Commit Graph

237 Commits

Author SHA1 Message Date
Dan Walsh
7bf1025fa8 Revert "Dropping support for snort since it was dropped from Fedora. Users should use nagios"
This reverts commit 76d9bfedb6.
2012-02-07 17:18:16 -05:00
Dan Walsh
5c28b0512d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2012-02-07 17:17:54 -05:00
Dan Walsh
76d9bfedb6 Dropping support for snort since it was dropped from Fedora. Users should use nagios 2012-02-07 17:15:35 -05:00
Dan Walsh
d3a57c6cc7 Fedora no longer ships kerneloops, dropping policy 2012-02-07 17:09:23 -05:00
Miroslav Grepl
81894dfe50 - Add policy for grindengine MPI jobs 2012-02-07 18:18:07 +01:00
Miroslav Grepl
4689b08b49 - Add new sysadm_secadm.pp module
* contains secadm definition for sysadm_t
- Move user_mail_domain access out of the interface into the
- Allow httpd_t to create httpd_var_lib_t directories as wel
- Allow snmpd to connect to the ricci_modcluster stream
- Allow firewalld to read /etc/passwd
- Add auth_use_nsswitch for colord
- Allow smartd to read network state
- smartdnotify needs to read /etc/group
2012-02-06 23:20:13 +01:00
Miroslav
30ab254413 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory
- lxdm startup scripts should be labeled bin_t, so confined users will work
- mcstransd now creates a pid, needs back port to F16
- qpidd should be allowed to connect to the amqp port
- Label devices 010-029 as usb devices
- ypserv packager says ypserv does not use tmp_t so removing selinux policy types
- Remove all ptrace commands that I believe are caused by the kernel/ps avcs
- Add initial Obex policy
- Add logging_syslogd_use_tty boolean
- Add polipo_connect_all_unreserved bolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
2012-02-03 10:57:34 +01:00
Miroslav
1b62e3889e use entropyd instead of entropy 2012-01-11 13:33:22 +01:00
Dan Walsh
7cf580ebcc Rename audioentropy to entropy to match upstream 2012-01-06 11:52:44 -05:00
Dan Walsh
904f70ac64 Add Zoneminder policy 2011-12-22 19:26:50 +00:00
Dan Walsh
628fb6b378 Merge nsplugin with mozilla_plugin 2011-11-17 13:31:47 -05:00
Dan Walsh
c68d7aa77c Add blueman policy 2011-11-11 08:15:48 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
6a55631bdf Update ephemeral patch and fix modules defs for the thumb images 2011-09-27 11:16:13 -04:00
Dan Walsh
e88b9a2383 add thumbnailer protection 2011-09-26 10:57:37 -04:00
Dan Walsh
624394103f Add glance module definition 2011-08-29 13:35:06 -04:00
Dan Walsh
7c5dd0aa37 Add permissivedomains module 2011-08-26 11:40:56 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Dan Walsh
d0fad1166a Add uuidd module 2011-07-29 10:36:34 -04:00
Dan Walsh
c1eb3ef122 Remove howl, hotplug and kudzu modules, since they are no longer used 2011-07-29 09:49:16 -04:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Dan Walsh
8193baf6c3 Add collectd module to targeted policy 2011-07-25 11:30:08 -04:00
Dan Walsh
dd16c38c4b Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-07-19 08:17:17 -04:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Dan Walsh
854346f783 add ctdbd policy module 2011-07-14 13:39:22 -04:00
Miroslav Grepl
40468c4016 Fix typo in modules-targeted.conf 2011-07-12 10:14:13 +02:00
Dan Walsh
5a8295ac0d add l2tpd daemon policy 2011-07-05 16:20:25 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Dan Walsh
7920a06561 add sanlock and wdmd policy 2011-05-23 18:37:50 -04:00
Dan Walsh
d34689e1c3 Add callweaver module 2011-05-17 11:02:03 +02:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
a72013a386 Add colord policy 2011-03-08 18:32:49 +00:00
Dan Walsh
731e693460 - Add tcsd policy 2011-02-01 16:45:17 -05:00
Miroslav Grepl
116d73139a - gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de - Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49 - Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
c68e37c2c7 Make alsa a module rather then in base 2010-12-21 09:24:00 -05:00
Miroslav Grepl
3c0b9eac8c - Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00