Dominick Grift
47cf98ddd5
Permission to get attributes of target devicekit_t, devicekit_disk_t and devicekit_power_t domains is included with ps_process_patterns.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:28 +02:00
Dominick Grift
5ecaacae61
Type system_cronjob_var_run_t is not required here.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
beb9c35b25
Types crontab_exec_t, cron_spool_t and user_cron_spool_t are required here.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
d8d33a15bf
Permission to search generic pid directories is included with files_pid_filetrans.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
0540e22fcc
Use ps_process_pattern to read state. Permission to search proc_t directories is required to read automount state.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
cb76ff4560
Type xenstored_var_run_t is required here.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dominick Grift
8c0a06a69a
Type print_spool_t is not required here.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Dan Walsh
9461b60657
Add the ability to send audit messages to confined admin policies
...
Remove permissive domain from cmirrord and dontaudit sys_tty_config
Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser
virt needs to be able to read processes to clearance for MLS
2010-09-15 11:31:20 -04:00
Miroslav Grepl
3b0a9c74bb
Allow iscsid to manage tgtd semaphores
2010-09-15 16:50:07 +02:00
Chris PeBenito
fee48647ac
Module version bump for c17ad38
5271920
2a2b6a7
01c4413
c4fbfae
a831710
...
67effb0
483be01
c6c63f6
b0d8d59
5b082e4
b8097d6
689d954
5afc3d3
f3c5e77
a59e50c
cf87233
17759c7
dc1db54
e9bf16d
4f95198
bf40792
622c63b
c20842c
dc7cc4d
792d448
2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c
radvd patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1
snort patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8
stunnel patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3
zabbix patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5
zebra patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
4f95198644
awstats patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9
certmaster patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a
pcscd patch from Dan Walsh
...
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326
postgresql patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2
postgrey patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c
prelude patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
f3c5e77754
certwatch patch from Dan Walsh
...
Not including userdom_dontaudit_list_admin_dir - still no admin_home_t in refpolicy
2010-09-15 09:14:54 -04:00
Jeremy Solt
5afc3d3589
firstboot patch from Dan Walsh
...
Not including gnome_admin_home_gconf_filetrans - no admin_home_t in refpolicy
2010-09-15 09:14:54 -04:00
Jeremy Solt
689d95422f
smoltclient patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
b8097d6ec4
amavis patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf
arpwatch patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0
canna patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7
certmonger patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302
courier patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450
dcc patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a
style change to djbdns.te
2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd
fetchmail patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e
icecast patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa
nslcd patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764
nut patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac
openct patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Chris PeBenito
25d796ed37
Unconditional staff and user oidentd home config access from Dominick Grift.
2010-09-15 08:20:16 -04:00
Dominick Grift
941e3db567
Access for confined users to oidentd user home content is unconditional.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 08:05:41 -04:00
Dan Walsh
6dfe56b4e5
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
2010-09-14 16:39:10 -04:00
Dan Walsh
43a0339db4
add labeling for /root/.debug
2010-09-14 15:29:18 -04:00
Dan Walsh
d7f2020c46
- Allow all domains that can use cgroups to search tmpfs_t directory
...
- Allow init to send audit messages
2010-09-14 15:18:34 -04:00
Miroslav Grepl
323c9f13bb
Fixes for vmware-host policy
2010-09-14 19:28:55 +02:00
Dan Walsh
c2dae98501
Allow a couple of sandbox issues.
...
Remove postgresql managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
2010-09-14 10:02:43 -04:00
Dan Walsh
4251ae1004
Add labels for /lib/readahead.
...
Add back gnome_setattr interface
2010-09-13 16:15:43 -04:00
Dan Walsh
5ef740e54b
Fix gnome_setattr_config_home
...
Allow exec of sandbox_file_type by calling apps
Fix typos
2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941
Fix some names in passenger policy
2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290
Move passenger policy to services
2010-09-13 15:10:30 +02:00
Dan Walsh
536f28a2bf
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
2010-09-13 08:43:40 -04:00
Dan Walsh
1a40cbf63e
Fix boolean descriptions
2010-09-13 08:43:35 -04:00
Miroslav Grepl
3a3212619a
Allow dovecot-deliver to create tmp files
...
Allow tor to send signals to itself
2010-09-13 13:12:24 +02:00
Miroslav Grepl
d7de04f8d4
- Add passenger policy
2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855
Fix cert calls in telepath, boinc, kerberos
...
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/admin/amanda.if
policy/modules/system/init.te
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/userdomain.if
2010-09-10 13:02:25 -04:00
Dan Walsh
d7544f0d25
rename mdadm_map_t to mdadm_var_run_t
2010-09-10 12:14:25 -04:00
Dan Walsh
0b8f4cfe16
More fixes for mozilla_plugin_t
...
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802
Module version bumps for cert patch.
2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1
Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags.
2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
...
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domain's call to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dan Walsh
1a82786cc8
Allow hugetlbfs_t to be on device_t file system
...
