Commit Graph

1058 Commits

Author SHA1 Message Date
Chris PeBenito
c7a4cf3179 Module version bump for 9681df1. 2010-03-22 08:58:41 -04:00
Chris PeBenito
32103f250f Module version bump for d3b5907. 2010-03-22 08:58:20 -04:00
Chris PeBenito
340af119b0 Minor tweaks on icecast. 2010-03-22 08:56:32 -04:00
Jeremy Solt
584dfaca45 icecast policy from Dan Walsh
Fixed some style and spacing issues
Replace manage_var_run interface with manage_pid_files with fewer permissions
Replaced rkit_daemon_system_domain with rtkit_schedule
2010-03-22 08:49:54 -04:00
Jeremy Solt
ac19f1ac26 rtkit patch from Dan Walsh:
rtkit_daemon_system_domain interface allows domains to say rtkit can setsched on their process.
Needs sys_nice capability
Needs to getsched on all domains.
Fix bug in te file

Me:
changed interface name from rtkit_daemon_system_domain to rtkit_schedule
Already had sys_nice capability
2010-03-22 08:41:42 -04:00
Jeremy Solt
9681df1c8d postgresql patch from Dan Walsh:
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"

Moved signal interface for style.
2010-03-22 08:39:15 -04:00
Jeremy Solt
d3b5907ea4 openvpn needs ipc_lock capability, connects to http ports,
and manages net_conf_t files - from Dan Walsh
2010-03-22 08:36:47 -04:00
Chris PeBenito
47293bd8d6 Tftp patch from Dan Walsh. 2010-03-19 15:56:14 -04:00
Chris PeBenito
788ba75491 Uucp patch from Dan Walsh. 2010-03-19 15:49:12 -04:00
Chris PeBenito
bed0a44560 Zebra patch from Dan Walsh. 2010-03-19 15:45:25 -04:00
Chris PeBenito
bc31d12725 Libraries patch from Dan Walsh. 2010-03-19 14:21:23 -04:00
Chris PeBenito
0d86ea1d7b Xen patch from Dan Walsh. 2010-03-19 11:54:50 -04:00
Chris PeBenito
b60df9f57d Getty patch from Dan Walsh. 2010-03-19 11:05:56 -04:00
Chris PeBenito
1fa92b8a55 Sysnetwork patch from Dan Walsh. 2010-03-18 15:40:04 -04:00
Chris PeBenito
ddd786e404 Init patch from Dan Walsh. 2010-03-18 10:19:49 -04:00
Chris PeBenito
153ed8751a Authlogin patch from Dan Walsh. 2010-03-18 08:59:25 -04:00
Chris PeBenito
4fbcd778de Iptables patch from Dan Walsh. 2010-03-18 08:10:21 -04:00
Chris PeBenito
a124c0a81f Udev patch from Dan Walsh. 2010-03-17 15:17:48 -04:00
Chris PeBenito
7a8807b627 Logging patch from Dan Walsh. 2010-03-17 14:40:06 -04:00
Chris PeBenito
90e65feca5 Ipsec patch from Dan Walsh. 2010-03-17 13:52:07 -04:00
Chris PeBenito
d13c6758a4 Modutils patch from Dan Walsh. 2010-03-17 11:59:14 -04:00
Chris PeBenito
0417386142 Kernel patch from Dan Walsh. 2010-03-17 11:16:25 -04:00
Chris PeBenito
1f6d975502 Domain patch from Dan Walsh. 2010-03-17 10:02:07 -04:00
Chris PeBenito
7b50b7053d Module version bump for 6a03548. 2010-03-17 09:42:46 -04:00
Jeremy Solt
6a035482dc amavis uses uptime which reads utmp, and reads certs - from Dan Walsh 2010-03-17 09:41:18 -04:00
Chris PeBenito
827060cb04 Style fixes and module version bumps for 38fc1bd. 2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180 Likewise policy.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
2a62db7883 Module version bump for 414a570. 2010-03-16 15:28:36 -04:00
Jeremy Solt
