipc_lock
2012-02-13 22:28:38 +01:00
Dan Walsh
4066cfa00d Add dnssec policy and go back to unconfined domains versus permissive domains 2012-02-09 17:38:44 -05:00
Dan Walsh
7bf1025fa8 Revert "Dropping support for snort since it was dropped from Fedora. Users should use nagios"
This reverts commit 76d9bfedb6.
2012-02-07 17:18:16 -05:00
Dan Walsh
5c28b0512d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-02-07 17:17:54 -05:00
Dan Walsh
76d9bfedb6 Dropping support for snort since it was dropped from Fedora. Users should use nagios 2012-02-07 17:15:35 -05:00
Dan Walsh
d3a57c6cc7 Fedora no longer ships kerneloops, dropping policy 2012-02-07 17:09:23 -05:00
Miroslav Grepl
81894dfe50 - Add policy for grindengine MPI jobs 2012-02-07 18:18:07 +01:00
Miroslav Grepl
80d21dc60a Revert "Simplify the build-docs target"
This reverts commit 01be486292.
2012-02-07 14:08:38 +01:00
Miroslav Grepl
4689b08b49 - Add new sysadm_secadm.pp module
* contains secadm definition for sysadm_t
- Move user_mail_domain access out of the interface into the
- Allow httpd_t to create httpd_var_lib_t directories as wel
- Allow snmpd to connect to the ricci_modcluster stream
- Allow firewalld to read /etc/passwd
- Add auth_use_nsswitch for colord
- Allow smartd to read network state
- smartdnotify needs to read /etc/group
2012-02-06 23:20:13 +01:00
Dan Walsh
01be486292 Simplify the build-docs target 2012-02-06 15:33:48 -05:00
Dan Walsh
dc4ca7a142 Allow builder to skip build_docs 2012-02-06 12:13:56 -05:00
Miroslav
30ab254413 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
- lxdm startup scripts should be labeled bin_t, so confined users will work
- mcstransd now creates a pid, needs back port to F16
- qpidd should be allowed to connect to the amqp port
- Label devices 010-029 as usb devices
- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
- Add initial Obex policy
- Add logging_syslogd_use_tty boolean
- Add polipo_connect_all_unreserved bolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
2012-02-03 10:57:34 +01:00
Dan Walsh
3515d8b4e7 Fix file_context.subs_dist for now to work with pre usrmove 2012-01-31 17:01:07 -05:00
Dan Walsh
9382499c6f Fix file_context.subs_dist for now to work with pre usrmove 2012-01-31 15:26:31 -05:00
Miroslav Grepl
fb431d4b29 - More /usr move fixes 2012-01-30 21:28:06 +01:00
Dan Walsh
191c435a9f POLY is no longer used 2012-01-30 10:27:14 -05:00
Dan Walsh
f53135cd92 Make sure /etc/passwd and /etc/group properly labeled 2012-01-26 17:45:12 -05:00
Miroslav
a9d343329b * Thu Jan 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-80
- Add zabbix_can_network boolean
- Add httpd_can_connect_zabbix boolean
- Prepare file context labeling for usrmove functions
- Allow system cronjobs to read kernel network state
- Add support for selinux_avcstat munin plugin
- Treat hearbeat with corosync policy
- Allow corosync to read and write to qpidd shared mem
-  mozilla_plugin is trying to run pulseaudio
- Fixes for new sshd patch for running priv sep domains as the users c
- Turn off dontaudit rules when turning on allow_ypbind
- udev now reads /etc/modules.d directory
2012-01-26 19:26:12 +01:00
Miroslav Grepl
0c0b390b07 - Turn on deny_ptrace boolean for the Rawhide run, so we can t
- Cups exchanges dbus messages with init
- udisk2 needs to send syslog messages
- certwatch needs to read /etc/passwd
2012-01-24 16:34:52 +01:00
Miroslav
75a7b93abc +- Add labeling for udisks2
+- Allow fsadmin to communicate with the systemd process
2012-01-23 22:35:48 +01:00
Miroslav Grepl
8cd443307d - Treat Bip with bitlbee policy
* Bip is an IRC proxy
- Add port definition for interwise port
- Add support for ipa_memcached socket
- systemd_jounald needs to getattr on all processes
- mdadmin fixes
     * uses getpw
- amavisd calls getpwnam()
- denyhosts calls getpwall()
2012-01-23 16:15:05 +01:00
Miroslav Grepl
de9114f624 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
- bluetooth says they do not use /tmp and want to remove the type
- Allow init to transition to colord
- Mongod needs to read /proc/sys/vm/zone_reclaim_mode
- Allow postfix_smtpd_t to connect to spamd
- Add boolean to allow ftp to connect to all ports > 1023
- Allow sendmain to write to inherited dovecot tmp files
2012-01-20 14:43:02 +01:00
