Commit Graph

1571 Commits

Author SHA1 Message Date
Dan Walsh
ff64d9c354 Accidently checked in my test spec file 2011-04-21 10:07:57 -04:00
Dan Walsh
bd16f8dd70 Readd my patch 2011-04-19 11:36:13 -04:00
Dan Walsh
9bd1686ff7 Move to version 26 of policy 2011-04-19 11:34:24 -04:00
Miroslav Grepl
a357639bb0 - Fixes for zarafa policy
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymountd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
2011-04-19 13:53:55 +00:00
Dan Walsh
637b33d9f3 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-15 14:24:32 -04:00
Miroslav Grepl
6ac26422cc - xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemdctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port - Fixes for colord policy
2011-04-15 09:08:10 +00:00
Dan Walsh
e935d25737 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-12 10:57:09 -04:00
Dan Walsh
826311d497 Testing 2011-04-11 17:06:55 -04:00
Miroslav Grepl
1b7c8fcdf6 - Add Dan's patch to remove 64 bit variants
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclok to enable ntpd service using systemctl - systemd_syst
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
2011-04-11 07:58:00 +00:00
Dan Walsh
86354fa4cc Remove lib64 mapping and use subs. change subs name to file_context.subs_dist 2011-04-05 15:30:24 -04:00
Miroslav Grepl
2130480ad3 - Fix typo 2011-04-05 09:38:41 +00:00
Miroslav Grepl
397c1e2d5c - Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
2011-04-04 23:41:02 +00:00
Dan Walsh
568f781d20 Update to latest versions and change policy version 2011-04-04 16:50:06 -04:00
Miroslav Grepl
81c96b1880 comment out the sepolgen line 2011-04-04 20:43:56 +00:00
Miroslav Grepl
aaa0ee57f3 comment out the sepolgen line 2011-04-04 20:33:32 +00:00
Miroslav Grepl
68129209ed comment out the sepolgen line 2011-04-04 20:16:34 +00:00
Miroslav Grepl
fb7e97f251 - Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00
Miroslav Grepl
a7705c54e1 - Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy
2011-04-01 16:12:27 +00:00
Miroslav Grepl
36d3f31dcf - Allow $1_sudo_t and $1_su_t open access to user terminals
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
-systemd is going to be useing /run and /run/lock for early bootup files.
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has setup /dev/kmsg as stderr for apps it executes
- Need these access so that init can impersonate sockets on unix_dgram_socket
2011-03-25 14:54:13 +00:00
Miroslav Grepl
47d5c167a8 - Remove some unconfined domains
- Remove permissive domains
- Add policy-term.patch from Dan
2011-03-23 23:53:27 +00:00
Miroslav Grepl
7c23cf73df Fix multiple specification for boot.log 2011-03-17 16:01:12 +00:00
Miroslav Grepl
f5eb99f70b - devicekit leaks file descriptors to setfiles_t
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
2011-03-17 15:46:18 +00:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
f7f5ca9228 +- mozilla_plugin_tmp_t needs to be treated as user tmp files
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
2011-03-10 22:02:46 +00:00
Miroslav Grepl
8d54634624 - Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00
Miroslav Grepl
9b89d85005 Fix minimum policy 2011-03-08 18:36:28 +00:00
Miroslav Grepl
6726024e43 Update to upstream 2011-03-08 18:28:56 +00:00
Miroslav Grepl
781f349e05 - gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should  be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
2011-03-01 17:08:45 +00:00
Miroslav Grepl
c34a0c5248 - Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved
- Allo cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- allow all sandbox to read selinux poilcy config files
- Allow cluster domains to use the system bus and send each other dbus messages
2011-02-21 21:46:58 +00:00
Miroslav Grepl
7288282fd4 - Update to upstream 2011-02-16 18:45:08 +00:00
Dennis Gilmore
60e174d11c - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 07:08:32 -06:00
Dan Walsh
d3861ceab3 - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
2011-02-08 18:00:22 -05:00
Dan Walsh
812781becc - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
2011-02-08 17:50:40 -05:00
Miroslav Grepl
f12703ea7e - New labeling for postfmulti #675654
- dontaudit xdm_t listing noxattr file systems
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
- shutdown is passed stdout to a xdm_log_t file
- smartd creates a fixed disk device
- dovecot_etc_t contains a lnk_file that domains need to read
- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
2011-02-08 12:43:56 +00:00
Miroslav Grepl
19cd669e5e - syslog_t needs syslog capability
- dirsrv needs to be able to create /var/lib/snmp
- Fix labeling for dirsrv
- Fix for dirsrv policy missing manage_dirs_pattern
- corosync needs to delete clvm_tmpfs_t files
- qdiskd needs to list hugetlbfs
- Move setsched to sandbox_x_domain, so firefox can run without network access
- Allow hddtemp to read removable devices
- Adding syslog and read_policy permissions to policy
       * syslog
               Allow unconfined, sysadm_t, secadm_t, logadm_t
       * read_policy
               allow unconfined, sysadm_t, secadm_t, staff_t on Targeted
               allow sysadm_t (optionally), secadm_t on MLS
- mdadm application will write into /sys/.../uevent whenever arrays are
assembled or disassembled.
2011-02-03 18:30:25 +00:00
Dan Walsh
731e693460 - Add tcsd policy 2011-02-01 16:45:17 -05:00
Dan Walsh
0e793cf10b Merge branches 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-02-01 16:08:31 -05:00
Miroslav Grepl
ebce355dea - ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Allow dbus to use setrlimit to increase resoueces
- Mozilla_plugin is leaking to sandbox
- Allow confined users  to connect to lircd over unix domain stream socket whic
- Allow awstats to read squid logs
- seunshare needs to manage tmp_t
- apcupsd cgi scripts have a new directory
2011-02-01 18:30:35 +00:00
Dan Walsh
6b3837d6e4 stop relabeling /var/lib 2011-01-27 14:29:13 -05:00
Miroslav Grepl
73e5debe55 - Fix xserver_dontaudit_read_xdm_pid
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
       * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
- Allow readahead to manage readahead pid dirs
- Allow readahead to read all mcs levels
- Allow mozilla_plugin_t to use nfs or samba homedirs
2011-01-27 18:13:11 +00:00
Miroslav Grepl
3c70739f2c - Allow nagios plugin to read /proc/meminfo
- Fix for mozilla_plugin
- Allow samba_net_t to create /etc/keytab
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wt
- nslcd can read user credentials
- Allow nsplugin to delete mozilla_plugin_tmpfs_t
- abrt tries to create dir in rpm_var_lib_t
- virt relabels fifo_files
- sshd needs to manage content in fusefs homedir
- mock manages link files in cache dir
2011-01-25 17:44:14 +00:00
Miroslav Grepl
0ababf8492 - nslcd needs setsched and to read /usr/tmp
- Invalid call in likewise policy ends up creating a bogus role
- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
- Allow screen to create screen_home_t in /root
- dirsrv sends syslog messages
- pinentry reads stuff in .kde directory
- Add labels for .kde directory in homedir
- Treat irpinit, iprupdate, iprdump services with raid policy
2011-01-21 17:24:28 +00:00
Miroslav Grepl
408ea919b7 - NetworkManager wants to read consolekit_var_run_t
- Allow readahead to create /dev/.systemd/readahead
- Remove permissive domains
- Allow newrole to run namespace_init
2011-01-19 18:43:03 +00:00
Miroslav Grepl
ac028b8413 Fix release 2011-01-18 11:00:30 +00:00
Miroslav Grepl
a34c78a0fd - Add sepgsql_contexts file 2011-01-18 10:28:56 +00:00
Miroslav Grepl
86b1f12f92 - Update to upstream 2011-01-17 18:42:12 +00:00
Miroslav Grepl
f16c69cb48 - Add oracle ports and allow apache to connect to them if the connect_db boole
- Add puppetmaster_use_db boolean
- Fixes for zarafa policy
- Fixes for gnomeclock poliy
- Fix systemd-tmpfiles to use auth_use_nsswitch
2011-01-17 17:47:06 +00:00
Miroslav Grepl
116d73139a - gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de - Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49 - Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
ef836a9861 - New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
2010-12-22 16:12:41 -05:00
Miroslav Grepl
d980545506 - Update to upstream
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
2010-12-21 09:32:36 +00:00
Miroslav Grepl
d6c5f3679b Update to upstream 2010-12-20 17:43:48 +00:00
Dan Walsh
f3f61efb0b - Update selinux policy to handle new /usr/share/sandbox/start script 2010-12-16 11:25:39 -05:00
Miroslav Grepl
0ba6b243f7 - Update to upstream
- Fix version of policy in spec file
2010-12-15 11:03:25 +00:00
Miroslav Grepl
1adb28c6ec - Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
- remove per sandbox domains devpts types
- Allow dkim-milter sending signal to itself
2010-12-14 19:49:10 +00:00
Dan Walsh
25660bf875 - Allow domains that transition to ping or traceroute, kill them
- Allow user_t to conditionally transition to ping_t and traceroute_t
- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
2010-12-13 17:11:28 -05:00
Miroslav Grepl
3c0b9eac8c - Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00
Miroslav Grepl
b04a855a22 - Fixes for clamscan and boinc policy
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
2010-12-10 13:55:11 +00:00
Miroslav Grepl
c2ad3681fa - Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
2010-12-07 17:51:16 +00:00
Miroslav Grepl
7b62a83f6b - Fixes for lvm to work with systemd 2010-12-07 15:10:29 +00:00
Miroslav Grepl
151160499d - Fix the label for wicd log
- plymouthd creates force-display-on-active-vt file
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being an packet_type.
