Dan Walsh
ff64d9c354
Accidently checked in my test spec file
2011-04-21 10:07:57 -04:00
Dan Walsh
bd16f8dd70
Readd my patch
2011-04-19 11:36:13 -04:00
Dan Walsh
9bd1686ff7
Move to version 26 of policy
2011-04-19 11:34:24 -04:00
Miroslav Grepl
a357639bb0
- Fixes for zarafa policy
...
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymountd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
2011-04-19 13:53:55 +00:00
Dan Walsh
637b33d9f3
Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
...
Conflicts:
selinux-policy.spec
2011-04-15 14:24:32 -04:00
Miroslav Grepl
6ac26422cc
- xdm_t needs getsession for switch user
...
- Every app that used to exec init is now execing systemdctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port - Fixes for colord policy
2011-04-15 09:08:10 +00:00
Dan Walsh
e935d25737
Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
...
Conflicts:
selinux-policy.spec
2011-04-12 10:57:09 -04:00
Dan Walsh
826311d497
Testing
2011-04-11 17:06:55 -04:00
Miroslav Grepl
1b7c8fcdf6
- Add Dan's patch to remove 64 bit variants
...
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclok to enable ntpd service using systemctl - systemd_syst
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
2011-04-11 07:58:00 +00:00
Dan Walsh
86354fa4cc
Remove lib64 mapping and use subs. change subs name to file_context.subs_dist
2011-04-05 15:30:24 -04:00
Miroslav Grepl
2130480ad3
- Fix typo
2011-04-05 09:38:41 +00:00
Miroslav Grepl
397c1e2d5c
- Add /var/run/lock /var/lock definition to file_contexts.subs
...
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
2011-04-04 23:41:02 +00:00
Dan Walsh
568f781d20
Update to latest versions and change policy version
2011-04-04 16:50:06 -04:00
Miroslav Grepl
81c96b1880
comment out the sepolgen line
2011-04-04 20:43:56 +00:00
Miroslav Grepl
aaa0ee57f3
comment out the sepolgen line
2011-04-04 20:33:32 +00:00
Miroslav Grepl
68129209ed
comment out the sepolgen line
2011-04-04 20:16:34 +00:00
Miroslav Grepl
fb7e97f251
- Fix label for /var/run/udev to udev_var_run_t
...
- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00
Miroslav Grepl
a7705c54e1
- Add file_contexts.subs to handle /run and /run/lock
...
- Add other fixes relating to /run changes from F15 policy
2011-04-01 16:12:27 +00:00
Miroslav Grepl
36d3f31dcf
- Allow $1_sudo_t and $1_su_t open access to user terminals
...
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
-systemd is going to be useing /run and /run/lock for early bootup files.
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has setup /dev/kmsg as stderr for apps it executes
- Need these access so that init can impersonate sockets on unix_dgram_socket
2011-03-25 14:54:13 +00:00
Miroslav Grepl
47d5c167a8
- Remove some unconfined domains
...
- Remove permissive domains
- Add policy-term.patch from Dan
2011-03-23 23:53:27 +00:00
Miroslav Grepl
7c23cf73df
Fix multiple specification for boot.log
2011-03-17 16:01:12 +00:00
Miroslav Grepl
f5eb99f70b
- devicekit leaks file descriptors to setfiles_t
...
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
2011-03-17 15:46:18 +00:00
Miroslav Grepl
af4c0d3f1e
- Initial policy for matahari
...
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
f7f5ca9228
+- mozilla_plugin_tmp_t needs to be treated as user tmp files
...
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
2011-03-10 22:02:46 +00:00
Miroslav Grepl
8d54634624
- Add policykit fixes from Tim Waugh
...
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00
Miroslav Grepl
9b89d85005
Fix minimum policy
2011-03-08 18:36:28 +00:00
Miroslav Grepl
6726024e43
Update to upstream
2011-03-08 18:28:56 +00:00
Miroslav Grepl
781f349e05
- gpg_t needs to talk to gnome-keyring
...
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
2011-03-01 17:08:45 +00:00
Miroslav Grepl
c34a0c5248
- Allow usbhid-ups to read hardware state information
...
- systemd-tmpfiles has moved
- Allo cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- allow all sandbox to read selinux poilcy config files
- Allow cluster domains to use the system bus and send each other dbus messages
2011-02-21 21:46:58 +00:00
Miroslav Grepl
7288282fd4
- Update to upstream
2011-02-16 18:45:08 +00:00
Dennis Gilmore
60e174d11c
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
2011-02-09 07:08:32 -06:00
Dan Walsh
d3861ceab3
- Update to ref policy
...
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
2011-02-08 18:00:22 -05:00
Dan Walsh
812781becc
- Update to ref policy
...
- cgred needs chown capability
- Add /dev/crash crash_dev_t
2011-02-08 17:50:40 -05:00
Miroslav Grepl
f12703ea7e
- New labeling for postfmulti #675654
...
- dontaudit xdm_t listing noxattr file systems
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
- shutdown is passed stdout to a xdm_log_t file
- smartd creates a fixed disk device
- dovecot_etc_t contains a lnk_file that domains need to read
- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
2011-02-08 12:43:56 +00:00
Miroslav Grepl
19cd669e5e
- syslog_t needs syslog capability
...