414a5704df fetchmail executes programs in bin (uname), from Dan Walsh 2010-03-16 15:27:40 -04:00
Chris PeBenito
e8871c2092 Add additional documentation to kernel_request_load_module(). 2010-03-16 15:08:00 -04:00
Chris PeBenito
5911f3dbca Module version bump for 935151a. 2010-03-16 14:35:09 -04:00
Chris PeBenito
c6491af860 Module version bump for d12f18e. 2010-03-16 14:34:50 -04:00
Chris PeBenito
9a59893e5a Module version bump for d7ec247. 2010-03-16 14:34:23 -04:00
Chris PeBenito
9570fc108e Module version bump for 591af7b. 2010-03-16 14:34:05 -04:00
Chris PeBenito
ce693cbbec Module version bump for ae07c9e. 2010-03-16 14:33:43 -04:00
Chris PeBenito
1656bf730f Whitespace fixes in mailman. 2010-03-16 13:51:51 -04:00
Jeremy Solt
935151afcd Change kernel_load_module to kernel_request_load_module for howl from Dan Walsh 2010-03-16 13:44:55 -04:00
Jeremy Solt
d12f18e452 Change kernel_load_module to kernel_request_load_module from Dan Walsh 2010-03-16 13:44:52 -04:00
Jeremy Solt
d7ec24785b File context update for certmaster from Dan Walsh 2010-03-16 13:44:50 -04:00
Jeremy Solt
591af7be0c file context updates from Dan Walsh 2010-03-16 13:44:48 -04:00
Jeremy Solt
ae07c9e2e8 Screen needs to setattr on user_ttydevice_t from Dan Walsh 2010-03-16 13:36:45 -04:00
Chris PeBenito
fad6e761bf Whitespace fix for mcelog. 2010-03-16 13:15:38 -04:00
Chris PeBenito
fce868d074 Module version bump for f7d413a. 2010-03-16 13:15:00 -04:00
Chris PeBenito
bf140fc32c Rearrange interfaces in fail2ban. 2010-03-16 13:14:46 -04:00
Chris PeBenito
580279da88 Module version bump for 74b51e6. 2010-03-16 13:12:22 -04:00
Chris PeBenito
6bc64c4be7 Whitespace fixes for smoltclient. 2010-03-16 13:11:53 -04:00
Chris PeBenito
ba1c45337b Module version bump for 3137148. 2010-03-16 13:10:14 -04:00
Jeremy Solt
1484157201 mcelog policy from Dan Walsh
Me: Removed permissive line, and fixed a couple style issues
2010-03-16 11:47:07 -04:00
Jeremy Solt
f7d413af27 fail2ban_stream_connect and fail2ban_rw_stream_sockets from Dan Walsh
Did not include dontaudit_leaks interface
Modified fail2ban_rw_stream_sockets to use rw_stream_socket_perms set
2010-03-16 11:44:35 -04:00
Jeremy Solt
74b51e6db2 Firstboot sends dbus messages from Dan Walsh
Not including the noaudit for the unconfined domain
Corrected tabbing for nested optional policy
2010-03-16 11:43:36 -04:00
Jeremy Solt
257a2788cd Policy for smolt sendProfile client from Dan Walsh 2010-03-16 11:37:56 -04:00
Jeremy Solt
31371480b0 Run interface for ptchown from Dan Walsh 2010-03-16 11:34:58 -04:00
Chris PeBenito
37e2499ed1 Module version bump for 1d3d00b. 2010-03-12 11:43:09 -05:00
Chris PeBenito
ce0570dc6d Module version bump for e172614. 2010-03-12 11:42:28 -05:00
Chris PeBenito
7af0e9bc95 Filesystem patch from Dan Walsh. 2010-03-12 11:40:59 -05:00
Chris PeBenito
9e506eb236 Rearrange lines in alsa an mysql. 2010-03-12 08:59:23 -05:00
Chris PeBenito
e172614b57 Whitespace cleanup on mysql.if. 2010-03-12 08:55:34 -05:00
Jeremy Solt
1d3d00b279 Manage alsa writable config files interface from Dan Walsh
Moved term_dontaudit_use_console for style.
