Jeremy Solt
316cdb1d0d
nx patch from Dan Walsh
...
Edits:
- Style and whitespace fixes
- Removed read_lnk_files_pattern from nx_read_home_files
- Delete declaration of nx_server_home_ssh_t and files_type since the template already does this
2010-05-24 13:08:07 -04:00
Chris PeBenito
d9e4cbd2ce
Postfix patch from Dan Walsh.
2010-05-21 08:56:49 -04:00
Chris PeBenito
9ea85eaa8b
Sendmail patch from Dan Walsh.
2010-05-20 08:36:38 -04:00
Chris PeBenito
b276e36914
Procmail patch from Dan Walsh.
2010-05-20 08:17:06 -04:00
Chris PeBenito
e19b8d1c2e
MTA patch from Dan Walsh.
2010-05-19 09:00:39 -04:00
Chris PeBenito
088b65e52b
SSH patch from Dan Walsh.
2010-05-19 08:31:17 -04:00
Chris PeBenito
4e698b0fca
Cups patch from Dan Walsh.
2010-05-18 10:59:37 -04:00
Chris PeBenito
1b2f08ea10
Abrt patch from Dan Walsh.
2010-05-18 10:18:12 -04:00
Chris PeBenito
e9e43f04b3
Plymouthd policy from Dan Walsh.
2010-05-18 09:54:18 -04:00
Chris PeBenito
b0c2cae14a
Hal patch from Dan Walsh.
...
Lots of random access for hal.
2010-05-18 09:06:36 -04:00
Chris PeBenito
299db7080c
CVS patch from Dan Walsh.
...
cvs needs dac_override when it tries to read shadow
2010-05-14 10:24:11 -04:00
Chris PeBenito
bcc6e65421
SETroubleshoot patch from Dan Walsh.
...
Policy to handle the fixit button in setroubleshoot.
2010-05-13 13:22:53 -04:00
Chris PeBenito
ada61e1529
Asterisk patch from Dan Walsh.
...
asterisk_manage_lib_files(logrotate_t)
asterisk_exec(logrotate_t)
Needs net_admin
Drops capabilities
connects to unix_stream
execs itself
Requests kernel load modules
Execs shells
Connects to postgresql and snmp ports
Reads urand and generic usb devices
Has mysql and postgresql back ends
sends mail
2010-05-13 11:35:58 -04:00
Chris PeBenito
24e0b9b3a4
Munin patch from Dan Walsh.
2010-05-13 11:20:54 -04:00
Chris PeBenito
27afb97c29
Minor fixes on a2524cf
. Module version bump.
2010-05-11 08:33:04 -04:00
Chris PeBenito
aeb7a4e180
Whitespace fixes on cobbler.
2010-05-11 08:23:02 -04:00
Jeremy Solt
a2524cfa77
cobbler patch from Dan Walsh
2010-05-11 08:17:33 -04:00
Chris PeBenito
fb3fc9e4f0
Cyrus patch from Dan Walsh.
2010-05-03 15:14:50 -04:00
Chris PeBenito
4804cd43a0
Clamav patch from Dan Walsh.
2010-05-03 15:01:35 -04:00
Chris PeBenito
d8eb3c71c6
Dovecot patch from Dan Walsh.
2010-05-03 14:37:19 -04:00
Chris PeBenito
baea7b1dc6
Networkmanager patch from Dan Walsh.
2010-05-03 14:01:26 -04:00
Chris PeBenito
a3108c60c0
Consolekit patch from Dan Walsh.
2010-05-03 10:21:48 -04:00
Chris PeBenito
b0076a1413
Arpwatch patch from Dan Walsh.
2010-05-03 09:49:33 -04:00
Chris PeBenito
98ac98623c
Dbus patch from Dan Walsh.
2010-05-03 09:34:42 -04:00
Chris PeBenito
61738f11ec
Devicekit patch from Dan Walsh.
2010-05-03 09:01:46 -04:00
Chris PeBenito
87a9469fc9
Add networking rules for spamd to connect to mysql/postgresql over the network, from Chris St. Pierre.
2010-04-27 10:31:47 -04:00
Chris PeBenito
45696ab282
Add missing secmark rules in ntop, from Dominick Grift.
2010-04-27 09:31:30 -04:00
Chris PeBenito
a53c6c65a4
FTP patch from Dan Walsh.
2010-04-26 15:15:23 -04:00
Chris PeBenito
d7ebbd9d22
Module version bump for 34838aa
.
2010-04-26 13:40:21 -04:00
Jeremy Solt
34838aa62a
Samba patch from Dan Walsh
...
- signal interfaces
- fusefs support
- bug 566984: getattrs on all blk and chr files
Did not include:
- changes related to samba_unconfined_script_t and samba_unconfined_net_t
- samba_helper_template (didn't appear to be used)
- manage_lnk_files_pattern in samba_manage_var_files
- signal allow rule in samba_domtrans_winbind_helper
- samba_role_notrans
- userdom_manage_user_home_content
Some style and spacing fixes
2010-04-26 13:28:21 -04:00
Chris PeBenito
05a2e3e2d7
Lircd patch from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
e07fbc004d
Add DenyHosts from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
44b3808ba5
Djbdns patch from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
5c3274d7bf
Module version bump for 4b121a5
.
2010-04-19 10:23:11 -04:00
Chris PeBenito
46879922d8
Additional whitespace fix in nis.
2010-04-19 10:20:19 -04:00
Jeremy Solt
f49fc19e5a
Style changes
2010-04-19 10:19:46 -04:00
Jeremy Solt
4b121a5f53
nis patch from Dan Walsh
...
