Commit Graph

4969 Commits

Author SHA1 Message Date
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
653590a3f2 MCS fixes
quota fixes
2011-11-04 16:40:38 -04:00
Dan Walsh
c30a9b8718 MCS fixes
quota fixes
2011-11-04 16:10:54 -04:00
Dan Walsh
55e8d8e7cf MCS fixes
quota fixes
2011-11-04 15:36:01 -04:00
Dan Walsh
8f22f8efc5 MCS fixes
quota fixes
2011-11-04 15:27:05 -04:00
Dan Walsh
01e90f94b8 MCS fixes
quota fixes
2011-11-04 13:36:24 -04:00
Dan Walsh
0b72d16e07 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	policy-F16.patch
	selinux-policy.spec
2011-11-04 13:34:59 -04:00
Dan Walsh
8872d3d2ac MCS fixes
quota fixes
2011-11-04 13:31:43 -04:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
Dan Walsh
5717c509f3 change qemu_t to svirt_t in mls config file virtual machines, remove config data 2011-11-03 11:29:41 -04:00
dwalsh
d5bededc4d Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:23:55 -04:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
38087df72c Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 14:06:19 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
a1db2ce026 Remove qemu.pp again without causing a crash 2011-10-27 09:33:50 -04:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Dan Walsh
3dcddab74d Allow firewallgui to read /etc/selinux/config 2011-10-24 13:39:32 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
fbfb5e985d Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:53:02 -04:00
Dan Walsh
1a2b4d14f1 Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:44:31 -04:00
Dan Walsh
f875d285bd Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:37:11 -04:00
Dan Walsh
62727652eb Policy update should not modify local contexts 2011-10-21 10:28:58 -04:00
Dan Walsh
37b75a051e Policy update should not modify local contexts 2011-10-21 10:05:15 -04:00
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
052e175084 Remove ada policy 2011-10-20 14:33:31 -04:00
Dan Walsh
b01657ac51 Remove ada policy 2011-10-20 14:21:03 -04:00
Dan Walsh
61fa8d555e Remove tzdata policy
Remove ada policy
Add labeling for udev
Add cloudform policy
Fixes for bootloader policy
2011-10-20 12:30:06 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Miroslav
1944b1a36e Remove tzdata policy 2011-10-20 18:00:51 +02:00
Miroslav
5deba1c4da Add cloudform to modules-targetd.conf 2011-10-20 17:51:34 +02:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
4dba2eb895 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-19 08:29:33 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
9bf3aa2c96 Add passwd_file_t for /etc/ptmptmp 2011-10-17 15:51:24 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
042e3a325f Don't check md5 size or mtime on certain config files 2011-10-12 15:42:07 -04:00
Dan Walsh
2f4dfeb425 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00
Dan Walsh
80347b11c4 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:48:46 -04:00
Dan Walsh
3af504b2d1 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-10-11 16:48:17 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Miroslav
62760c4b9e - Fixes for bootloader policy
- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore
- Allow nsplugin to read /usr/share/config
- Allow sa-update to update rules
- Add use_fusefs_home_dirs for chroot ssh option
- Fixes for grub2
- Update systemd_exec_systemctl() interface
- Allow gpg to read the mail spool
- More fixes for sa-update running out of cron job
- Allow ipsec_mgmt_t to read hardware state information
- Allow pptp_t to connect to unreserved_port_t
- Dontaudit getattr on initctl in /dev from chfn
- Dontaudit getattr on kernel_core from chfn
- Add systemd_list_unit_dirs to systemd_exec_systemctl call
- Fixes for collectd policy
- CHange sysadm_t to create content as user_tmp_t under /tmp
2011-10-11 00:50:27 +02:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Miroslav
54943f9472 - Allow virsh to read xenstored pid file
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
2011-10-05 23:48:25 +02:00