Commit Graph

1363 Commits

Author SHA1 Message Date
Miroslav Grepl
953ff14b8b Fix spec file 2013-02-05 11:02:32 +01:00
Miroslav Grepl
da973f3722 - Add xserver_xdm_ioctl_log() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Fix ntp_filetrans_named_content calling in init.te
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Change ntp.conf to be labeled net_conf_t
- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we sho
- Allow xdm_t to execute gstreamer home content
- Allod initrc_t and unconfined domains, and sysadm_t to manage ntp
- New policy for openstack swift domains
- More access required for openshift_cron_t
- Use cupsd_log_t instead of cupsd_var_log_t
- rpm_script_roles should be used in rpm_run
- Fix rpm_run() interface
- Fix openshift_initrc_run()
- Fix sssd_dontaudit_stream_connect() interface
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow mozilla-plugin-config to read power_supply info
- Implement cups_domain attribute for cups domains
- We now need access to user terminals since we start by executing a command
- We now need access to user terminals since we start by executing a command
- svirt lxc containers want to execute userhelper apps, need these changes to
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Change rpm to use rpm_script_roles
- More fixes for rsync to make rsync <backuphost> wokring
- Allow logwatch to domtrans to mdadm
- Allow pacemaker to domtrans to ifconfig
- Allow pacemaker to setattr on corosync.log
- Add pacemaker_use_execmem for memcheck-amd64 command
- Allow block_suspend capability
- Allow create fifo_file in /tmp with pacemaker_tmp_t
- Allow systat to getattr on fixed disk
- Relabel /etc/ntp.conf to be net_conf_t
- ntp_admin should create files in /etc with the correct label
- Add interface to create ntp_conf_t files in /etc
- Add additional labeling for quantum
- Allow quantum to execute dnsmasq with transition
2013-02-05 11:01:00 +01:00
Miroslav Grepl
f125066d3c * Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-9
- boinc_cliean wants also execmem as boinc projecs have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Create tmpfs file while running as wine as user_tmpfs_t
- Dontaudit attempts by readahead to read sock_files
- libmpg ships badly created librarie
2013-01-30 12:41:36 +01:00
Dan Walsh
45852f5fe5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2013-01-28 15:39:02 -05:00
Dan Walsh
b59d07ae28 Do a better job of cleaning up old policy files, trigger relabel of /home on upgrade to F19 2013-01-28 15:36:16 -05:00
Miroslav Grepl
aab1932f46 - Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
- libmpg ships badly created libraries
- Add support for strongswan.service
- Add labeling for strongswan
- Allow l2tpd_t to read network manager content in /run directory
- Allow rsync to getattr any file in rsync_data_t
- Add labeling and filename transition for .grl-podcasts
2013-01-28 20:11:03 +01:00
Miroslav Grepl
1802bef984 * Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
2013-01-25 14:24:33 +01:00
Miroslav Grepl
4c3676d47a clamav and amavis has been merge to antivirus policy 2013-01-25 14:17:56 +01:00
Miroslav Grepl
b591902d83 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_acces, so that an rsync server can write all
- over the local machine
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
- Add missing vpnc_roles type line
- Allow stapserver to write content in /tmp
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Add interface to colord_t dbus_chat to allow it to read remote process state
- Allow colord_t to read cupsd_t state
- Add mate-thumbnail-font as thumnailer
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
- Allow qpidd to list /tmp. Needed by ssl
- Only allow init_t to transition to rsync_t domain, not initrc_t.  This should be b
- - Added systemd support for ksmtuned
- Added booleans
       ksmtuned_use_nfs
       ksmtuned_use_cifs
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp a
- Looks like qpidd_t needs to read /dev/random
- Lots of probing avc's caused by execugting gpg from staff_t
- Dontaudit senmail triggering a net_admin avc
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() iterface
2013-01-23 12:22:19 +01:00
Dan Walsh
a09a7deb16 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2013-01-16 09:46:42 -05:00
Dan Walsh
6d40a6c274 Add selinux-policy-filesystem for /etc/selinux directory so it can be shared with libsemanage 2013-01-16 09:46:31 -05:00
Miroslav Grepl
207a4dfc95 - Fix systemd_manage_unit_symlinks() interface
- Call systemd_manage_unit_symlinks(() which is correct interface
- Add filename transition for opasswd
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow sytstemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to syste
- colord needs to communicate with systemd and systemd_logind, also remov
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we hav
- Allow gpg_t to manage all gnome files
- Stop using pcscd_read_pub_files
- New rules for xguest, dontaudit attempts to dbus chat