- Removed general access to packet_type from icecast and squid.
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
2010-12-06 19:08:04 +00:00
Miroslav Grepl
a4f1f54302 - Fix gnome_manage_data interface
- Dontaudit sys_ptrace capability for iscsid
- Fixes for nagios plugin policy
2010-12-03 17:07:37 +00:00
Miroslav Grepl
09460452b6 - Fix cron to run ranged when started by init
- Fix devicekit to use log files
- Dontaudit use of devicekit_var_run_t for fstools
- Allow init to setattr on logfile directories
2010-12-02 18:21:58 +01:00
Dan Walsh
5bcd7aa5b3 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
2010-11-30 16:24:01 -05:00
Miroslav Grepl
954ef8ad92 - fixes to allow /var/run and /var/lock as tmpfs
- Allow chrome sandbox to connect to web ports
- Allow dovecot to listem on lmtp and sieve ports
- Allov ddclient to search sysctl_net_t
- Transition back to original domain if you execute the shell
2010-11-30 11:39:40 +00:00
Miroslav Grepl
b63541e55b - Remove duplicate declaration 2010-11-25 16:53:58 +00:00
Miroslav Grepl
05f913e88b - Update to upstream
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
2010-11-25 12:21:34 +00:00
Miroslav Grepl
3daa6c760b - Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
2010-11-22 12:12:57 +01:00
Dan Walsh
d6719f6ecb - Put back in lircd_etc_t so policy will install 2010-11-18 16:27:30 -05:00
Miroslav Grepl
4eb45ebeaa - Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
2010-11-18 17:37:29 +01:00
Miroslav Grepl
582d2c5d2c - Update to upstream
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
2010-11-16 09:46:19 +01:00
Miroslav Grepl
cbb8d59931 - Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
2010-11-15 18:27:23 +01:00
Dan Walsh
763342ad3a - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
2010-11-12 11:08:35 -05:00
Dan Walsh
519b05a70f - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t 2010-11-12 10:59:01 -05:00
Dan Walsh
50dacaca09 - kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
2010-11-12 09:56:06 -05:00
Miroslav Grepl
9238df00c5 - Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
2010-11-12 13:47:15 +01:00
Dan Walsh
7297a334b4 - Fix init to be able to relabel wtmp, tmp files 2010-11-10 14:39:23 -05:00
Miroslav Grepl
5d168a352b - Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
2010-11-10 11:04:39 +01:00
Dan Walsh
ded1efb9d8 - Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
2010-11-09 17:41:15 -05:00
Dan Walsh
fc9bf2f03d - Add conflicts for dirsrv package 2010-11-09 07:55:52 -05:00
Dan Walsh
3e0b7834a6 - Update to upstream
- Add vlock policy
2010-11-05 14:22:36 -04:00
Dan Walsh
6e50b74774 - Update to upstream
- Add vlock policy
2010-11-05 12:40:49 -04:00
Dan Walsh
06262c1566 - Update to upstream
- Add vlock policy
2010-11-05 12:40:07 -04:00
Dan Walsh
c52856e6d8 - Fix sandbox to work on nfs homedirs
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
2010-11-05 07:32:45 -04:00
Dan Walsh
9896599663 - 2010-11-02 17:07:21 -04:00
Dan Walsh
9754f472c7 - Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
2010-11-01 14:37:25 -04:00
Dan Walsh
7a208696f9 - Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
2010-10-28 15:55:48 -04:00
Dan Walsh
2bb6181f15 - Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot
2010-10-22 16:35:00 -04:00
Dan Walsh
bac270827d - Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
2010-10-22 08:26:00 -04:00
Dan Walsh
4da7659056 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. 2010-10-18 13:18:55 -04:00
Dan Walsh
c849c84305 - Allow cobblerd to list cobler appache content 2010-10-15 11:35:17 -04:00
Dan Walsh
d33e644851 - Fixup for the latest version of upowed
- Dontaudit sandbox sending SIGNULL to desktop apps
2010-10-15 10:26:39 -04:00
Dan Walsh
618ed7aec9 - Update to upstream 2010-10-13 10:00:44 -04:00
Dan Walsh
5a152bc135 - Update to upstream 2010-10-12 16:47:46 -04:00
Dan Walsh
f0a56ee31d -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
2010-10-12 16:10:57 -04:00
Dan Walsh
dd20c25744 Rebuild with latest code 2010-10-08 17:00:50 -04:00
Dan Walsh
6f934680a8 - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
- Update to upstream
2010-10-07 14:55:49 -04:00
Dan Walsh
6f256d240d - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
2010-10-07 09:59:45 -04:00
Dan Walsh
0daa8b731a - Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00
Dan Walsh
b1cbbd0768 - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 14:50:39 -04:00
Dan Walsh
fbd9ca071a - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
5ae8fb66d8 - Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
2010-09-30 09:50:49 -04:00
Dan Walsh
7c487e9739 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:31:36 -04:00
Dan Walsh
e25799116a - Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
2010-09-24 12:03:50 -04:00
Dan Walsh
42c814d215 - Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
2010-09-23 17:40:24 -04:00
Dan Walsh
1d153ea0ea - Fix up Xguest policy 2010-09-22 18:36:47 -04:00
Dan Walsh
ea3b7b5dff - Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
2010-09-16 18:00:00 -04:00
Dan Walsh
a24e6a6700 - Update to upstream 2010-09-16 07:59:03 -04:00
Dan Walsh
ba8c31f5cd - Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
2010-09-14 16:16:56 -04:00
Dan Walsh
a0e8efd42c - Update to upstream 2010-09-13 16:17:15 -04:00
Dan Walsh
30a7d17203 - Add policy for ajaxterm 2010-09-09 09:58:12 -04:00
Dan Walsh
6e2d7f3a82 - Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
2010-09-08 21:24:49 -04:00
Dan Walsh
64d84cf8ec Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-08 14:17:07 -04:00
Dan Walsh
482c9f3ad9 - Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
2010-09-02 13:43:28 -04:00
Dan Walsh
a7a2367a59 - Merge with upstream 2010-08-30 17:34:52 -04:00
Dan Walsh
6578cf7413 - More access needed for devicekit
- Add dbadm policy
2010-08-30 11:58:36 -04:00
Dan Walsh
ba77266a14 - Merge with upstream 2010-08-26 20:35:53 -04:00
Dan Walsh
370d04ed3c - Allow seunshare to fowner 2010-08-25 09:45:26 -04:00
Dan Walsh
cc138e86b5 - Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
2010-08-24 22:48:06 -04:00
Dan Walsh
63265668f0 - Update policy for mozilla_plugin_t 2010-08-23 18:01:46 -04:00
Dan Walsh
eee39f9d8e - Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
2010-08-23 17:29:52 -04:00
Dan Walsh
19988ca76d - Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
2010-08-20 09:36:56 -04:00
Dan Walsh
3798ee962a - label dead.letter as mail_home_t 2010-08-17 07:22:11 -04:00
Dan Walsh
922cd61e83 * Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
2010-08-11 07:55:04 -04:00
Daniel J Walsh
d4bb132c2e - Merge in fixes from dgrift repository 2010-07-27 20:34:21 +00:00
Daniel J Walsh
7f5d8f30d0 - Update boinc policy
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
2010-07-27 17:28:04 +00:00
Daniel J Walsh
