Chris PeBenito
a72e42f485
Interface documentation standardization patch from Dan Walsh.
2010-08-02 09:22:09 -04:00
Chris PeBenito
27eeb649cc
Virtio disk file context update from Mika Pfluger.
2010-08-02 08:33:41 -04:00
Mika Pflüger
b3f7203d6a
Take virtio disks into account.
...
Signed-off-by: Mika Pflüger <debian@mikapflueger.de>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-08-02 08:25:14 -04:00
Chris PeBenito
21fdee9dd5
Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
...
We went back and reread the bindreservport code in glibc.
Turns out the range of ports that this will reserve are 512-1024 rather
than 600-1024.
The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.
So we need to change corenetwork to reflect this.
2010-07-19 14:22:44 -04:00
Chris PeBenito
3c79f954d1
Rearrange interfaces in filesystem.
2010-06-22 10:17:42 -04:00
Chris PeBenito
eab2cc89b4
Slocate patch from Dan Walsh.
...
Locate attempts to look at network state and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
48e0aa86c9
Files patch from Dan Walsh.
...
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter
Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito
135b1b4c54
Terminal patch from Dan Walsh.
2010-06-09 08:22:31 -04:00
Chris PeBenito
860c05d9de
Rearrange cgroup interfaces in filesystem.
2010-06-08 09:10:45 -04:00
Dominick Grift
c0c635b3f3
cgroup in filesystem.
...
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Chris PeBenito
60f04fcb7a
Kernel patch from Dan Walsh.
...
Add ability to dontaudit requests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito
fb7caddb4f
Devices patch from Dan Walsh.
...
vhost_device_t added for libvirt/qemu
/dev/usbmon device added
lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito
46c0e57acf
Corecommands patch from Dan Walsh.
...
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito
8f0de5df68
Storage patch from Dan Walsh.
...
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Jeremy Solt
d86c09846b
squid patch from Dan Walsh
...
Edits:
- Added netport to corenetwork.te.in
2010-05-24 13:08:07 -04:00
Chris PeBenito
fb3fc9e4f0
Cyrus patch from Dan Walsh.
2010-05-03 15:14:50 -04:00
Chris PeBenito
03a6e03926
Add kernel access to devtmpfs. Also add workaround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 11:17:16 -04:00
Chris PeBenito
05a2e3e2d7
Lircd patch from Dan Walsh.
2010-04-26 12:59:02 -04:00
Chris PeBenito
4a8bd017aa
Module version bump and extra comments for 194d61f.
2010-04-24 08:10:43 -04:00
Chris Richards
194d61fd3c
modutils patch for update-modules
...
update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var. This is never used by update-modules.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-04-24 08:08:15 -04:00
Jeremy Solt
e6e2a769ac
Remove excess white space from ntop.te
...
Move ntop ports declaration to correct location.
2010-04-19 09:55:01 -04:00
Jeremy Solt
4f7b413cdc
Ntop policy from Dan Walsh
...
Added alias for ntop_http_content_t in apache
Pulled in ntop port from corenetwork patch
2010-04-19 09:54:58 -04:00
Chris PeBenito
46e16a2d2a
Use port range notation in corenetwork where it makes sense.
2010-04-13 11:55:04 -04:00
Chris PeBenito
3829eecb12
Clean up output of generated corenetwork.te.
2010-04-13 11:52:09 -04:00
Chris PeBenito
85e71c86da
Fix network_port() in corenetwork to correctly handle port ranges.
2010-04-13 11:06:02 -04:00
Chris PeBenito
e399e3abea
Add devtmpfs labeling.
2010-04-07 08:55:33 -04:00
Chris PeBenito
60def66b13
Second part of Apache patch from Dan Walsh.
2010-04-05 10:57:52 -04:00
Chris PeBenito
0417386142
Kernel patch from Dan Walsh.
2010-03-17 11:16:25 -04:00
Chris PeBenito
1f6d975502
Domain patch from Dan Walsh.
2010-03-17 10:02:07 -04:00
Chris PeBenito
827060cb04
Style fixes and module version bumps for 38fc1bd.
2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180
Likewise policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
e8871c2092
Add additional documentation to kernel_request_load_module().
2010-03-16 15:08:00 -04:00
Chris PeBenito
7af0e9bc95
Filesystem patch from Dan Walsh.
2010-03-12 11:40:59 -05:00
Chris PeBenito
bd063de6c4
Fix another corenetwork typo.
2010-03-08 11:04:40 -05:00
Chris PeBenito
4af2b3fb98
Add back missing s0 on network_port().
2010-03-08 07:59:56 -05:00
Chris PeBenito
9c709c46a1
Corenetwork patch from Dan Walsh.