Made a couple style changes.
Removed unnecessary require in nis_use_ypbind interface
2010-04-19 10:19:44 -04:00
Chris PeBenito
da5940411c
Additional whitespace fixes in certmonger.
2010-04-19 10:17:24 -04:00
Jeremy Solt
0e5494a3d9
Fix some whitespace and style issues.
2010-04-19 10:07:20 -04:00
Jeremy Solt
33793ec2ce
certmonger policy from Dan Walsh
...
Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues
2010-04-19 10:07:17 -04:00
Chris PeBenito
86ff008754
Module version bump for 4f7b413
.
2010-04-19 10:05:22 -04:00
Jeremy Solt
e6e2a769ac
Remove excess white space from ntop.te
...
Move ntop ports declaration to correct location.
2010-04-19 09:55:01 -04:00
Jeremy Solt
4f7b413cdc
Ntop policy from Dan Walsh
...
Added alias for ntop_http_content_t in apache
Pulled in ntop port from corenetwork patch
2010-04-19 09:54:58 -04:00
Chris PeBenito
98759716fe
Module version bump for 46e16a2
.
2010-04-19 09:54:13 -04:00
Jeremy Solt
d86d4f6069
Move optional policy to correct location for style
2010-04-19 09:50:42 -04:00
Jeremy Solt
01bfe1d20e
kerberos patch from Dan Walsh
2010-04-19 09:50:39 -04:00
KaiGai Kohei
ec8d32c8e9
[BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
...
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.
In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.
And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
2010-04-12 10:37:21 -04:00
Chris PeBenito
23ad802a9d
Module version bump for 5d3214f
and 795b733
.
2010-04-12 10:01:39 -04:00
Jeremy Solt
795b733a71
pcscd patch from Dan Walsh: manage pub files and fifo files
2010-04-12 09:10:37 -04:00
Jeremy Solt
5d3214f5a9
gpsd path from Dan Walsh
2010-04-12 09:07:50 -04:00
Dominick Grift
91b12ad94c
Move kernel_request_load_module(gssd_t) to the proper place.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:22 -04:00
Dominick Grift
6d9925c872
Fix requires for apache tmp interfaces.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:12 -04:00
Chris PeBenito
b577852a98
Portreserve patch from Dan Walsh.
2010-04-05 14:50:23 -04:00
Chris PeBenito
38db49c545
PPP patch from Dan Walsh.
2010-04-05 14:38:30 -04:00
Chris PeBenito
372acd0037
Rpc patch from Dan Walsh.
2010-04-05 14:26:21 -04:00
Chris PeBenito
20fa703294
Whitespace fixes on Apache.
2010-04-05 14:05:05 -04:00
Chris PeBenito
da0608ba38
Module version bump for 170a46d
, f8b3b7f
, and a49a82c
.
2010-04-05 13:49:00 -04:00
Chris PeBenito
b7d3db1860
Tweak for 170a46d
.
2010-04-05 13:48:01 -04:00
Jeremy Solt
a49a82c295
snort patch from Dan Walsh
...
Didn't rearrange all the kernel calls, but did add the kernel_request_load_module.
Didn't include the usbmod (doesn't exist in refpolicy at this time).
Included the generic usb device permissions because snort uses libpcap, which can also be used to monitor USB traffic, so this may be a side effect.
From the red hat bug (559861), it sounds as though snort was failing without these permissions, so it doesn't look like a dontaudit would work.
2010-04-05 13:46:11 -04:00
Jeremy Solt
f8b3b7fa48
Nut policy from Dan Walsh
...
Dropped optional policy for shutdown_domtrans
Dropped commented can_exec line
2010-04-05 13:45:31 -04:00
Jeremy Solt
170a46d6c5
memcached patch from Dan Walsh
...
Moved term_dontaudits up for style
2010-04-05 13:43:58 -04:00
Chris PeBenito
60def66b13
Second part of Apache patch from Dan Walsh.
2010-04-05 10:57:52 -04:00
Chris PeBenito
83caba3eb9
First part of apache patch from Dan Walsh: file context changes, including renaming script ro/ra/rw files.
2010-04-01 08:17:50 -04:00
Chris PeBenito
25d81d2655
Tor patch from Dan Walsh.
2010-03-29 14:30:52 -04:00
Chris PeBenito
2b93b88584
Sssd patch from Dan Walsh.
2010-03-29 14:08:52 -04:00
Chris PeBenito
ee2d2dda24
Add usbmuxd from Dan Walsh.
2010-03-29 13:29:18 -04:00
Chris PeBenito
6d4dbd20ae
Vhostmd from Dan Walsh.
2010-03-29 11:25:06 -04:00
Chris PeBenito
bf54d5be44
Module version bumps for c586c1b
, dcbb332
, 4c05dff
, 84ce9c3
, 2b012ba
, and 1868383
.
2010-03-29 09:21:59 -04:00
Chris PeBenito
ad0071bbe4
Tweaks on pulseaudio 1868383
, ksmtuned d279dd6
, and smokeping f3c346c
.
2010-03-29 09:19:40 -04:00
Jeremy Solt
f3c346cc07
Smokeping policy from Dan Walsh
...
Made some style / spacing changes
Did not include read access to /etc/shadow
Removed manage_var_run and manage_var_lib interfaces
Removed permissive line
2010-03-29 08:46:30 -04:00
Jeremy Solt
d279dd603f
ksmtuned policy from Dan Walsh
...
Couple style/space fixes.