a1ef703492 - New paths for upstart 2010-07-26 21:46:12 +00:00
Daniel J Walsh
8d55a410dc - New permissions for syslog
- New labels for /lib/upstart
2010-07-26 20:32:18 +00:00
Daniel J Walsh
f3fc10528f - Allow systemd to setsockcon on sockets to immitate other services 2010-07-22 16:58:58 +00:00
Daniel J Walsh
9f811efbbb - Remove debugfs label 2010-07-21 14:57:11 +00:00
Daniel J Walsh
d66bec6356 - Update to latest policy 2010-07-20 17:48:36 +00:00
Daniel J Walsh
1df2fc2bba - Fix eclipse labeling from IBMSupportAssasstant packageing 2010-07-19 21:16:41 +00:00
Daniel J Walsh
3f1005a67d - Make boot with systemd in enforcing mode 2010-07-15 20:04:35 +00:00
Daniel J Walsh
0f2ae00c61 - Update to upstream 2010-07-15 13:11:25 +00:00
Daniel J Walsh
9c1bcc22e3 - Add boolean to turn off port forwarding in sshd. 2010-07-12 21:15:05 +00:00
Miroslav Grepl
be922a1fae - Add support for ebtables
- Fixes for rhcs and corosync policy
2010-07-09 15:28:31 +00:00
Daniel J Walsh
6c42218d9d -Update to upstream 2010-06-28 17:19:34 +00:00
Daniel J Walsh
fa98e0ec52 -Update to upstream 2010-06-21 14:31:26 +00:00
Daniel J Walsh
5f371acada -Update to upstream 2010-06-18 20:14:28 +00:00
Daniel J Walsh
7c727a891e - Add Zarafa policy 2010-06-16 20:19:22 +00:00
Daniel J Walsh
f2403c5b4f - Cleanup of aiccu policy
- initial mock policy
2010-06-11 15:39:46 +00:00
Daniel J Walsh
f651bb6fdc - Lots of random fixes 2010-06-09 21:31:42 +00:00
Daniel J Walsh
b39ccca147 - Update to upstream 2010-06-08 21:23:21 +00:00
Daniel J Walsh
632048ceb1 - Update to upstream
- Allow prelink script to signal itself
- Cobbler fixes
2010-06-07 21:15:35 +00:00
Daniel J Walsh
bca242c772 - Add xdm_var_run_t to xserver_stream_connect_xdm
- Add cmorrord and mpd policy from Miroslav Grepl
2010-06-02 19:36:11 +00:00
Daniel J Walsh
e51284403f - Fix sshd creation of krb cc files for users to be user_tmp_t 2010-06-01 20:56:58 +00:00
Daniel J Walsh
4abfc011a4 - Fixes for accountsdialog
- Fixes for boinc
2010-05-28 12:39:05 +00:00
Daniel J Walsh
65c6e4c421 - Fix label on /var/lib/dokwiki
- Change permissive domains to enforcing
- Fix libvirt policy to allow it to run on mls
2010-05-27 16:14:50 +00:00
Daniel J Walsh
bc4089cfaa - Update to upstream 2010-05-26 21:15:42 +00:00
Daniel J Walsh
a72c31df34 - Update to upstream 2010-03-18 15:47:35 +00:00
Daniel J Walsh
add957370e - Merge with upstream 2010-02-16 22:10:14 +00:00
Daniel J Walsh
3c551b85fe - Allow sandbox to work with MLS 2010-02-11 21:54:06 +00:00
Daniel J Walsh
43c7f5f787 - Make Chrome work with staff user 2010-02-10 22:26:52 +00:00
Daniel J Walsh
487de6f251 - Add icecast policy
- Cleanup spec file
2010-02-08 22:06:23 +00:00
Daniel J Walsh
30c21992cb - Add mcelog policy 2010-02-03 20:52:58 +00:00
Daniel J Walsh
a62c6405cc - Lots of fixes found in F12 2010-02-02 16:41:03 +00:00
Daniel J Walsh
b2f6b0698f - Fix rpm_dontaudit_leaks 2010-01-28 15:44:39 +00:00
Daniel J Walsh
4d67b40db1 - Add getsched to hald_t
- Add file context for Fedora/Redhat Directory Server
2010-01-27 21:54:00 +00:00
Daniel J Walsh
b0f36568e1 - Allow abrt_helper to getattr on all filesystems
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
2010-01-27 17:08:59 +00:00
Daniel J Walsh
b65afa2940 - Add gstreamer_home_t for ~/.gstreamer 2010-01-22 15:26:39 +00:00
Daniel J Walsh
faec5c2a14 - Update to upstream 2010-01-18 22:40:25 +00:00
Daniel J Walsh
3b54668c40 Update spec file to suck in the correct version of selinux-policy packages 2010-01-15 21:39:39 +00:00
Daniel J Walsh
89ad5ea38f - Turn on puppet policy
- Update to dgrift git policy
2010-01-14 21:49:18 +00:00
Daniel J Walsh
fc05ac0660 - Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
2010-01-11 22:06:55 +00:00
Daniel J Walsh
352dafd046 - Update to upstream 2010-01-07 21:59:22 +00:00
Daniel J Walsh
6049e24424 - Remove most of the permissive domains from F12. 2010-01-06 21:57:07 +00:00
Daniel J Walsh
485ded565a - Add cobbler policy from dgrift 2010-01-05 22:09:02 +00:00
Daniel J Walsh
1e86f3f158 - add usbmon device
- Add allow rulse for devicekit_disk
2010-01-04 21:31:54 +00:00
Daniel J Walsh
4478a9a993 - Lots of fixes found in F12, fixes from Tom London 2009-12-30 14:44:54 +00:00
Daniel J Walsh
08b890455e - Cleanups from dgrift 2009-12-23 18:39:12 +00:00
Daniel J Walsh
daebd59668 - Cleanups from dgrift 2009-12-23 18:37:23 +00:00
Daniel J Walsh
e2f53dfaec - Cleanups from dgrift 2009-12-23 13:02:27 +00:00
Daniel J Walsh
550cc5f4f4 - Add back xserver_manage_home_fonts 2009-12-22 17:25:13 +00:00
Daniel J Walsh
7d40583319 - Dontaudit sandbox trying to read nscd and sssd 2009-12-21 22:53:07 +00:00
Daniel J Walsh
b4675412e2 - Update to upstream 2009-12-18 21:18:10 +00:00
Daniel J Walsh
6ca563ec01 - Rename udisks-daemon back to devicekit_disk_t policy 2009-12-17 19:36:22 +00:00
Daniel J Walsh
e54cc7c3e4 - Fixes for abrt calls 2009-12-16 23:01:00 +00:00
Daniel J Walsh
9c90ba7e8e - Add tgtd policy 2009-12-16 13:30:38 +00:00
Daniel J Walsh
755e2d6934 - Add tgtd policy 2009-12-11 20:18:55 +00:00
Daniel J Walsh
9eef358da0 - Update to upstream release 2009-12-10 19:20:14 +00:00
Daniel J Walsh
f2a1dcd3d4 - Add asterisk policy back in
- Update to upstream release 2.20091117
2009-11-25 20:19:12 +00:00
Daniel J Walsh
ee88b050c5 - Add asterisk policy back in 2009-11-20 16:55:54 +00:00
Daniel J Walsh
ce8c76d673 - Add asterisk policy back in 2009-11-20 16:31:54 +00:00
Daniel J Walsh
55acbfd715 - Update to upstream release 2.20091117 2009-11-18 22:22:56 +00:00
Daniel J Walsh
5e44eb8657 - Update to upstream 2009-11-14 05:18:01 +00:00
Daniel J Walsh
32594a1112 - Allow vpnc request the kernel to load modules 2009-10-02 15:15:36 +00:00
Daniel J Walsh
aaf52ff041 - Add plymouth policy 2009-09-30 18:50:23 +00:00
Daniel J Walsh
d976a83a17 - Allow cupsd_config to read user tmp
- Allow snmpd_t to signal itself
- Allow sysstat_t to makedir in sysstat_log_t
2009-09-30 17:37:44 +00:00
Daniel J Walsh
8b10e3abd7 - Update rhcs policy 2009-09-29 12:38:58 +00:00
Daniel J Walsh
85582d623f - Allow users to exec restorecond 2009-09-25 18:47:07 +00:00
Daniel J Walsh
f5a104d238 - Allow sendmail to request kernel modules load 2009-09-24 23:30:16 +00:00
Daniel J Walsh
4c2f298bf2 - Fix all kernel_request_load_module domains 2009-09-22 12:49:53 +00:00
Daniel J Walsh
405a74c394 - Fix all kernel_request_load_module domains 2009-09-21 13:55:41 +00:00
Daniel J Walsh
41f8e385a1 - Remove allow_exec* booleans for confined users. Only available for
unconfined_t
2009-09-20 14:32:30 +00:00
Daniel J Walsh
8323d545c4 - More fixes for sandbox_web_t 2009-09-19 02:03:03 +00:00
Daniel J Walsh
ab462917cf - Allow sshd to create .ssh directory and content 2009-09-18 22:12:25 +00:00
Daniel J Walsh
d53d158d2b - Fix request_module line to module_request 2009-09-18 20:44:00 +00:00
Daniel J Walsh
1fb0a98434 - Fix sandbox policy to allow it to run under firefox.
