Jeremy Solt
c87e150280
roles patch from Dan Walsh to move unwanted interface calls into an ifndef
2010-08-09 09:20:31 -04:00
Chris PeBenito
00ca404a20
Remove unnecessary require on cgroup_admin().
2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42
Whitespace fixes on cgroup.
2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4
Confine /sbin/cgclear.
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift
a0546c9d1c
System layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Dominick Grift
288845a638
Services layer xml files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
97b990f86e
Fix corecmd_dontaudit_exec_all_executables doc.
2010-08-05 09:24:41 -04:00
Dominick Grift
705f70f098
Kernel layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito
19ff03977d
Fix usermanage_kill_passwd() parameter doc.
2010-08-05 08:56:31 -04:00
Dominick Grift
77e4b55f70
Admin layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:46:44 -04:00
Dominick Grift
03b86663f0
apps: domain { allowed to transition, allowed access, to not audit }.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito
8da88970be
Accountsd cleanup.
2010-08-03 09:50:40 -04:00
Chris PeBenito
d0eebed0b7
Move accountsd to services.
2010-08-03 09:31:53 -04:00
Jeremy Solt
c4834a02d2
accountsd policy from Dan Walsh
Edits:
- Removed accountsd_manage_var_lib
- Removed optional block for xserver - these interfaces didn't exist
- It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
- Whitespace and style fixes
2010-08-03 09:27:24 -04:00
Chris PeBenito
a7ee7f819a
Docs standardizing on the role portion of run interfaces. Additional docs cleanup.
2010-08-03 09:20:22 -04:00
Chris PeBenito
9d4395a736
MojoMojo from Lain Arnell.
2010-08-02 09:28:06 -04:00
Chris PeBenito
a72e42f485
Interface documentation standardization patch from Dan Walsh.
2010-08-02 09:22:09 -04:00
Chris PeBenito
27eeb649cc
Virtio disk file context update from Mika Pfluger.
2010-08-02 08:33:41 -04:00
Mika Pflüger
b3f7203d6a
Take virtio disks into account.
Signed-off-by: Mika Pflüger <debian@mikapflueger.de>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-08-02 08:25:14 -04:00
Chris PeBenito
64ef2df368
Module version bump for 5563d4c.
2010-07-22 09:13:11 -04:00
Jeremy Solt
5563d4c4d8
Removing seutil_domtrans_setsebool from anaconda patch - it doesn't exist
2010-07-22 08:49:32 -04:00
Jeremy Solt
b0a6f1b7c2
anaconda patch from Dan Walsh
- Did not include the change to unconfined_domain_noaudit
2010-07-22 08:49:32 -04:00
Chris PeBenito
21fdee9dd5
Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
We went back and reread the bindreservport code in glibc.
Turns out the range of ports that this will reserve are 512-1024 rather
than 600-1024.
The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.
So we need to change corenetwork to reflect this.
2010-07-19 14:22:44 -04:00
Chris PeBenito
29f3bfa464
Fix JIT usage for freshclam.
http://marc.info/?l=selinux&m=127893898208934&w=2
2010-07-13 08:39:54 -04:00
Dominick Grift
48c3c37cf2
Remove some redundant attributes from user_home_t.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-12 14:35:22 -04:00
Chris PeBenito
4b76ea5f51
Module version bump for fa1847f.
2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2
Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
f7ffe6c2a9
Add missing ubac constraints on pulseaudio.
2010-07-09 09:14:35 -04:00
Chris PeBenito
c14aebd032
Remove old rbacsep role statements.
2010-07-09 08:38:05 -04:00
Chris PeBenito
072857c425
VMWare patch from Dan Walsh.
2010-07-08 13:43:50 -04:00
Chris PeBenito
f1618ffc6f
Whitespace fix in userhelper.
2010-07-08 10:56:15 -04:00
Chris PeBenito
b70dfcdf8f
RPM patch from Dan Walsh.
2010-07-08 10:53:28 -04:00
Chris PeBenito
2d839c6791
Whitespace fixes in RPM.