Used ps_process_pattern in admin interface
2010-03-29 08:36:53 -04:00
Jeremy Solt
2b012bacb6
Prelude patch from Dan Walsh
2010-03-29 08:36:15 -04:00
Jeremy Solt
84ce9c3333
Bluetooth patch (sys_admin and debugfs) from Dan Walsh
...
Added comments to reference redhat bugs
2010-03-29 08:36:05 -04:00
Jeremy Solt
4c05dff3d1
avahi patch from Dan Walsh
...
Didn't include the file read in the dbus_chat interface.
2010-03-29 08:36:00 -04:00
Jeremy Solt
dcbb332992
chronyd patch from Dan Walsh
...
Fixed a couple style/spacing issues.
Added files_search_etc for chronyd_keys file
2010-03-29 08:35:52 -04:00
Jeremy Solt
c586c1bfa6
Give dcc setgid from Dan Walsh
2010-03-29 08:35:34 -04:00
Chris PeBenito
7656af7a6f
Module version bump for c37d843
.
2010-03-23 08:07:19 -04:00
Chris PeBenito
be8311279e
Minor bind XML tweaks.
2010-03-23 08:05:00 -04:00
Jeremy Solt
c37d843fa1
bind patch from Dan Walsh
...
some fixes in interfaces, added bind_setattr_zone_dirs interface
sysnet_read_config not needed with auth_use_nsswitch
Did not include init_read_script_tmp_files for named_t
2010-03-23 08:01:05 -04:00
Chris PeBenito
390b8a821b
Radvd patch from Dan Walsh.
2010-03-22 15:19:50 -04:00
Chris PeBenito
1b22152c2c
Rdisc patch from Dan Walsh.
2010-03-22 15:09:27 -04:00
Chris PeBenito
6c40309ef1
Module version bump for 1d348bd
.
2010-03-22 13:53:24 -04:00
Jeremy Solt
1d348bd253
Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh
2010-03-22 13:52:19 -04:00
Chris PeBenito
cf7eb082d2
Sasl patch from Dan Walsh.
2010-03-22 11:22:25 -04:00
Chris PeBenito
449d2069ac
Snmp patch from Dan Walsh.
2010-03-22 11:08:31 -04:00
Chris PeBenito
08d7c7339b
Sysstat patch from Dan Walsh.
2010-03-22 10:47:41 -04:00
Chris PeBenito
98ac3f5ace
Telnet patch from Dan Walsh.
2010-03-22 10:40:37 -04:00
Chris PeBenito
461b53e028
Tuned patch from Dan Walsh.
2010-03-22 10:33:31 -04:00
Chris PeBenito
7630200e1b
Virt patch from Dan Walsh.
2010-03-22 10:24:34 -04:00
Chris PeBenito
064d1b469e
Rename rtkit_schedule() to rtkit_scheduled().
2010-03-22 09:54:58 -04:00
Chris PeBenito
e13a9ef5fe
Module version bump for ac19f1a
.
2010-03-22 08:59:04 -04:00
Chris PeBenito
c7a4cf3179
Module version bump for 9681df1
.
2010-03-22 08:58:41 -04:00
Chris PeBenito
32103f250f
Module version bump for d3b5907
.
2010-03-22 08:58:20 -04:00
Chris PeBenito
340af119b0
Minor tweaks on icecast.
2010-03-22 08:56:32 -04:00
Jeremy Solt
584dfaca45
icecast policy from Dan Walsh
...
Fixed some style and spacing issues
Replace manage_var_run interface with manage_pid_files with fewer permissions
Replaced rkit_daemon_system_domain with rtkit_schedule
2010-03-22 08:49:54 -04:00
Jeremy Solt
ac19f1ac26
rtkit patch from Dan Walsh:
...
rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process.
Needs sys_nice capability
Needs to getsched on all domains.
Fix bug in te file
Me:
changed interface name from rtkit_daemon_system_domain to rtkit_schedule
Already had sys_nice capability
2010-03-22 08:41:42 -04:00
Jeremy Solt
9681df1c8d
postgresql patch from Dan Walsh:
...
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"
Moved signal interface for style.
2010-03-22 08:39:15 -04:00
Jeremy Solt
d3b5907ea4
openvpn needs ipc_lock capability, connects to http ports,
...
and manages net_conf_t files - from Dan Walsh
2010-03-22 08:36:47 -04:00
Chris PeBenito
47293bd8d6
Tftp patch from Dan Walsh.
2010-03-19 15:56:14 -04:00
Chris PeBenito
788ba75491
Uucp patch from Dan Walsh.
2010-03-19 15:49:12 -04:00
Chris PeBenito
bed0a44560
Zebra patch from Dan Walsh.
2010-03-19 15:45:25 -04:00
Chris PeBenito
7b50b7053d
Module version bump for 6a03548
.
2010-03-17 09:42:46 -04:00
Jeremy Solt
6a035482dc
amavis uses uptime which reads utmp, and reads certs - from Dan Walsh
2010-03-17 09:41:18 -04:00
Chris PeBenito
827060cb04
Style fixes and module version bumps for 38fc1bd
.
2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180
Likewise policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
2a62db7883
Module version bump for 414a570
.
2010-03-16 15:28:36 -04:00
Jeremy Solt
414a5704df
fetchmail executes programs in bin (uname), from Dan Walsh
2010-03-16 15:27:40 -04:00
Chris PeBenito
5911f3dbca
Module version bump for 935151a
.
2010-03-16 14:35:09 -04:00
Chris PeBenito
9a59893e5a
Module version bump for d7ec247
.