- dirsrv needs to be able to create /var/lib/snmp
- Fix labeling for dirsrv
- Fix for dirsrv policy missing manage_dirs_pattern
- corosync needs to delete clvm_tmpfs_t files
- qdiskd needs to list hugetlbfs
- Move setsched to sandbox_x_domain, so firefox can run without network access
- Allow hddtemp to read removable devices
- Adding syslog and read_policy permissions to policy
* syslog
Allow unconfined, sysadm_t, secadm_t, logadm_t
* read_policy
allow unconfined, sysadm_t, secadm_t, staff_t on Targeted
allow sysadm_t (optionally), secadm_t on MLS
- mdadm application will write into /sys/.../uevent whenever arrays are
assembled or disassembled.
2011-02-03 18:30:25 +00:00
Dan Walsh
731e693460
- Add tcsd policy
2011-02-01 16:45:17 -05:00
Dan Walsh
0e793cf10b
Merge branches 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
2011-02-01 16:08:31 -05:00
Miroslav Grepl
ebce355dea
- ricci_modclusterd_t needs to bind to rpc ports 500-1023
...
- Allow dbus to use setrlimit to increase resoueces
- Mozilla_plugin is leaking to sandbox
- Allow confined users to connect to lircd over unix domain stream socket whic
- Allow awstats to read squid logs
- seunshare needs to manage tmp_t
- apcupsd cgi scripts have a new directory
2011-02-01 18:30:35 +00:00
Dan Walsh
6b3837d6e4
stop relabeling /var/lib
2011-01-27 14:29:13 -05:00
Miroslav Grepl
73e5debe55
- Fix xserver_dontaudit_read_xdm_pid
...
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
- Allow readahead to manage readahead pid dirs
- Allow readahead to read all mcs levels
- Allow mozilla_plugin_t to use nfs or samba homedirs
2011-01-27 18:13:11 +00:00
Miroslav Grepl
3c70739f2c
- Allow nagios plugin to read /proc/meminfo
...
- Fix for mozilla_plugin
- Allow samba_net_t to create /etc/keytab
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wt
- nslcd can read user credentials
- Allow nsplugin to delete mozilla_plugin_tmpfs_t
- abrt tries to create dir in rpm_var_lib_t
- virt relabels fifo_files
- sshd needs to manage content in fusefs homedir
- mock manages link files in cache dir
2011-01-25 17:44:14 +00:00
Miroslav Grepl
0ababf8492
- nslcd needs setsched and to read /usr/tmp
...
- Invalid call in likewise policy ends up creating a bogus role
- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
- Allow screen to create screen_home_t in /root
- dirsrv sends syslog messages
- pinentry reads stuff in .kde directory
- Add labels for .kde directory in homedir
- Treat irpinit, iprupdate, iprdump services with raid policy
2011-01-21 17:24:28 +00:00
Miroslav Grepl
408ea919b7
- NetworkManager wants to read consolekit_var_run_t
...
- Allow readahead to create /dev/.systemd/readahead
- Remove permissive domains
- Allow newrole to run namespace_init
2011-01-19 18:43:03 +00:00
Miroslav Grepl
ac028b8413
Fix release
2011-01-18 11:00:30 +00:00
Miroslav Grepl
a34c78a0fd
- Add sepgsql_contexts file
2011-01-18 10:28:56 +00:00
Miroslav Grepl
86b1f12f92
- Update to upstream
2011-01-17 18:42:12 +00:00
Miroslav Grepl
f16c69cb48
- Add oracle ports and allow apache to connect to them if the connect_db boole
...
- Add puppetmaster_use_db boolean
- Fixes for zarafa policy
- Fixes for gnomeclock poliy
- Fix systemd-tmpfiles to use auth_use_nsswitch
2011-01-17 17:47:06 +00:00
Miroslav Grepl
116d73139a
- gnomeclock executes a shell
...
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de
- Add firewalld policy
...
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49
- Add initial policy for system-setup-keyboard which is now daemon
...
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0
- Gnome apps list config_home_t
...
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
ef836a9861
- New labels for ghc http content
...
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
2010-12-22 16:12:41 -05:00
Miroslav Grepl
d980545506
- Update to upstream
...
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
2010-12-21 09:32:36 +00:00
Miroslav Grepl
d6c5f3679b
Update to upstream
2010-12-20 17:43:48 +00:00
Dan Walsh
f3f61efb0b
- Update selinux policy to handle new /usr/share/sandbox/start script
2010-12-16 11:25:39 -05:00
Miroslav Grepl
0ba6b243f7
- Update to upstream
...
- Fix version of policy in spec file
2010-12-15 11:03:25 +00:00
Miroslav Grepl
1adb28c6ec
- Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
...
- remove per sandbox domains devpts types
- Allow dkim-milter sending signal to itself
2010-12-14 19:49:10 +00:00
Dan Walsh
25660bf875
- Allow domains that transition to ping or traceroute, kill them
...
