Dan Walsh
9461b60657
Add the ability to send audit messages to confined admin policies
...
Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
2010-09-15 11:31:20 -04:00
Miroslav Grepl
3b0a9c74bb
Allow iscsid to manage tgtd semaphores
2010-09-15 16:50:07 +02:00
Dan Walsh
6dfe56b4e5
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
2010-09-14 16:39:10 -04:00
Dan Walsh
43a0339db4
add labeling for /root/.debug
2010-09-14 15:29:18 -04:00
Dan Walsh
d7f2020c46
- Allow all domains that can use cgroups to search tmpfs_t directory
...
- Allow init to send audit messages
2010-09-14 15:18:34 -04:00
Miroslav Grepl
323c9f13bb
Fixes for vmware-host policy
2010-09-14 19:28:55 +02:00
Dan Walsh
c2dae98501
Allow a couple of sandbox issues.
...
Remove postgresql managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
2010-09-14 10:02:43 -04:00
Dan Walsh
4251ae1004
Add labels for /lib/readahead.
...
Add back gnome_setattr interface
2010-09-13 16:15:43 -04:00
Dan Walsh
5ef740e54b
Fix gnome_setattr_config_home
...
Allow exec of sandbox_file_type by calling apps
Fix typos
2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941
Fix some names in passenger policy
2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290
Move passenger policy to services
2010-09-13 15:10:30 +02:00
Dan Walsh
536f28a2bf
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
2010-09-13 08:43:40 -04:00
Dan Walsh
1a40cbf63e
Fix boolean descriptions
2010-09-13 08:43:35 -04:00
Miroslav Grepl
3a3212619a
Allow dovecot-deliver to create tmp files
...
Allow tor to send signals to itself
2010-09-13 13:12:24 +02:00
Miroslav Grepl
d7de04f8d4
- Add passenger policy
2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855
Fix cert calls in telepath, boinc, kerberos
...
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/admin/amanda.if
policy/modules/system/init.te
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/userdomain.if
2010-09-10 13:02:25 -04:00
Dan Walsh
d7544f0d25
rename mdadm_map_t to mdadm_var_run_t
2010-09-10 12:14:25 -04:00
Dan Walsh
0b8f4cfe16
More fixes for mozilla_plugin_t
...
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802
Module version bumps for cert patch.
2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1
Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags.
2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
...
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domains' calls to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8
Allow hugetlbfs_t to be on device_t file system
...
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00
Chris PeBenito
8fbea561bb
Module version bump for 8296eb2.
2010-09-10 08:51:54 -04:00
Dan Walsh
e81afdf5c9
raid tools now store pid file and sock_file in /dev/md for early boot.
2010-09-09 14:26:32 -04:00
Dan Walsh
8e47c02b16
fixes for openvpn suggested by dgrift
2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345
Allow mozilla_plugin to create nsplugin_home_t directories
...
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Chris PeBenito
9c2c77403f
Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type.
2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384
Clean up Anaconda policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a
Clean up Amtu module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261
Clean up Amanda module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:13:13 -04:00
Dan Walsh
5f5963be01
add policy for ajaxterm
2010-09-09 07:11:32 -04:00
Dan Walsh
4c38170781
add policy for ajaxterm
2010-09-09 07:10:24 -04:00
Dan Walsh
d46a2b0115
allow sudo to create sudo_db_t dirs
2010-09-08 18:32:15 -04:00
Dan Walsh
ee4b1e0aad
Allow crond to manage user_spool_cron_t link files
...
Allow init to delete dbus message.pid
Allow init and udev to create hugetlbfs directories
2010-09-08 17:54:31 -04:00
Dan Walsh
b36c20b2a9
Allow sudo domains to manage /var/db/sudo
...
Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
2010-09-08 17:27:24 -04:00
Dan Walsh
a75a591e52
Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x
2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7
Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
...
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461
Cleanup warnings
2010-09-08 10:43:22 -04:00
Dan Walsh
4432db497b
add sametime port definition
2010-09-08 10:33:16 -04:00
Dan Walsh
689bfef3a8
Fix apache interface
2010-09-08 10:29:40 -04:00
Dan Walsh
f79af26649
fix bad patch in xserver
2010-09-08 10:25:03 -04:00
Dan Walsh
aa760a2345
Fix gnome interface definitions
2010-09-08 10:10:20 -04:00
Dan Walsh
e51122d3e1
add sametime port definition
2010-09-08 09:40:46 -04:00
Dan Walsh
0745e42559
fix typo in xserver_stream_connect
2010-09-08 09:29:02 -04:00
Dan Walsh
36d83cb651
cleanup alsa patch to match upstream
2010-09-08 09:10:48 -04:00
Dan Walsh
4192c80c13
Eliminate extra alsa_read_home interface
2010-09-08 09:08:34 -04:00
Dan Walsh
8187343042
Any app that executes service command will not do a getattr of all mounted file systems
2010-09-08 08:56:13 -04:00
Dan Walsh
c16ffd1861
Allow apps that use pam to connect to init_t
2010-09-08 08:54:29 -04:00
Dan Walsh
db879987ca
Fix pootle
2010-09-07 16:32:23 -04:00