- Dont audit leaks.
2009-09-18 16:20:05 +00:00
Daniel J Walsh
9de7033708 - Fixes for sandbox 2009-09-17 21:41:30 +00:00
Daniel J Walsh
69290fd9df - Update to upstream
- Dontaudit nsplugin search /root
- Dontaudit nsplugin sys_nice
2009-09-16 17:50:32 +00:00
Daniel J Walsh
23e7082b4b - Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
- Remove policycoreutils-python requirement except for minimum
2009-09-15 21:45:12 +00:00
Daniel J Walsh
6b7b0c1cdc - Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at
    the same time.)
2009-09-15 18:26:13 +00:00
Daniel J Walsh
e20e351e10 - Add wordpress/wp-content/uploads label
- Fixes for sandbox when run from staff_t
2009-09-11 21:15:35 +00:00
Daniel J Walsh
ddc8588081 - Update to upstream
- Fixes for devicekit_disk
2009-09-10 15:38:44 +00:00
Daniel J Walsh
ab8f807545 - More fixes 2009-09-09 21:08:02 +00:00
Daniel J Walsh
b8498d1e5b - More fixes 2009-09-08 23:55:31 +00:00
Daniel J Walsh
123ae9957d - Lots of fixes for initrc and other unconfined domains 2009-09-08 14:30:36 +00:00
Daniel J Walsh
72bc25da0e - Allow xserver to use netlink_kobject_uevent_socket 2009-09-07 01:29:07 +00:00
Daniel J Walsh
1a2981be4a - Dontaudit setroubleshootfix looking at /root directory 2009-09-02 13:33:15 +00:00
Daniel J Walsh
65c3f9a0a8 - Update to upsteam 2009-08-31 21:27:50 +00:00
Daniel J Walsh
cb5670ca1b - Allow gssd to send signals to users
- Fix duplicate label for apache content
2009-08-31 13:39:37 +00:00
Daniel J Walsh
faf9cbbc4b - Update to upstream 2009-08-28 20:55:16 +00:00
Daniel J Walsh
38d427a08f - Remove polkit_auth on upgrades 2009-08-28 18:56:15 +00:00
Daniel J Walsh
42f9effee7 - Add back in unconfined.pp and unconfineduser.pp
- Add Sandbox unshare
2009-08-26 20:19:02 +00:00
Daniel J Walsh
07c04f81b6 - Add back in unconfined.pp and unconfineduser.pp 2009-08-26 14:02:27 +00:00
Daniel J Walsh
89e3546337 - Fixes for cdrecord, mdadm, and others 2009-08-26 12:12:39 +00:00
Daniel J Walsh
080ce6f2c8 - Add capability setting to dhcpc and gpm 2009-08-23 13:55:48 +00:00
Daniel J Walsh
8e64d7d393 - Allow cronjobs to read exim_spool_t 2009-08-22 11:51:13 +00:00
Daniel J Walsh
c5f5b5dbcb - Add ABRT policy 2009-08-21 22:58:28 +00:00
Daniel J Walsh
e3dd4912ce - Fix system-config-services policy 2009-08-20 17:48:51 +00:00
Daniel J Walsh
fc8ff2feac - Allow libvirt to change user componant of virt_domain 2009-08-20 00:02:37 +00:00
Daniel J Walsh
40243d944f - Allow cupsd_config_t to be started by dbus
- Add smoltclient policy
2009-08-18 22:43:34 +00:00
Daniel J Walsh
9c270225e5 - Add policycoreutils-python to pre install 2009-08-18 12:34:26 +00:00
Daniel J Walsh
b2c5e72a15 - Make all unconfined_domains permissive so we can see what AVC's happen 2009-08-13 22:33:07 +00:00
Daniel J Walsh
7fe210d864 - Add pt_chown policy 2009-08-12 20:10:51 +00:00
Daniel J Walsh
867473ac62 - Add kdump policy for Miroslav Grepl
- Turn off execstack boolean
2009-08-10 18:22:10 +00:00
Bill Nottingham
ac7bbfa65a - Turn on execstack on a temporary basis (#512845) 2009-08-07 19:36:54 +00:00
Daniel J Walsh
4de3826dbf - Allow nsplugin to connecto the session bus
- Allow samba_net to write to coolkey data
2009-08-07 11:51:54 +00:00
Daniel J Walsh
e21330348f - Allow devicekit_disk to list inotify 2009-08-05 21:31:17 +00:00
Daniel J Walsh
4816e90c52 - Allow svirt images to create sock_file in svirt_var_run_t 2009-08-05 20:37:39 +00:00
Daniel J Walsh
4673269d66 - Allow exim to getattr on mountpoints
- Fixes for pulseaudio
2009-08-04 11:32:06 +00:00
Daniel J Walsh
947b439e10 - Allow svirt_t to stream_connect to virtd_t 2009-07-31 19:05:34 +00:00
Daniel J Walsh
af4fa8266c - Allod hald_dccm_t to create sock_files in /tmp 2009-07-31 11:02:24 +00:00
Daniel J Walsh
abd1536931 - More fixes from upstream 2009-07-30 20:30:26 +00:00
Daniel J Walsh
c6e2224c70 - Fix polkit label
- Remove hidebrokensymptoms for nss_ldap fix
- Add modemmanager policy
- Lots of merges from upstream
- Begin removing textrel_shlib_t labels, from fixed libraries
2009-07-30 04:31:53 +00:00
Daniel J Walsh
3750561a72 - Update to upstream 2009-07-28 19:08:17 +00:00
Daniel J Walsh
9160520a0e - Allow certmaster to override dac permissions 2009-07-27 22:09:57 +00:00
Daniel J Walsh
df7055d5b3 - Update to upstream 2009-07-23 21:47:41 +00:00
Daniel J Walsh
8da0248476 - Fix context for VirtualBox 2009-07-19 16:04:30 +00:00
Daniel J Walsh
2360ff9f3f - Update to upstream 2009-07-15 19:12:04 +00:00
Daniel J Walsh
a88b486824 - Fixes for xguest 2009-07-08 15:37:57 +00:00
Daniel J Walsh
819f419b33 - fix multiple directory ownership of mandirs 2009-07-07 21:06:52 +00:00
Tom Callaway
a85aeff615 fix duplicate directory ownership with filesystem, policycoreutils 2009-07-07 15:41:05 +00:00
Daniel J Walsh
d9676a6ada - Update to upstream 2009-07-06 21:16:26 +00:00
Daniel J Walsh
bcc53daced - Add rules for rtkit-daemon 2009-06-30 11:46:56 +00:00
Daniel J Walsh
7b16d569d8 - Update to upstream
- Fix nlscd_stream_connect
2009-06-26 20:13:04 +00:00
Daniel J Walsh
221642f17f - Add rtkit policy 2009-06-25 21:43:36 +00:00
Daniel J Walsh
d399fb4d25 - Allow rpcd_t to stream connect to rpcbind 2009-06-24 20:45:26 +00:00
Daniel J Walsh
9850f4d30d - Allow kpropd to create tmp files 2009-06-24 13:15:55 +00:00
Daniel J Walsh
93dc66eaeb - Fix last duplicate /var/log/rpmpkgs 2009-06-23 13:23:52 +00:00
Daniel J Walsh
a9f0953822 - Update to upstream
add sssd
2009-06-22 22:27:58 +00:00
Daniel J Walsh
8866315d40 - Update to upstream
cleanup
Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1
- Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
2009-06-20 13:59:00 +00:00
Daniel J Walsh
6071093529 - Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
2009-06-19 11:41:44 +00:00
Daniel J Walsh
9386d6f55f - Fix mcs rules to include chr_file and blk_file 2009-06-18 20:01:47 +00:00
Daniel J Walsh
e3bf6793cb - Add label for udev-acl 2009-06-18 14:42:34 +00:00
Daniel J Walsh
f8df9e54c4 - Additional rules for consolekit/udev, privoxy and various other fixes 2009-06-15 20:04:07 +00:00
Daniel J Walsh
49883e898d - New version for upstream 2009-06-15 15:26:20 +00:00
Daniel J Walsh