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- Allow firewalld to create its mmap files in tmpfs and tmp directories
- run unbound-chkconf as named_t, so it can read dnssec
- Colord is reading xdm process state, probably reads state of any apps t
- Allow mdadm_t to change the kernel scheduler
- mythtv policy
- Update mandb_admin() interface
- Allow dsspam to listen on own tpc_socket
2013-01-16 15:13:43 +01:00
Dan Walsh
5f2806ad4e Rename gnomeclock to systemd_timedated 2013-01-15 18:58:56 -05:00
Miroslav Grepl
7f090dbfaa * Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
- Allow systemd-tmpfiles to relabel lpd spool files
- Ad labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Remove duplicate rules from *.te
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interfac
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
2013-01-14 13:39:59 +01:00
Miroslav Grepl
a7dce2ac5c * Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
- Allow gnomeclock to talk to puppet over dbus
- Allow numad access discovered by Dominic
- Add support for HOME_DIR/.maildir
- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d
- Allow udev to relabel udev_var_run_t lnk_files
- New bin_t file in mcelog
2013-01-11 19:30:57 +01:00
Miroslav Grepl
0c265c3817 Add back consolekit but we keep just consolekit.te and .fc was commented 2013-01-11 14:33:08 +01:00
Miroslav Grepl
f851aec1c4 - Remove all mcs overrides and replace with t1 != mcs_constrained_ty
- Add attribute_role for iptables
- mcs_process_set_categories needs to be called for type
- Implement additional role_attribute statements
- Sodo domain is attempting to get the additributes of proc_kcore_t
- Unbound uses port 8953
- Allow svirt_t images to compromise_kernel when using pci-passthrou
- Add label for dns lib files
- Bluetooth aquires a dbus name
- Remove redundant files_read_usr_file calling
- Remove redundant files_read_etc_file calling
- Fix mozilla_run_plugin()
- Add role_attribute support for more domains
2013-01-10 17:31:42 +01:00
Miroslav Grepl
fa970c32f1 use policy.29 2013-01-09 14:52:41 +01:00
Miroslav Grepl
8f47af1bde Require POLICYCOREUTILSVER 2.1.13-53 2013-01-09 14:52:16 +01:00
Miroslav Grepl
23a9442e40 * Wed Jan 9 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-1
- Mass merge with upstream
2013-01-09 13:16:35 +01:00
Miroslav Grepl
e5e41801b0 Upload new upstream sources 2013-01-08 11:50:45 +01:00
Miroslav Grepl
9cdcf52c73 Bump POLICYVER 2013-01-07 17:43:07 +01:00
Miroslav Grepl
fdeb413467 Revert "Upstream uses ctdb instead of ctdbd policy"
This reverts commit 1871109735.
2013-01-07 14:54:40 +01:00
Miroslav Grepl
c57639b449 Revert "Upstream change:"
This reverts commit 098e5a0968.
2013-01-07 14:54:27 +01:00
Miroslav Grepl
1a1e004154 Revert "Upstream change:"
This reverts commit 7316889d21.
2013-01-07 14:54:15 +01:00
Miroslav Grepl
6e9f07d2e3 Revert "Upstream change:"
This reverts commit 0368b4c345.
2013-01-07 14:54:04 +01:00
Miroslav Grepl
0368b4c345 Upstream change:
-isnsd = module
+isns = module
2013-01-07 14:32:26 +01:00
Miroslav Grepl
7316889d21 Upstream change:
-glusterd =  module
+glusterfs =  module
2013-01-07 12:43:02 +01:00
Miroslav Grepl
098e5a0968 Upstream change:
-fcoemon = module
+fcoe = module
2013-01-07 09:44:43 +01:00
Miroslav Grepl
1871109735 Upstream uses ctdb instead of ctdbd policy 2013-01-07 00:11:42 +01:00
Dan Walsh
01be266ba7 Bump the policy version to 28 to match selinux userspace
- Rebuild versus latest libsepol
2013-01-06 10:35:25 -05:00
Miroslav Grepl
17da016672 * Wed Jan 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtim

* Thu Dec 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
2013-01-02 15:52:27 +01:00
Miroslav Grepl
eb0fd25a19 renamed: policy-rawhide.patch -> policy-rawhide-base.patch
renamed:    policy_contrib-rawhide.patch -> policy-rawhide-contrib.patch
2013-01-02 15:50:45 +01:00
Miroslav Grepl
52491466e2 Backport policy from F18 2012-12-21 09:57:21 +01:00
Miroslav Grepl
a270091f19 Make rawhide == f18 2012-12-17 17:21:00 +01:00
rhatdan
5991fc8049 Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead 2012-08-08 11:20:07 -04:00
Miroslav Grepl
e88478c88d +* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-3
+- Add role rules for realmd, sambagui
2012-08-07 17:16:15 +02:00
Miroslav Grepl
711b0e2035 * Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM modu
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
2012-08-07 16:51:57 +02:00
Miroslav Grepl
e2915aed43 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11
- Fix saslauthd when it tries to read /etc/shadow
- Label gnome-boxes as a virt homedir
- Need to allow svirt_t ability to getattr on nfs_t file
- Update sanlock policy to solve all AVC's
- Change confined users can optionally manage virt conte
- Handle new directories under ~/.cache
- Add block suspend to appropriate domains
- More rules required for containers
- Allow login programs to read /run/ data created by sys
- Allow staff users to run svirt_t processes
2012-08-03 16:06:03 +02:00
Miroslav Grepl