2010-03-05 13:46:46 -05:00
Chris PeBenito
4b23c6747b
Corecommands patch from Dan Walsh.
2010-03-05 10:51:39 -05:00
Chris PeBenito
05351730cc
Devices patch from Dan Walsh.
2010-03-04 15:30:22 -05:00
Chris PeBenito
febc7fdfba
Storage patch from Dan Walsh.
2010-03-04 14:23:44 -05:00
Chris PeBenito
eeb7616f5e
Corenetwork patch from Dan Walsh.
2010-03-04 13:50:46 -05:00
Chris PeBenito
4a4436a778
Add examples to documentation of common corenetwork interfaces.
2010-03-03 13:42:15 -05:00
Chris PeBenito
88daf126f2
Improve the documentation of domain interfaces:
...
domain_type()
domain_use_interactive_fds()
2010-03-02 12:52:07 -05:00
Chris PeBenito
888d9e4652
Improve the documentation of ubac_constrained().
2010-03-02 11:28:44 -05:00
Chris PeBenito
4e12649d4e
Improve the documentation of devices interfaces:
...
dev_node()
dev_read_rand()
dev_read_urand()
dev_read_sysfs()
2010-03-02 10:24:24 -05:00
Chris PeBenito
12f73d8b69
Improve filesystem interfaces:
...
fs_getattr_xattr_fs()
fs_getattr_all_fs()
fs_search_auto_mountpoints()
2010-03-01 14:50:55 -05:00
Chris PeBenito
7cf2858e4a
Improve the documentation of files interfaces:
...
files_pid_file()
files_config_file()
files_tmp_file()
files_read_etc_runtime_files()
files_read_usr_files()
files_search_var_lib()
files_pid_filetrans()
2010-03-01 10:53:50 -05:00
Chris PeBenito
42eb0f10a9
Improve the documentation of corenetwork interfaces
...
corenet_tcp_sendrecv_generic_if()
corenet_udp_sendrecv_generic_if()
corenet_tcp_sendrecv_generic_node()
corenet_udp_sendrecv_generic_node()
corenet_tcp_bind_generic_node()
corenet_udp_bind_generic_node()
corenet_tcp_sendrecv_all_ports()
corenet_udp_sendrecv_all_ports()
corenet_all_recvfrom_unlabeled()
corenet_all_recvfrom_netlabel()
2010-02-26 14:24:56 -05:00
Chris PeBenito
3a744d1275
Improve documentation of corecmd_exec_bin() and corecmd_exec_shell().
2010-02-26 08:58:32 -05:00
Chris PeBenito
7a0c0b4088
Improve documentation on kernel_read_system_state(), kernel_read_network_state(), and kernel_read_proc_symlinks().
2010-02-25 12:59:11 -05:00
Chris PeBenito
fd813456a4
Add additional documentation to files_type().
2010-02-25 10:41:12 -05:00
Chris PeBenito
6dadd3995e
Rearrange files interfaces.
2010-02-25 08:32:22 -05:00
Chris PeBenito
fca4a96bae
Improve documentation on files_read_etc_files().
2010-02-24 15:20:03 -05:00
Chris Richards
68cda59844
Add MySQL Manager to MySQL policy module
...
Second submission to fix mistakes from first.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-02-23 13:23:42 -05:00
Chris PeBenito
2f84a77d22
Syslog fixes from Gentoo.
2010-02-17 20:33:53 -05:00
Chris PeBenito
8b8501991e
Clean up leaked portage file descriptors.
2010-02-17 20:33:31 -05:00
Chris PeBenito
a513794b4c
Chronyd from Miroslav Grepl.
2010-02-16 14:53:59 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
21673b238a
Hal patch from Dan Walsh.
2010-02-11 08:42:00 -05:00
Chris PeBenito
3079cbceb1
Virt/svirt patch from Dan Walsh.
2010-02-09 10:28:17 -05:00
Chris PeBenito
27eab81f2f
Misc fixes for 1031ee6.
2010-02-08 13:38:48 -05:00
Chris PeBenito
7d2f96783c
Module version number bump for 1031ee6.
2010-02-08 13:37:42 -05:00
Dominick Grift
1031ee6f6a
Implement cobblerd policy.
...
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.
Whilst I was at it, I decided to implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment without having access to cobbler config files and I don't want to give cobbler_admin access to manage etc_t.
As a consequence of this I also removed the files_read_etc_files(cobblerd_t), as I think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t after all.
Also I would like to underscore my reason for using public_content_rw_t. One of the reasons is that I do not want to give cobbler access to manage httpd_sys_content_rw_t. In general I do not want to depend on apache module at all.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-02-08 12:56:01 -05:00
Chris PeBenito
e526fca176
Add nut from Stefan Schulze Frielinghaus and Miroslav Grepl.
