Commit Graph

3099 Commits

Author SHA1 Message Date
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920 Implement miscfiles_cert_type().
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8 Allow hugetlbfs_t to be on device_t file system
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00
Chris PeBenito
8fbea561bb Module version bump for 8296eb2. 2010-09-10 08:51:54 -04:00
Dan Walsh
e81afdf5c9 raid tools now store pid file and sock_file in /dev/md for early boot. 2010-09-09 14:26:32 -04:00
Dan Walsh
8e47c02b16 fixes for openvpn suggested by dgrift 2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345 Allow mozilla_plugin to create nsplugin_home_t directories
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Chris PeBenito
9c2c77403f Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type. 2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384 Clean up Anaconda policy.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a Clean up Amtu module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261 Clean up Amanda module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:13:13 -04:00
Dan Walsh
5f5963be01 add policy for ajaxterm 2010-09-09 07:11:32 -04:00
Dan Walsh
4c38170781 add policy for ajaxterm 2010-09-09 07:10:24 -04:00
Dan Walsh
d46a2b0115 allow sudo to create sudo_db_t dirs 2010-09-08 18:32:15 -04:00
Dan Walsh
ee4b1e0aad Allow crond to manage user_spool_cron_t link files
Allow init to delete dbus message.pid
Allow init and udev to create hugetlbfs directories
2010-09-08 17:54:31 -04:00
Dan Walsh
b36c20b2a9 Allow sudo domains to manage /var/db/sudo
Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
2010-09-08 17:27:24 -04:00
Dan Walsh
a75a591e52 Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x 2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7 Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461 Cleanup warnings 2010-09-08 10:43:22 -04:00
Dan Walsh
4432db497b add sametime port definition 2010-09-08 10:33:16 -04:00
Dan Walsh
689bfef3a8 Fix apache interface 2010-09-08 10:29:40 -04:00
Dan Walsh
f79af26649 fix bad patch in xserver 2010-09-08 10:25:03 -04:00
Dan Walsh
aa760a2345 Fix gnome interface definitions 2010-09-08 10:10:20 -04:00
Dan Walsh
e51122d3e1 add sametime port definition 2010-09-08 09:40:46 -04:00
Dan Walsh
0745e42559 fix typo in xserver_stream_connect 2010-09-08 09:29:02 -04:00
Dan Walsh
36d83cb651 cleanup alsa patch to match upstream 2010-09-08 09:10:48 -04:00
Dan Walsh
4192c80c13 Eliminate extras alsa_read_home interface 2010-09-08 09:08:34 -04:00
Dan Walsh
8187343042 Any app that executes service command will not do a getattr of all mounted file systems 2010-09-08 08:56:13 -04:00
Dan Walsh
c16ffd1861 Allow apps that use pam to connect to init_t 2010-09-08 08:54:29 -04:00
Dan Walsh
db879987ca Fix pootle 2010-09-07 16:32:23 -04:00
Dan Walsh
f5b49a5e0b Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
f00ba23b21 Merge with upsteam 2010-09-03 17:19:55 -04:00
Dan Walsh
cdda8feee0 Merge branches 'master', 'master' and 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/admin/alsa.fc
	policy/modules/admin/alsa.if
	policy/modules/kernel/filesystem.fc
2010-09-03 17:16:08 -04:00
Dan Walsh
ef98a37444 Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagious sends signal and sigkill to system_mail_t
2010-09-03 17:06:40 -04:00
Chris PeBenito
28d96f0e39 Module version bumps for b7ceb34 5675107 e411968 eca7eb3. 2010-09-03 13:09:40 -04:00
Chris PeBenito
eca7eb3b47 Rearrange alsa interfaces. 2010-09-03 11:56:10 -04:00
Dominick Grift
e411968dff Implement alsa_home_t for asoundrc. Clean up Alsa module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:23:06 -04:00
Dominick Grift
5675107ff9 Libcgroup moved the cgroup directory to /sys/fs/cgroup.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:03:10 -04:00
Dominick Grift
b7ceb34995 Do not try to relabel the contents of the /dev/shm directory.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 10:55:16 -04:00
Dan Walsh
b631f26416 Fix mmap_zero patch 2010-09-03 09:22:06 -04:00
Dan Walsh
a668127367 Allow certmaster to read usr_t files. All python apps are going to need this.
clvmd creates tmpfs files that corosync needs to communicate with
Allow dbus system services to search the cgroup_t directory
2010-09-02 13:38:00 -04:00
Dan Walsh
3a2e888584 cleanup mmap_low merge with upstream 2010-09-01 14:55:04 -04:00
Dan Walsh
cbadf720ba Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/kernel/domain.if
	policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Dan Walsh
02fb4a01f1 define /sys/fs/cgroup as a <<none>> file system 2010-09-01 10:12:53 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00
Chris PeBenito
a1b42052c9 Fix mmap_zero assertion violation in xserver. 2010-09-01 09:59:39 -04:00
Dan Walsh
09686dc8ee Allow all X apps to use direct dri if user_direct_dri boolean is turned on 2010-09-01 09:56:28 -04:00
Dan Walsh
03527520de firstboot is leaking a netlink_route socket into iptables. We need to dontaudit
tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
2010-09-01 09:47:50 -04:00
Dominick Grift
623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00