Dan Walsh
b631f26416
Fix mmap_zero patch
2010-09-03 09:22:06 -04:00
Dan Walsh
3a2e888584
cleanup mmap_low merge with upstream
2010-09-01 14:55:04 -04:00
Dan Walsh
cbadf720ba
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/kernel/domain.if
policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Chris PeBenito
785ee7988c
Module version bump and changelog entry for conditional mmap_zero patch.
2010-09-01 10:08:09 -04:00
Dominick Grift
623e4f0885
1/1] Make the ability to mmap zero conditional where this is fapplicable.
...
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Dan Walsh
c6fa935fd5
Fix sandbox tcp_socket calls to create_stream_socket_perms
...
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
2010-08-31 18:36:43 -04:00
Dan Walsh
4fccad906d
Allow qmail to use uucpd
...
Fixes found by Tom London for devicekit and udev using usbmuxd socket
2010-08-31 10:51:10 -04:00
Dan Walsh
3fdb12decd
Allow prelink to read dbus config/Broken
...
nsplugin_config wants the kernel to load modules for it.
mount writes into livecd_tmp_t directories
2010-08-31 08:54:18 -04:00
Dan Walsh
ddcd5d6350
Dontaudit signals from sandbox domains to domains that transition to them
2010-08-30 13:32:47 -04:00
Dan Walsh
c71f02c02d
More fixes
2010-08-30 11:15:53 -04:00
Dan Walsh
2d4a79a061
Policy fixes
2010-08-30 08:57:06 -04:00
Dan Walsh
4765a595e8
Fixes for f14
2010-08-26 15:29:37 -04:00
Dan Walsh
2968e06818
Update f14
2010-08-26 12:55:57 -04:00
Dan Walsh
18549c23df
Fix policy
2010-08-26 11:09:31 -04:00
Dan Walsh
a947daf6df
Update f14
2010-08-26 10:27:35 -04:00
Dan Walsh
3eaa993945
UPdate for f14 policy
2010-08-26 09:41:21 -04:00
Chris PeBenito
ab8f919e6f
Part of gnome patch from Dan Walsh.
2010-08-12 09:21:36 -04:00
Chris PeBenito
a9539a063b
Additional kdumpgui cleanup.
2010-08-10 09:21:01 -04:00
Jeremy Solt
46fc0d39e3
Policy for system-config-kdump gui from Dan Walsh
...
Edits:
- removed gnome_dontaudit_search_config
- removed userdom_dontaudit_search_admin_dir
- whitespace and style fixes
2010-08-10 09:05:43 -04:00
Jeremy Solt
68e615ec5a
system-config-samba dbus service policy from Dan Walsh
2010-08-09 09:37:29 -04:00
Dominick Grift
03b86663f0
apps: domain { allowed to transition, allowed access, to not audit }.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito
a7ee7f819a
Docs standardizing on the role portion of run interfaces. Additional docs cleanup.
2010-08-03 09:20:22 -04:00
Chris PeBenito
a72e42f485
Interface documentation standardization patch from Dan Walsh.
2010-08-02 09:22:09 -04:00
Chris PeBenito
4b76ea5f51
Module version bump for fa1847f
.
2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2
Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
f7ffe6c2a9
Add missing ubac constraints on pulseaudio.
2010-07-09 09:14:35 -04:00
Chris PeBenito
072857c425
VMWare patch from Dan Walsh.
2010-07-08 13:43:50 -04:00
Chris PeBenito
f1618ffc6f
Whitespace fix in userhelper.
2010-07-08 10:56:15 -04:00
Chris PeBenito
b841dffda1
Add livecd from Dan Walsh.
2010-07-07 10:28:25 -04:00
Chris PeBenito
08690c84ad
Remove ethereal module since the application was renamed to wireshark due to trademark issues.
2010-07-07 09:31:57 -04:00
Chris PeBenito
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9
Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role().
2010-07-06 13:17:05 -04:00
Chris PeBenito
a3b0dc5b3c
GPG patch from Dan Walsh.
2010-07-06 10:58:40 -04:00
Chris PeBenito
caf1666dc1
Module version bump for 5f04c91
.
2010-06-29 11:26:16 -04:00
Jeremy Solt
5f04c91f30
gitosis patch from Dan Walsh
2010-06-29 11:25:37 -04:00
Chris PeBenito
0cec649be7
WM patch from Dan Walsh.
...
Window manager policy changes needed for MLS policy.
2010-06-25 09:00:19 -04:00
Chris PeBenito
eab2cc89b4
Slocate patch from Dan Walsh.
...
Locate attempts to look at network sate and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49
Qemu patch from Dan Walsh.
...
Fix qemu labeling.
Additional qemu interfaces
Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f
Pulseaudio patch from Dan Walsh.
...
Dontaudit attempts to exec pulseaudio. qemu does this and it causes
other avc's even though qemu can not use pulseaudio.
Allow other domains to use pulseiaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a
Podsleuth patch from Dan Walsh.
...
podsleuth asks the kernel to load modules
Reads/write removable blk device.
Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Chris PeBenito
8a24097bff
Mplayer patch from Dominick Grift through Dan Walsh.
2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb
Mozilla patch from Dan Walsh.
...
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7
Cpufreqselector patch from Dan Walsh.
...
Needs to read localization
2010-06-21 09:03:11 -04:00
Chris PeBenito
a99f69fd0e
Loadkeys patch from Dan Walsh.
...
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
2e4e39d26a
Loadkeys patch from Dan Walsh.
2010-05-14 11:40:26 -04:00
Chris PeBenito
84940a0995
Java patch from Dan Walsh.
...
Additional java context
unconfined_Java apps needs to execmod any file since we do not know where the jave content will be labeled
We want unconfined java apps to transition to rpm when they execute rpm_exec_t. To maintain proper labeling.
2010-05-14 10:40:59 -04:00
Chris PeBenito
857d37e84a
GPG patch from Dan Walsh.
2010-04-30 15:24:19 -04:00
Chris PeBenito
bf54d5be44
Module version bumps for c586c1b
, dcbb332
, 4c05dff
, 84ce9c3
, 2b012ba
, and 1868383
.
2010-03-29 09:21:59 -04:00