- Allow user_t to conditionally transition to ping_t and traceroute_t
- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
2010-12-13 17:11:28 -05:00
Miroslav Grepl
3c0b9eac8c
- Turn on systemd policy
...
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00
Miroslav Grepl
b04a855a22
- Fixes for clamscan and boinc policy
...
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
2010-12-10 13:55:11 +00:00
Miroslav Grepl
c2ad3681fa
- Push fixes to allow disabling of unlabeled_t packet access
...
- Enable unlabelednet policy
2010-12-07 17:51:16 +00:00
Miroslav Grepl
7b62a83f6b
- Fixes for lvm to work with systemd
2010-12-07 15:10:29 +00:00
Miroslav Grepl
151160499d
- Fix the label for wicd log
...
- plymouthd creates force-display-on-active-vt file
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being an packet_type.
- Removed general access to packet_type from icecast and squid.
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
2010-12-06 19:08:04 +00:00
Miroslav Grepl
a4f1f54302
- Fix gnome_manage_data interface
...
- Dontaudit sys_ptrace capability for iscsid
- Fixes for nagios plugin policy
2010-12-03 17:07:37 +00:00
Miroslav Grepl
09460452b6
- Fix cron to run ranged when started by init
...
- Fix devicekit to use log files
- Dontaudit use of devicekit_var_run_t for fstools
- Allow init to setattr on logfile directories
2010-12-02 18:21:58 +01:00
Dan Walsh
5bcd7aa5b3
- Fix up handling of dnsmasq_t creating /var/run/libvirt/network
...
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
2010-11-30 16:24:01 -05:00
Miroslav Grepl
954ef8ad92
- fixes to allow /var/run and /var/lock as tmpfs
...
- Allow chrome sandbox to connect to web ports
- Allow dovecot to listem on lmtp and sieve ports
- Allov ddclient to search sysctl_net_t
- Transition back to original domain if you execute the shell
2010-11-30 11:39:40 +00:00
Miroslav Grepl
b63541e55b
- Remove duplicate declaration
2010-11-25 16:53:58 +00:00
Miroslav Grepl
05f913e88b
- Update to upstream
...
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
2010-11-25 12:21:34 +00:00
Miroslav Grepl
3daa6c760b
- Allow ddclient to fix file mode bits of ddclient conf file
...
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
2010-11-22 12:12:57 +01:00
Dan Walsh
d6719f6ecb
- Put back in lircd_etc_t so policy will install
2010-11-18 16:27:30 -05:00
Miroslav Grepl
4eb45ebeaa
- Turn on allow_postfix_local_write_mail_spool
...
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
2010-11-18 17:37:29 +01:00
Miroslav Grepl
582d2c5d2c
- Update to upstream
...
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
2010-11-16 09:46:19 +01:00
Miroslav Grepl
cbb8d59931
- Allow nagios plugins to read usr files
...
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
2010-11-15 18:27:23 +01:00
Dan Walsh
763342ad3a
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
...
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
2010-11-12 11:08:35 -05:00
Dan Walsh
519b05a70f
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
2010-11-12 10:59:01 -05:00
Dan Walsh
50dacaca09
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
...
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
2010-11-12 09:56:06 -05:00
Miroslav Grepl
9238df00c5
- Turn on mediawiki policy
...
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
2010-11-12 13:47:15 +01:00
Dan Walsh
7297a334b4
- Fix init to be able to relabel wtmp, tmp files
2010-11-10 14:39:23 -05:00
Miroslav Grepl
5d168a352b
- Allow groupd transition to fenced domain when executes fence_node
...
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
2010-11-10 11:04:39 +01:00
Dan Walsh
ded1efb9d8
- Fix up corecommands.fc to match upstream
...
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
2010-11-09 17:41:15 -05:00
Dan Walsh
fc9bf2f03d
- Add conflicts for dirsrv package
2010-11-09 07:55:52 -05:00
Dan Walsh
3e0b7834a6
- Update to upstream
...
- Add vlock policy
2010-11-05 14:22:36 -04:00
Dan Walsh
6e50b74774
- Update to upstream
...
- Add vlock policy
2010-11-05 12:40:49 -04:00
Dan Walsh
06262c1566
- Update to upstream
...
- Add vlock policy
2010-11-05 12:40:07 -04:00
Dan Walsh
c52856e6d8
- Fix sandbox to work on nfs homedirs
...
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
2010-11-05 07:32:45 -04:00
Dan Walsh
9896599663
-
2010-11-02 17:07:21 -04:00
Dan Walsh
9754f472c7
- Allow NetworkManager to read openvpn_etc_t
...
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
2010-11-01 14:37:25 -04:00
Dan Walsh
7a208696f9
- Dontaudit sandbox sending sigkill to all user domains
...
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
2010-10-28 15:55:48 -04:00
Dan Walsh
2bb6181f15
- Fixes for systemd to manage /var/run
...
- Dontaudit leaks by firstboot
2010-10-22 16:35:00 -04:00
Dan Walsh
bac270827d
- Allow chome to create netlink_route_socket
...
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
2010-10-22 08:26:00 -04:00
Dan Walsh
4da7659056
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
2010-10-18 13:18:55 -04:00
Dan Walsh
c849c84305
- Allow cobblerd to list cobler appache content
2010-10-15 11:35:17 -04:00
Dan Walsh
d33e644851
- Fixup for the latest version of upowed
...