2010-03-16 14:34:23 -04:00
Chris PeBenito
9570fc108e
Module version bump for 591af7b
.
2010-03-16 14:34:05 -04:00
Chris PeBenito
1656bf730f
Whitespace fixes in mailman.
2010-03-16 13:51:51 -04:00
Jeremy Solt
935151afcd
Change kernel_load_module to kernel_request_load_module for howl from Dan Walsh
2010-03-16 13:44:55 -04:00
Jeremy Solt
d7ec24785b
File context update for certmaster from Dan Walsh
2010-03-16 13:44:50 -04:00
Jeremy Solt
591af7be0c
file context updates from Dan Walsh
2010-03-16 13:44:48 -04:00
Chris PeBenito
fce868d074
Module version bump for f7d413a
.
2010-03-16 13:15:00 -04:00
Chris PeBenito
bf140fc32c
Rearrange interfaces in fail2ban.
2010-03-16 13:14:46 -04:00
Jeremy Solt
f7d413af27
fail2ban_stream_connect and fail2ban_rw_stream_sockets from Dan Walsh
...
Did not include dontaudit_leaks interface
Modified fail2ban_rw_stream_sockets to use rw_stream_socket_perms set
2010-03-16 11:44:35 -04:00
Chris PeBenito
ce0570dc6d
Module version bump for e172614
.
2010-03-12 11:42:28 -05:00
Chris PeBenito
9e506eb236
Rearrange lines in alsa an mysql.
2010-03-12 08:59:23 -05:00
Chris PeBenito
e172614b57
Whitespace cleanup on mysql.if.
2010-03-12 08:55:34 -05:00
Jeremy Solt
12a6a53f63
mysql policy from Dan Walsh
...
My changes to patch:
A couple changes to match style.
Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
2010-03-12 08:54:29 -05:00
Chris PeBenito
30496b1575
Iscsi and tgtd patches from Dan Walsh.
2010-03-09 15:17:16 -05:00
Dominick Grift
183f79e38e
Fix cobbler_admin interface to require cobblerd_initrc_exec_t.
...
As per: http://oss.tresys.com/pipermail/refpolicy/2010-March/002258.html
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-04 14:12:41 -05:00
Chris PeBenito
ec0205ff73
Module version bump for e1e78df.
2010-03-04 09:18:04 -05:00
Chris PeBenito
b7070a9f3d
Module version bump for 52b215f.
2010-03-04 09:18:04 -05:00
Chris PeBenito
cb6385d0ba
Module version bump for cf5e81d.
2010-03-04 09:18:04 -05:00
Chris PeBenito
c4faa1db8e
Module version bump for 96b7e9f.
2010-03-04 09:18:04 -05:00
Chris PeBenito
812f30af02
Module version bump for a005018.
2010-03-04 09:18:04 -05:00
Chris PeBenito
4931c57e4b
Add additional comments for e1e78df.
2010-03-04 09:18:04 -05:00
Jeremy Solt
9a1f0d21e1
Seems reasonable that exim may need to manage these files when /etc/alternatives/mta points to exim
...
Patch from Dan Walsh
2010-03-04 09:18:03 -05:00
Jeremy Solt
15ae77bd77
Domain transition for apmd to vbetool from Dan Walsh
2010-03-04 09:18:03 -05:00
Jeremy Solt
a739053cf5
Changed amavis_initrc_domtrans domain summary to match style.
2010-03-04 09:18:03 -05:00
Jeremy Solt
6665c3c768
Changed arpwatch_initrc_domtrans domain summary to match style.
...
Restored arpwatch_initrc_exec_t require because it's still used in arpwatch_admin interface
2010-03-04 09:18:03 -05:00
Dominick Grift
d783374bc9
Various arpwatch fixes.
...
Allow domains to search /var/lib to enable interaction with arpwatch data.
Allow domains to search /tmp to enable interaction with arpwatch tmp content.
Create arpwatch initrc domtrans.
Call arpwatch initrc domtrans from arpwatch_admin.
Remove obsolete require.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:03 -05:00
Jeremy Solt
6eed0aa57c
Modified apcupsd_initrc_domtrans interface summary to match style.
...
Restored apcupsd_initrc_exec_t require in apcupsd_admin interface (It is used here in the role_transition).
2010-03-04 09:18:03 -05:00
Dominick Grift
eda6417669
Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.
...
Create apcupsd initrc domtrans.
Call apcupsd initrc domtrans in apcupsd_admin.
Remove obsolete require.
Allow domains to search bin to enable run apcupsd executable file.
Allow domains to search httpd system content to enable run apcupsd cgi script executables.
Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:03 -05:00
Jeremy Solt
3b814894c7
Fixed typo in gen_require for amavis_initrc_domtrans (Appears to be a copy/paste mistake).
...
Restored amavis_initrc_exec_t require in amavis_admin (still being used in this interface).
2010-03-04 09:18:02 -05:00
Dominick Grift
88340b904a
Various amavis fixes.
...
Create amavis_initrc_domtrans.
Call amavis_initrc_domtrans from amavis_admin.
Remove obsolete require.
Allow domains to search bin to enable run amavis executable.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:02 -05:00
Chris PeBenito
0bbb165448
Improve the documentation of nis_use_ypbind().
2010-03-03 10:37:15 -05:00
Chris PeBenito
d124921979
Module version bump for cd17345
.
2010-02-24 10:13:12 -05:00
Dominick Grift
cd17345324
Various abrt fixes.
...
Fix networking compatibility.