Dan Walsh
291b1f5075 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-01-19 09:44:28 -05:00
Dan Walsh
b80397b754 Remove Requires for bunzip2 and mktemp 2012-01-19 09:39:05 -05:00
Miroslav Grepl
153cc80f87 - Merge systemd patch
- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
- Allow deltacloudd dac_override, setuid, setgid  caps
- Allow aisexec to execute shell
- Add use_nfs_home_dirs boolean for ssh-keygen
2012-01-16 10:56:19 +01:00
Dan Walsh
cd25a7a613 Fixes to make rawhide boot in enforcing mode with latest systemd changes 2012-01-13 12:26:06 -05:00
Dan Walsh
86d3f66092 Add labeling for /var/run/systemd/journal/syslog
libvirt sends signals to ifconfig
Allow domains that read logind session files to list them
2012-01-13 09:53:03 -05:00
Miroslav
68079f6d89 +- Add labeling for /var/run/systemd/journal/syslog
+- libvirt sends signals to ifconfig
+- Allow domains that read logind session files to list them
2012-01-11 20:37:45 +01:00
Miroslav
69a8d0687a - Fixed destined form libvirt-sandbox
- Allow apps that list sysfs to also read sympolicy links in this filesystem
- Add ubac_constrained rules for chrome_sandbox
- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
- Allow postgresql to be executed by the caller
- Standardize interfaces of daemons
- Add new labeling for mm-handler
- Allow all matahari domains to read network state and etc_runtime_t files
2012-01-11 13:13:07 +01:00
Dan Walsh
7cf580ebcc Rename audioentropy to entropy to match upstream 2012-01-06 11:52:44 -05:00
Miroslav
b3ef57fc19 - New fix for seunshare, requires seunshare_domains to be able to mounton /
- Allow systemctl running as logrotate_t to connect to private systemd socket
- Allow tmpwatch to read meminfo
- Allow rpc.svcgssd to read supported_krb5_enctype
- Allow zarafa domains to read /dev/random and /dev/urandom
- Allow snmpd to read dev_snmp6
- Allow procmail to talk with cyrus
- Add fixes for check_disk and check_nagios plugins
2012-01-04 15:58:41 +01:00
Dan Walsh
5a73fdc4ee Test if selinuxenabled correctly 2011-12-22 15:32:22 +00:00
Dan Walsh
d5b8b9ccf7 default trans rules for Rawhide policy
Make sure sound_devices controlC* are labeled correctly on creation
sssd now needs sys_admin
Allow snmp to read all proc_type
Allow to setup users homedir with quota.group
2011-12-21 13:48:04 +00:00
Miroslav Grepl
67539d56f8 - default trans rules for Rawhide policy
-  Make sure sound_devices controlC* are labeled correctly on creation
- sssd now needs sys_admin
- Allow snmp to read all proc_type
- Allow to setup users homedir with quota.group
2011-12-20 19:41:35 +01:00
Dan Walsh
bce4ec2b6e Update to handle labeling on /sys using systemd-tmpfiles, also support default_range transition rules 2011-12-20 17:20:23 +00:00
Dan Walsh
a9225830b4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-12-19 13:35:00 -05:00
Miroslav
cd251939af - Add httpd_can_connect_ldap() interface
- apcupsd_t needs to use seriel ports connected to usb devic
- Kde puts procmail mail directory under ~/.local/share
- nfsd_t can trigger sys_rawio on tests that involve too man
- Add labeling for /sbin/iscsiuio
2011-12-19 13:49:27 +01:00
Dan Walsh
49b3733c80 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-12-15 16:29:52 -05:00
Dan Walsh
ad10efc1aa Committing my changes 2011-12-15 16:28:30 -05:00
Miroslav
7c693b0afa +- Add label for /var/lib/iscan/interpreter
+- Dont audit writes to leaked file descriptors or redirected output for nacl
+- NetworkManager needs to write to /sys/class/net/ib*/mode
2011-12-14 10:32:29 +01:00
Miroslav
d17f759dd0 - Allow abrt to request the kernel to load a module
- Make sure mozilla content is labeled correctly
- Allow tgtd to read system state
- More fixes for boinc
  * allow to resolve dns name
  * re-write boinc policy to use boinc_domain attribute
- Allow munin services plugins to use NSCD services
2011-12-13 11:26:04 +01:00
Miroslav
202bb4cfa3 +- Allow mozilla_plugin_t to manage mozilla_home_t
+- Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain
+- Add label for tumblerd
2011-12-08 17:15:52 +01:00
Miroslav
1094d02fe9 - Fixes for xguest package 2011-12-07 18:40:29 +01:00
Miroslav
e91d876567 +- Fixes related to /bin, /sbin
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exc