d3ae977ab7 - New version for upstream 2009-06-12 18:59:09 +00:00
Daniel J Walsh
6b838056a8 - Allow NetworkManager to read inotifyfs 2009-06-11 21:26:42 +00:00
Daniel J Walsh
aa7b9cbc5e - Allow setroubleshoot to run mlocate 2009-06-10 17:50:55 +00:00
Daniel J Walsh
8197718634 - Update to upstream 2009-06-08 21:47:04 +00:00
Daniel J Walsh
9ee63df41a - New log file for vmware
- Allow xdm to setattr on user_tmp_t
2009-05-26 16:57:59 +00:00
Daniel J Walsh
ef7416c2b8 - Upgrade to upstream 2009-05-22 14:37:43 +00:00
Daniel J Walsh
eead2a6f25 - Allow fprintd to access sys_ptrace
- Add sandbox policy
2009-05-20 17:28:24 +00:00
Daniel J Walsh
7b6c105887 - Add varnishd policy 2009-05-18 18:49:15 +00:00
Daniel J Walsh
f72bd44737 - Fixes for kpropd 2009-05-14 18:53:40 +00:00
Daniel J Walsh
fcb4418ad5 - Allow brctl to r/w tun_tap_device_t 2009-05-14 14:37:43 +00:00
Daniel J Walsh
62cfafdcb7 - Add /usr/share/selinux/packages
- Turn on nsplugin boolean
2009-05-12 18:10:29 +00:00
Daniel J Walsh
0f6b92d1fa - Allow rpcd_t to send signals to kernel threads 2009-05-11 13:11:03 +00:00
Daniel J Walsh
992419431e - Fix upgrade for F10 to F11 2009-05-08 19:43:27 +00:00
Daniel J Walsh
a2098a521f - Add policy for /var/lib/fprint 2009-05-07 19:09:40 +00:00
Daniel J Walsh
8a0604e919 -Remove duplicate line 2009-05-06 12:51:59 +00:00
Daniel J Walsh
959ab94100 - Allow svirt to manage pci and other sysfs device data 2009-05-05 20:48:39 +00:00
Daniel J Walsh
0e31a0e8ca - Fix package selection handling 2009-05-04 19:37:29 +00:00
Daniel J Walsh
c32d79e2c3 - Fix /sbin/ip6tables-save context
- Allod udev to transition to mount
- Fix loading of mls policy file
2009-05-04 18:20:29 +00:00
Daniel J Walsh
5dd89f3819 - Fix /sbin/ip6tables-save context 2009-05-02 11:52:13 +00:00
Daniel J Walsh
37ebfc9102 - Add shorewall policy 2009-04-30 22:22:00 +00:00
Daniel J Walsh
21b13fca45 - Additional rules for fprintd and sssd 2009-04-30 11:51:07 +00:00
Daniel J Walsh
40d8f60dd7 - Allow nsplugin to unix_read unix_write sem for unconfined_java 2009-04-28 20:09:21 +00:00
Daniel J Walsh
b3ac4a052b - Fix uml files to be owned by users 2009-04-28 15:49:42 +00:00
Daniel J Walsh
e080bbd4f6 - Fix Upgrade path to install unconfineduser.pp when unocnfined package is
3.0.0 or less
2009-04-28 15:13:35 +00:00
Daniel J Walsh
b11dbbb323 - Allow confined users to manace virt_content_t, since this is home dir
content
- Allow all domains to read rpm_script_tmp_t which is what shell creates on
    redirection
2009-04-27 18:56:58 +00:00
Daniel J Walsh
b0991a2dfd - Fix labeling on /var/lib/misc/prelink*
- Allow xserver to rw_shm_perms with all x_clients
- Allow prelink to execute files in the users home directory
2009-04-27 14:45:15 +00:00
Daniel J Walsh
89c9c9ae6a - Allow initrc_t to delete dev_null
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
2009-04-24 19:28:35 +00:00
Daniel J Walsh
eaaf2ab923 - Allow initrc_t to delete dev_null
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
2009-04-24 17:50:36 +00:00
Daniel J Walsh
dac8380cd0 - Allow initrc_t to delete dev_null
- Allow readahead to configure auditing
2009-04-24 13:17:08 +00:00
Daniel J Walsh
db0dafaaeb - Update to latest milter code from Paul Howarth 2009-04-24 11:53:55 +00:00
Daniel J Walsh
cd0a396413 - Update to latest milter code from Paul Howarth 2009-04-24 11:42:43 +00:00
Daniel J Walsh
5ce1c49771 - Additional perms for readahead 2009-04-24 04:09:22 +00:00
Daniel J Walsh
4d5adb716e - Allow pulseaudio to acquire_svc on session bus
- Fix readahead labeling
2009-04-23 14:48:46 +00:00
Daniel J Walsh
3c498a780b - Allow sshd to read var_lib symlinks for freenx 2009-04-22 19:18:30 +00:00
Daniel J Walsh
a32a1594b6 - Allow nsplugin unix_read and write on users shm and sem
- Allow sysadm_t to execute su
2009-04-21 20:31:51 +00:00
Daniel J Walsh
d982e7e091 - Fixes for podsleuth 2009-04-18 12:13:36 +00:00
Daniel J Walsh
dc00fc32b6 *** empty log message *** 2009-04-17 14:19:17 +00:00
Daniel J Walsh
6203f422e2 - Allow cupsd_t to create link files in print_spool_t 2009-04-16 15:14:26 +00:00
Daniel J Walsh
4a0aac139f - Allow audioentroy to read etc files 2009-04-15 12:03:09 +00:00
Daniel J Walsh
685032cae2 - Add fail2ban_var_lib_t
- Fixes for devicekit_power_t
2009-04-14 11:02:35 +00:00
Daniel J Walsh
d4af172a64 - Separate out the ucnonfined user from the unconfined.pp package 2009-04-11 12:30:22 +00:00
Daniel J Walsh
90e4193775 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t. 2009-04-08 13:18:20 +00:00
Daniel J Walsh
25a47636ae - Upgrade to latest upstream
- Allow devicekit_disk sys_rawio
2009-04-08 00:59:46 +00:00
Daniel J Walsh
510c2a3987 - Dontaudit binds to ports < 1024 for named
- Upgrade to latest upstream
2009-04-06 17:07:59 +00:00
Daniel J Walsh
04b6828096 - Allow podsleuth to use tmpfs files 2009-04-03 21:27:39 +00:00
Daniel J Walsh
80beeee40e - Add customizable_types for svirt 2009-04-03 19:25:21 +00:00
Daniel J Walsh
f49c57d5e6 - Allow setroubelshoot exec* privs to prevent crash from bad libraries
- add cpufreqselector
2009-04-03 14:45:58 +00:00
Daniel J Walsh
90ea5b3fef - Dontaudit listing of /root directory for cron system jobs 2009-04-02 15:23:58 +00:00
Daniel J Walsh
3434a9be73 - Fix missing ld.so.cache label 2009-03-30 16:06:48 +00:00
Daniel J Walsh
c0158a8c68 - Add label for ~/.forward and /root/.forward 2009-03-27 19:48:17 +00:00
Daniel J Walsh
6130d52b7c - Fixes for svirt 2009-03-27 00:01:52 +00:00
Daniel J Walsh
9ca87fc9d8 - Fixes to allow svirt read iso files in homedir 2009-03-24 19:45:02 +00:00
Daniel J Walsh
ec9800856c - Add xenner and wine fixes from mgrepl 2009-03-24 14:33:05 +00:00
Daniel J Walsh
5dce3c12f7 - Add xenner and wine fixes from mgrepl 2009-03-20 18:42:38 +00:00
Daniel J Walsh
bfc78b6af9 - Allow mdadm to read/write mls override 2009-03-18 19:34:57 +00:00
Daniel J Walsh
095146a89d - Change to svirt to only access svirt_image_t 2009-03-17 19:52:35 +00:00
Daniel J Walsh
d4b8dcf968 - Fix libvirt policy 2009-03-16 16:02:20 +00:00
Daniel J Walsh
b12011f2ab - Upgrade to latest upstream 2009-03-12 15:48:51 +00:00
Daniel J Walsh
c240b604f6 - Fixes for iscsid and sssd
- More cleanups for upgrade from F10 to Rawhide.
