Chris PeBenito
eab2cc89b4
Slocate patch from Dan Walsh.
...
Locate attempts to look at network state and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49
Qemu patch from Dan Walsh.
...
Fix qemu labeling.
Additional qemu interfaces
Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f
Pulseaudio patch from Dan Walsh.
...
Dontaudit attempts to exec pulseaudio. qemu does this and it causes
other avc's even though qemu can not use pulseaudio.
Allow other domains to use pulseaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a
Podsleuth patch from Dan Walsh.
...
podsleuth asks the kernel to load modules
Reads/write removable blk device.
Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Daniel J Walsh
fa98e0ec52
-Update to upstream
2010-06-21 14:31:26 +00:00
Chris PeBenito
8a24097bff
Mplayer patch from Dominick Grift through Dan Walsh.
2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb
Mozilla patch from Dan Walsh.
...
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7
Cpufreqselector patch from Dan Walsh.
...
Needs to read localization
2010-06-21 09:03:11 -04:00
Daniel J Walsh
5f371acada
-Update to upstream
2010-06-18 20:14:28 +00:00
Chris PeBenito
a99f69fd0e
Loadkeys patch from Dan Walsh.
...
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
e08ac5acb3
Vbetool patch from Dan Walsh.
...
vbetool needs mls overrides
2010-06-18 14:56:27 -04:00
Chris PeBenito
3835c39a13
Sudo patch from Dan Walsh.
...
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito
f7e3410aed
Su patch from Dan Walsh.
...
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito
b9be5cccf1
Shorewall patch from Dan Walsh.
...
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito
5116faa198
Quota patch from Dan Walsh.
...
Quota needs to setsched on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito
a9ef84b578
Prelink patch from Dan Walsh.
...
Prelink has new directory under /var/lib
dontaudit leaks from domains that transition
cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito
9a4d292902
Netutils patch from Dan Walsh.
...
ping gets leaked log descriptor from nagios.
Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
10c0104066
Kismet patch from Dan Walsh.
...
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito
e89f04fd17
Mcelog patch from Dan Walsh.
...
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito
0e30bca6d9
Consoletype patch from Dan Walsh.
...
I am sick of every app in the known universe leaking socket descriptors.
Dontaudit by default
consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito
88a574d373
Alsa patch from Dan Walsh
...
Alsa tries to talk to all types of terminals. Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito
4db7790c60
Acct patch from Dan Walsh.
...
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00
Daniel J Walsh
7c727a891e
- Add Zarafa policy
2010-06-16 20:19:22 +00:00
Daniel J Walsh
cbf5825080
- Add Zarafa policy
2010-06-16 20:17:50 +00:00
Daniel J Walsh
244b4526c6
- Cleanup of aiccu policy
...
- initial mock policy
2010-06-16 18:25:47 +00:00
Daniel J Walsh
f2403c5b4f
- Cleanup of aiccu policy
...
- initial mock policy
2010-06-11 15:39:46 +00:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83
AFS patch from Dan Walsh.
2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560
Abrt patch from Dan Walsh.
...
Abrt uses /var/spool/abrt now and changed the name of its lock
Now uses a stream socket
Installs debuginfo packages
sys_nice itself
2010-06-10 07:58:00 -04:00
Daniel J Walsh
f651bb6fdc
- Lots of random fixes
2010-06-09 21:31:42 +00:00
Chris PeBenito
48e0aa86c9
Files patch from Dan Walsh.
...
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter
Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito
135b1b4c54
Terminal patch from Dan Walsh.
2010-06-09 08:22:31 -04:00
Daniel J Walsh
b39ccca147
- Update to upstream
2010-06-08 21:23:21 +00:00
Chris PeBenito
98652c65a3
Add missing changelog entry for cgroup.
2010-06-08 13:08:36 -04:00
Chris PeBenito
c54e7d63dc
Module version bump for cgroup patchset.
2010-06-08 09:18:43 -04:00
Chris PeBenito
53f9abbe68
Clean up cgroup. Rename cgconfigparser to cgconfig.
2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7
Remove cgroup_t usage in cgroup_admin() since it is not owned by the module.
2010-06-08 09:12:03 -04:00
Chris PeBenito
860c05d9de
Rearrange cgroup interfaces in filesystem.
2010-06-08 09:10:45 -04:00
Chris PeBenito
04dcd73fe3
Whitespace fixes in cgroup and init.
2010-06-08 08:47:26 -04:00
Dominick Grift
e2b9add5f8
How users interact with cgroup.
...
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:33 -04:00
Dominick Grift
73f0985092
How libgroup init scripts interact with libcgroup.
...
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:29 -04:00
Dominick Grift
ddf821332f
add libcg policy.
...
Libcgroup automates cgroup management.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Dominick Grift
c0c635b3f3
cgroup in filesystem.
...
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Daniel J Walsh
632048ceb1
- Update to upstream
...
- Allow prelink script to signal itself
- Cobbler fixes
2010-06-07 21:15:35 +00:00
Chris PeBenito
60f04fcb7a
Kernel patch from Dan Walsh.
...
Add ability to dontaudit requests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito
fb7caddb4f
Devices patch from Dan Walsh.
...
vhost_device_t added for libvirt/qemu
/dev/usbmon device added
lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito
46c0e57acf
Corecommands patch from Dan Walsh.
...
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito
8f0de5df68
Storage patch from Dan Walsh.
...
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Daniel J Walsh
bca242c772
- Add xdm_var_run_t to xserver_stream_connect_xdm
...
- Add cmorrord and mpd policy from Miroslav Grepl
2010-06-02 19:36:11 +00:00
Daniel J Walsh
e51284403f
- Fix sshd creation of krb cc files for users to be user_tmp_t
2010-06-01 20:56:58 +00:00