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contex
+- More fixes for rhev_agentd_t consolehelper policy
2011-12-06 21:59:27 +01:00
Dan Walsh
5305bd3265 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-12-02 14:29:16 -05:00
Dan Walsh
102fd0dcb4 Eliminate nsplugin from F17 2011-12-02 14:28:57 -05:00
Miroslav
4fe804b367 +- Use fs_use_xattr for squashf
+-  Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
2011-12-01 18:25:51 +01:00
Miroslav
e5768e0fb6 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
2011-11-29 14:16:11 +01:00
Dan Walsh
e9119eedac Let firewallgui read the selinux config 2011-11-28 21:37:22 -05:00
Miroslav
0ca57d1d0a - Disable nsplugin module 2011-11-28 15:54:55 +01:00
Miroslav
234df65f40 +- Allow mcelog_t to create dir and file in /var/run and label it
+- Allow dbus to manage fusefs
+- Mount needs to read process state when mounting gluster file s
+- Allow collectd-web to read collectd lib files
+- Allow daemons and system processes started by init to read/wri
+- Allow colord to get the attributes of tmpfs filesystem
+- Add sanlock_use_nfs and sanlock_use_samba booleans
+- Add bin_t label for /usr/lib/virtualbox/VBoxManage
2011-11-23 13:05:10 +01:00
Dan Walsh
3c81e30995 Merge 2011-11-16 10:58:53 -05:00
Miroslav
19d3c68d0d - Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to steam connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
2011-11-16 14:20:04 +01:00
Miroslav
68f1456925 - Pulseaudio changes
- Merge patches
2011-11-11 17:11:46 +01:00
dwalsh
4501de4407 Checkin patches to git repository 2011-11-11 08:16:39 -05:00
Dan Walsh
4147fe8cd2 Remove allow_execmem boolean and replace with deny_execmem boolean 2011-11-08 16:35:55 -05:00
Dan Walsh
90160938e2 Turn back on allow_execmem boolean 2011-11-08 16:33:10 -05:00
Dan Walsh
e58227a2b3 Turn back on allow_execmem boolean 2011-11-08 08:47:34 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
653590a3f2 MCS fixes
quota fixes
2011-11-04 16:40:38 -04:00
Dan Walsh
01e90f94b8 MCS fixes
quota fixes
2011-11-04 13:36:24 -04:00
Dan Walsh
0b72d16e07 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	policy-F16.patch
	selinux-policy.spec
2011-11-04 13:34:59 -04:00
Dan Walsh
8872d3d2ac MCS fixes
quota fixes
2011-11-04 13:31:43 -04:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
dwalsh
d5bededc4d Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:23:55 -04:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
a1db2ce026 Remove qemu.pp again without causing a crash 2011-10-27 09:33:50 -04:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Dan Walsh
3dcddab74d Allow firewallgui to read /etc/selinux/config 2011-10-24 13:39:32 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
1a2b4d14f1 Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:44:31 -04:00
Dan Walsh
f875d285bd Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:37:11 -04:00
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
052e175084 Remove ada policy 2011-10-20 14:33:31 -04:00
Dan Walsh
b01657ac51 Remove ada policy 2011-10-20 14:21:03 -04:00
Dan Walsh
61fa8d555e Remove tzdata policy
Remove ada policy
Add labeling for udev
Add cloudform policy
Fixes for bootloader policy
2011-10-20 12:30:06 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Miroslav
1944b1a36e Remove tzdata policy 2011-10-20 18:00:51 +02:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
4dba2eb895 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-19 08:29:33 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
9bf3aa2c96 Add passwd_file_t for /etc/ptmptmp 2011-10-17 15:51:24 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
042e3a325f Don't check md5 size or mtime on certain config files 2011-10-12 15:42:07 -04:00
Dan Walsh
2f4dfeb425 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Miroslav
54943f9472 - Allow virsh to read xenstored pid file
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
2011-10-05 23:48:25 +02:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
14d7aac744 Fix missing patch from F16 2011-10-04 11:34:14 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Dan Walsh
e15ae4fa84 Fixes caused by the labeling of /etc/passwd
Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
2011-09-30 10:22:41 -04:00
Dan Walsh