2010-03-12 08:54:29 -05:00
Jeremy Solt
12a6a53f63 mysql policy from Dan Walsh
My changes to patch:
A couple changes to match style.
Removed files_dontaudit_search_all_mountpoints(mysqld_safe_t), it doesn't exist in refpolicy
2010-03-12 08:54:29 -05:00
Chris PeBenito
2f0e3a4e7e Raid patch from Dan Walsh. 2010-03-09 15:33:29 -05:00
Chris PeBenito
30496b1575 Iscsi and tgtd patches from Dan Walsh. 2010-03-09 15:17:16 -05:00
Chris PeBenito
939eaf2f13 Fstools patch from Dan Walsh. 2010-03-09 14:32:17 -05:00
Chris PeBenito
d0a6df5c47 Miscfiles patch from Dan Walsh. 2010-03-09 10:44:55 -05:00
Chris PeBenito
547d62ea9e Module version bump for ddae1cc. 2010-03-09 09:34:30 -05:00
Jeremy Solt
ddae1cc9ec Creates sock files in /tmp, reads network state. - From Dan Walsh
I didn't include userdom_search_user_home_dirs, this is redundant with
the call to userdom_user_home_dir_filetrans
2010-03-09 09:32:23 -05:00
Chris PeBenito
bd063de6c4 Fix another corenetwork typo. 2010-03-08 11:04:40 -05:00
Chris PeBenito
6f9c3c4895 Module version bump for 42fa15b. 2010-03-08 10:03:18 -05:00
Chris PeBenito
b193389baa Module version bump for 3fcdc39. 2010-03-08 10:02:58 -05:00
Chris PeBenito
5dac50953f Module version bump for cf3da95. 2010-03-08 10:02:34 -05:00
Chris PeBenito
e2e1b6721b Minor style fixes. 2010-03-08 10:00:55 -05:00
Jeremy Solt
42fa15ba75 Logwatch looks for content in homedirs, reads samba shares - from Dan Walsh 2010-03-08 09:34:37 -05:00
Jeremy Solt
3fcdc39764 shorewall log file from Dan Walsh 2010-03-08 09:34:37 -05:00
Jeremy Solt
cf3da95084 Allow cdrecord_t to execute bin_t from Dan Walsh
growisofs executes mkisofs
2010-03-08 09:34:37 -05:00
Chris PeBenito
4af2b3fb98 Add back missing s0 on network_port(). 2010-03-08 07:59:56 -05:00
Chris PeBenito
09b92dcc3c Guest patch from Dan Walsh. 2010-03-05 14:09:49 -05:00
Chris PeBenito
9c709c46a1 Corenetwork patch from Dan Walsh. 2010-03-05 13:46:46 -05:00
Chris PeBenito
4b23c6747b Corecommands patch from Dan Walsh. 2010-03-05 10:51:39 -05:00
Chris PeBenito
05351730cc Devices patch from Dan Walsh. 2010-03-04 15:30:22 -05:00
Chris PeBenito
febc7fdfba Storage patch from Dan Walsh. 2010-03-04 14:23:44 -05:00
Dominick Grift
183f79e38e Fix cobbler_admin interface to require cobblerd_initrc_exec_t.
