Commit Graph

848 Commits

Author SHA1 Message Date
Chris PeBenito
a65fd90a50 trunk: 6 patches from dan. 2009-06-11 15:00:48 +00:00
Chris PeBenito
cca4a215fe trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00
Chris PeBenito
996779dfad trunk:
The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.

The current security policy does not allow them to import/export any
largeobjects without any clear reason.

NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.

KaiGai Kohei
2009-05-22 13:37:32 +00:00
Chris PeBenito
e0ea7b15ca trunk:
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.

The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.

In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allow them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.

The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.

KaiGai Kohei
2009-05-21 11:49:33 +00:00
Chris PeBenito
a01a4a7183 trunk:
OK, the attached patch adds the following types for unprivileged clients.
 - unpriv_sepgsql_table_t
 - unpriv_sepgsql_sysobj_t
 - unpriv_sepgsql_proc_exec_t
 - unpriv_sepgsql_blob_t

These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.

In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.

KaiGai Kohei
2009-05-21 11:28:14 +00:00
Chris PeBenito
80348b73a0 trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
Chris PeBenito
a47eb527e5 trunk: whitespace fix for squid.fc. 2009-05-11 12:07:07 +00:00
Chris PeBenito
350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required when the largeobject is referred.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito
da3ed0667f trunk: lircd from miroslav grepl 2009-05-06 15:09:46 +00:00
Chris PeBenito
c0f5fa011a trunk: whitespace fixes. 2009-05-06 14:44:57 +00:00
Chris PeBenito
3392356f36 trunk: 5 patches from dan. 2009-05-06 14:26:20 +00:00
Chris PeBenito
0cf1d56018 trunk: Milter state directory patch from Paul Howarth. 2009-04-21 20:40:45 +00:00
Chris PeBenito
a5ef553c2d trunk: 5 modules from dan. 2009-04-20 19:03:15 +00:00
Chris PeBenito
153fe24bdc trunk: 5 patches from dan. 2009-04-07 14:09:43 +00:00
Chris PeBenito
8f800d48df trunk: 14 patches from dan. 2009-03-23 14:56:43 +00:00
Chris PeBenito
3c9b2e9bc6 trunk: 6 patches from dan. 2009-03-19 17:56:10 +00:00
Chris PeBenito
e21bd28bc8 trunk: add mysql db lnk_file transition. 2009-03-11 11:59:04 +00:00
Chris PeBenito
da04234f32 trunk: 5 patches from dan. 2009-03-10 19:32:04 +00:00
Chris PeBenito
156204a385 trunk: Drop write permission from fs_read_rpc_sockets(). 2009-02-24 20:00:15 +00:00
Chris PeBenito
f79314234a trunk: 6 patches from dan. 2009-02-11 19:28:30 +00:00
Chris PeBenito
466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito
c1262146e0 trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00
Chris PeBenito
668b3093ff trunk: change network interface access from all to generic network interfaces. 2009-01-06 20:24:10 +00:00
Chris PeBenito
17ec8c1f84 trunk: bump module versions for release. 2008-12-10 19:38:10 +00:00
Chris PeBenito
3196971ae8 trunk: Fix consistency of audioentropy and iscsi module naming. 2008-12-09 16:47:33 +00:00
Chris PeBenito
9ff89c44e7 trunk: 2 patches from dan. 2008-12-04 15:01:12 +00:00
Chris PeBenito
ff8f0a63f4 trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00
Chris PeBenito
6073ea1e13 trunk: whitespace fix changing multiple spaces into tabs. 2008-12-03 18:33:19 +00:00
Chris PeBenito
a057e0462e trunk: fix missing xml parameter. 2008-12-03 15:51:53 +00:00
Chris PeBenito
fb4826f424 trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00
Chris PeBenito
b9e5238a24 trunk: add milter module from Paul Howarth. 2008-11-24 15:06:58 +00:00
Chris PeBenito
b3b607eb43 trunk: a fix on the previous commit. 2008-11-19 16:02:13 +00:00
Chris PeBenito
fcee22ad0d trunk: 5 patches from dan. 2008-11-19 15:24:10 +00:00
Chris PeBenito
01e9e7dbf5 trunk: 4 patches from dan. 2008-11-18 19:55:10 +00:00
Chris PeBenito
659c8650c7 trunk 2 patches from dan. 2008-11-17 15:48:12 +00:00
Chris PeBenito
7f49194215 trunk: Xserver MLS fix from Eamon Walsh. 2008-11-17 13:49:19 +00:00
Chris PeBenito
73c77e2c9b trunk: 2 fixes from martin orr. 2008-11-13 18:44:23 +00:00
Chris PeBenito
5843d066b6 trunk: 10 patches from dan. 2008-11-11 16:38:34 +00:00
Chris PeBenito
657c226c40 trunk: 7 patches from dan. 2008-11-06 22:36:50 +00:00
Chris PeBenito
ba796982df trunk: tweaks from russell and martin orr. 2008-11-06 15:01:15 +00:00
Chris PeBenito
296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito
82d2775c92 trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00
Chris PeBenito
2cca6b79b4 trunk: remove redundant shared lib calls. 2008-10-17 17:31:04 +00:00
Chris PeBenito
2a98379a24 trunk: additional whitespace fixes. 2008-10-17 15:52:39 +00:00
Chris PeBenito
0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito
5d4f4b5375 trunk: bump version numbers for release. 2008-10-14 15:46:36 +00:00
Chris PeBenito
74993c4dae trunk: 8 patches from dan. 2008-10-13 15:06:23 +00:00
Chris PeBenito
aa7c463e5d trunk: a pile of misc fixes. 2008-10-13 13:36:50 +00:00
Chris PeBenito
06099da657 trunk: 3 patches from dan. 2008-10-09 18:06:24 +00:00
Chris PeBenito
04d2861035 trunk: missing bits from dan's previous round of patches. 2008-10-09 14:01:53 +00:00
Chris PeBenito
967fd1ba3f trunk: 8 patches from dan. 2008-10-08 20:03:24 +00:00
Chris PeBenito
e87221cefe trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00
Chris PeBenito
ed8ae5ebeb trunk: fix typo 2008-10-06 18:33:44 +00:00
Chris PeBenito
12c61f36f4 trunk: 7 patches from dan, 1 from eamon. 2008-10-06 17:27:49 +00:00
Chris PeBenito
73edbc9101 trunk: add oident from dominick grift. 2008-10-06 14:01:59 +00:00
Chris PeBenito
6d8af27cad trunk: fix dupe fc. 2008-10-03 13:17:56 +00:00
Chris PeBenito
3daef6999a trunk: cvs update from dan. 2008-09-23 12:56:00 +00:00
Chris PeBenito
658f4d3dd9 trunk: rpcbind update from dan. 2008-09-18 18:09:34 +00:00
Chris PeBenito
fd49feff49 trunk: last bit of wpa_supplicant update from martin orr. 2008-09-18 15:06:29 +00:00
Chris PeBenito
c9824ec5ce trunk: remove incomplete sshd_extern. 2008-09-18 14:06:30 +00:00
Chris PeBenito
f5394cc3cb trunk: bind update from dan. 2008-09-15 17:02:57 +00:00
Chris PeBenito
48f6456344 trunk: rename labeled init scripts with initrc convention. 2008-09-15 14:20:20 +00:00
Chris PeBenito
a46b60549a trunk: squid update from dan. 2008-09-15 13:31:28 +00:00
Chris PeBenito
21ea2b1884 trunk: firstboot update from dan. 2008-09-12 15:54:11 +00:00
Chris PeBenito
36095d11ce trunk: kudzu and mta patches from dan. 2008-09-12 14:18:20 +00:00
Chris PeBenito
bc85e826ec trunk: promote networkmanager debian fc entries out of build options. 2008-09-12 12:14:52 +00:00
Chris PeBenito
8786916e8d trunk: ntp and setrans update from dan. 2008-09-11 14:54:40 +00:00
Chris PeBenito
52ceaaac6e trunk: Debian update for NetworkManager/wpa_supplicant from Martin Orr. 2008-09-11 14:02:53 +00:00
Chris PeBenito
ae3386373a trunk: networkmanager/ppp patch from dan. 2008-09-11 13:35:06 +00:00
Chris PeBenito
859135dcdd trunk: fix bad apcupsd interface name. 2008-09-09 15:56:26 +00:00
Chris PeBenito
54341818ac trunk: fix fail2ban init script regex. 2008-09-05 14:37:35 +00:00
Chris PeBenito
cdac989dee trunk: fail2ban update from dan. 2008-09-05 14:17:18 +00:00
Chris PeBenito
a71e136cc3 trunk: add cyphesis from dan. 2008-09-03 14:46:10 +00:00
Chris PeBenito
e40fa634b2 trunk: Logrotate and Bind updates from Vaclav Ovsik. 2008-09-03 14:12:56 +00:00
Chris PeBenito
9bcfb6dfa5 trunk: hplip uses dbus. 2008-08-29 14:25:09 +00:00
Chris PeBenito
24af9b1d34 trunk: inetd update from dan. 2008-08-29 13:21:53 +00:00
Chris PeBenito
c11057f7ae trunk: fedora update cherry picked by david hardeman. 2008-08-22 15:17:01 +00:00
Chris PeBenito
32f8ff393b trunk: add w3c from dan. 2008-08-21 13:52:52 +00:00
Chris PeBenito
93f445b8c0 trunk: firstboot update from dan. 2008-08-20 19:45:39 +00:00
Chris PeBenito
770c015f88 trunk: 2 patches from dan. 2008-08-14 15:10:41 +00:00
Chris PeBenito
3e59876583 trunk: 6 patches from the fedora policy, cherry picked by david hardeman. 2008-08-14 14:19:50 +00:00
Chris PeBenito
e0ed765c0e trunk: 3 patches from the fedora policy, cherry picked by David Hardeman. 2008-08-11 14:03:36 +00:00
Chris PeBenito
7aabe358f4 trunk: missed fixes on previous commit. 2008-08-07 14:45:37 +00:00
Chris PeBenito
8a948caf2b trunk: 11 more cherry picks from fedora policy, by david hardeman. 2008-08-07 14:17:50 +00:00
Chris PeBenito
b81bfc2651 trunk: Samba/winbind update from Mike Edenfield. 2008-08-05 12:54:11 +00:00
Chris PeBenito
dc1920b218 trunk: Database labeled networking update from KaiGai Kohei. 2008-07-25 04:07:09 +00:00
Chris PeBenito
6224fc1485 trunk: 7 patches from Fedora policy, cherry picked by david hardeman. 2008-07-24 23:56:03 +00:00
Chris PeBenito
0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito
cfcf5004e5 trunk: bump versions for release. 2008-07-02 14:07:57 +00:00
Chris PeBenito
e311e23a44 trunk: Fix httpd_enable_homedirs to actually provide the access it is supposed to provide. 2008-07-01 13:57:53 +00:00