- Dontaudit sandbox sending SIGNULL to desktop apps
2010-10-15 10:26:39 -04:00
Dan Walsh
618ed7aec9
- Update to upstream
2010-10-13 10:00:44 -04:00
Dan Walsh
5a152bc135
- Update to upstream
2010-10-12 16:47:46 -04:00
Dan Walsh
f0a56ee31d
-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
...
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
2010-10-12 16:10:57 -04:00
Dan Walsh
dd20c25744
Rebuild with latest code
2010-10-08 17:00:50 -04:00
Dan Walsh
6f934680a8
- Allow smbd to use sys_admin
...
- Remove duplicate file context for tcfmgr
- Update to upstream
2010-10-07 14:55:49 -04:00
Dan Walsh
6f256d240d
- Allow smbd to use sys_admin
...
- Remove duplicate file context for tcfmgr
2010-10-07 09:59:45 -04:00
Dan Walsh
0daa8b731a
- Fix fusefs handling
...
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00
Dan Walsh
b1cbbd0768
- Start adding support for use_fusefs_home_dirs
...
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 14:50:39 -04:00
Dan Walsh
fbd9ca071a
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
...
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
5ae8fb66d8
- Dontaudit attempts by xdm_t to write to bin_t for kdm
...
- Allow initrc_t to manage system_conf_t
2010-09-30 09:50:49 -04:00
Dan Walsh
7c487e9739
- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
...
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:31:36 -04:00
Dan Walsh
e25799116a
- Pull in cleanups from dgrift
...
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
2010-09-24 12:03:50 -04:00
Dan Walsh
42c814d215
- Cleanup policy via dgrift
...
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
2010-09-23 17:40:24 -04:00
Dan Walsh
1d153ea0ea
- Fix up Xguest policy
2010-09-22 18:36:47 -04:00
Dan Walsh
ea3b7b5dff
- Add vnstat policy
...
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
2010-09-16 18:00:00 -04:00
Dan Walsh
a24e6a6700
- Update to upstream
2010-09-16 07:59:03 -04:00
Dan Walsh
ba8c31f5cd
- Allow all domains that can use cgroups to search tmpfs_t directory
...
- Allow init to send audit messages
2010-09-14 16:16:56 -04:00
Dan Walsh
a0e8efd42c
- Update to upstream
2010-09-13 16:17:15 -04:00
Dan Walsh
30a7d17203
- Add policy for ajaxterm
2010-09-09 09:58:12 -04:00
Dan Walsh
6e2d7f3a82
- Handle /var/db/sudo
...
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
2010-09-08 21:24:49 -04:00
Dan Walsh
64d84cf8ec
Allow iptables to read shorewall tmp files
...
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-08 14:17:07 -04:00
Dan Walsh
482c9f3ad9
- Merge upstream fix of mmap_zero
...
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
2010-09-02 13:43:28 -04:00
Dan Walsh
a7a2367a59
- Merge with upstream
2010-08-30 17:34:52 -04:00
Dan Walsh
6578cf7413
- More access needed for devicekit
...
- Add dbadm policy
2010-08-30 11:58:36 -04:00
Dan Walsh
ba77266a14
- Merge with upstream
2010-08-26 20:35:53 -04:00
Dan Walsh
370d04ed3c
- Allow seunshare to fowner
2010-08-25 09:45:26 -04:00
Dan Walsh
cc138e86b5
- Allow cron to look at user_cron_spool links
...
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
2010-08-24 22:48:06 -04:00
Dan Walsh
63265668f0
- Update policy for mozilla_plugin_t
2010-08-23 18:01:46 -04:00
Dan Walsh
eee39f9d8e
- Allow clamscan to read proc_t
...
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
2010-08-23 17:29:52 -04:00
Dan Walsh
19988ca76d
- Allow clamscan_t execmem if clamd_use_jit set
...
- Add policy for firefox plugin-container
2010-08-20 09:36:56 -04:00
Dan Walsh
3798ee962a
- label dead.letter as mail_home_t
2010-08-17 07:22:11 -04:00
Dan Walsh
922cd61e83
* Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
...
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
2010-08-11 07:55:04 -04:00
Daniel J Walsh
d4bb132c2e
- Merge in fixes from dgrift repository
2010-07-27 20:34:21 +00:00
Daniel J Walsh
7f5d8f30d0
- Update boinc policy
...
- Fix sysstat policy to allow sys_admin
- Change failsafe_context to unconfined_r:unconfined_t:s0
2010-07-27 17:28:04 +00:00
Daniel J Walsh
a1ef703492
- New paths for upstart
2010-07-26 21:46:12 +00:00
Daniel J Walsh
8d55a410dc
- New permissions for syslog
...