As per: http://oss.tresys.com/pipermail/refpolicy/2010-March/002258.html

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-04 14:12:41 -05:00
Chris PeBenito
eeb7616f5e Corenetwork patch from Dan Walsh. 2010-03-04 13:50:46 -05:00
Chris PeBenito
c9ab7707b3 add write to manage_lnk_file_perms. 2010-03-04 11:29:06 -05:00
Chris PeBenito
1112a5bc20 Module version bump for be47d75. 2010-03-04 09:18:04 -05:00
Chris PeBenito
ec0205ff73 Module version bump for e1e78df. 2010-03-04 09:18:04 -05:00
Chris PeBenito
b7070a9f3d Module version bump for 52b215f. 2010-03-04 09:18:04 -05:00
Chris PeBenito
cb6385d0ba Module version bump for cf5e81d. 2010-03-04 09:18:04 -05:00
Chris PeBenito
c4faa1db8e Module version bump for 96b7e9f. 2010-03-04 09:18:04 -05:00
Chris PeBenito
812f30af02 Module version bump for a005018. 2010-03-04 09:18:04 -05:00
Chris PeBenito
4931c57e4b Add additional comments for e1e78df. 2010-03-04 09:18:04 -05:00
Jeremy Solt
4d2680e508 hotplug transition to brctl from Dan Walsh 2010-03-04 09:18:04 -05:00
Jeremy Solt
9a1f0d21e1 Seems reasonable that exim may need to manage these files when /etc/alternatives/mta points to exim
Patch from Dan Walsh
2010-03-04 09:18:03 -05:00
Jeremy Solt
15ae77bd77 Domain transition for apmd to vbetool from Dan Walsh 2010-03-04 09:18:03 -05:00
Jeremy Solt
6a9ef9e852 gen_require typo fix in dbadm.if from Dan Walsh 2010-03-04 09:18:03 -05:00
Jeremy Solt
a739053cf5 Changed amavis_initrc_domtrans domain summary to match style. 2010-03-04 09:18:03 -05:00
Jeremy Solt
6665c3c768 Changed arpwatch_initrc_domtrans domain summary to match style.
Restored arpwatch_initrc_exec_t require because it's still used in arpwatch_admin interface
2010-03-04 09:18:03 -05:00
Dominick Grift
d783374bc9 Various arpwatch fixes.
Allow domains to search /var/lib to enable interaction with arpwatch data.
Allow domains to search /tmp to enable interaction with arpwatch tmp content.
Create arpwatch initrc domtrans.
Call arpwatch initrc domtrans from arpwatch_admin.
Remove obsolete require.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:03 -05:00
Jeremy Solt
6eed0aa57c Modified apcupsd_initrc_domtrans interface summary to match style.
Restored apcupsd_initrc_exec_t require in apcupsd_admin interface (It is used here in the role_transition).
2010-03-04 09:18:03 -05:00
Dominick Grift
eda6417669 Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.
Create apcupsd initrc domtrans.
Call apcupsd initrc domtrans in apcupsd_admin.
Remove obsolete require.
Allow domains to search bin to enable run apcupsd executable file.
Allow domains to search httpd system content to enable run apcupsd cgi script executables.
Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:03 -05:00
Jeremy Solt
3b814894c7 Fixed typo in gen_require for amavis_initrc_domtrans (Appears to be a copy/paste mistake).
Restored amavis_initrc_exec_t require in amavis_admin (still being used in this interface).
2010-03-04 09:18:02 -05:00
Dominick Grift
88340b904a Various amavis fixes.
Create amavis_initrc_domtrans.
Call amavis_initrc_domtrans from amavis_admin.
Remove obsolete require.
Allow domains to search bin to enable run amavis executable.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-04 09:18:02 -05:00
Chris PeBenito
402bbb9fe9 Improve documentation of udev_read_db(). 2010-03-03 14:16:36 -05:00
Chris PeBenito
b675cec7f8 Improve documentation of seutil_sigchld_newrole(). 2010-03-03 14:16:22 -05:00
Chris PeBenito
4a4436a778 Add examples to documentation of common corenetwork interfaces. 2010-03-03 13:42:15 -05:00
Chris PeBenito
a6bafb5a25 Module version bump for bf530f5. 2010-03-03 13:11:58 -05:00
Dominick Grift
bf530f532c Various permission set fixes.