2010-02-08 11:29:12 -05:00
Chris PeBenito
d2acef78f4
Inetd patch from Dan Walsh.
2010-01-08 10:36:49 -05:00
Chris PeBenito
32f27a7489
asterisk patch from Dan Walsh.
2009-12-18 10:37:52 -05:00
Chris PeBenito
b84d6ec491
smartmon patch from Dan Walsh.
2009-12-18 10:33:50 -05:00
Chris PeBenito
e21162e471
Kdump reads the kernel core.
2009-11-25 10:04:40 -05:00
Chris PeBenito
dccbb80cb0
Whitespace cleanup.
2009-11-24 11:11:38 -05:00
Chris PeBenito
910b1d8ecb
Files patch from Dan Walsh.
2009-11-24 08:49:15 -05:00
Chris PeBenito
290aa8a020
Corecommands patch from Dan Walsh.
2009-11-23 13:47:36 -05:00
Chris PeBenito
f4b9dc3b00
Filesystem patch from Dan Walsh.
2009-11-23 13:46:51 -05:00
Chris PeBenito
d6c3ed8557
Add terminal patch from Dan Walsh.
2009-11-19 14:57:49 -05:00
Chris PeBenito
b51e8e0b42
Add devices patch from Dan Walsh.
2009-11-19 09:44:19 -05:00
Chris PeBenito
e276b8e5d0
Add kernel patch from Dan Walsh
2009-11-19 09:25:38 -05:00
Chris PeBenito
53c73dc785
Add storage patch, from Dan Walsh.
2009-11-19 09:03:36 -05:00
Chris PeBenito
ed3a1f559a
bump module versions for release.
2009-11-17 10:05:56 -05:00
Chris PeBenito
e6d8fd1e50
additional cleanup for e877913.
2009-11-11 11:28:50 -05:00
Craig Grube
e8779130bf
adding puppet configuration management system
...
Signed-off-by: Craig Grube <Craig.Grube@cobham.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-11-11 08:37:16 -05:00
Chris PeBenito
808341bb9b
revise MCS constraints to use only MCS-specific attributes.
2009-10-07 11:48:14 -04:00
Chris PeBenito
f67bc918d4
term_write_all_terms() patch from Stefan Schulze Frielinghaus
2009-09-08 10:06:38 -04:00
Chris PeBenito
aa83007d5a
add hddtemp from dan.
2009-09-01 08:34:04 -04:00
Chris PeBenito
e27827b86c
split dev_create_cardmgr_dev() into a create and a filetrans interface.
2009-08-25 09:56:56 -04:00
Chris PeBenito
69347451fd
split dev_manage_dri_dev() into a manage and a filetrans interface.
2009-08-25 09:43:38 -04:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
78a9c2815d
add bin_t labeling for gentoo dhcpcd-run-hooks location
2009-07-30 09:34:00 -04:00
Chris PeBenito
105e85ac8e
/dev/fuse should be s0 not mls_high
...
> From my understanding of the FUSE website, the data from the userland FS
> is transferred through this device. Since the data may go up to system
> high, I believe the device should still be system high.
>
Making it systemhigh will generate lots of AVC messages on every login
at X since fusefs is mounted at ~/.gfs. It will also make it unusable I
believe on an MLS machine. Mostly I have seen fusefs used for remote
access to data. sshfs for example.
2009-07-29 11:08:50 -04:00
Chris PeBenito
9de7c1706d
hal patch from dan.
2009-07-27 10:18:50 -04:00
Chris PeBenito
06625d302c
mozilla patch from dan.
2009-07-27 09:11:12 -04:00
Chris PeBenito
09516cb4be
remove read_default_t tunable
2009-07-23 08:58:35 -04:00
Chris PeBenito
5271dd30bc
module version bump for 9b1907b217
2009-07-21 10:07:10 -04:00
Chris PeBenito
9b1907b217
add pulseaudio from dan.
2009-07-21 10:05:38 -04:00
Chris PeBenito
edb7b90d89
add kismet and pulseaudio ports. fix sorting of ports.
2009-07-20 11:17:31 -04:00
Chris PeBenito
ce6fee6575
5 patches from dan
2009-07-14 10:30:22 -04:00
Chris PeBenito
45b975db5b
trunk: add missing varnish port.
2009-06-30 17:48:15 +00:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
a65fd90a50
trunk: 6 patches from dan.
2009-06-11 15:00:48 +00:00
Chris PeBenito
731008ad85
trunk: 2 patches from dan.
2009-06-08 17:18:26 +00:00
Chris PeBenito
16fd1fd814
trunk: MLS constraints for the x_selection class, from Eamon Walsh.
2009-06-05 13:36:19 +00:00