- New labels for /lib/upstart
2010-07-26 20:32:18 +00:00
Daniel J Walsh
f3fc10528f
- Allow systemd to setsockcon on sockets to immitate other services
2010-07-22 16:58:58 +00:00
Daniel J Walsh
9f811efbbb
- Remove debugfs label
2010-07-21 14:57:11 +00:00
Daniel J Walsh
d66bec6356
- Update to latest policy
2010-07-20 17:48:36 +00:00
Daniel J Walsh
1df2fc2bba
- Fix eclipse labeling from IBMSupportAssasstant packageing
2010-07-19 21:16:41 +00:00
Daniel J Walsh
3f1005a67d
- Make boot with systemd in enforcing mode
2010-07-15 20:04:35 +00:00
Daniel J Walsh
0f2ae00c61
- Update to upstream
2010-07-15 13:11:25 +00:00
Daniel J Walsh
9c1bcc22e3
- Add boolean to turn off port forwarding in sshd.
2010-07-12 21:15:05 +00:00
Miroslav Grepl
be922a1fae
- Add support for ebtables
...
- Fixes for rhcs and corosync policy
2010-07-09 15:28:31 +00:00
Daniel J Walsh
6c42218d9d
-Update to upstream
2010-06-28 17:19:34 +00:00
Daniel J Walsh
fa98e0ec52
-Update to upstream
2010-06-21 14:31:26 +00:00
Daniel J Walsh
5f371acada
-Update to upstream
2010-06-18 20:14:28 +00:00
Daniel J Walsh
7c727a891e
- Add Zarafa policy
2010-06-16 20:19:22 +00:00
Daniel J Walsh
f2403c5b4f
- Cleanup of aiccu policy
...
- initial mock policy
2010-06-11 15:39:46 +00:00
Daniel J Walsh
f651bb6fdc
- Lots of random fixes
2010-06-09 21:31:42 +00:00
Daniel J Walsh
b39ccca147
- Update to upstream
2010-06-08 21:23:21 +00:00
Daniel J Walsh
632048ceb1
- Update to upstream
...
- Allow prelink script to signal itself
- Cobbler fixes
2010-06-07 21:15:35 +00:00
Daniel J Walsh
bca242c772
- Add xdm_var_run_t to xserver_stream_connect_xdm
...
- Add cmorrord and mpd policy from Miroslav Grepl
2010-06-02 19:36:11 +00:00
Daniel J Walsh
e51284403f
- Fix sshd creation of krb cc files for users to be user_tmp_t
2010-06-01 20:56:58 +00:00
Daniel J Walsh
4abfc011a4
- Fixes for accountsdialog
...
- Fixes for boinc
2010-05-28 12:39:05 +00:00
Daniel J Walsh
65c6e4c421
- Fix label on /var/lib/dokwiki
...
- Change permissive domains to enforcing
- Fix libvirt policy to allow it to run on mls
2010-05-27 16:14:50 +00:00
Daniel J Walsh
bc4089cfaa
- Update to upstream
2010-05-26 21:15:42 +00:00
Daniel J Walsh
a72c31df34
- Update to upstream
2010-03-18 15:47:35 +00:00
Daniel J Walsh
add957370e
- Merge with upstream
2010-02-16 22:10:14 +00:00
Daniel J Walsh
3c551b85fe
- Allow sandbox to work with MLS
2010-02-11 21:54:06 +00:00
Daniel J Walsh
43c7f5f787
- Make Chrome work with staff user
2010-02-10 22:26:52 +00:00
Daniel J Walsh
487de6f251
- Add icecast policy
...
- Cleanup spec file
2010-02-08 22:06:23 +00:00
Daniel J Walsh
30c21992cb
- Add mcelog policy
2010-02-03 20:52:58 +00:00
Daniel J Walsh
a62c6405cc
- Lots of fixes found in F12
2010-02-02 16:41:03 +00:00
Daniel J Walsh
b2f6b0698f
- Fix rpm_dontaudit_leaks
2010-01-28 15:44:39 +00:00
Daniel J Walsh
4d67b40db1
- Add getsched to hald_t
...
- Add file context for Fedora/Redhat Directory Server
2010-01-27 21:54:00 +00:00
Daniel J Walsh
b0f36568e1
- Allow abrt_helper to getattr on all filesystems
...
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
2010-01-27 17:08:59 +00:00
Daniel J Walsh
b65afa2940
- Add gstreamer_home_t for ~/.gstreamer
2010-01-22 15:26:39 +00:00
Daniel J Walsh
faec5c2a14
- Update to upstream
2010-01-18 22:40:25 +00:00
Daniel J Walsh
3b54668c40
Update spec file to suck in the correct version of selinux-policy packages
2010-01-15 21:39:39 +00:00
Daniel J Walsh
89ad5ea38f
- Turn on puppet policy
...
- Update to dgrift git policy
2010-01-14 21:49:18 +00:00
Daniel J Walsh
fc05ac0660
- Move users file to selection by spec file.
...
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
2010-01-11 22:06:55 +00:00
Daniel J Walsh
352dafd046
- Update to upstream
2010-01-07 21:59:22 +00:00
Daniel J Walsh
6049e24424
- Remove most of the permissive domains from F12.
2010-01-06 21:57:07 +00:00
Daniel J Walsh
485ded565a
- Add cobbler policy from dgrift
2010-01-05 22:09:02 +00:00
Daniel J Walsh
1e86f3f158
- add usbmon device
...