Allow domains to search bin to enable run abrt executables.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:11:51 -05:00
Chris PeBenito
2040268b01
Module version bump for 534e57b
.
2010-02-24 10:08:41 -05:00
Dominick Grift
534e57b770
Various afs fixes.
...
Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable read write cache.
Allow domains to search bin to enable run afs executable.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:07:28 -05:00
Dominick Grift
6306637c89
mysqlmanagerd_var_run_t is not a domain type.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:00:05 -05:00
Chris PeBenito
1021460884
Minor tweaks and module version bump for 68cda59
.
2010-02-23 13:58:18 -05:00
Chris Richards
68cda59844
Add MySQL Manager to MySQL policy module
...
Second submission to fix mistakes from first.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-23 13:23:42 -05:00
Chris PeBenito
1049180cd8
Automount patch from Dan Walsh.
2010-02-19 13:50:01 -05:00
Chris PeBenito
d08a3df046
Ssh key creation fix from Gentoo.
2010-02-17 20:32:08 -05:00
Chris PeBenito
a513794b4c
Chronyd from Miroslav Grepl.
2010-02-16 14:53:59 -05:00
Chris PeBenito
3fb2b72c65
Ccs patch from Dan Walsh.
2010-02-16 11:28:08 -05:00
Chris PeBenito
0ab2c1eae9
Clear xserver TODO.
2010-02-12 10:29:41 -05:00
Chris PeBenito
6246e7d30a
Non-drawing X client support for consolekit.
2010-02-12 10:29:00 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
21673b238a
Hal patch from Dan Walsh.
2010-02-11 08:42:00 -05:00
Chris PeBenito
3079cbceb1
Virt/svirt patch from Dan Walsh.
2010-02-09 10:28:17 -05:00
Chris PeBenito
aa9e3b4b65
Ktalk patch from Dan Walsh.
2010-02-09 10:28:00 -05:00
Chris PeBenito
27eab81f2f
Misc fixes for 1031ee6
.
2010-02-08 13:38:48 -05:00
Chris PeBenito
7d2f96783c
Module version number bump for 1031ee6
.
2010-02-08 13:37:42 -05:00
Dominick Grift
1031ee6f6a
Implement cobblerd policy.
...
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.
Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t.
As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.
Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-02-08 12:56:01 -05:00
Chris PeBenito
e526fca176
Add nut from Stefan Schulze Frielinghaus and Miroslav Grepl.
2010-02-08 11:29:12 -05:00
Chris PeBenito
4ebfec7303
Add pyicqt from Stefan Schulze Frielinghaus.
2010-02-08 10:58:16 -05:00
Chris PeBenito
22a2874dbf
Add dbadm, from KaiGai Kohei.
2010-02-08 10:34:08 -05:00
Chris PeBenito
edc2f7dea4
Fix home_ssh_t usage.
2010-01-25 08:34:28 -05:00
Chris PeBenito
82b5d290cc
PPP patch from Dan Walsh.
2010-01-15 15:46:07 -05:00
Chris PeBenito
cde15072d0
SSH patch from Dan Walsh.
2010-01-15 15:28:27 -05:00
Chris PeBenito
fee5bb73bc
Uucp patch from Dan Walsh.
2010-01-08 10:37:47 -05:00
Chris PeBenito
c155e042d8
Sendmail patch from Dan Walsh.
2010-01-08 10:37:37 -05:00
Chris PeBenito
3624ef76d2
Mailman patch from Dan Walsh.
2010-01-08 10:37:23 -05:00
Chris PeBenito
8a8b24a4ba
Lircd patch from Dan Walsh.
2010-01-08 10:37:13 -05:00
Chris PeBenito
07ba15168b
Courier patch from Dan Walsh.
2010-01-08 10:37:01 -05:00
Chris PeBenito
d2acef78f4
Inetd patch from Dan Walsh.
2010-01-08 10:36:49 -05:00
Chris PeBenito
c292cb96ad
Avahi patch from Dan Walsh.
2010-01-08 10:35:47 -05:00
Chris PeBenito
00808a9b13
Fprintd patch from Dan Walsh.
2010-01-07 11:51:17 -05:00
Chris PeBenito
ef6ea56c4b
Fetchmail patch from Dan Walsh.
2010-01-07 11:51:05 -05:00
Chris PeBenito
84a45c9617
Exim patch from Dan Walsh.
2010-01-07 11:50:55 -05:00
Chris PeBenito
4dd84bbf0e
Dovecot patch from Dan Walsh.
2010-01-07 11:50:47 -05:00
Chris PeBenito
14c7865f1f
Ddclient patch from Dan Walsh.
2010-01-07 11:50:35 -05:00
Chris PeBenito
dcabb11eb5
DCC patch from Dan Walsh.
2010-01-07 11:50:20 -05:00
Chris PeBenito
30958fb7e7
Cyrus patch from Dan Walsh.
2010-01-07 11:49:55 -05:00
Chris PeBenito
192fb874f5
Clamav patch from Dan Walsh.
2010-01-07 11:49:44 -05:00
Chris PeBenito
c5155ac008
Bluetooth patch from Dan Walsh.
2010-01-07 11:49:32 -05:00
Chris PeBenito
96831fe421
Move rules from mta mailserver delivery from interface to .te to use the attribute.
2010-01-07 09:56:21 -05:00
Chris PeBenito
9c40673ff5
MTA patch from Dan Walsh.
2010-01-07 09:48:35 -05:00
Chris PeBenito
2650ca57ec
Tftp patch from Dan Walsh.
