Commit Graph

243 Commits

Author SHA1 Message Date
Dan Walsh
d1c6ba20d5 Start adding support for use_fusefs_home_dirs
Add /var/lib/syslog directory file context
Add /etc/localtime as locale file context
2010-10-04 14:45:52 -04:00
Dan Walsh
ddd1ccaa93 Allow unconfined_t to transition to alsa_t to make sure labels stay correct
Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge
telepath_msn_t tries to read /proc/1/exe
Allow smokeping cgi scripts to create /var/lib/smokeping dirs.
Allow smbd_t to getquota on multiple file systems
2010-10-03 07:48:01 -04:00
Dan Walsh
b45aaab97c Allow sudo to send signals to any domains the user could have transitioned to.
Passwd in single user mode needs to talk to console_device_t
Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
locate tried to read a symbolic link, will dontaudit
New labels for telepathy-sunshine content in homedir
Google is storing other binaries under /opt/google/talkplugin
bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
modemmanger and bluetooth send dbus messages to devicekit_power
Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 11:58:15 -04:00
Dan Walsh
f6e966f3ae Allow nsplugin to sendto itself dgrams
Fix /root/.ssh labeling
2010-09-29 10:55:40 -04:00
Dan Walsh
79bff2bb38 Allow mozilla_plugin to manage all gnome config files
Allow nsplugin_t to read lnk files in nsplugin_rw_t
New labeling for packagekit scripts to bin_t
Allow mount_t to delete etc_t
Allow fsdaemon_t to read usr_t files
2010-09-28 16:24:56 -04:00
Dan Walsh
4e6b3f6dd9 Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
Allow confined users to read xdm_etc_t files
Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:21:54 -04:00
Dan Walsh
fd595eb487 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-26 06:44:28 -04:00
Dan Walsh
5212892e22 Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
Allow clamd to send signals to itself
Allow mozilla_plugin_t to read user home content.  And unlink pulseaudio shm.
2010-09-26 06:42:14 -04:00
Dominick Grift
e66aa74b4a Allow haze to connect to yahoo chat and messenger port tcp:5050.
Bz #637339
2010-09-25 16:57:48 +02:00
Dan Walsh
fb52482a1f Allow firewallgui to sys_rawio which seems to be required to setup masqerading
Allow all domains to search through default_t directories, in order to find differnet labels.  For example people serring up /foo/bar to be share via samba.
Add label for /var/log/slim.log
2010-09-25 06:23:04 -04:00
Dan Walsh
f7307c60ba Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-24 11:55:35 -04:00
Dan Walsh
7cfb935473 Allow rpc.quota to do quotamod
Allow mozilla_plugin to execute mozilla_home_t
2010-09-24 11:55:05 -04:00
Dominick Grift
ff9b16dc29 Merge branch 'base' 2010-09-24 12:52:43 +02:00
Dan Walsh
fad629745b fix typo 2010-09-23 17:31:09 -04:00
Dan Walsh
7c94a3ab0d Allow consolehelper to read fonts and config files in user homedir 2010-09-23 15:14:34 -04:00
Dominick Grift
78ea2abe0f Search parent directory to be able to interact with targets content. 2010-09-23 16:22:26 +02:00
Dan Walsh
5d82597463 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-22 16:46:04 -04:00
Dan Walsh
6ed3f15e82 Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
Allow shutdown to write utmp and search /var/log
Allow mozilla_plugin to send nsplugin signals
Split out samba_run_unconfined_net from unconfined_domain stuff.  TO allow unconfined.pp module to be removed
Allow nrpe to send signal and sigkill to the plugins
Fix up xguest to allow it to read hwdata and gconf_etc_t
Allow initrc_t to manage faillog
2010-09-22 16:42:32 -04:00
Miroslav Grepl
d15b40a537 Fixed badly chosen type of interface for some interfaces 2010-09-21 09:09:43 +02:00
Dan Walsh
0a394bf04f Add vnstat policy
allow logrotate to mail syslog files
Allow chrom-sandbox to search nfs_t
Allow libvirt to send audit messages
Dontaudit leaked console to xauth
2010-09-16 17:46:06 -04:00
Dan Walsh
14ffaf836d Merge upstream 2010-09-16 07:05:26 -04:00
Dominick Grift
8c0a06a69a Type print_spool_t is not required here.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:27 +02:00
Chris PeBenito
fee48647ac Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77
a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c
dc7cc4d 792d448
2010-09-15 10:42:34 -04:00
Jeremy Solt
4f95198644 awstats patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Dan Walsh
6dfe56b4e5 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy 2010-09-14 16:39:10 -04:00
Miroslav Grepl
323c9f13bb Fixes for vmware-host policy 2010-09-14 19:28:55 +02:00
Dan Walsh
c2dae98501 Allow a couple of sandbox issues.