a004ca8c3a Fixes caused by the labeling of /etc/passwd 2011-09-29 13:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
4d24861bc2 Add label for /etc/passwd 2011-09-28 16:18:43 -04:00
Miroslav
1b20a51a85 Add grub.patch 2011-09-28 01:09:22 +02:00
Dan Walsh
24b80bf8d9 Make unconfined domains permissive for rawhide
Add definition for ephermeral ports
2011-09-27 10:16:54 -04:00
Miroslav
02a8a402a1 - Make mta_role() active
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
2011-09-26 12:32:44 +02:00
Miroslav Grepl
1aafd0f4bc Fix spec file 2011-09-23 17:59:34 +02:00
Miroslav Grepl
031161f80b Fix spec file 2011-09-23 17:58:45 +02:00
Miroslav
f9c350238c +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
2011-09-23 13:57:44 +02:00
Dan Walsh
747b715541 Add definition for ephemeral ports
Define user_tty_device_t as a customizable_type
2011-09-21 08:39:14 -04:00
Miroslav
dec0110c4c - Needs to require a new version of checkpolicy
- Interface fixes
2011-09-20 16:24:24 +02:00
Miroslav
40af2abfd0 - Allow sanlock to manage virt lib files
- Add virt_use_sanlock booelan
- ksmtuned is trying to resolve uids
- Make sure .gvfs is labeled user_home_t in the users home directory
- Sanlock sends kill signals and needs the kill capability
- Allow mockbuild to work on nfs homedirs
- Fix kerberos_manage_host_rcache() interface
- Allow exim to read system state
2011-09-16 15:09:15 +02:00
Dan Walsh
a59df1059d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-09-15 08:58:51 -04:00
Dan Walsh
9c4a933844 Make seusers config noreplace 2011-09-15 08:58:37 -04:00
Miroslav
b3edab31fb - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
2011-09-14 16:11:08 +02:00
Miroslav
e8563b3245 +- Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
2011-09-13 16:17:16 +02:00
Miroslav
b1448b79b1 Fix typo in spec file 2011-09-09 13:31:15 +02:00
Miroslav
116a117fba - removing unconfined_notrans_t no longer necessary
- Clean up handling of secure_mode_insmod and secure_mode_policyload
- Remove unconfined_mount_t
2011-09-09 13:28:28 +02:00
Miroslav
5b0c573864 - Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy
- sssd need to search /var/cache/krb5rcache directory
- Allow corosync to relabel own tmp files
- Allow zarafa domains to send system log messages
- Allow ssh to do tunneling
- Allow initrc scripts to sendto init_t unix_stream_socket
- Changes to make sure dmsmasq and virt directories are labeled corr
- Changes needed to allow sysadm_t to manage systemd unit files
- init is passing file descriptors to dbus and on to system daemons
- Allow sulogin additional access Reported by dgrift and Jeremy Mill
- Steve Grubb believes that wireshark does not need this access
- Fix /var/run/initramfs to stop restorecon from looking at
- pki needs another port
- Add more labels for cluster scripts
- Allow apps that manage cgroup_files to manage cgroup link files
- Fix label on nfs-utils scripts directories
- Allow gatherd to read /dev/rand and /dev/urand
2011-09-06 13:51:30 +02:00
Miroslav
392fd7310f - pki needs another port
- Add more labels for cluster scripts
- Fix label on nfs-utils scripts directories
- Fixes for cluster
- Allow gatherd to read /dev/rand and /dev/urand
- abrt leaks fifo files
2011-08-31 22:51:47 +02:00
Dan Walsh
e6877a0621 Add glance policy
Allow mdadm setsched
/var/run/initramfs should not be relabeled with a restorecon run
memcache can be setup to override sys_resource
Allow httpd_t to read tetex data
Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
2011-08-31 09:25:39 -04:00
Miroslav
1c136fe943 - Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
- systemd_logind_t sets the attributes on usb devices
- Allow hddtemp_t to read etc_t files
- Add permissivedomains module
- Move all permissive domains calls to permissivedomain.te
- Allow pegasis to send kill signals to other UIDs
2011-08-29 14:07:18 +02:00
Miroslav
2f3d113f19 - Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
2011-08-24 10:24:46 +02:00
Dan Walsh
22a1cfd7d6 Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten 2011-08-23 13:59:04 -04:00
Dan Walsh
ba2e58cd41 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-08-23 13:54:26 -04:00
Dan Walsh