2010-01-07 09:01:10 -05:00
Chris PeBenito
f3890b25db
Sssd patch from Dan Walsh.
2010-01-07 09:00:59 -05:00
Chris PeBenito
207c4d1e6e
Snmp patch from Dan Walsh.
2010-01-07 09:00:48 -05:00
Chris PeBenito
82cdffce58
ntp patch from Dan Walsh.
2010-01-07 09:00:39 -05:00
Chris PeBenito
f37b7bd0cb
gpsd patch from Dan Walsh.
2010-01-07 08:59:38 -05:00
Chris PeBenito
b11dcd43b6
Tuned patch from Dan Walsh.
2009-12-18 10:45:56 -05:00
Chris PeBenito
ff785b93df
Rpcbind patch from Dan Walsh.
2009-12-18 10:45:39 -05:00
Chris PeBenito
733f494802
Radvd patch from Dan Walsh.
2009-12-18 10:45:29 -05:00
Chris PeBenito
b36ae9786f
Privoxy patch from Dan Walsh.
2009-12-18 10:45:22 -05:00
Chris PeBenito
1232a50c5f
Prelude patch from Dan Walsh.
2009-12-18 10:45:09 -05:00
Chris PeBenito
6df09cfef7
PCSCD patch from Dan Walsh.
2009-12-18 10:44:59 -05:00
Chris PeBenito
2d59a828b6
Nslcd patch from Dan Walsh.
2009-12-18 10:44:49 -05:00
Chris PeBenito
80f0587459
Mysql patch from Dan Walsh.
2009-12-18 10:44:35 -05:00
Chris PeBenito
d3c612ffd8
Modemmanager patch from Dan Walsh.
2009-12-18 10:44:26 -05:00
Chris PeBenito
0000b795ea
Milter patch from Dan Walsh.
2009-12-18 10:42:08 -05:00
Chris PeBenito
a32226612a
Memcached patch from Dan Walsh.
2009-12-18 10:41:56 -05:00
Chris PeBenito
6aa333b47e
Kerneloops patch from Dan Walsh.
2009-12-18 10:41:41 -05:00
Chris PeBenito
e1b8b54739
Kerberos patch from Dan Walsh.
2009-12-18 10:40:53 -05:00
Chris PeBenito
7d05af77c3
Irqbalance patch from Dan Walsh.
2009-12-18 10:39:36 -05:00
Chris PeBenito
d7b98c8902
GPM patch from Dan Walsh.
2009-12-18 10:39:23 -05:00
Chris PeBenito
ce8a71a960
Fail2ban patch from Dan Walsh.
2009-12-18 10:39:10 -05:00
Chris PeBenito
bd21cb1e09
Certmaster patch from Dan Walsh.
2009-12-18 10:38:57 -05:00
Chris PeBenito
a7d606860b
Bitlbee patch from Dan Walsh.
2009-12-18 10:38:30 -05:00
Chris PeBenito
5894c3e4fb
Amavis patch from Dan Walsh.
2009-12-18 10:38:17 -05:00
Chris PeBenito
32f27a7489
asterisk patch from Dan Walsh.
2009-12-18 10:37:52 -05:00
Chris PeBenito
7e81399d84
apm patch from Dan Walsh.
2009-12-18 10:35:31 -05:00
Chris PeBenito
41c139dc77
afs patch from Dan Walsh.
2009-12-18 10:35:03 -05:00
Chris PeBenito
b84d6ec491
smartmon patch from Dan Walsh.
2009-12-18 10:33:50 -05:00
Chris PeBenito
7fc72a02d9
Changelog and version bump for X object manager changes.
2009-12-03 10:40:42 -05:00
Chris PeBenito
e331a05c77
Merge branch 'master' into xselinux
2009-12-03 10:13:41 -05:00
Chris PeBenito
ed3a1f559a
bump module versions for release.
2009-11-17 10:05:56 -05:00
Chris PeBenito
e6d8fd1e50
additional cleanup for e877913
.
2009-11-11 11:28:50 -05:00
Craig Grube
e8779130bf
adding puppet configuration management system
...
Signed-off-by: Craig Grube <Craig.Grube@cobham.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-11-11 08:37:16 -05:00
Chris PeBenito
f272825b2d
one further rearrangement of tgtd.
2009-11-03 09:41:24 -05:00
Chris PeBenito
222d5b5987
clean up 0bca409
and add changelog entry.
2009-11-03 09:25:37 -05:00
Matthew Ife
0bca409d74
RESET tgtd daemon.
...
This one makes an effort to check for syntax and that it actually compiles.
Signed-off-by: Matthew Ife <deleriux@airattack-central.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-11-03 09:11:43 -05:00
Chris PeBenito
9448ca6e07
restore removed aliases.
2009-11-02 08:48:58 -05:00
Eamon Walsh
5025a463cf
Drop the xserver_unprotected interface.
...
The motivation for this was xdm_t objects not getting cleaned up,
so the user session tried to interact with them. But since the
default user type is unconfined this problem has gone away for now.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-30 08:55:58 -04:00
Eamon Walsh
5242ecceac
X Object Manager policy revisions to xserver.if.
...
X Object Manager policy revisions to xserver.if.
This commit consists of two parts:
1. Revisions to xserver_object_types_template and
xserver_common_x_domain_template. This reflects the dropping
of many of the specific event, extension, and property types.
2. New interfaces:
xserver_manage_core_devices: Gives control over core mouse/keyboard.
xserver_unprotected: Allows all clients to access a domain's X objects.