2009-03-11 20:25:16 +00:00
Daniel J Walsh
e72f55aac0 - Add pulseaudio, sssd policy
- Allow networkmanager to exec udevadm
2009-03-09 21:58:08 +00:00
Daniel J Walsh
0c34c69a38 - Add pulseaudio context 2009-03-09 16:18:51 +00:00
Daniel J Walsh
a67a1c12aa - Upgrade to latest patches 2009-03-05 21:05:47 +00:00
Daniel J Walsh
0a03cce02d - Fixes for libvirt 2009-03-04 19:41:16 +00:00
Daniel J Walsh
8c3a31a48a - Update to Latest upstream 2009-03-03 20:10:30 +00:00
Daniel J Walsh
496752533e - Further confinement of qemu images via svirt 2009-02-27 21:22:47 +00:00
Jesse Keating
150ff59c76 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild 2009-02-26 00:27:53 +00:00
Daniel J Walsh
52cbcb4196 - Allow NetworkManager to manage /etc/NetworkManager/system-connections 2009-02-20 01:07:59 +00:00
Daniel J Walsh
de67749970 - add virtual_image_context and virtual_domain_context files 2009-02-18 19:45:29 +00:00
Daniel J Walsh
8f6e4365ca - Allow rpcd_t to send signal to mount_t
- Allow libvirtd to run ranged
2009-02-18 14:27:36 +00:00
Daniel J Walsh
8c2b68a3e1 - Fix sysnet/net_conf_t 2009-02-17 16:21:42 +00:00
Daniel J Walsh
81794767c6 - Fix squidGuard labeling 2009-02-17 14:07:10 +00:00
Daniel J Walsh
2eec438a0b - Re-add corenet_in_generic_if(unlabeled_t) 2009-02-16 22:54:22 +00:00
Daniel J Walsh
e46e005f04 2009-02-11 20:40:13 +00:00
Daniel J Walsh
d43c255c87 UPdate policycorutils version 2009-02-10 16:10:28 +00:00
Daniel J Walsh
1d1c058a4e - Add git web policy 2009-02-10 16:08:36 +00:00
Daniel J Walsh
bd0db4f147 - Add setrans contains from upstream 2009-02-09 22:07:20 +00:00
Daniel J Walsh
4ed140a4b7 - Allow xdm to create user_tmp_t sockets for switch user to work 2009-02-09 14:23:24 +00:00
Daniel J Walsh
bc861e624e - Fix staff_t domain 2009-02-06 17:48:29 +00:00
Daniel J Walsh
73fe81bbab - Grab remainder of network_peer_controls patch 2009-02-05 13:44:44 +00:00
Daniel J Walsh
659e96fa65 - More fixes for devicekit 2009-02-04 16:24:43 +00:00
Daniel J Walsh
c957c38343 - Upgrade to latest upstream 2009-02-04 04:02:17 +00:00
Daniel J Walsh
574cab47f1 - Add boolean to disallow unconfined_t login 2009-02-03 15:26:10 +00:00
Daniel J Walsh
0554a10b80 - Add back transition from xguest to mozilla 2009-01-30 16:49:11 +00:00
Daniel J Walsh
ab3e55d79a - Add virt_content_ro_t and labeling for isos directory 2009-01-30 15:06:44 +00:00
Daniel J Walsh
2fbeb784fa - Fixes for wicd daemon 2009-01-28 22:23:18 +00:00
Daniel J Walsh
f899107d92 - Fixes for wicd daemon 2009-01-28 17:23:17 +00:00
Daniel J Walsh
48adbeae08 - More mls/rpm fixes 2009-01-26 16:21:59 +00:00
Daniel J Walsh
14c9b9cdc6 - Add policy to make dbus/nm-applet work 2009-01-23 20:35:45 +00:00
Daniel J Walsh
40dd24d39b - Remove polgen-ifgen from post and add trigger to policycoreutils-python 2009-01-22 20:10:48 +00:00
Daniel J Walsh
6f8856e9d4 - Add wm policy
- Make mls work in graphics mode
2009-01-21 22:49:23 +00:00
Daniel J Walsh
6cf32a1e8b - Add wm policy
- Make mls work in graphics mode
2009-01-21 21:22:11 +00:00
Daniel J Walsh
1b94a1375f - Add wm policy 2009-01-21 20:39:17 +00:00
Daniel J Walsh
2a4bdae89c - Fixed for DeviceKit 2009-01-21 16:17:40 +00:00
Daniel J Walsh
acc137684b - Add devicekit policy 2009-01-19 22:34:56 +00:00
Daniel J Walsh
1d72fb031f - Update to upstream 2009-01-19 17:35:43 +00:00
Daniel J Walsh
7b146db852 - Define openoffice as an x_domain 2009-01-19 14:28:24 +00:00
Daniel J Walsh
eacea1d45d - Define openoffice as an x_domain 2009-01-16 21:32:59 +00:00
Daniel J Walsh
339bf3bba8 - Fixes for reading xserver_tmp_t 2009-01-13 16:22:47 +00:00
Daniel J Walsh
87fb15321a - Allow cups_pdf_t write to nfs_t 2009-01-12 16:59:00 +00:00
Daniel J Walsh
2ed2ff46f8 - Remove audio_entropy policy 2009-01-06 14:46:21 +00:00
Daniel J Walsh
292c49cacc - Update to upstream 2009-01-05 22:55:20 +00:00
Daniel J Walsh
5df2628335 - Allow hal_acl_t to getattr/setattr fixed_disk 2009-01-04 19:45:03 +00:00
Daniel J Walsh
32363900ec - Change userdom_read_all_users_state to include reading symbolic links in
/proc
2008-12-27 13:06:14 +00:00
Daniel J Walsh
cf8fd9f0cc - Fix dbus reading /proc information 2008-12-22 22:51:28 +00:00
Daniel J Walsh
bae2e9888e - Add missing alias for home directory content 2008-12-22 19:35:46 +00:00
Daniel J Walsh
33c7eab541 - Fixes for IBM java location 2008-12-17 21:15:08 +00:00
Daniel J Walsh
dcd0c96f34 - Allow unconfined_r unconfined_java_t 2008-12-11 15:21:57 +00:00
Daniel J Walsh
fd2b62ea68 - Add cron_role back to user domains 2008-12-09 21:04:28 +00:00
Daniel J Walsh
9a43d2b055 - Fix sudo setting of user keys 2008-12-08 22:00:56 +00:00
Daniel J Walsh
163db10557 - Allow iptables to talk to terminals
- Fixes for policy kit
- lots of fixes for booting.
2008-12-08 16:38:09 +00:00
Daniel J Walsh
2ae1615a14 - Allow iptables to talk to terminals
- Fixes for policy kit
- lots of fixes for booting.