Allow sudo domains to signal user domains
Dontaudit xdm_t sending signals to all domains
Fix allow_exec* boolean descriptions
2010-09-10 10:10:34 -04:00
Chris PeBenito
8fbea561bb
Module version bump for 8296eb2
.
2010-09-10 08:51:54 -04:00
Dan Walsh
e81afdf5c9
raid tools now store pid file and sock_file in /dev/md for early boot.
2010-09-09 14:26:32 -04:00
Dan Walsh
8e47c02b16
fixes for openvpn suggested by dgrift
2010-09-09 10:35:27 -04:00
Dan Walsh
da07333345
Allow mozilla_plugin to create nsplugin_home_t directories
...
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Chris PeBenito
9c2c77403f
Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type.
2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384
Clean up Anaconda policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a
Clean up Amtu module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261
Clean up Amanda module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:13:13 -04:00
Dan Walsh
5f5963be01
add policy for ajaxterm
2010-09-09 07:11:32 -04:00
Dan Walsh
4c38170781
add policy for ajaxterm
2010-09-09 07:10:24 -04:00
Dan Walsh
d46a2b0115
allow sudo to create sudo_db_t dirs
2010-09-08 18:32:15 -04:00
Dan Walsh
ee4b1e0aad
Allow crond to manage user_spool_cron_t link files
...
Allow init to delete dbus message.pid
Allow init and udev to create hugetlbfs directories
2010-09-08 17:54:31 -04:00
Dan Walsh
b36c20b2a9
Allow sudo domains to manage /var/db/sudo
...
Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
2010-09-08 17:27:24 -04:00
Dan Walsh
a75a591e52
Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x
2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7
Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
...
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461
Cleanup warnings
2010-09-08 10:43:22 -04:00
Dan Walsh
4432db497b
add sametime port definition
2010-09-08 10:33:16 -04:00
Dan Walsh
689bfef3a8
Fix apache interface
2010-09-08 10:29:40 -04:00
Dan Walsh
f79af26649
fix bad patch in xserver
2010-09-08 10:25:03 -04:00
Dan Walsh
aa760a2345
Fix gnome interface definitions
2010-09-08 10:10:20 -04:00
Dan Walsh
e51122d3e1
add sametime port definition
2010-09-08 09:40:46 -04:00
Dan Walsh
0745e42559
fix typo in xserver_stream_connect
2010-09-08 09:29:02 -04:00
Dan Walsh
36d83cb651
cleanup alsa patch to match upstream
2010-09-08 09:10:48 -04:00
Dan Walsh
4192c80c13
Eliminate extras alsa_read_home interface
2010-09-08 09:08:34 -04:00
Dan Walsh
8187343042
Any app that executes service command will not do a getattr of all mounted file systems
2010-09-08 08:56:13 -04:00
Dan Walsh
c16ffd1861
Allow apps that use pam to connect to init_t
2010-09-08 08:54:29 -04:00
Dan Walsh
db879987ca
Fix pootle
2010-09-07 16:32:23 -04:00
Dan Walsh
f5b49a5e0b
Allow iptables to read shorewall tmp files
...
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run Google video chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
f00ba23b21
Merge with upstream
2010-09-03 17:19:55 -04:00
Dan Walsh
cdda8feee0
Merge branches 'master', 'master' and 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/admin/alsa.fc
policy/modules/admin/alsa.if
policy/modules/kernel/filesystem.fc
2010-09-03 17:16:08 -04:00
Dan Walsh
ef98a37444
Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
...
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagios sends signal and sigkill to system_mail_t
2010-09-03 17:06:40 -04:00
Chris PeBenito
28d96f0e39
Module version bumps for b7ceb34
5675107
e411968
eca7eb3
.
2010-09-03 13:09:40 -04:00
Chris PeBenito
eca7eb3b47
Rearrange alsa interfaces.
2010-09-03 11:56:10 -04:00
Dominick Grift
e411968dff
Implement alsa_home_t for asoundrc. Clean up Alsa module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:23:06 -04:00
Dominick Grift
5675107ff9
Libcgroup moved the cgroup directory to /sys/fs/cgroup.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:03:10 -04:00
Dominick Grift
b7ceb34995
Do not try to relabel the contents of the /dev/shm directory.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 10:55:16 -04:00
Dan Walsh
b631f26416
Fix mmap_zero patch
2010-09-03 09:22:06 -04:00
Dan Walsh
a668127367
Allow certmaster to read usr_t files. All python apps are going to need this.
...
clvmd creates tmpfs files that corosync needs to communicate with
Allow dbus system services to search the cgroup_t directory
2010-09-02 13:38:00 -04:00
Dan Walsh
3a2e888584
cleanup mmap_low merge with upstream
2010-09-01 14:55:04 -04:00
Dan Walsh
cbadf720ba
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
...
Conflicts:
policy/modules/kernel/domain.if
policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Dan Walsh
02fb4a01f1
define /sys/fs/cgroup as a <<none>> file system
2010-09-01 10:12:53 -04:00