46a9c6067c * Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0
- Update to upstream
2012-08-02 07:43:02 +02:00
Miroslav Grepl
3c848e8da5 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15
- More fixes for systemd to make rawhide booting from Dan Walsh
2012-07-30 22:23:31 +02:00
Miroslav Grepl
42c4091430 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-
- Add systemd fixes to make rawhide booting
2012-07-30 17:37:17 +02:00
Miroslav Grepl
b4a78ad40d - Add systemd_logind_inhibit_var_run_t attribute
- Remove corenet_all_recvfrom_unlabeled() for non-contrib policies because we moved it to domain.if for all domain_type
- Add interface for mysqld to dontaudit signull to all processes
- Label new /var/run/journal directory correctly
- Allow users to inhibit suspend via systemd
- Add new type for the /var/run/inhibit directory
- Add interface to send signull to systemd_login so avahi can send them
- Allow systemd_passwd to send syslog messages
- Remove corenet_all_recvfrom_unlabeled() calling fro policy files
- Allow       editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Allow dbus to inhibit suspend via systemd
- Allow avahi to send signull to systemd_login
2012-07-27 16:32:49 +02:00
Dan Walsh
2676121267 Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-party drivers
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man pages
2012-07-24 15:56:40 -04:00
Miroslav Grepl
9ba137b17b * Mon Jul 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-12
- Add interface to dontaudit getattr access on sysctls
- Allow sshd to execute /bin/login
- Looks like xdm is recreating the xdm directory in ~/.cache/ on login
- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou
-  Fix semanage to work with unconfined domain disabled on F18
- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls
- Virt seems to be using lock files
- Dovecot seems to be searching directories of every mountpoint
- Allow jockey to read random/urandom, execute shell and install third-part
- Add aditional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w
- Add a bunch of dontaudit rules to quiet svirt_lxc domains
- Additional perms needed to run svirt_lxc domains
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Allow procmail to manage /home/user/Maildir content
- Allow NM to execute wpa_cli
- Allow amavis to read clamd system state
- Regenerate man page
2012-07-23 17:47:41 +02:00
Dennis Gilmore
c07f6435e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-21 14:21:28 -05:00
Miroslav Grepl
3da13de031 +- Add realmd and stapserver policies
+- Allow useradd to manage stap-server lib files
+- Tighten up capabilities for confined users
+- Label /etc/security/opasswd as shadow_t
+- Add label for /dev/ecryptfs
+- Allow condor_startd_t to start sshd with the ranged
+- Allow lpstat.cups to read fips_enabled file
+- Allow pyzor running as spamc_t to create /root/.pyzor directory
+- Add labelinf for amavisd-snmp init script
+- Add support for amavisd-snmp
+- Allow fprintd sigkill self
+- Allow xend (w/o libvirt) to start virtual machines
+- Allow aiccu to read /etc/passwd
+- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo
+- Add condor_startd_ranged_domtrans_to() interface
+- Add ssd_conf_t for /etc/sssd
+- accountsd needs to fchown some files/directories
+- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
+- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works
+- Allow xend_t to read the /etc/passwd file
 Please enter the commit message for your changes. Lines starting
 with '#' will be ignored, and an empty message aborts the commit.
 On branch master
 Changes to be committed:
   (use "git reset HEAD <file>..." to unstage)

	modified:   policy-rawhide.patch
	modified:   policy_contrib-rawhide.patch
	modified:   selinux-policy.spec
2012-07-16 00:03:02 +02:00
Dan Walsh
18fc0f3c99 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-13 16:59:14 -04:00
Dan Walsh
9d1d9952b1 Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Add labeling for /opt/brother/Printers(.*/)?inf
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
2012-07-12 19:20:37 -04:00
Miroslav Grepl
98ec5a124e - Until we figure out how to fix systemd issues, allow all apps that send syslog messag
- Add init_access_check() interface
- Fix label on /usr/bin/pingus to not be labeled as ping_exec_t
- Allow tcpdump to create a netlink_socket
- Label newusers like useradd
- Change xdm log files to be labeled xdm_log_t
- Allow sshd_t with privsep to work in MLS
- Allow freshclam to update databases thru HTTP proxy
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Add labeling and filename transition for dbomatic.log
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
- Allow amavisd to execute fsav
- Allow tuned to use sys_admin and sys_nice capabilities
- Add php-fpm policy from Bryan
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Fix gnome_role_gkeyringd() interface description
- Lot of interface fixes
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
2012-07-11 16:45:33 +02:00