2008-12-04 21:43:55 +00:00
Daniel J Walsh
c136db3296 - Allow iptables to talk to terminals 2008-12-04 20:36:26 +00:00
Daniel J Walsh
01ce3df8a6 - Allow iptables to talk to terminals 2008-12-04 18:47:26 +00:00
Daniel J Walsh
bcb1922de7 - Cleanup policy 2008-12-03 23:40:18 +00:00
Daniel J Walsh
739db21a4a - Cleanup policy 2008-12-03 22:18:31 +00:00
Ignacio Vazquez-Abrams
23d6844939 Rebuild for Python 2.6 2008-12-01 15:00:41 +00:00
Daniel J Walsh
02d888c766 - Fix labeling on /var/spool/rsyslog 2008-11-25 19:18:01 +00:00
Daniel J Walsh
0d6e623017 - Allow postgresl to bind to udp nodes 2008-11-06 17:47:54 +00:00
Daniel J Walsh
2a650ea1aa - Allow lvm to dbus chat with hal
- Allow rlogind to read nfs_t
2008-11-05 22:21:30 +00:00
Daniel J Walsh
074b12f275 - Fix cyphesis file context 2008-11-05 20:34:06 +00:00
Daniel J Walsh
6a09cfb688 - Allow hal/pm-utils to look at /var/run/video.rom
- Add ulogd policy
2008-11-05 18:26:36 +00:00
Daniel J Walsh
411a424e1c - Additional fixes for cyphesis
- Fix certmaster file context
- Add policy for system-config-samba
2008-11-04 15:40:31 +00:00
Daniel J Walsh
333ebd64df - Allow dhcpc to restart ypbind
- Fixup labeling in /var/run
2008-11-03 21:09:40 +00:00
Daniel J Walsh
1bc89b8d4c - Fix confined users
- Allow xguest to read/write xguest_dbusd_t
2008-10-29 20:45:55 +00:00
Daniel J Walsh
2362056f7a - Fix confined users
- Allow xguest to read/write xguest_dbusd_t
2008-10-29 17:12:16 +00:00
Daniel J Walsh
812930ae8d - Allow openoffice execstack/execmem privs 2008-10-28 23:22:15 +00:00
Daniel J Walsh
d8e5d05b6e - Allow openoffice execstack/execmem privs 2008-10-28 20:06:14 +00:00
Daniel J Walsh
a3e038c1a1 - Allow openoffice execstack/execmem privs 2008-10-27 21:07:05 +00:00
Daniel J Walsh
4fa9db787c - Allow mozilla to run with unconfined_execmem_t 2008-10-25 11:14:56 +00:00
Daniel J Walsh
798a73de69 - Dontaudit domains trying to write to .xsession-errors 2008-10-24 13:41:09 +00:00
Daniel J Walsh
3281238148 - Allow nsplugin to look at autofs_t directory 2008-10-24 12:14:54 +00:00
Daniel J Walsh
de61cc7d10 - Allow kerneloops to create tmp files 2008-10-23 12:59:31 +00:00
Daniel J Walsh
ae68d97fe5 - More alias for fastcgi 2008-10-22 13:34:13 +00:00
Daniel J Walsh
236d3cc19a - Remove mod_fcgid-selinux package 2008-10-21 18:31:38 +00:00
Daniel J Walsh
b9e15d9766 - Fix dovecot access 2008-10-20 19:53:30 +00:00
Daniel J Walsh
49f48f4a99 - Policy cleanup 2008-10-17 22:03:34 +00:00
Daniel J Walsh
b4cab5a3eb - Remove Multiple spec
- Add include
- Fix makefile to not call per_role_expansion
2008-10-16 19:56:59 +00:00
Daniel J Walsh
6115689216 - Remove Multiple spec
- Add include
- Fix makefile to not call per_role_expansion
2008-10-16 17:28:39 +00:00
Daniel J Walsh
4b4392dd08 - Fix labeling of libGL 2008-10-15 21:32:30 +00:00
Daniel J Walsh
4125702a20 - Update to upstream 2008-10-14 23:50:08 +00:00
Daniel J Walsh
b6cc6a84e9 - Update to upstream 2008-10-11 23:57:43 +00:00
Daniel J Walsh
675bbabe24 - Update to upstream policy 2008-10-09 03:10:32 +00:00
Daniel J Walsh
1062bd3849 - Fixes for confined xwindows and xdm_t 2008-10-06 19:10:48 +00:00
Daniel J Walsh
86369ef439 - Allow confined users and xdm to exec wm
- Allow nsplugin to talk to fifo files on nfs
2008-10-03 20:11:22 +00:00
Daniel J Walsh
f1a8278899 - Allow NetworkManager to transition to avahi and iptables
- Allow domains to search other domains keys, coverup kernel bug
2008-10-03 15:49:44 +00:00
Daniel J Walsh
b42a1eddf9 - Allow domains to search other domains keys, coverup kernel bug 2008-10-03 15:07:40 +00:00
Daniel J Walsh
094ef3d610 - Fix labeling for oracle 2008-10-01 19:15:34 +00:00
Daniel J Walsh
2ede4ec7ba - Allow nsplugin to comminicate with xdm_tmp_t sock_file 2008-10-01 12:27:11 +00:00
Daniel J Walsh
99873745bf - Change all user tmpfs_t files to be labeled user_tmpfs_t
- Allow radiusd to create sock_files
2008-09-30 14:39:16 +00:00
Daniel J Walsh
b709ffd738 - Upgrade to upstream 2008-09-25 18:54:16 +00:00
Daniel J Walsh
ed32c64290 - Allow confined users to login with dbus 2008-09-23 20:14:47 +00:00
Daniel J Walsh
a80e7ac6a3 - Fix transition to nsplugin 2008-09-23 15:14:53 +00:00
Daniel J Walsh
d86efe56b9 - Fix transition to nsplugin 2008-09-22 20:07:59 +00:00
Daniel J Walsh
f0375d509e - Add file context for /dev/mspblk.* 2008-09-22 17:55:56 +00:00
Daniel J Walsh
f77dd2c9db - Fix transition to nsplugin '
Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3
- Fix labeling on new pm*log
- Allow ssh to bind to all nodes
2008-09-22 12:33:03 +00:00
Daniel J Walsh
11ef2470b7 - Fix labeling on new pm*log
- Allow ssh to bind to all nodes
2008-09-18 21:02:12 +00:00
Daniel J Walsh
530772ab58 - Fix labeling on new pm*log
- Allow ssh to bind to all nodes
2008-09-18 19:34:12 +00:00
Daniel J Walsh
16c3ff1596 - Merge upstream changes
- Add Xavier Toth patches
2008-09-12 14:21:05 +00:00
Daniel J Walsh
aca77a6f2d - Remove gamin policy 2008-09-08 21:01:42 +00:00
Daniel J Walsh
d0d3073e2f - Add tinyxs-max file system support 2008-09-04 20:59:27 +00:00
Daniel J Walsh
0a219fe07b - Update to upstream
- New handling of init scripts
2008-09-03 20:16:35 +00:00
Daniel J Walsh
3ad3552b8a - Allow audit dispatcher to kill his children 2008-08-29 20:54:34 +00:00
Daniel J Walsh
cd8bee594b - Update to upstream
- Fix crontab use by unconfined user
2008-08-29 19:29:23 +00:00
Daniel J Walsh
7638e78556 - Allow ifconfig_t to read dhcpc_state_t 2008-08-26 14:46:43 +00:00
Daniel J Walsh
eb7e6dca5e - Allow ifconfig_t to read dhcpc_state_t 2008-08-13 19:24:36 +00:00
Daniel J Walsh
57ae10cc0d - Update to upstream 2008-08-12 15:06:36 +00:00
Daniel J Walsh
1a0f642074 - Update to upstream 2008-08-11 21:19:25 +00:00
Daniel J Walsh
b5d09d1532 - Update to upstream 2008-08-07 20:05:57 +00:00
Daniel J Walsh
0f1bd620e5 - Allow system-config-selinux to work with policykit 2008-08-07 12:22:07 +00:00
Daniel J Walsh
174291bc3e - Fix novel labeling 2008-08-05 20:49:34 +00:00
Daniel J Walsh
170fa29709 - Fix novel labeling 2008-08-01 16:38:49 +00:00
Daniel J Walsh
07bd5c4abb - Consolodate pyzor,spamassassin, razor into one security domain
- Fix xdm requiring additional perms.