Modified interfaces:
xserver_unconfined: Added x_domain typeattribute statement.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:26 -04:00
Eamon Walsh
f267f85390
X Object Manager policy revisions to xserver.te.
...
X Object Manager policy revisions to xserver.te.
This commit consists of three main parts:
1. Code movement. There were X object manager-related statements
scattered somewhat throughout the file; these have been consolidated,
which resulted in some other statements moving (e.g. iceauth_t).
2. Type changes. Many of the specific event, extension, and property
types have been dropped for the time being. The rootwindow_t and
remote_xclient_t types have been renamed, and a root_xcolormap_t
type has been (re-)added. This is for naming consistency.
An "xserver_unprotected" alias has been added for use in labeling
clients whose resources should be globally accessible (e.g. xdm_t).
3. Policy changes. These are mostly related to devices, which now have
separate x_keyboard and x_pointer classes. The "Hacks" section
has been cleaned up, and various other classes have had the default
permissions tweaked.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:22 -04:00
Chris PeBenito
b04669aaea
add tuned from miroslav grepl.
2009-10-26 09:42:11 -04:00
Chris PeBenito
5a6b1fe2b4
add dkim from stefan schulze frielinghaus.
2009-09-17 09:12:33 -04:00
Chris PeBenito
21b1d1096f
add gnomeclock from dan.
2009-09-16 08:38:58 -04:00
Chris PeBenito
ed70158a39
add rtkit from dan.
2009-09-15 09:53:24 -04:00
Chris PeBenito
c141d835f1
add modemmanager from dan.
2009-09-14 09:48:13 -04:00
Chris PeBenito
e3a90e358a
add abrt from dan.
2009-09-14 09:22:24 -04:00
Chris PeBenito
937b2c4d91
nscd patch from dan.
2009-09-09 09:35:37 -04:00
Chris PeBenito
c61b35048a
cron patch from dan.
2009-09-09 09:28:04 -04:00
Chris PeBenito
81bca10b28
nslcd policy from dan.
2009-09-08 10:31:19 -04:00
Chris PeBenito
f2f296ba60
openvpn patch from dan: Openvpn connects to cache ports and stores files in nfs and cifs directories.
2009-09-02 09:24:10 -04:00
Chris PeBenito
aa83007d5a
add hddtemp from dan.
2009-09-01 08:34:04 -04:00
Chris PeBenito
6774578327
module version number bump for nscd patch.
2009-08-31 09:44:38 -04:00
Manoj Srivastava
2a79debe9b
nscd cache location changed from /var/db/nscd to /var/cache/nscd
...
The nscd policy module uses the old nscd cache location. The cache location
changed with glibc 2.7-1, and the current nscd does place the files in
/var/cache/nscd/.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2009-08-31 09:43:52 -04:00
Chris PeBenito
aaff2fcfcd
module version number bump for tun patches
2009-08-31 09:17:31 -04:00
Chris PeBenito
bd75703c7d
reorganize tun patch changes.
2009-08-31 08:49:57 -04:00
Paul Moore
9dc3cd1635
refpol: Policy for the new TUN driver access controls
...
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices. The policy rules for creating and attaching to a device are as
shown below:
# create a new device
allow domain_t self:tun_socket { create };
# attach to a persistent device (created by tunlbl_t)
allow domain_t tunlbl_t:tun_socket { relabelfrom };
allow domain_t self:tun_socket { relabelto };
Further discussion can be found on this thread:
* http://marc.info/?t=125080850900002&r=1&w=2
Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00
Chris PeBenito
4279891d1f
patch from Eamon Walsh to remove useage of deprecated xserver interfaces.
2009-08-28 13:40:29 -04:00
Chris PeBenito
93c49bdb04
deprecate userdom_xwindows_client_template
...
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role(). Deprecate
the former and put the rules into the latter.
For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
2009-08-28 13:29:36 -04:00
Chris PeBenito
dbb7dd9484
Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy
2009-08-25 09:44:28 -04:00
Chris PeBenito
69347451fd
split dev_manage_dri_dev() into a manage and a filetrans interface.
2009-08-25 09:43:38 -04:00
Chris PeBenito
0484277038
reorganize dbus.fc.
2009-08-18 13:37:46 -04:00
Chris PeBenito
62c80e2546
module version bumps and changelog update for the previous 3 commits.
2009-08-18 13:20:01 -04:00
LABBE Corentin
0d700b0fa1
Gentoo dbus in libexec
2009-08-18 13:13:40 -04:00
LABBE Corentin
58cc9903dd
Missing comma in policykit
2009-08-18 13:13:26 -04:00
Chris PeBenito
909922027b
Debian policykit fixes from Martin Orr.
...
The policykit binaries on Debian live in /usr/lib/policykit so add file
contexts for that. Also a couple of policykit rules.
2009-08-18 09:49:31 -04:00
Chris PeBenito
2a77737d4e
Add missing rules to make unconfined_cronjob_t a valid cron job domain.
...
Unconfined_cronjob_t is not a valid cron job domain because the cron
module is lacking a transition from the crond to the unconfined_cronjob_t
domain. This adds the transition and also a constraints exemption since
part of the transition is also a seuser and role change typically.
2009-08-12 14:15:39 -04:00
Chris PeBenito
e335910197
Add missing compatibility aliases for xdm_xserver*_t types.
...
When collapsing all of the xdm_xserver*_t types into xserver*_t, aliases for
compatibility were mistakenly not added to the policy.
2009-08-05 11:17:53 -04:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
50458c8bb7
pull most of fedora changes to rpc.
2009-07-29 14:55:30 -04:00
Chris PeBenito
0c89174f7f
pull most of fedora changes to samba.