- Add allow rulse for devicekit_disk
2010-01-04 21:31:54 +00:00
Daniel J Walsh
4478a9a993
- Lots of fixes found in F12, fixes from Tom London
2009-12-30 14:44:54 +00:00
Daniel J Walsh
08b890455e
- Cleanups from dgrift
2009-12-23 18:39:12 +00:00
Daniel J Walsh
daebd59668
- Cleanups from dgrift
2009-12-23 18:37:23 +00:00
Daniel J Walsh
e2f53dfaec
- Cleanups from dgrift
2009-12-23 13:02:27 +00:00
Daniel J Walsh
550cc5f4f4
- Add back xserver_manage_home_fonts
2009-12-22 17:25:13 +00:00
Daniel J Walsh
7d40583319
- Dontaudit sandbox trying to read nscd and sssd
2009-12-21 22:53:07 +00:00
Daniel J Walsh
b4675412e2
- Update to upstream
2009-12-18 21:18:10 +00:00
Daniel J Walsh
6ca563ec01
- Rename udisks-daemon back to devicekit_disk_t policy
2009-12-17 19:36:22 +00:00
Daniel J Walsh
e54cc7c3e4
- Fixes for abrt calls
2009-12-16 23:01:00 +00:00
Daniel J Walsh
9c90ba7e8e
- Add tgtd policy
2009-12-16 13:30:38 +00:00
Daniel J Walsh
755e2d6934
- Add tgtd policy
2009-12-11 20:18:55 +00:00
Daniel J Walsh
9eef358da0
- Update to upstream release
2009-12-10 19:20:14 +00:00
Daniel J Walsh
f2a1dcd3d4
- Add asterisk policy back in
...
- Update to upstream release 2.20091117
2009-11-25 20:19:12 +00:00
Daniel J Walsh
ee88b050c5
- Add asterisk policy back in
2009-11-20 16:55:54 +00:00
Daniel J Walsh
ce8c76d673
- Add asterisk policy back in
2009-11-20 16:31:54 +00:00
Daniel J Walsh
55acbfd715
- Update to upstream release 2.20091117
2009-11-18 22:22:56 +00:00
Daniel J Walsh
5e44eb8657
- Update to upstream
2009-11-14 05:18:01 +00:00
Daniel J Walsh
32594a1112
- Allow vpnc request the kernel to load modules
2009-10-02 15:15:36 +00:00
Daniel J Walsh
aaf52ff041
- Add plymouth policy
2009-09-30 18:50:23 +00:00
Daniel J Walsh
d976a83a17
- Allow cupsd_config to read user tmp
...
- Allow snmpd_t to signal itself
- Allow sysstat_t to makedir in sysstat_log_t
2009-09-30 17:37:44 +00:00
Daniel J Walsh
8b10e3abd7
- Update rhcs policy
2009-09-29 12:38:58 +00:00
Daniel J Walsh
85582d623f
- Allow users to exec restorecond
2009-09-25 18:47:07 +00:00
Daniel J Walsh
f5a104d238
- Allow sendmail to request kernel modules load
2009-09-24 23:30:16 +00:00
Daniel J Walsh
4c2f298bf2
- Fix all kernel_request_load_module domains
2009-09-22 12:49:53 +00:00
Daniel J Walsh
405a74c394
- Fix all kernel_request_load_module domains
2009-09-21 13:55:41 +00:00
Daniel J Walsh
41f8e385a1
- Remove allow_exec* booleans for confined users. Only available for
...
unconfined_t
2009-09-20 14:32:30 +00:00
Daniel J Walsh
8323d545c4
- More fixes for sandbox_web_t
2009-09-19 02:03:03 +00:00
Daniel J Walsh
ab462917cf
- Allow sshd to create .ssh directory and content
2009-09-18 22:12:25 +00:00
Daniel J Walsh
d53d158d2b
- Fix request_module line to module_request
2009-09-18 20:44:00 +00:00
Daniel J Walsh
1fb0a98434
- Fix sandbox policy to allow it to run under firefox.
...
- Dont audit leaks.
2009-09-18 16:20:05 +00:00
Daniel J Walsh
9de7033708
- Fixes for sandbox
2009-09-17 21:41:30 +00:00
Daniel J Walsh
69290fd9df
- Update to upstream
...
- Dontaudit nsplugin search /root
- Dontaudit nsplugin sys_nice
2009-09-16 17:50:32 +00:00
Daniel J Walsh
23e7082b4b
- Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service
...
- Remove policycoreutils-python requirement except for minimum
2009-09-15 21:45:12 +00:00
Daniel J Walsh
6b7b0c1cdc
- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
...
- Conflicts seedit (You can not use selinux-policy-targeted and seedit at
the same time.)
2009-09-15 18:26:13 +00:00
Daniel J Walsh
e20e351e10
- Add wordpress/wp-content/uploads label
...
- Fixes for sandbox when run from staff_t
2009-09-11 21:15:35 +00:00
Daniel J Walsh
ddc8588081
- Update to upstream
...