Remove postgresl managing of etc_files, until I find out why it is needed.
Dontaudit leaks from rpm to mount
2010-09-14 10:02:43 -04:00
Dan Walsh
4251ae1004 Add labels for /lib/readahead.
Add back gnome_setattr interface
2010-09-13 16:15:43 -04:00
Dan Walsh
5ef740e54b Fix gnome_setattr_config_home
Allow exec of sandbox_file_type by calling apps
Fix typos
2010-09-13 14:47:02 -04:00
Dan Walsh
3034a8d941 Fix some names in passenger policy 2010-09-13 10:26:10 -04:00
Miroslav Grepl
94820e4290 Move passenger policy to services 2010-09-13 15:10:30 +02:00
Miroslav Grepl
d7de04f8d4 - Add passenger policy 2010-09-13 11:49:37 +02:00
Dan Walsh
366396d855 Fix cert calls in telepath, boinc, kerberos
Add sys_admin to xend to allow it to start
Add oident calls to staff_t
2010-09-10 13:18:49 -04:00
Dan Walsh
cab9bc9c58 Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/admin/amanda.if
	policy/modules/system/init.te
	policy/modules/system/miscfiles.if
	policy/modules/system/miscfiles.te
	policy/modules/system/userdomain.if
2010-09-10 13:02:25 -04:00
Dan Walsh
0b8f4cfe16 More fixes for mozilla_plugin_t
Allow telepathy domains to send themselves sigkill
Label /etc/httpd/alias/*db as cert_t
Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dan Walsh
da07333345 Allow mozilla_plugin to create nsplugin_home_t directories
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
2010-09-09 09:55:31 -04:00
Dan Walsh
b36c20b2a9 Allow sudo domains to manage /var/db/sudo
Allow init_t and initrc_t to dbus chat
Allow pulseaudio to read /usr/share/alsa/alsa.conf
2010-09-08 17:27:24 -04:00
Dan Walsh
a75a591e52 Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x 2010-09-08 15:05:08 -04:00
Dan Walsh
dfe675b8f7 Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
2010-09-08 12:06:20 -04:00
Dan Walsh
5dd0c28461 Cleanup warnings 2010-09-08 10:43:22 -04:00
Dan Walsh
aa760a2345 Fix gnome interface definitions 2010-09-08 10:10:20 -04:00
Dan Walsh
e51122d3e1 add sametime port definition 2010-09-08 09:40:46 -04:00
Dan Walsh
f5b49a5e0b Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fprintd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-07 16:23:09 -04:00
Dan Walsh
ef98a37444 Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagious sends signal and sigkill to system_mail_t
2010-09-03 17:06:40 -04:00
Dan Walsh
b631f26416 Fix mmap_zero patch 2010-09-03 09:22:06 -04:00
Dan Walsh
3a2e888584 cleanup mmap_low merge with upstream 2010-09-01 14:55:04 -04:00
Dan Walsh
cbadf720ba Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
	policy/modules/kernel/domain.if
	policy/modules/services/xserver.te
2010-09-01 14:11:18 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00