39eb9ea8c1 Make users_extra and seusers.final into config no replace so semanage users and semanage login files do not get overwritten 2011-08-23 13:54:16 -04:00
Miroslav
24041fb3a0 - Add policy for sa-update being run out of cron jobs
- Add create perms to postgresql_manage_db
- ntpd using a gps has to be able to read/write generic tty_device_t
- If you disable unconfined and unconfineduser, rpm needs more privs to ma
- fix spec file
- Remove qemu_domtrans_unconfined() interface
- Make passenger working together with puppet
- Add init_dontaudit_rw_stream_socket interface
- Fixes for wordpress
2011-08-23 11:03:30 +02:00
Dan Walsh
5d837b2d13 Do not do preinstall if there is not previous install 2011-08-22 16:30:00 -04:00
Miroslav
8d13f53c05 - Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
2011-08-11 16:50:01 +02:00
Dan Walsh
10f0de0090 livecd fixes
spec file fixes
2011-08-10 14:00:28 -04:00
Dan Walsh
8a78e8623e Cleanup spec file to remove rpmnew files 2011-08-05 16:16:08 -04:00
Miroslav
913fabe1c8 - fetchmail can use kerberos
- ksmtuned reads in shell programs
- gnome_systemctl_t reads the process state of ntp
- dnsmasq_t asks the kernel to load multiple kernel mod
- Add rules for domains executing systemctl
- Bogus text within fc file
2011-08-04 22:32:55 +02:00
Dan Walsh
41a18182a5 storage should be in base 2011-08-03 16:21:21 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Miroslav
58f5509584 - More fixes of rules which cause an explosion in rules by Dan Walsh 2011-07-29 14:18:40 +02:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Miroslav
f5593ed9be - Allow systemd_logind to send dbus messages with users
- allow accountsd to read wtmp file
- Allow dhcpd to get and set capabilities
2011-07-23 09:10:19 +02:00
Miroslav
6e9c2276f7 - Fix oracledb_port definition
- Allow mount to mounton the selinux file system
- Allow users to list /var directories
2011-07-22 12:37:49 +02:00
Miroslav
273e934611 systemd fixes 2011-07-21 17:22:47 +02:00
Miroslav
2ed5289fc9 - Add initial policy for abrt_dump_oops_t
- xtables-multi wants to getattr of the proc fs
- Smoltclient is connecting to abrt
- Dontaudit leaked file descriptors to postdrop
- Allow abrt_dump_oops to look at kernel sysctls
- Abrt_dump_oops_t reads kernel ring buffer
- Allow mysqld to request the kernel to load modules
- systemd-login needs fowner
- Allow postfix_cleanup_t to searh maildrop
2011-07-19 17:44:23 +02:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Miroslav Grepl
2b7c0552d7 - Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sock
- iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-mult
2011-07-14 18:49:37 +02:00
Miroslav Grepl
50f07b8abf Fix spec file 2011-07-12 14:59:13 +02:00
Miroslav Grepl
330eac5848 - A lot of users are running yum -y update while in /root which is causing ldc
- Allow colord to interact with the users through the tmpfs file system
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to b
- Add label for /var/log/mcelog
- Allow asterisk to read /dev/random if it uses TLS
- Allow colord to read ini files which are labeled as bin_t
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
- Systemd needs to be able to create sock_files for every label in /var/run di
- Also lists /var and /var/spool directories
- Add openl2tpd to l2tpd policy
- qpidd is reading the sysfs file
2011-07-12 09:44:07 +02:00
Dan Walsh
fb5b77fade Fully path the semodule command 2011-07-01 06:35:11 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
2885bf8a6e - More fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git
2011-06-27 08:43:05 +02:00
Dan Walsh
7e1b615aa4 Next attempt at getting selinux-policy-* to work without rebuilding policy. 2011-06-16 12:01:25 -04:00
Dan Walsh
cf012ea57e Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-06-16 08:58:41 -04:00
Dan Walsh
8782a92ced Change required policycoreutils and libsemanage 2011-06-16 08:58:19 -04:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Dan Walsh
857c813190 Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. 2011-06-09 22:36:45 -04:00
Dan Walsh
d0597c1c15 apply merge 2011-06-08 12:17:39 -04:00
Miroslav Grepl
183e54f534 Old passanger module needs to be removed in spec file 2011-06-08 17:41:02 +02:00
Miroslav Grepl
d8b121329f - Fixes for zabbix
- init script needs to be able to manage sanlock_var_run_...