Fix various interfaces to use permission sets for compatiblity with open permission.

Also use other permission sets where possible just because applicable permissions sets are available and the use of permission sets is encourage generally for compatibility.

The use of exec_file_perms permission set may be not be a good idea though since it may be a bit too coarse.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-03 13:10:55 -05:00
Chris PeBenito
b58db31da6 Improve the documentation of application_domain(). 2010-03-03 10:37:58 -05:00
Chris PeBenito
d24a7df15c Improve the documentation of auth_use_nsswitch(). 2010-03-03 10:37:37 -05:00
Chris PeBenito
0bbb165448 Improve the documentation of nis_use_ypbind(). 2010-03-03 10:37:15 -05:00
Dominick Grift
4cb24aed7b Fix userdom_write_user_tmp_sockets to use write_sock_file_perms to allow domains to open user_tmp_t sock_files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-03 10:31:56 -05:00
Chris PeBenito
c46376e665 Improve documentation for userdomain interfaces:
userdom_use_user_terminals()
userdom_dontaudit_search_user_home_dirs()
userdom_dontaudit_use_unpriv_user_fds()
2010-03-02 14:01:10 -05:00
Chris PeBenito
88daf126f2 Improve the documentation of domain interfaces:
domain_type()
domain_use_interactive_fds()
2010-03-02 12:52:07 -05:00
Chris PeBenito
888d9e4652 Improve the documentation of ubac_constrained(). 2010-03-02 11:28:44 -05:00
Chris PeBenito
4e12649d4e Improve the documentation of devices interfaces:
dev_node()
dev_read_rand()
dev_read_urand()
dev_read_sysfs()
2010-03-02 10:24:24 -05:00
Chris PeBenito
12f73d8b69 Improve filesystem interfaces:
fs_getattr_xattr_fs()
fs_getattr_all_fs()
fs_search_auto_mountpoints()
2010-03-01 14:50:55 -05:00
Chris PeBenito
42f1b11482 Module version bump for 03dd57f. 2010-03-01 13:34:10 -05:00
Dominick Grift
03dd57fe7b Fix auth_domtrans_chk_passwd to use read_file_perms to surpress open AVC denials.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-01 13:30:28 -05:00
Chris PeBenito
7cf2858e4a Improve the documentation of files interfaces:
files_pid_file()
files_config_file()
files_tmp_file()
files_read_etc_runtime_files()
files_read_usr_files()
files_search_var_lib()
files_pid_filetrans()
2010-03-01 10:53:50 -05:00
Chris PeBenito
5fb5bf2686 Additional docs for logging_log_filetrans(). 2010-03-01 10:38:24 -05:00
Chris PeBenito
42eb0f10a9 Improve the documentation of corenetwork interfaces
corenet_tcp_sendrecv_generic_if()
corenet_udp_sendrecv_generic_if()
corenet_tcp_sendrecv_generic_node()
corenet_udp_sendrecv_generic_node()
corenet_tcp_bind_generic_node()
corenet_udp_bind_generic_node()
corenet_tcp_sendrecv_all_ports()
corenet_udp_sendrecv_all_ports()
corenet_all_recvfrom_unlabeled()
corenet_all_recvfrom_netlabel()
2010-02-26 14:24:56 -05:00
Chris PeBenito
14e543cb1c Improve the documentation of unconfined_domain(). 2010-02-26 13:47:17 -05:00
Chris PeBenito
45185c0783 Improve the documentation of logging_log_file() and logging_log_filetrans(). 2010-02-26 09:34:41 -05:00
Chris PeBenito
3a744d1275 Improve documentation of corecmd_exec_bin() and corecmd_exec_shell(). 2010-02-26 08:58:32 -05:00
Chris PeBenito
13f000d2ef Improve the documentation of:
init_script_file()
init_daemon_domain()
init_system_domain()
init_ranged_daemon_domain()
init_ranged_system_domain()
init_use_fds()
2010-02-25 16:00:58 -05:00
Chris PeBenito
d6887176c1 Improve sysnet_read_config() documentation. 2010-02-25 13:54:34 -05:00
Chris PeBenito
81a0fb4024 Switch sysnet_use_portmap(), sysnet_use_ldap(), and sysnet_dns_name_resolve() to use sysnet_read_config() rather thane explicit type usage. 2010-02-25 13:53:52 -05:00
Chris PeBenito
7a0c0b4088 Improve documentation on kernel_read_system_state(), kernel_read_network_state(), and kernel_read_proc_symlinks(). 2010-02-25 12:59:11 -05:00
Chris PeBenito
fd813456a4 Add additional documentation to files_type(). 2010-02-25 10:41:12 -05:00
Chris PeBenito
6dadd3995e Rearrange files interfaces. 2010-02-25 08:32:22 -05:00
Chris PeBenito
6e48775f75 Improve documentation on logging_send_syslog_msg(). 2010-02-24 15:56:05 -05:00
Chris PeBenito
fca4a96bae Improve documentation on files_read_etc_files(). 2010-02-24 15:20:03 -05:00
Chris PeBenito
611bc9311d Improve documentation on miscfiles_read_localization(). 2010-02-24 14:56:07 -05:00
Chris PeBenito
d124921979 Module version bump for cd17345. 2010-02-24 10:13:12 -05:00
Dominick Grift
cd17345324 Various abrt fixes.
Fix networking compatibility.
Allow domains to search bin to enable run abrt executables.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:11:51 -05:00
Chris PeBenito
2040268b01 Module version bump for 534e57b. 2010-02-24 10:08:41 -05:00
Dominick Grift
534e57b770 Various afs fixes.
Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable read write cache.
Allow domains to search bin to enable run afs executable.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:07:28 -05:00
Dominick Grift
6306637c89 mysqlmanagerd_var_run_t is not a domain type.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-24 10:00:05 -05:00
Chris PeBenito
1021460884 Minor tweaks and module version bump for 68cda59. 2010-02-23 13:58:18 -05:00
Chris Richards
68cda59844 Add MySQL Manager to MySQL policy module
Second submission to fix mistakes from first.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-23 13:23:42 -05:00
Chris PeBenito
1049180cd8 Automount patch from Dan Walsh. 2010-02-19 13:50:01 -05:00
Chris PeBenito
fa03ecc046 Shorewall patch from Dan Walsh. 2010-02-19 11:53:19 -05:00
Chris PeBenito
6ae29c7378 Vbetool patch from Dan Walsh. 2010-02-19 11:34:28 -05:00
Chris PeBenito
4fd0889171 Java patch from Dan Walsh. 2010-02-19 11:21:38 -05:00
Chris PeBenito
1e0f483a18 Mono patch from Dan Walsh. 2010-02-19 10:42:43 -05:00
Chris PeBenito
a777957b49 Rename qemu_unconfined_t to unconfined_qemu_t. 2010-02-19 10:27:09 -05:00
Chris PeBenito
8a1c9c505f Rearrage qemu.if. 2010-02-19 10:16:28 -05:00
Chris PeBenito
72295e93e1 Qemu patch from Dan Walsh. 2010-02-19 10:15:19 -05:00
Chris PeBenito
29b580ce8f Add sectoolm by Miroslav Grepl. 2010-02-19 09:39:06 -05:00
Chris PeBenito
4796d07ee0 Wine patch from Dan Walsh. 2010-02-19 09:17:51 -05:00
Chris PeBenito
6a9da24987 Useradd home dir creation fix from Gentoo. 2010-02-17 20:34:23 -05:00
Chris PeBenito
2f84a77d22 Syslog fixes from Gentoo. 2010-02-17 20:33:53 -05:00