Chris PeBenito
5fe7de9ea9 trunk: apache script connections to postgres, from kaigai. 2008-06-25 13:03:59 +00:00
Chris PeBenito
f7eaeebbae trunk: more xml doc fixes. 2008-06-24 14:43:47 +00:00
Chris PeBenito
c5cfd2d405 trunk: Add unused interface/template parameter metadata in XML. 2008-06-24 14:23:40 +00:00
Chris PeBenito
8c6292b7a4 trunk: Patch to handle postfix data_directory from Vaclav Ovsik. 2008-06-24 13:21:35 +00:00
Chris PeBenito
7f4005e348 trunk: fix up stored procedure naming patch from kaigai. 2008-06-24 12:57:06 +00:00
Chris PeBenito
b1a903654f trunk: add missing requires. 2008-06-24 12:53:30 +00:00
Chris PeBenito
131634a581 trunk: podsleuth and hal updates from dan. 2008-06-17 14:07:44 +00:00
Chris PeBenito
eb4216397c trunk: add qemu and virt from dan. 2008-06-16 18:59:07 +00:00
Chris PeBenito
8e7d43c8ac trunk: additional patch from kaigai to fix up some type transitions for unpriv clients. 2008-06-13 13:33:36 +00:00
Chris PeBenito
e8cb08aefa trunk: add sepostgresql policy from kaigai kohei. 2008-06-10 15:33:18 +00:00
Chris PeBenito
ef55a11980 trunk: Patch for X.org dbus support from Martin Orr. 2008-06-07 13:31:48 +00:00
Chris PeBenito
cdbd09f65e trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00
Chris PeBenito
147af4d309 trunk: misc fixes. 2008-05-27 18:09:18 +00:00
Chris PeBenito
8926b25f39 trunk: tweak kerneloops. 2008-05-26 17:48:56 +00:00
Chris PeBenito
782c10e949 trunk: add kerneloops from dan. 2008-05-26 17:47:49 +00:00
Chris PeBenito
cbe82b179b trunk: start adding open perm to obvious places. 2008-05-23 18:22:57 +00:00
Chris PeBenito
4416c416fa trunk: Module loading now requires setsched on kernel threads. 2008-05-22 18:39:03 +00:00
Chris PeBenito
b34db7a8ec trunk: another pile of misc fixes. 2008-05-22 15:24:52 +00:00
Chris PeBenito
8f3a0a95e0 trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00
Chris PeBenito
e9c6cda7da trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
Chris PeBenito
7e11b74087 trunk: make hald_log_t a log file. 2008-04-18 16:04:15 +00:00
Chris PeBenito
f12302af92 trunk: hal xml doc fix pointed out by Rob Myers. 2008-04-18 15:55:03 +00:00
Chris PeBenito
8152a78836 trunk: 7 patches from dan. 2008-04-04 17:08:34 +00:00
Chris PeBenito
0a14f3ae09 trunk: bump module version numbers for release. 2008-04-02 16:04:43 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito
e828954c63 trunk: 4 patches from dan. 2008-03-27 15:20:16 +00:00
Chris PeBenito
9377a3e59c trunk: fix winbind socket connection interface for default location of the sock_file. 2008-03-21 14:18:13 +00:00
Chris PeBenito
9e8c3aa651 trunk: add type transition to fix mysql socket creation. 2008-03-21 14:16:17 +00:00
Chris PeBenito
01e8ff4ab3 trunk: rpc update from Vaclav Ovsik. 2008-03-04 19:14:08 +00:00
Chris PeBenito
d57a094347 trunk: Exim updates on Debian from Devin Carraway. 2008-03-04 18:25:13 +00:00
Chris PeBenito
834401ff97 trunk: dovecot fix from Stefan Schulze Frielinghaus. 2008-02-25 19:31:03 +00:00
Chris PeBenito
9fa023ff58 trunk: Pam and samba updates from Stefan Schulze Frielinghaus. 2008-02-19 19:33:48 +00:00
Chris PeBenito
ee6608baeb trunk: 8 patches from dan. 2008-02-18 18:44:40 +00:00
Chris PeBenito
4f017813ab trunk: fix pppd admin interface. 2008-02-14 16:03:24 +00:00
Chris PeBenito
7a5e2d8a37 trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
Chris PeBenito
12cf805e1c trunk: add basic ubuntu support 2008-02-05 18:24:43 +00:00
Chris PeBenito
ce8a5299a8 trunk: 3 patches from dan. 2008-02-05 17:41:53 +00:00
Chris PeBenito
f7925f25f7 trunk: bump module versions for release. 2007-12-14 14:23:18 +00:00
Chris PeBenito
dd9e1de35e trunk: Improve several tunables descriptions from Dan Walsh. 2007-12-07 15:44:53 +00:00
Chris PeBenito
09e21686ea trunk: another round of nsswitch from dan. 2007-12-06 16:04:14 +00:00
Chris PeBenito
74d920c3b5 trunk: add setrlimit to debian cron. 2007-12-06 14:35:44 +00:00
Chris PeBenito
5f63dd12a3 trunk: fix xconsole rw interface. 2007-12-04 15:11:53 +00:00
Chris PeBenito
c0cf6e0a6e trunk: clean up nsswitch usage, from dan. 2007-12-04 15:05:55 +00:00
Chris PeBenito
0aa18d9fd5 trunk: version bumps for previous commit. 2007-11-26 16:46:38 +00:00
Chris PeBenito
0b6acad1bb trunk: More complete labeled networking infrastructure from KaiGai Kohei. 2007-11-26 16:44:57 +00:00
Chris PeBenito
8d1f9d9e14 trunk: add missing tcp_socket rules for xfs. 2007-11-19 20:36:33 +00:00
Chris PeBenito
6ab634a512 trunk: fix dup specification for /var/spool/cups/* 2007-11-16 20:03:18 +00:00