- Allow sandlock and wdmd to create /var/run directories...
- mixclip.so has been compiled correctly
- Fix passenger policy module name
2011-06-08 17:32:27 +02:00
Dan Walsh
5253d49ee9 Update from git 2011-06-07 14:43:31 -04:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Dan Walsh
0535650520 Allow policy.VERSION and modules to ship with package 2011-06-07 11:09:32 -04:00
Miroslav Grepl
0e70f655b4 Fix spec file 2011-06-02 15:17:47 +02:00
Miroslav Grepl
a56fb9fa8f - Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
       * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-06-02 15:16:46 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Miroslav Grepl
ace25237f9 - Lot of fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-05-24 16:38:28 +02:00
Dan Walsh
d97c92c34b New policy patch requires updated checkpolicy package 2011-05-23 18:27:11 -04:00
Miroslav Grepl
cb71de50e9 - Allow logrotate to execute systemctl
- Allow nsplugin_t to getattr on gpmctl
- Fix dev_getattr_all_chr_files() interface
- Allow shorewall to use inherited terms
- Allow userhelper to getattr all chr_file devices
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
- Fix labeling for ABRT Retrace Server
2011-05-19 18:12:32 +02:00
Dan Walsh
7fbbd6f924 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-09 14:40:43 -04:00
Miroslav Grepl
27bf70c04e - Dontaudit sys_module for ifconfig
- Make telepathy and gkeyringd daemon working with confined users
- colord wants to read files in users homedir
- Remote login should be creating user_tmp_t not its own tmp files
2011-05-09 20:39:25 +00:00
Dan Walsh
ff120d7be5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-06 10:51:56 -04:00
Miroslav Grepl
cfc00b53cb - Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer
- Fix boolean description
- Allow colord to getattr on /proc/scsi/scsi
- Add label for /lib/upstart/init
- Colord needs to list /mnt
2011-05-05 14:39:44 +00:00
Dan Walsh
e81c7996c4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-03 16:37:04 -04:00
Miroslav Grepl
6347ee7725 - Forard port changes from F15 for telepathy
- NetworkManager should be allowed to use /dev/rfkill
- Fix dontaudit messages to say Domain to not audit
- Allow telepathy domains to read/write gnome_cache files
- Allow telepathy domains to call getpw
- Fixes for colord and vnstatd policy
2011-05-03 19:46:26 +00:00
Miroslav Grepl
b02295db9b - Allow init_t getcap and setcap
- Allow namespace_init_t to use nsswitch
- aisexec will execute corosync
- colord tries to read files off noxattr file systems
- Allow init_t getcap and setcap
2011-04-27 16:15:38 +00:00
Dan Walsh
99b2fe91aa Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-04-27 11:06:38 -04:00
Dan Walsh
402e7b8a4a Default telepath to allow it to connect to network ports 2011-04-21 18:26:23 -04:00
Miroslav Grepl
a8c63d7e69 - Add support for ABRT retrace server
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners
- Allow telepath_msn_t to read /proc/PARENT/cmdline
- ftpd needs kill capability
- Allow telepath_msn_t to connect to sip port
- keyring daemon does not work on nfs homedirs
- Allow $1_sudo_t to read default SELinux context
- Add label for tgtd sock file in /var/run/
- Add apache_exec_rotatelogs interface
- allow all zaraha domains to signal themselves, server writes to /tmp
- Allow syslog to read the process state
- Add label for /usr/lib/chromium-browser/chrome
- Remove the telepathy transition from unconfined_t
- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts
- Allow initrc_t domain to manage abrt pid files
- Add support for AEOLUS project
- Virt_admin should be allowed to manage images and processes
- Allow plymountd to send signals to init
- Change labeling of fping6
2011-04-21 16:35:40 +00:00
Dan Walsh
ff64d9c354 Accidently checked in my test spec file 2011-04-21 10:07:57 -04:00
Dan Walsh
bd16f8dd70 Readd my patch 2011-04-19 11:36:13 -04:00
Dan Walsh
9bd1686ff7 Move to version 26 of policy 2011-04-19 11:34:24 -04:00
Miroslav Grepl
a357639bb0 - Fixes for zarafa policy
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymountd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
2011-04-19 13:53:55 +00:00
Dan Walsh
637b33d9f3 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-15 14:24:32 -04:00
Miroslav Grepl
6ac26422cc - xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemdctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port - Fixes for colord policy
2011-04-15 09:08:10 +00:00
Dan Walsh
