When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Personally I'd rather dump all those old compatibility macros, make them all
just display a message indicating the new correct thing to do and abort the
build. But if we are going to keep them then we need to update them and make
them work.
The attached patch adds write access to create_lnk_perms.
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Dontaudit attempts to exec pulseaudio. qemu does this and it causes
other avc's even though qemu can not use pulseaudio.
Allow other domains to use pulseiaudio
I am sick of every app in the known universe leaking socket descriptors.
Dontaudit by default
consoletype is handed a write for hal log on resume from hibernate.
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Add ability to dontaudit requiests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
