Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
We went back and reread the bindreservport code in glibc.
Turns out the range or ports that this will reserve are 512-1024 rather
then 600-1024.
The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.
So we need to change corenetwork to reflect this.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Add ability to dontaudit requiests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var. This is never used by update-modules.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