e935d25737 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-12 10:57:09 -04:00
Dan Walsh
826311d497 Testing 2011-04-11 17:06:55 -04:00
Miroslav Grepl
1b7c8fcdf6 - Add Dan's patch to remove 64 bit variants
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclok to enable ntpd service using systemctl - systemd_syst
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
2011-04-11 07:58:00 +00:00
Dan Walsh
86354fa4cc Remove lib64 mapping and use subs. change subs name to file_context.subs_dist 2011-04-05 15:30:24 -04:00
Miroslav Grepl
2130480ad3 - Fix typo 2011-04-05 09:38:41 +00:00
Miroslav Grepl
397c1e2d5c - Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
2011-04-04 23:41:02 +00:00
Dan Walsh
568f781d20 Update to latest versions and change policy version 2011-04-04 16:50:06 -04:00
Miroslav Grepl
81c96b1880 comment out the sepolgen line 2011-04-04 20:43:56 +00:00
Miroslav Grepl
aaa0ee57f3 comment out the sepolgen line 2011-04-04 20:33:32 +00:00
Miroslav Grepl
68129209ed comment out the sepolgen line 2011-04-04 20:16:34 +00:00
Miroslav Grepl
fb7e97f251 - Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00
Miroslav Grepl
a7705c54e1 - Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy
2011-04-01 16:12:27 +00:00
Miroslav Grepl
36d3f31dcf - Allow $1_sudo_t and $1_su_t open access to user terminals
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
-systemd is going to be useing /run and /run/lock for early bootup files.
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has setup /dev/kmsg as stderr for apps it executes
- Need these access so that init can impersonate sockets on unix_dgram_socket
2011-03-25 14:54:13 +00:00
Miroslav Grepl
47d5c167a8 - Remove some unconfined domains
- Remove permissive domains
- Add policy-term.patch from Dan
2011-03-23 23:53:27 +00:00
Miroslav Grepl
7c23cf73df Fix multiple specification for boot.log 2011-03-17 16:01:12 +00:00
Miroslav Grepl
f5eb99f70b - devicekit leaks file descriptors to setfiles_t
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
2011-03-17 15:46:18 +00:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
f7f5ca9228 +- mozilla_plugin_tmp_t needs to be treated as user tmp files
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
2011-03-10 22:02:46 +00:00
Miroslav Grepl
8d54634624 - Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00
Miroslav Grepl
9b89d85005 Fix minimum policy 2011-03-08 18:36:28 +00:00
Miroslav Grepl
6726024e43 Update to upstream 2011-03-08 18:28:56 +00:00
Miroslav Grepl
781f349e05 - gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should  be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
2011-03-01 17:08:45 +00:00
Miroslav Grepl
c34a0c5248 - Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved
- Allo cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- allow all sandbox to read selinux poilcy config files
- Allow cluster domains to use the system bus and send each other dbus messages
2011-02-21 21:46:58 +00:00
Miroslav Grepl
7288282fd4 - Update to upstream 2011-02-16 18:45:08 +00:00
Dennis Gilmore
60e174d11c - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 07:08:32 -06:00
Dan Walsh
d3861ceab3 - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
2011-02-08 18:00:22 -05:00
Dan Walsh
812781becc - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
2011-02-08 17:50:40 -05:00
Miroslav Grepl
f12703ea7e - New labeling for postfmulti #675654
- dontaudit xdm_t listing noxattr file systems
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
- shutdown is passed stdout to a xdm_log_t file
- smartd creates a fixed disk device
- dovecot_etc_t contains a lnk_file that domains need to read
- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
2011-02-08 12:43:56 +00:00
Miroslav Grepl
19cd669e5e - syslog_t needs syslog capability
- dirsrv needs to be able to create /var/lib/snmp
- Fix labeling for dirsrv
- Fix for dirsrv policy missing manage_dirs_pattern
- corosync needs to delete clvm_tmpfs_t files
- qdiskd needs to list hugetlbfs
- Move setsched to sandbox_x_domain, so firefox can run without network access
- Allow hddtemp to read removable devices
- Adding syslog and read_policy permissions to policy
       * syslog
               Allow unconfined, sysadm_t, secadm_t, logadm_t
       * read_policy
               allow unconfined, sysadm_t, secadm_t, staff_t on Targeted
               allow sysadm_t (optionally), secadm_t on MLS
- mdadm application will write into /sys/.../uevent whenever arrays are
assembled or disassembled.