- Fixes for devicekit_disk
2009-09-10 15:38:44 +00:00
Daniel J Walsh
ab8f807545
- More fixes
2009-09-09 21:08:02 +00:00
Daniel J Walsh
b8498d1e5b
- More fixes
2009-09-08 23:55:31 +00:00
Daniel J Walsh
123ae9957d
- Lots of fixes for initrc and other unconfined domains
2009-09-08 14:30:36 +00:00
Daniel J Walsh
72bc25da0e
- Allow xserver to use netlink_kobject_uevent_socket
2009-09-07 01:29:07 +00:00
Daniel J Walsh
1a2981be4a
- Dontaudit setroubleshootfix looking at /root directory
2009-09-02 13:33:15 +00:00
Daniel J Walsh
65c3f9a0a8
- Update to upsteam
2009-08-31 21:27:50 +00:00
Daniel J Walsh
cb5670ca1b
- Allow gssd to send signals to users
...
- Fix duplicate label for apache content
2009-08-31 13:39:37 +00:00
Daniel J Walsh
faf9cbbc4b
- Update to upstream
2009-08-28 20:55:16 +00:00
Daniel J Walsh
38d427a08f
- Remove polkit_auth on upgrades
2009-08-28 18:56:15 +00:00
Daniel J Walsh
42f9effee7
- Add back in unconfined.pp and unconfineduser.pp
...
- Add Sandbox unshare
2009-08-26 20:19:02 +00:00
Daniel J Walsh
07c04f81b6
- Add back in unconfined.pp and unconfineduser.pp
2009-08-26 14:02:27 +00:00
Daniel J Walsh
89e3546337
- Fixes for cdrecord, mdadm, and others
2009-08-26 12:12:39 +00:00
Daniel J Walsh
080ce6f2c8
- Add capability setting to dhcpc and gpm
2009-08-23 13:55:48 +00:00
Daniel J Walsh
8e64d7d393
- Allow cronjobs to read exim_spool_t
2009-08-22 11:51:13 +00:00
Daniel J Walsh
c5f5b5dbcb
- Add ABRT policy
2009-08-21 22:58:28 +00:00
Daniel J Walsh
e3dd4912ce
- Fix system-config-services policy
2009-08-20 17:48:51 +00:00
Daniel J Walsh
fc8ff2feac
- Allow libvirt to change user componant of virt_domain
2009-08-20 00:02:37 +00:00
Daniel J Walsh
40243d944f
- Allow cupsd_config_t to be started by dbus
...
- Add smoltclient policy
2009-08-18 22:43:34 +00:00
Daniel J Walsh
9c270225e5
- Add policycoreutils-python to pre install
2009-08-18 12:34:26 +00:00
Daniel J Walsh
b2c5e72a15
- Make all unconfined_domains permissive so we can see what AVC's happen
2009-08-13 22:33:07 +00:00
Daniel J Walsh
7fe210d864
- Add pt_chown policy
2009-08-12 20:10:51 +00:00
Daniel J Walsh
867473ac62
- Add kdump policy for Miroslav Grepl
...
- Turn off execstack boolean
2009-08-10 18:22:10 +00:00
Bill Nottingham
ac7bbfa65a
- Turn on execstack on a temporary basis ( #512845 )
2009-08-07 19:36:54 +00:00
Daniel J Walsh
4de3826dbf
- Allow nsplugin to connecto the session bus
...
- Allow samba_net to write to coolkey data
2009-08-07 11:51:54 +00:00
Daniel J Walsh
e21330348f
- Allow devicekit_disk to list inotify
2009-08-05 21:31:17 +00:00
Daniel J Walsh
4816e90c52
- Allow svirt images to create sock_file in svirt_var_run_t
2009-08-05 20:37:39 +00:00
Daniel J Walsh
4673269d66
- Allow exim to getattr on mountpoints
...
- Fixes for pulseaudio
2009-08-04 11:32:06 +00:00
Daniel J Walsh
947b439e10
- Allow svirt_t to stream_connect to virtd_t
2009-07-31 19:05:34 +00:00
Daniel J Walsh
af4fa8266c
- Allod hald_dccm_t to create sock_files in /tmp
2009-07-31 11:02:24 +00:00
Daniel J Walsh
abd1536931
- More fixes from upstream
2009-07-30 20:30:26 +00:00
Daniel J Walsh
c6e2224c70
- Fix polkit label
...
- Remove hidebrokensymptoms for nss_ldap fix
- Add modemmanager policy
- Lots of merges from upstream
- Begin removing textrel_shlib_t labels, from fixed libraries
2009-07-30 04:31:53 +00:00
Daniel J Walsh
3750561a72
- Update to upstream
2009-07-28 19:08:17 +00:00
Daniel J Walsh
9160520a0e
- Allow certmaster to override dac permissions
2009-07-27 22:09:57 +00:00
Daniel J Walsh
df7055d5b3
- Update to upstream
2009-07-23 21:47:41 +00:00
Daniel J Walsh
8da0248476
- Fix context for VirtualBox
2009-07-19 16:04:30 +00:00
Daniel J Walsh
2360ff9f3f
- Update to upstream
2009-07-15 19:12:04 +00:00
Daniel J Walsh
a88b486824
- Fixes for xguest
2009-07-08 15:37:57 +00:00
Daniel J Walsh
819f419b33
- fix multiple directory ownership of mandirs
2009-07-07 21:06:52 +00:00
Tom Callaway
a85aeff615
fix duplicate directory ownership with filesystem, policycoreutils
2009-07-07 15:41:05 +00:00
Daniel J Walsh
d9676a6ada
- Update to upstream
2009-07-06 21:16:26 +00:00
Daniel J Walsh
bcc53daced
- Add rules for rtkit-daemon
2009-06-30 11:46:56 +00:00
Daniel J Walsh
7b16d569d8
- Update to upstream
...