Chris PeBenito
226c06969c trunk: 9 patches from dan. 2007-11-15 20:10:26 +00:00
Chris PeBenito
6c91189762 trunk: 8 patches from dan. 2007-11-15 16:54:18 +00:00
Chris PeBenito
3b498a9105 trunk: add gentoo hal fc entry. 2007-11-12 14:17:39 +00:00
Chris PeBenito
4605adcba7 trunk: add postfixpolicyd from Jan-Frode Myklebust. 2007-11-07 20:17:44 +00:00
Chris PeBenito
bd973e3e68 trunk: remove unused types from dbus. 2007-10-26 18:04:38 +00:00
Chris PeBenito
6bf8bf4f5c trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
Chris PeBenito
3c99e5989a trunk: add /var/lib search for system bus template. 2007-10-22 15:53:31 +00:00
Chris PeBenito
a334d2918f trunk: add infrastructure for managing user web content. 2007-10-18 19:23:33 +00:00
Chris PeBenito
a27d1c6e84 trunk: gdm is in /usr/sbin on rawhide machines, from Eamon Walsh. 2007-10-15 17:50:07 +00:00
Chris PeBenito
f48782758e trunk: reorganize amanda and bind 2007-10-12 17:50:11 +00:00
Chris PeBenito
bc01b352f6 trunk: 2 patches from dan. 2007-10-12 17:35:56 +00:00
Chris PeBenito
cdf98fedc0 trunk: 10 patches from dan. 2007-10-11 18:12:29 +00:00
Chris PeBenito
ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito
6c53a10e28 trunk: Patch to clean up unescaped periods in several file context entries from Jan-Frode Myklebust. 2007-10-05 18:00:55 +00:00
Chris PeBenito
12e9ea1ae3 trunk: module version bumps for previous commit. 2007-10-02 17:15:07 +00:00
Chris PeBenito
350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito
3480f3f239 trunk: bump version numbers for release. 2007-09-28 13:58:24 +00:00
Chris PeBenito
4ddc7ba539 trunk: xml doc one-liner from Stefan Schulze Frielinghaus. 2007-09-24 13:01:17 +00:00
Chris PeBenito
8242f5a68d trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain(). 2007-09-17 14:33:40 +00:00
Chris PeBenito
14add30d03 trunk: 3 patches from dan. 2007-09-12 14:53:39 +00:00
Chris PeBenito
134a799c75 trunk: 3 patches from dan. 2007-09-11 19:24:32 +00:00
Chris PeBenito
8a9d6f6449 trunk: 6 patches from dan. 2007-09-07 13:41:20 +00:00
Chris PeBenito
72f82c47c2 trunk: six patches from dan. 2007-09-06 18:34:40 +00:00
Chris PeBenito
016e5c5cdc trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00
Chris PeBenito
0a0b8078ca trunk: 5 patches from dan. 2007-09-04 18:57:58 +00:00
Chris PeBenito
6dd721a686 trunk: 7 patches from dan, slocate, games, amavis, radius, sendmail, rshd, logrotate. 2007-08-27 17:57:36 +00:00
Chris PeBenito
a2f444884b trunk: patch to allow sendmail to read ssl/tls certificates from Stefan Schulze Frielinghaus. 2007-08-27 17:00:18 +00:00
Chris PeBenito
2af7b42a06 trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels. 2007-08-22 20:21:52 +00:00
Chris PeBenito
8d2c34195e trunk: updates from dan on 9 modules 2007-08-22 20:02:41 +00:00
Chris PeBenito
80d5e02c81 trunk: Files and radvd updates from Stefan Schulze Frielinghaus. 2007-08-21 19:03:34 +00:00
Chris PeBenito
1779bef032 trunk: fix gdm xsession scripts on redhat machines. 2007-08-20 18:54:29 +00:00
Chris PeBenito
f8233ab7b0 trunk: Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency. 2007-08-20 18:26:08 +00:00
Chris PeBenito
2d0c9cecaf trunk: several MLS enhancements. 2007-08-20 15:15:03 +00:00
Chris PeBenito
371d11ec04 trunk: add 3rd party interface for apache cgi. 2007-07-26 19:48:40 +00:00
Chris PeBenito
708aab1393 trunk: fix targeted sshd. When the domain was unaliased from unconfined_t, a transition to unconfined_t was not added. 2007-07-20 18:25:26 +00:00
Chris PeBenito
d46cfe45cd trunk: add application module 2007-07-19 18:57:48 +00:00
Chris PeBenito
f80a0e4f25 trunk: Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. 2007-07-02 15:25:46 +00:00
Chris PeBenito
116c1da330 trunk: update module version numbers for release. 2007-06-29 14:48:13 +00:00
Chris PeBenito
e5e55ace89 trunk, strict-targeted-merge: add mmap_zero to xserver domains. 2007-06-28 12:34:08 +00:00
Chris PeBenito
7b61fe506d trunk: add rpcbind from dan 2007-06-27 16:31:55 +00:00
Chris PeBenito
1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito
2c3ac47d45 trunk: pyzor and clamav updates from dan 2007-06-26 18:43:11 +00:00
Chris PeBenito
02f2c3e979 trunk: nagios update from dan 2007-06-21 17:23:19 +00:00
Chris PeBenito
a90a256f64 trunk: procmail tweak from dan. 2007-06-21 14:54:34 +00:00
Chris PeBenito
92d1ade254 trunk: trivial gentoo tweaks 2007-06-20 20:08:26 +00:00
Chris PeBenito
99b5a56cb6 trunk: radius one-liner from dan 2007-06-20 15:03:55 +00:00
Chris PeBenito
40df56772f trunk: big samba update from dan 2007-06-19 19:11:35 +00:00