2011-02-03 18:30:25 +00:00
Dan Walsh
731e693460 - Add tcsd policy 2011-02-01 16:45:17 -05:00
Dan Walsh
0e793cf10b Merge branches 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-02-01 16:08:31 -05:00
Miroslav Grepl
ebce355dea - ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Allow dbus to use setrlimit to increase resoueces
- Mozilla_plugin is leaking to sandbox
- Allow confined users  to connect to lircd over unix domain stream socket whic
- Allow awstats to read squid logs
- seunshare needs to manage tmp_t
- apcupsd cgi scripts have a new directory
2011-02-01 18:30:35 +00:00
Dan Walsh
6b3837d6e4 stop relabeling /var/lib 2011-01-27 14:29:13 -05:00
Miroslav Grepl
73e5debe55 - Fix xserver_dontaudit_read_xdm_pid
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
       * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
- Allow readahead to manage readahead pid dirs
- Allow readahead to read all mcs levels
- Allow mozilla_plugin_t to use nfs or samba homedirs
2011-01-27 18:13:11 +00:00
Miroslav Grepl
3c70739f2c - Allow nagios plugin to read /proc/meminfo
- Fix for mozilla_plugin
- Allow samba_net_t to create /etc/keytab
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wt
- nslcd can read user credentials
- Allow nsplugin to delete mozilla_plugin_tmpfs_t
- abrt tries to create dir in rpm_var_lib_t
- virt relabels fifo_files
- sshd needs to manage content in fusefs homedir
- mock manages link files in cache dir
2011-01-25 17:44:14 +00:00
Miroslav Grepl
0ababf8492 - nslcd needs setsched and to read /usr/tmp
- Invalid call in likewise policy ends up creating a bogus role
- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
- Allow screen to create screen_home_t in /root
- dirsrv sends syslog messages
- pinentry reads stuff in .kde directory
- Add labels for .kde directory in homedir
- Treat irpinit, iprupdate, iprdump services with raid policy
2011-01-21 17:24:28 +00:00
Miroslav Grepl
408ea919b7 - NetworkManager wants to read consolekit_var_run_t
- Allow readahead to create /dev/.systemd/readahead
- Remove permissive domains
- Allow newrole to run namespace_init
2011-01-19 18:43:03 +00:00
Miroslav Grepl
ac028b8413 Fix release 2011-01-18 11:00:30 +00:00
Miroslav Grepl
a34c78a0fd - Add sepgsql_contexts file 2011-01-18 10:28:56 +00:00
Miroslav Grepl
86b1f12f92 - Update to upstream 2011-01-17 18:42:12 +00:00
Miroslav Grepl
f16c69cb48 - Add oracle ports and allow apache to connect to them if the connect_db boole
- Add puppetmaster_use_db boolean
- Fixes for zarafa policy
- Fixes for gnomeclock poliy
- Fix systemd-tmpfiles to use auth_use_nsswitch
2011-01-17 17:47:06 +00:00
Miroslav Grepl
116d73139a - gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de - Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49 - Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
ef836a9861 - New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
2010-12-22 16:12:41 -05:00
Miroslav Grepl
d980545506 - Update to upstream
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
2010-12-21 09:32:36 +00:00
Miroslav Grepl
d6c5f3679b Update to upstream 2010-12-20 17:43:48 +00:00
Dan Walsh
f3f61efb0b - Update selinux policy to handle new /usr/share/sandbox/start script 2010-12-16 11:25:39 -05:00
Miroslav Grepl
0ba6b243f7 - Update to upstream
- Fix version of policy in spec file
2010-12-15 11:03:25 +00:00
Miroslav Grepl
1adb28c6ec - Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
- remove per sandbox domains devpts types
- Allow dkim-milter sending signal to itself
2010-12-14 19:49:10 +00:00
Dan Walsh
25660bf875 - Allow domains that transition to ping or traceroute, kill them
- Allow user_t to conditionally transition to ping_t and traceroute_t
- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
2010-12-13 17:11:28 -05:00
Miroslav Grepl
3c0b9eac8c - Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00
Miroslav Grepl
b04a855a22 - Fixes for clamscan and boinc policy
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
2010-12-10 13:55:11 +00:00
Miroslav Grepl
c2ad3681fa - Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
2010-12-07 17:51:16 +00:00