2009-07-29 14:40:34 -04:00
Chris PeBenito
363e8fb98a
pull in part of fedora mta changes
2009-07-29 10:59:09 -04:00
Chris PeBenito
20c3ccee1a
add fprintd module from dan.
2009-07-29 10:28:31 -04:00
Chris PeBenito
677c4c2fea
add devicekit module from dan.
2009-07-29 10:02:06 -04:00
Chris PeBenito
4e7c0a93a6
consolekit patch from dan.
2009-07-29 09:13:54 -04:00
Chris PeBenito
33322290f2
automount patch from dan.
2009-07-29 08:59:26 -04:00
Chris PeBenito
8f3bddfbfd
cups patch from dan.
2009-07-28 15:46:26 -04:00
Chris PeBenito
4be3e11094
pull in apache_admin() from fedora
2009-07-28 13:24:08 -04:00
Chris PeBenito
423a4a3a2c
fix dbus type transition conflict.
...
switch dbus ranged calls from daemon domain to system domain. This works
around a type transition conflict. It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
Chris PeBenito
c7ae9ae1c8
Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy
2009-07-28 08:00:03 -04:00
Chris PeBenito
ebf3ec9063
snort patch from dan.
2009-07-27 16:04:10 -04:00
Chris PeBenito
708a74a212
oddjob patch from dan.
2009-07-27 10:52:20 -04:00
Chris PeBenito
fa50187c5e
kerneloops patch from dan
2009-07-27 10:44:19 -04:00
Chris PeBenito
9de7c1706d
hal patch from dan.
2009-07-27 10:18:50 -04:00
Chris PeBenito
fe1205a810
avahi patch from dan
2009-07-27 09:57:20 -04:00
Chris PeBenito
e04438840b
dbus patch from dan
2009-07-27 09:46:35 -04:00
Chris PeBenito
09516cb4be
remove read_default_t tunable
2009-07-23 08:58:35 -04:00
Chris PeBenito
13306f56b6
afs client patch from dan.
2009-07-21 10:11:03 -04:00
Chris PeBenito
b93a7dacca
bluetooth patch from dan.
2009-07-21 10:10:47 -04:00
Chris PeBenito
ad0aea536b
clamav patch from dan.
2009-07-21 10:10:31 -04:00
Chris PeBenito
92f08c7130
mailman patch from dan.
2009-07-21 10:10:17 -04:00
Chris PeBenito
1847443ea3
ricci patch from dan.
2009-07-21 10:10:00 -04:00
Chris PeBenito
d8822462c4
fix policykit interface
2009-07-21 10:09:14 -04:00
Chris PeBenito
7395f80119
ppp patch from dan
2009-07-20 15:41:19 -04:00
Chris PeBenito
4aa075262a
kerberos patch from dan
2009-07-20 15:41:08 -04:00
Chris PeBenito
8f17f7c2ee
dnsmasq patch from dan.
2009-07-20 15:40:57 -04:00
Chris PeBenito
93d300831d
dhcp patch from dan
2009-07-20 15:40:41 -04:00
Chris PeBenito
af5374d3a5
policykit.if whitespace fix
2009-07-20 11:37:22 -04:00
Chris PeBenito
9e90ce33db
add policykit from dan.
2009-07-20 11:15:09 -04:00
Chris PeBenito
b67201eae7
fix bad varnishd interface names
2009-07-20 09:44:25 -04:00
Chris PeBenito
7694abdff7
module version bump for f2583aa83b
2009-07-15 09:30:08 -04:00
Manoj Srivastava
f2583aa83b
Remove duplicate distro_redhat context
...
A recent update added an generic context for the lock files, so the
entry in distro_redhat can be removed.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-07-15 09:27:36 -04:00
Chris PeBenito
ce6fee6575
5 patches from dan
2009-07-14 10:30:22 -04:00
Chris PeBenito
10b03f376b
three debian patches from manoj
2009-07-14 09:05:59 -04:00
Chris PeBenito
bb88161284
trunk: 3 patches from dan.
2009-06-30 19:27:21 +00:00
Chris PeBenito
45b975db5b
trunk: add missing varnish port.
2009-06-30 17:48:15 +00:00
Chris PeBenito
50824a99ca
trunk: pads from dan.
2009-06-30 15:03:20 +00:00
Chris PeBenito
46e2fa6d39
trunk: prelude patch from dan.
2009-06-30 14:44:50 +00:00
Chris PeBenito
267d9c60c5
trunk: varnishd from dan.
2009-06-30 13:49:53 +00:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
20272c2b27
trunk: 7 patches from dan.
2009-06-26 13:22:39 +00:00
Chris PeBenito
c989807d4a
trunk: nis patch from dan.
2009-06-25 15:16:29 +00:00
Chris PeBenito
c017ee17ab
trunk: add sssd from dan.
2009-06-22 15:33:21 +00:00
Chris PeBenito
26410ddf54
trunk: remove unnecessary semicolons after interface/template calls.
2009-06-19 13:52:33 +00:00
Chris PeBenito
c9c0d846de
trunk: Greylist milter from Paul Howarth.
2009-06-18 14:36:35 +00:00
Chris PeBenito
45515556d4
trunk: 10 patches from dan.
2009-06-12 19:44:10 +00:00
Chris PeBenito
a65fd90a50
trunk: 6 patches from dan.
2009-06-11 15:00:48 +00:00
Chris PeBenito
cca4a215fe
trunk: add gpsd from miroslav grepl
2009-06-02 14:28:40 +00:00