Chris PeBenito
788d88c923 trunk: drop snmpd_etc_t. 2007-06-19 17:39:35 +00:00
Chris PeBenito
6c8aba7b31 trunk: confine sendmail and logrotate on targeted 2007-06-19 17:01:39 +00:00
Chris PeBenito
cb10a2d5bf trunk: Tunable connection to postgresql for users from KaiGai Kohei. 2007-06-19 14:30:06 +00:00
Chris PeBenito
d139413c64 trunk: 2 patches from dan 2007-06-13 13:54:56 +00:00
Chris PeBenito
d5b81a81ff trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). 2007-06-12 18:46:14 +00:00
Chris PeBenito
262def165a trunk: version bumps for previous commit. 2007-06-12 13:08:19 +00:00
Chris PeBenito
f7101c5430 trunk: 7 simple patches from dan. 2007-06-12 13:06:13 +00:00
Chris PeBenito
6649aec9d0 trunk: 3 patches from dan 2007-06-11 15:43:37 +00:00
Chris PeBenito
d534d35a7e trunk: 5 patches from dan 2007-06-11 15:01:10 +00:00
Chris PeBenito
f6a590d7b4 six simple patches from dan 2007-06-11 14:09:09 +00:00
Chris PeBenito
a39a931362 trunk: snmp tweak from dan 2007-05-15 18:06:31 +00:00
Chris PeBenito
c412be6bef trunk: remaining pieces for apcupsd module 2007-05-15 15:43:00 +00:00
Chris PeBenito
762d2cb989 merge restorecon into setfiles 2007-05-11 17:10:43 +00:00
Chris PeBenito
12217cc286 Patch to begin separating out hald helper programs from Dan Walsh. 2007-05-07 17:57:48 +00:00
Chris PeBenito
78f17e6d6c add apcupsd from dan 2007-05-07 14:55:54 +00:00
Chris PeBenito
b129e2001c Fixes for squid, dovecot, and snmp from Dan Walsh. 2007-05-07 13:45:17 +00:00
Chris PeBenito
4967aaa320 Miscellaneous consolekit fixes from Dan Walsh. 2007-05-03 14:15:38 +00:00
Chris PeBenito
ed4b7301fb Patch to have avahi use the nsswitch interface rather than individual permissions from Dan Walsh. 2007-05-03 12:45:28 +00:00
Chris PeBenito
517618f0b4 Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. 2007-05-02 17:55:03 +00:00
Chris PeBenito
6a2975706a add rwho from Nalin Dahyabhai 2007-04-30 17:39:01 +00:00
Chris PeBenito
747ab18400 Patch to allow amavis to read spamassassin libraries from Dan Walsh. 2007-04-30 15:19:47 +00:00
Chris PeBenito
ae32fb7e7b trivial aide fix from dan 2007-04-30 15:09:15 +00:00
Chris PeBenito
7487a66705 trivial fix from dan for bluetooth 2007-04-30 14:33:12 +00:00
Chris PeBenito
d28e528b0d Fixes for RHEL4 from the CLIP project. 2007-04-27 15:08:15 +00:00
Chris PeBenito
cd16fe6e2c Replace the old lrrd fc entries with correct munin ones. 2007-04-23 17:36:35 +00:00
Chris PeBenito
7a4bd42ea3 Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface. 2007-04-19 14:24:02 +00:00
Chris PeBenito
0251df3e39 bump module versions for release 2007-04-17 13:28:09 +00:00
Chris PeBenito
4029f11670 last piece of previous consolekit patch 2007-04-11 20:02:59 +00:00
Chris PeBenito
97e8156ecb add zabbix from dan 2007-04-11 18:55:44 +00:00
Chris PeBenito
697489040e 5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes 2007-04-11 17:56:03 +00:00
Chris PeBenito
99064c9fbd more consolekit updates from dan 2007-04-11 14:04:35 +00:00
Chris PeBenito
ebc1e8be97 from dan:
kadmind tries to setattr on krb5kdc file.  Just a library checking access.
2007-04-10 17:20:07 +00:00
Chris PeBenito
9af48eef6e six patches from dan 2007-04-10 13:10:58 +00:00
Chris PeBenito
39d8dcdb4f fix http_script_domains, it was incorrectly applied to the content type rather than the script domain. bug #24. 2007-04-02 13:20:55 +00:00
Chris PeBenito
9e8f65c83e six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed 2007-03-26 20:47:29 +00:00
Chris PeBenito
56e1b3d207 - Move booleans and tunables to modules when it is only used in a single
module.
- Add support for tunables and booleans local to a module.
2007-03-26 18:41:45 +00:00
Chris PeBenito
8021cb4f63 Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00
Chris PeBenito
ab514d6a89 remove disable_trans booleans 2007-03-23 21:01:49 +00:00
Chris PeBenito
19fd9301e6 patch from dan to have ricci modstorage transition to lvm 2007-03-21 20:02:50 +00:00
Chris PeBenito
cd3ee91a4b add fail2ban from dan 2007-03-21 15:51:52 +00:00
Chris PeBenito
a5f5eba459 Add dontaudits for init fds and console to init_daemon_domain(). 2007-03-20 18:47:18 +00:00
Chris PeBenito
7200146ea8 trivial patch for radius from dan 2007-03-19 18:42:57 +00:00
Chris PeBenito
86b28c9594 trivial patch from dan for sysstat access to sysfs 2007-03-19 18:38:54 +00:00
Chris PeBenito
e66689f7be other part of consolekit addition 2007-03-19 18:36:36 +00:00
Chris PeBenito
c224d91c7b from Dan:
This is a new policy for the User Switching capability coming in gnome.

