Commit Graph

4885 Commits

Author SHA1 Message Date
Chris PeBenito
eab2cc89b4 Slocate patch from Dan Walsh.
Locate attempts to look at network sate and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49 Qemu patch from Dan Walsh.
Fix qemu labeling.

Additional qemu interfaces

Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f Pulseaudio patch from Dan Walsh.
Dontaudit attempts to exec pulseaudio.  qemu does this and it causes
other avc's even though qemu can not use pulseaudio.

Allow other domains to use pulseiaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a Podsleuth patch from Dan Walsh.
podsleuth asks the kernel to load modules
Reads/write removable blk device.

Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Daniel J Walsh
fa98e0ec52 -Update to upstream 2010-06-21 14:31:26 +00:00
Chris PeBenito
8a24097bff Mplayer patch from Dominick Grift through Dan Walsh. 2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb Mozilla patch from Dan Walsh.
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7 Cpufreqselector patch from Dan Walsh.
Needs to read localization
2010-06-21 09:03:11 -04:00
Daniel J Walsh
5f371acada -Update to upstream 2010-06-18 20:14:28 +00:00
Chris PeBenito
a99f69fd0e Loadkeys patch from Dan Walsh.
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
e08ac5acb3 Vbetool patch from Dan Walsh.
vbetool needs mls overrides
2010-06-18 14:56:27 -04:00
Chris PeBenito
3835c39a13 Sudo patch from Dan Walsh.
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito
f7e3410aed Su patch from Dan Walsh.
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito
b9be5cccf1 Shorewall patch from Dan Walsh.
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito
5116faa198 Quota patch from Dan Walsh.
Quata needs to setshed on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito
a9ef84b578 Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib

dontaudit leaks from domains that transition

cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito
9a4d292902 Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.

Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
10c0104066 Kismet patch from Dan Walsh.
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito
e89f04fd17 Mcelog patch from Dan Walsh.
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito
0e30bca6d9 Consoletype patch from Dan Walsh.
I am sick of every app in the known universe leaking socket descriptors.
  Dontaudit by default

consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito
88a574d373 Alsa patch from Dan Walsh
Alsa trys to talk to all types of terminals.  Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito
4db7790c60 Acct patch from Dan Walsh.
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00
Daniel J Walsh
7c727a891e - Add Zarafa policy 2010-06-16 20:19:22 +00:00
Daniel J Walsh
cbf5825080 - Add Zarafa policy 2010-06-16 20:17:50 +00:00
Daniel J Walsh
244b4526c6 - Cleanup of aiccu policy
- initial mock policy
2010-06-16 18:25:47 +00:00
Daniel J Walsh
f2403c5b4f - Cleanup of aiccu policy
- initial mock policy
2010-06-11 15:39:46 +00:00
Chris PeBenito
48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83 AFS patch from Dan Walsh. 2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560 Abrt patch from Dan Walsh.
Abrt uses /var/spool/abrt now and changed the name of its lock

Now uses a stream socket

Installs debuginfo packages

sys_nice itself
2010-06-10 07:58:00 -04:00
Daniel J Walsh
f651bb6fdc - Lots of random fixes 2010-06-09 21:31:42 +00:00
Chris PeBenito
48e0aa86c9 Files patch from Dan Walsh.
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter

Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito
135b1b4c54 Terminal patch from Dan Walsh. 2010-06-09 08:22:31 -04:00
Daniel J Walsh
b39ccca147 - Update to upstream 2010-06-08 21:23:21 +00:00
Chris PeBenito
98652c65a3 Add missing changelog entry for cgroup. 2010-06-08 13:08:36 -04:00
Chris PeBenito
c54e7d63dc Module version bump for cgroup patchset. 2010-06-08 09:18:43 -04:00
Chris PeBenito
53f9abbe68 Clean up cgroup. Rename cgconfigparser to cgconfig. 2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7 Remove cgroup_t usage in cgroup_admin() since it is not owned by the module. 2010-06-08 09:12:03 -04:00
Chris PeBenito
860c05d9de Rearrange cgroup interfaces in filesystem. 2010-06-08 09:10:45 -04:00
Chris PeBenito
04dcd73fe3 Whitespace fixes in cgroup and init. 2010-06-08 08:47:26 -04:00
Dominick Grift
e2b9add5f8 How users interact with cgroup.
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:33 -04:00
Dominick Grift
73f0985092 How libgroup init scripts interact with libcgroup.
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:29 -04:00
Dominick Grift
ddf821332f add libcg policy.
Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Dominick Grift
c0c635b3f3 cgroup in filesystem.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Daniel J Walsh
632048ceb1 - Update to upstream
- Allow prelink script to signal itself
- Cobbler fixes
2010-06-07 21:15:35 +00:00
Chris PeBenito
60f04fcb7a Kernel patch from Dan Walsh.
Add ability to dontaudit requiests to load kernel modules.  If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.

Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito
fb7caddb4f Devices patch from Dan Walsh.
vhost_device_t added for libvirt/qemu

/dev/usbmon device added

lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito
46c0e57acf Corecommands patch from Dan Walsh.
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito
8f0de5df68 Storage patch from Dan Walsh.
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Daniel J Walsh
bca242c772 - Add xdm_var_run_t to xserver_stream_connect_xdm
- Add cmorrord and mpd policy from Miroslav Grepl
2010-06-02 19:36:11 +00:00
Daniel J Walsh
e51284403f - Fix sshd creation of krb cc files for users to be user_tmp_t 2010-06-01 20:56:58 +00:00