2010-07-08 10:12:24 -04:00
Chris PeBenito
7e265a8abb
Add shutdown from Dan Walsh.
2010-07-07 11:10:56 -04:00
Chris PeBenito
b841dffda1
Add livecd from Dan Walsh.
2010-07-07 10:28:25 -04:00
Chris PeBenito
08690c84ad
Remove ethereal module since the application was renamed to wireshark due to trademark issues.
2010-07-07 09:31:57 -04:00
Chris PeBenito
3c4e9fce8e
Make spamassassin optional for milter, from Russell Coker.
2010-07-07 08:55:57 -04:00
Chris PeBenito
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9
Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role().
2010-07-06 13:17:05 -04:00
Chris PeBenito
a3b0dc5b3c
GPG patch from Dan Walsh.
2010-07-06 10:58:40 -04:00
Chris PeBenito
3bcfe5beb7
Usermanage patch from Dan Walsh.
Broken leaks of sockets
useradd runs semanage for -Z.
passwd_t needs sys_nice
useradd run within a samba_controler needs to append to the samba log.
2010-07-06 10:56:20 -04:00
Chris PeBenito
cad4224e8e
Guest patch from Dan Walsh.
Dominic asked to remove mono and java from guest_t
2010-07-06 08:35:56 -04:00
Chris PeBenito
ab62f3f1b1
Module version bump for a7521af.
2010-07-01 10:48:11 -04:00
Jeremy Solt
a7521af67d
firstboot patch from Dan Walsh
- Did not include gnome_admin_home_gconf_filetrans
- Whitespace fixes
2010-07-01 10:36:31 -04:00
Dominick Grift
7e5463b58c
fix cgroup_admin
When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-01 09:02:58 -04:00
Chris PeBenito
caf1666dc1
Module version bump for 5f04c91.
2010-06-29 11:26:16 -04:00
Jeremy Solt
5f04c91f30
gitosis patch from Dan Walsh
2010-06-29 11:25:37 -04:00
Chris PeBenito
ab4f820548
Module version bump for b5d89d0.
2010-06-29 11:03:56 -04:00
Jeremy Solt
b5d89d0325
vpn patch from Dan Walsh
fixed gen_require in vpn_relabelfrom_tun_socket interface (wrong type)
removed userdom_read_home_certs (not in refpolicy)
2010-06-29 11:02:45 -04:00
Chris PeBenito
155635e33d
Create_lnk_perms fix from Russell Coker.
Personally I'd rather dump all those old compatibility macros, make them all
just display a message indicating the new correct thing to do and abort the
build. But if we are going to keep them then we need to update them and make
them work.
The attached patch adds write access to create_lnk_perms.
2010-06-28 09:33:17 -04:00
Chris PeBenito
113d2e023d
Minor tweaks and module version bump for a00fc1c.
2010-06-25 09:51:34 -04:00
Dominick Grift
a00fc1c317
hddtemp fixes.
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-25 09:43:54 -04:00
Chris PeBenito
0cec649be7
WM patch from Dan Walsh.
Window manager policy changes needed for MLS policy.
2010-06-25 09:00:19 -04:00
Chris PeBenito
3c79f954d1
Rearrange interfaces in filesystem.
2010-06-22 10:17:42 -04:00
Chris PeBenito
eab2cc89b4
Slocate patch from Dan Walsh.
Locate attempts to look at network state and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49
Qemu patch from Dan Walsh.
Fix qemu labeling.
Additional qemu interfaces
Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f
Pulseaudio patch from Dan Walsh.
Dontaudit attempts to exec pulseaudio. qemu does this and it causes
other avc's even though qemu can not use pulseaudio.
Allow other domains to use pulseaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a
Podsleuth patch from Dan Walsh.
podsleuth asks the kernel to load modules
Reads/write removable blk device.
Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Chris PeBenito
8a24097bff
Mplayer patch from Dominick Grift through Dan Walsh.
2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb
Mozilla patch from Dan Walsh.
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7
Cpufreqselector patch from Dan Walsh.