consolekit is a daemon that communicates with xdm_t and hal through dbus to change the
ownership/access on certain devices when the login session changes from one user to another
2007-03-19 18:01:15 +00:00
Chris PeBenito
0cca516db7 fix for rh bug 203290 2007-03-08 19:01:21 +00:00
Chris PeBenito
b5a6c86f46 last bit of dans patch 2007-03-08 17:53:52 +00:00
Chris PeBenito
cdc91b9aeb Patch for handling restart of nscd when ran from useradd, groupadd, and admin passwd, from Dan Walsh. 2007-03-08 15:14:45 +00:00
Chris PeBenito
59bedc1886 procmail uses /tmp files
Wants to send signull to itself
Can exec ls
Read spamassinn_lib_dirs
New directory for spamassassin /var/lib/
pyzor uses tmp files
2007-03-07 21:33:22 +00:00
Chris PeBenito
7aefc69117 trivial change from dan 2007-03-06 17:44:26 +00:00
Chris PeBenito
7aca2aa827 setroubleshoot has a plugin that checks the file context on disk versus a matchpathcon. So needs additional privs 2007-03-06 17:16:08 +00:00
Chris PeBenito
c23eb5b1c4 Patch for gssd fixes from Dan Walsh 2007-03-06 16:18:59 +00:00
Chris PeBenito
c5561c777d patches for lvm and ricci fixes from Dan Walsh. 2007-03-06 15:35:02 +00:00
Chris PeBenito
f2c69c47b3 lmtp and smtp are the same file require same context of setfiles complains
postfix_pickup_t wants to read postfix_spool_maildrop_t dir
2007-03-01 20:41:19 +00:00
Chris PeBenito
ecc98e19e3 patches for file contexts in networkmanager, miscfiles, corecommands, devices, and java from Dan Walsh. 2007-03-01 15:43:39 +00:00
Chris PeBenito
4900fdf7d1 Patch for kerberized telnet fixes from Dan Walsh. 2007-02-28 17:17:52 +00:00
Chris PeBenito
09c56f5496 Patch for kerberized ftp and other ftp fixes from Dan Walsh. 2007-02-28 17:01:47 +00:00
Chris PeBenito
f0eaed31be Patch for misc fixes to bluetooth from Dan Walsh. 2007-02-26 17:23:52 +00:00
Chris PeBenito
5b06477c8e On Tue, 2007-02-20 at 12:02 -0500, Daniel J Walsh wrote:
> Eliminate excess avc messages created when using kerberos libraries
> 
> krb5kdc wants to setsched
> 
> Also uses a fifo_file to communicate.
> 
> Needs to search_network_sysctl
2007-02-26 17:04:56 +00:00
Chris PeBenito
66cf194680 Patch to remove redundant mls_trusted_object() call from Dan Walsh. 2007-02-23 20:05:12 +00:00
Chris PeBenito
4685213857 Patch for misc fixes to nis ypxfr policy from Dan Walsh. 2007-02-23 19:52:52 +00:00
Chris PeBenito
aeb54c6dd0 Patch to allow apmd to telinit from Dan Walsh. 2007-02-23 19:41:41 +00:00
Chris PeBenito
d114071e7a While using samba and SELinux with Debian GNU/Linux (etch) the
following files need to be labeled correctly:
/var/run/samba/gencache.tdb
/var/run/samba/share_info.tdb