2008-07-30 13:48:03 +00:00
Daniel J Walsh
8f2532e249 - Fixes for logrotate, alsa 2008-07-25 11:53:34 +00:00
Daniel J Walsh
f12d5b90db - Eliminate vbetool duplicate entry 2008-07-25 04:24:01 +00:00
Daniel J Walsh
0b05335dd6 - Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t
- Change dhclient to be able to red networkmanager_var_run
2008-07-24 18:19:05 +00:00
Daniel J Walsh
feefeee019 - Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t 2008-07-17 19:53:32 +00:00
Daniel J Walsh
078ad09a44 - Update to latest refpolicy
- Fix libsemanage initial install bug
2008-07-15 20:06:55 +00:00
Daniel J Walsh
6ed8533082 - Update to latest refpolicy 2008-07-15 15:22:39 +00:00
Daniel J Walsh
df6220163f - Add inotify support to nscd 2008-07-10 15:28:32 +00:00
Daniel J Walsh
6db69f086d Add nscd inotify fix 2008-07-09 13:05:54 +00:00
Daniel J Walsh
43f9fcec3e - Allow unconfined_t to setfcap 2008-07-08 20:14:39 +00:00
Daniel J Walsh
273a44c689 - Allow amanda to read tape
- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
- Add support for netware file systems
2008-07-07 17:56:28 +00:00
Daniel J Walsh
258b00e5b7 - Allow ypbind apps to net_bind_service 2008-07-03 20:14:23 +00:00
Daniel J Walsh
75edec44e7 - Allow all system domains and application domains to append to any log
file
2008-07-02 20:45:43 +00:00
Daniel J Walsh
cd60b64c83 - Allow gdm to read rpm database
- Allow nsplugin to read mplayer config files
2008-06-30 21:12:23 +00:00
Daniel J Walsh
c18681476b - Allow vpnc to run ifconfig 2008-06-26 12:12:35 +00:00
Daniel J Walsh
f86ed5a437 - Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients
- Label mogrel_rails as an apache server
2008-06-24 11:14:04 +00:00
Daniel J Walsh
547aa2a382 - Apply unconfined_execmem_exec_t to haskell programs 2008-06-23 12:20:04 +00:00
Daniel J Walsh
6959e0bb76 - Fix prelude file context 2008-06-23 00:55:21 +00:00
Daniel J Walsh
fe0d467c2b - allow hplip to talk dbus
- Fix context on ~/.local dir
2008-06-22 12:22:25 +00:00
Daniel J Walsh
f4ff8bb944 - Prevent applications from reading x_device 2008-06-12 19:57:12 +00:00
Daniel J Walsh
5608a9da69 - Add /var/lib/selinux context 2008-06-12 18:44:52 +00:00
Daniel J Walsh
af0f735167 - Update to upstream 2008-06-12 14:50:00 +00:00
Daniel J Walsh
c5c253fae5 - Update to upstream 2008-06-11 19:01:26 +00:00
Daniel J Walsh
f513c7b90b - Add livecd policy 2008-06-10 19:34:59 +00:00
Daniel J Walsh
15f71c5d61 - Add livecd policy 2008-06-04 17:26:52 +00:00
Daniel J Walsh
91ec07f1df - Dontaudit search of admin_home for init_system_domain
- Rewrite of xace interfaces
- Lots of new fs_list_inotify
- Allow livecd to transition to setfiles_mac
2008-06-04 12:57:43 +00:00
Daniel J Walsh
80e0b808d5 - Begin XAce integration 2008-06-03 20:27:28 +00:00
Daniel J Walsh
081b6ac47e - Merge Upstream 2008-06-02 18:56:05 +00:00
Daniel J Walsh
2e33f7ba70 - Merge Upstream 2008-06-02 17:10:33 +00:00
Daniel J Walsh
4b7f030014 Update for rawhide 2008-05-19 13:02:56 +00:00
Daniel J Walsh
993c27dacb - Allow amanada to create data files 2008-05-07 19:10:59 +00:00
Daniel J Walsh
6c25b428ce - Remove dmesg boolean
- Allow user domains to read/write game data
2008-05-06 17:01:42 +00:00
Daniel J Walsh
86881dd93f - Change unconfined_t to transition to unconfined_mono_t when running mono
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so
    gnome-do will work
2008-04-29 16:05:11 +00:00
Daniel J Walsh
2d8ff5157a - Remove old booleans from targeted-booleans.conf file 2008-04-28 21:24:59 +00:00
Daniel J Walsh
b4e933120a - Don't run crontab from unconfined_t 2008-04-24 21:08:32 +00:00
Daniel J Walsh
ef5e600999 - Don't run crontab from unconfined_t 2008-04-24 19:41:22 +00:00
Daniel J Walsh
4b1d56da14 - Change etc files to config files to allow users to read them 2008-04-23 14:15:54 +00:00
Daniel J Walsh
a6a82aec79 - dontaudit mrtg reading /proc
- Allow iscsi to signal itself
- Allow gnomeclock sys_ptrace
2008-04-15 20:27:09 +00:00
Daniel J Walsh
5896bad9cf 2008-04-14 20:01:48 +00:00
Daniel J Walsh
bb36d75512 2008-04-11 18:58:08 +00:00
Daniel J Walsh
06686c20a2 - Allow dhcpd to read kernel network state 2008-04-10 19:45:47 +00:00
Daniel J Walsh
41625a26ea - Label /var/run/gdm correctly
- Fix unconfined_u user creation
2008-04-10 14:37:57 +00:00
Daniel J Walsh
254e3c7af3 - Allow transition from initrc_t to getty_t 2008-04-08 20:14:36 +00:00
Daniel J Walsh
5a576e06f0 - Allow passwd to communicate with user sockets to change gnome-keyring 2008-04-08 19:17:28 +00:00
Daniel J Walsh
7f851af8d9 - Fix initial install 2008-04-08 03:17:46 +00:00
Daniel J Walsh
c3c4a525c2 - 2008-04-06 12:06:47 +00:00
Daniel J Walsh
27943de6a0 - Allow radvd to use fifo_file
- dontaudit setfiles reading links
- allow semanage sys_resource
- add allow_httpd_mod_auth_ntlm_winbind boolean
- Allow privhome apps including dovecot read on nfs and cifs home dirs if
    the boolean is set
2008-04-05 10:39:06 +00:00
Daniel J Walsh
c66f2bc425 - Allow nsplugin to read /etc/mozpluggerrc, user_fonts
- Allow syslog to manage innd logs.
- Allow procmail to ioctl spamd_exec_t
2008-04-01 09:21:21 +00:00
Daniel J Walsh
294ea7a213 - Allow initrc_t to dbus chat with consolekit. 2008-03-29 18:36:09 +00:00
Daniel J Walsh
e54cb216a8 - Additional access for nsplugin
- Allow xdm setcap/getcap until pulseaudio is fixed
2008-03-28 22:07:45 +00:00
Daniel J Walsh
f70afcdd9e - Allow mount to mkdir on tmpfs
- Allow ifconfig to search debugfs
2008-03-26 06:17:27 +00:00
Daniel J Walsh
bf3d39e959 - Fix file context for MATLAB
- Fixes for xace
2008-03-21 23:24:11 +00:00
Daniel J Walsh
5ea3f10caf - Allow stunnel to transition to inetd children domains
- Make unconfined_dbusd_t an unconfined domain
2008-03-20 16:11:16 +00:00
Daniel J Walsh
94b7be909e 2008-03-18 21:10:02 +00:00
Daniel J Walsh
ba9e5e8244 - Fixes for qemu/virtd 2008-03-17 21:42:05 +00:00
Daniel J Walsh
97081dcb9d - Fix bug in mozilla policy to allow xguest transition
- This will fix the
2008-03-14 21:17:21 +00:00
Daniel J Walsh
a6e1280791 - Fix bug in mozilla policy to allow xguest transition
- This will fix the
2008-03-14 21:13:24 +00:00
Daniel J Walsh
d593d26c1d - Allow nsplugin to run acroread 2008-03-14 15:59:07 +00:00
Daniel J Walsh
987b10f86d - Add cups_pdf policy
- Add openoffice policy to run in xguest
2008-03-14 00:25:00 +00:00
Daniel J Walsh
7f811bf534 - prewika needs to contact mysql
- Allow syslog to read system_map files
2008-03-13 12:58:25 +00:00
Daniel J Walsh
ceda8feb68 - Change init_t to an unconfined_domain 2008-03-12 12:39:48 +00:00
Daniel J Walsh
0879f489ab - Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
2008-03-12 01:10:44 +00:00
Bill Nottingham
110bce3a29 fixes for init, rhgb. also, fix the build 2008-03-11 22:46:00 +00:00
Daniel J Walsh
2041ac3d49 - Additional changes for MLS policy 2008-03-10 20:58:06 +00:00
Daniel J Walsh
1bf67d57ed - Fix initrc_context generation for MLS 2008-03-06 22:25:06 +00:00
Daniel J Walsh
dc57e68eff - Fixes for libvirt 2008-03-05 23:11:52 +00:00
Daniel J Walsh
5947905ef9 - Allow bitlebee to read locale_t 2008-03-04 21:38:18 +00:00
Daniel J Walsh
d8c160273b - More xselinux rules 2008-02-29 22:33:22 +00:00
Daniel J Walsh
9a0f35b9ad - Change httpd_$1_script_r*_t to httpd_$1_content_r*_t 2008-02-29 22:18:30 +00:00
Daniel J Walsh
338714fc7f - 2008-02-28 21:51:10 +00:00