Commit Graph

249 Commits

Author SHA1 Message Date
Dan Walsh
cbadf720ba Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/kernel/domain.if
	policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00
Dan Walsh
03527520de firstboot is leaking a netlink_route socket into iptables. We need to dontaudit
tmpfs_t/devpts_t files can be stored on device_t file system
unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unoconfined users types
Hald can connect to user processes over streams
xdm_t now changes the brightness level on the system
mdadm needs to manage hugetlbfs filesystems
2010-09-01 09:47:50 -04:00
Dominick Grift
623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Dan Walsh
3fdb12decd Allow prelink to read dbus config/Broken
nsplugin_config wants the kernel to load modules for it.
mount writes into livecd_tmp_t directories
2010-08-31 08:54:18 -04:00
Dan Walsh
898c0de0b7 merge latest upstream 2010-08-30 13:41:40 -04:00
Dan Walsh
c71f02c02d More fixes 2010-08-30 11:15:53 -04:00
Dan Walsh
08e567dc56 Latest fixes 2010-08-26 20:30:04 -04:00
Dan Walsh
2968e06818 Update f14 2010-08-26 12:55:57 -04:00
Dan Walsh
507000a1db reset 2010-08-26 11:03:50 -04:00
Dan Walsh
8f4ec142d7 Modified amanda 2010-08-26 11:02:44 -04:00
Dan Walsh
09154bd53e Reset base 2010-08-26 11:01:06 -04:00
Dan Walsh
e15d0e76e3 Modify amanda 2010-08-26 10:59:43 -04:00
Dan Walsh
0aa4ecc332 F14 2010-08-26 10:56:06 -04:00
Dan Walsh
f9c5576c27 F14 2010-08-26 10:54:59 -04:00
Dan Walsh
e5e9b7bd43 F14 2010-08-26 10:50:47 -04:00
Dan Walsh
a947daf6df Update f14 2010-08-26 10:27:35 -04:00
Dan Walsh
83eff061a3 Latest f14 2010-08-26 10:26:28 -04:00
Dan Walsh
3eaa993945 UPdate for f14 policy 2010-08-26 09:41:21 -04:00
Chris PeBenito
76a9fe96e4 Module version bumps and changelog for devtmpfs patchset. 2010-08-25 11:19:27 -04:00
Jeremy Solt
2fc79f1ef4 Early devtmpfs access
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-25 11:01:27 -04:00
Chris PeBenito
19ff03977d Fix usermanage_kill_passwd() parameter doc. 2010-08-05 08:56:31 -04:00
Dominick Grift
77e4b55f70 Admin layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:46:44 -04:00
Chris PeBenito
d0eebed0b7 Move accountsd to services. 2010-08-03 09:31:53 -04:00
Jeremy Solt
c4834a02d2 accountsd policy from Dan Walsh
Edits:
 - Removed accountsd_manage_var_lib
 - Removed optional block for xserver - these interfaces didn't exist
 - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
 - Whitespace and style fixes
2010-08-03 09:27:24 -04:00
Chris PeBenito
a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito
a72e42f485 Interface documentation standardization patch from Dan Walsh. 2010-08-02 09:22:09 -04:00
Chris PeBenito
64ef2df368 Module version bump for 5563d4c. 2010-07-22 09:13:11 -04:00
Jeremy Solt
5563d4c4d8 Removing seutil_domtrans_setsebool from anaconda patch - it doesn't exist 2010-07-22 08:49:32 -04:00
Jeremy Solt
b0a6f1b7c2 anaconda patch from Dan Walsh
- Did not include the change to unconfined_domain_noaudit
2010-07-22 08:49:32 -04:00
Chris PeBenito
b70dfcdf8f RPM patch from Dan Walsh. 2010-07-08 10:53:28 -04:00
Chris PeBenito
2d839c6791 Whitespace fixes in RPM. 2010-07-08 10:12:24 -04:00
Chris PeBenito
7e265a8abb Add shutdown from Dan Walsh. 2010-07-07 11:10:56 -04:00
Chris PeBenito
3bcfe5beb7 Usermanage patch from Dan Walsh.
Broken leaks of sockets

useradd runs semanage for -Z.

passwd_t needs sys_nice

useradd run within a samba_controler needs to append to the samba log.
2010-07-06 10:56:20 -04:00
Chris PeBenito
ab62f3f1b1 Module version bump for a7521af. 2010-07-01 10:48:11 -04:00
Jeremy Solt
a7521af67d firstboot patch from Dan Walsh
- Did not include gnome_admin_home_gconf_filetrans
- Whitespace fixes
2010-07-01 10:36:31 -04:00
Chris PeBenito
ab4f820548 Module version bump for b5d89d0. 2010-06-29 11:03:56 -04:00
Jeremy Solt
b5d89d0325 vpn patch from Dan Walsh
fixed gen_require in vpn_relabelfrom_tun_socket interface (wrong type)
removed userdom_read_home_certs (not in refpolicy)
2010-06-29 11:02:45 -04:00
Chris PeBenito
e08ac5acb3 Vbetool patch from Dan Walsh.
vbetool needs mls overrides
2010-06-18 14:56:27 -04:00
Chris PeBenito
3835c39a13 Sudo patch from Dan Walsh.
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito
f7e3410aed Su patch from Dan Walsh.
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito
b9be5cccf1 Shorewall patch from Dan Walsh.
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito
5116faa198 Quota patch from Dan Walsh.
Quata needs to setshed on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito
a9ef84b578 Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib

dontaudit leaks from domains that transition

cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito
9a4d292902 Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.

Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
10c0104066 Kismet patch from Dan Walsh.
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito
e89f04fd17 Mcelog patch from Dan Walsh.
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito
0e30bca6d9 Consoletype patch from Dan Walsh.
I am sick of every app in the known universe leaking socket descriptors.
  Dontaudit by default

consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito
88a574d373 Alsa patch from Dan Walsh
Alsa trys to talk to all types of terminals.  Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito
4db7790c60 Acct patch from Dan Walsh.
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00