Should also concern other distributions than Debian.

-Stefan
2007-02-23 19:30:17 +00:00
Chris PeBenito
bcac3a5e3d Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. 2007-02-23 19:08:45 +00:00
Chris PeBenito
6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
Chris PeBenito
10e12095d6 Fix explicit use of httpd_t in openca_domtrans(), bug #22. 2007-02-07 22:10:45 +00:00
Chris PeBenito
ff943a1b9b Clean up file context regexes in apache and java, from Eamon Walsh:
Some file_contexts regular expressions in refpolicy-strict are causing 
genhomedircon to die; refpolicy is failing to build for me entirely.

The regular expressions seem redundant to me, perhaps I am missing 
something, but the following patch fixes the problems for me.  Please 
review and apply
2007-01-24 17:10:31 +00:00
Chris PeBenito
42c5c5f612 bump versions for release. 2006-12-12 21:22:47 +00:00
Chris PeBenito
c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito
d6d16b9796 patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00
Chris PeBenito
563e58e863 patch from dan for some missing gen_require()s 2006-11-29 13:44:40 +00:00
Chris PeBenito
c31f6724c0 fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out. 2006-11-28 15:47:47 +00:00
Chris PeBenito
fa45da0efd add aide, ccs, and ricci 2006-11-16 20:56:24 +00:00
Chris PeBenito
ed38ca9f3d fixes from gentoo strict testing:
- Allow semanage to read from /root on strict non-MLS for
  local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
  on clients.
2006-11-13 03:24:07 +00:00
Chris PeBenito
d9845ae92a patch from dan Tue, 24 Oct 2006 11:00:28 -0400 2006-10-31 21:01:48 +00:00
Chris PeBenito
a52b4d4f23 bump versions to release numbers 2006-10-18 19:25:27 +00:00
Chris PeBenito
d4a48c41c2 make inetd optional 2006-10-18 15:49:45 +00:00
Chris PeBenito
14b1684aae gentoo testing fixes. 2006-10-13 21:44:02 +00:00
Chris PeBenito
85f0c35922 make optional the inetd dependency in samba 2006-10-10 13:11:58 +00:00
Chris PeBenito
830c12eb2d apply contested part of russell's last patch 2006-10-06 13:38:49 +00:00
Chris PeBenito
3c3c0439f6 patch from russell, Thu, 5 Oct 2006 22:44:49 +1000
Allow unconfined processes to see unlabeled processes in ps.