Needs to read localization
2010-06-21 09:03:11 -04:00
Chris PeBenito
a99f69fd0e
Loadkeys patch from Dan Walsh.
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
e08ac5acb3
Vbetool patch from Dan Walsh.
vbetool needs mls overrides
2010-06-18 14:56:27 -04:00
Chris PeBenito
3835c39a13
Sudo patch from Dan Walsh.
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito
f7e3410aed
Su patch from Dan Walsh.
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito
b9be5cccf1
Shorewall patch from Dan Walsh.
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito
5116faa198
Quota patch from Dan Walsh.
Quota needs to setsched on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito
a9ef84b578
Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib
dontaudit leaks from domains that transition
cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito
9a4d292902
Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.
Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
10c0104066
Kismet patch from Dan Walsh.
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito
e89f04fd17
Mcelog patch from Dan Walsh.
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito
0e30bca6d9
Consoletype patch from Dan Walsh.
I am sick of every app in the known universe leaking socket descriptors.
Dontaudit by default
consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito
88a574d373
Alsa patch from Dan Walsh
Alsa tries to talk to all types of terminals. Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito
4db7790c60
Acct patch from Dan Walsh.
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83
AFS patch from Dan Walsh.
2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560
Abrt patch from Dan Walsh.
Abrt uses /var/spool/abrt now and changed the name of its lock
Now uses a stream socket
Installs debuginfo packages
sys_nice itself
2010-06-10 07:58:00 -04:00
Chris PeBenito
48e0aa86c9
Files patch from Dan Walsh.
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter
Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito
135b1b4c54
Terminal patch from Dan Walsh.
2010-06-09 08:22:31 -04:00
Chris PeBenito
c54e7d63dc
Module version bump for cgroup patchset.
2010-06-08 09:18:43 -04:00
Chris PeBenito
53f9abbe68
Clean up cgroup. Rename cgconfigparser to cgconfig.
2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7
Remove cgroup_t usage in cgroup_admin() since it is not owned by the module.
2010-06-08 09:12:03 -04:00
Chris PeBenito
860c05d9de
Rearrange cgroup interfaces in filesystem.
2010-06-08 09:10:45 -04:00
Chris PeBenito
04dcd73fe3
Whitespace fixes in cgroup and init.
2010-06-08 08:47:26 -04:00
Dominick Grift
e2b9add5f8
How users interact with cgroup.
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:33 -04:00
Dominick Grift
73f0985092
How libgroup init scripts interact with libcgroup.
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:29 -04:00
Dominick Grift
ddf821332f
add libcg policy.
Libcgroup automates cgroup management.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Dominick Grift
c0c635b3f3
cgroup in filesystem.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Chris PeBenito
60f04fcb7a
Kernel patch from Dan Walsh.
Add ability to dontaudit requests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito
fb7caddb4f
Devices patch from Dan Walsh.
vhost_device_t added for libvirt/qemu
/dev/usbmon device added
lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito
46c0e57acf
Corecommands patch from Dan Walsh.
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito
8f0de5df68
Storage patch from Dan Walsh.
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Chris PeBenito
2a29628e40
Fix duplicate lines in kudzu.
2010-05-26 08:26:50 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
91cbcc6602
Fix deprecated interface usage in rhel4 block in su.if.
2010-05-24 15:09:18 -04:00
Chris PeBenito
3d95ca2d82
Module version bump for 904f3d8.
2010-05-24 13:08:09 -04:00
Chris PeBenito
7934ac10d3
Module version bump for 1184392 and more.
* module version bump
* make apache and unconfined portions optional
* rearrange lines
2010-05-24 13:08:09 -04:00
Chris PeBenito
ca28376c4d
Module version bump for 7942f7f.
2010-05-24 13:08:09 -04:00
Chris PeBenito
bdf5e19931
Module version bump for 383bd32.
2010-05-24 13:08:09 -04:00
Chris PeBenito
213d35a07c
Module version bump for 9e28f74.
2010-05-24 13:08:09 -04:00