Removed a redundant rule in samba.te

Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.

Removed support for devpts_t files in /tmp (there is no way that would ever 
work).

Allowed postgrey to create socket files.

Made the specs for the /lib and /lib64 directories better support stem 
compression.
2006-10-05 19:57:37 +00:00
Chris PeBenito
e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito
e2b84ef79a patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
Chris PeBenito
693d4aedb5 patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
Chris PeBenito
8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito
a9e03b3752 * add a macro for generating category declarations
* fix userdom_search_all_users_home_content() to use search_dir_perms;
* change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content()
2006-09-21 15:48:15 +00:00
Chris PeBenito
bf469d7669 gentoo testing fixes 2006-09-19 17:02:29 +00:00
Chris PeBenito
9dfbd81493 forgot to bump policy vers 2006-09-13 18:42:49 +00:00
Chris PeBenito
73ca55d311 patches from erich Wed, 13 Sep 2006 16:18:18 +0200 2006-09-13 18:35:10 +00:00
Chris PeBenito
0d96ff339e misc fixes 2006-09-13 14:23:04 +00:00
Chris PeBenito
376fbc0be9 clean up usercanread 2006-09-11 18:23:09 +00:00
Chris PeBenito
95b8223eed cleanups 2006-09-08 17:21:28 +00:00
Chris PeBenito
bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00
Chris PeBenito
75beb95014 patch from dan Tue, 05 Sep 2006 17:06:06 -0400 2006-09-06 16:36:23 +00:00
Chris PeBenito
13d7cec671 patch from erich Sat, 02 Sep 2006 03:37:44 +0200 2006-09-04 18:22:12 +00:00
Chris PeBenito
5dbda5558a patch from dan Fri, 01 Sep 2006 15:45:24 -0400 2006-09-04 15:15:35 +00:00
Chris PeBenito
eac818f040 patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
Chris PeBenito
a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
Chris PeBenito
d15dd5a739 more testing fixes 2006-08-23 03:47:39 +00:00
Chris PeBenito
3ef029db7c add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups. 2006-08-22 19:37:56 +00:00
Chris PeBenito
3573908f1c fix cron_system_entry() rules 2006-08-16 13:52:18 +00:00
Chris PeBenito
33c7e6b4e8 remove dead selopt rules 2006-08-15 20:00:58 +00:00
Chris PeBenito
497da0953c ps/ptrace dontaudit cleanup 2006-08-08 17:49:03 +00:00
Chris PeBenito
4846dc8ad4 patch from Stefan for mrtg daemon operation. 2006-08-07 17:14:00 +00:00
Chris PeBenito
4b3b46d7ef add authlogin interface to abstract common login program perms 2006-07-31 22:26:59 +00:00
Chris PeBenito
46551033aa patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00
Chris PeBenito
81aa67fcc0 more ssh agent fixes 2006-07-26 21:16:45 +00:00
Chris PeBenito
528811e040 clean up most of the remaining ssh TODO 2006-07-26 20:34:09 +00:00
Chris PeBenito
79f5f5e8fd add gdm Xsession fc 2006-07-26 20:33:23 +00:00
Chris PeBenito
d617143ba4 remove deprecated mount_send_nfs_client_request() from stunnel 2006-07-25 22:28:47 +00:00
Chris PeBenito
ea3c1f508a add helpers for printing warning and error messages 2006-07-25 17:27:00 +00:00
Chris PeBenito
19ebf01d6a patch to fix escaping of . in file contexts from james athey 2006-07-24 15:43:57 +00:00
Chris PeBenito
da9bbc655a fix up audit message perms now that audit_write denials are being audited by the kernel. 2006-07-13 17:22:08 +00:00
Chris PeBenito
17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00