- Fix nlscd_stream_connect
2009-06-26 20:13:04 +00:00
Daniel J Walsh
221642f17f
- Add rtkit policy
2009-06-25 21:43:36 +00:00
Daniel J Walsh
d399fb4d25
- Allow rpcd_t to stream connect to rpcbind
2009-06-24 20:45:26 +00:00
Daniel J Walsh
9850f4d30d
- Allow kpropd to create tmp files
2009-06-24 13:15:55 +00:00
Daniel J Walsh
93dc66eaeb
- Fix last duplicate /var/log/rpmpkgs
2009-06-23 13:23:52 +00:00
Daniel J Walsh
a9f0953822
- Update to upstream
...
add sssd
2009-06-22 22:27:58 +00:00
Daniel J Walsh
8866315d40
- Update to upstream
...
cleanup
Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1
- Update to upstream
- Additional mail ports
- Add virt_use_usb boolean for svirt
2009-06-20 13:59:00 +00:00
Daniel J Walsh
6071093529
- Update to upstream
...
- Additional mail ports
- Add virt_use_usb boolean for svirt
2009-06-19 11:41:44 +00:00
Daniel J Walsh
9386d6f55f
- Fix mcs rules to include chr_file and blk_file
2009-06-18 20:01:47 +00:00
Daniel J Walsh
e3bf6793cb
- Add label for udev-acl
2009-06-18 14:42:34 +00:00
Daniel J Walsh
f8df9e54c4
- Additional rules for consolekit/udev, privoxy and various other fixes
2009-06-15 20:04:07 +00:00
Daniel J Walsh
49883e898d
- New version for upstream
2009-06-15 15:26:20 +00:00
Daniel J Walsh
d3ae977ab7
- New version for upstream
2009-06-12 18:59:09 +00:00
Daniel J Walsh
6b838056a8
- Allow NetworkManager to read inotifyfs
2009-06-11 21:26:42 +00:00
Daniel J Walsh
aa7b9cbc5e
- Allow setroubleshoot to run mlocate
2009-06-10 17:50:55 +00:00
Daniel J Walsh
8197718634
- Update to upstream
2009-06-08 21:47:04 +00:00
Daniel J Walsh
9ee63df41a
- New log file for vmware
...
- Allow xdm to setattr on user_tmp_t
2009-05-26 16:57:59 +00:00
Daniel J Walsh
ef7416c2b8
- Upgrade to upstream
2009-05-22 14:37:43 +00:00
Daniel J Walsh
eead2a6f25
- Allow fprintd to access sys_ptrace
...
- Add sandbox policy
2009-05-20 17:28:24 +00:00
Daniel J Walsh
7b6c105887
- Add varnishd policy
2009-05-18 18:49:15 +00:00
Daniel J Walsh
f72bd44737
- Fixes for kpropd
2009-05-14 18:53:40 +00:00
Daniel J Walsh
fcb4418ad5
- Allow brctl to r/w tun_tap_device_t
2009-05-14 14:37:43 +00:00
Daniel J Walsh
62cfafdcb7
- Add /usr/share/selinux/packages
...
- Turn on nsplugin boolean
2009-05-12 18:10:29 +00:00
Daniel J Walsh
0f6b92d1fa
- Allow rpcd_t to send signals to kernel threads
2009-05-11 13:11:03 +00:00
Daniel J Walsh
992419431e
- Fix upgrade for F10 to F11
2009-05-08 19:43:27 +00:00
Daniel J Walsh
a2098a521f
- Add policy for /var/lib/fprint
2009-05-07 19:09:40 +00:00
Daniel J Walsh
8a0604e919
-Remove duplicate line
2009-05-06 12:51:59 +00:00
Daniel J Walsh
959ab94100
- Allow svirt to manage pci and other sysfs device data
2009-05-05 20:48:39 +00:00
Daniel J Walsh
0e31a0e8ca
- Fix package selection handling
2009-05-04 19:37:29 +00:00
Daniel J Walsh
c32d79e2c3
- Fix /sbin/ip6tables-save context
...
- Allod udev to transition to mount
- Fix loading of mls policy file
2009-05-04 18:20:29 +00:00
Daniel J Walsh
5dd89f3819
- Fix /sbin/ip6tables-save context
2009-05-02 11:52:13 +00:00
Daniel J Walsh
37ebfc9102
- Add shorewall policy
2009-04-30 22:22:00 +00:00
Daniel J Walsh
21b13fca45
- Additional rules for fprintd and sssd
2009-04-30 11:51:07 +00:00
Daniel J Walsh
40d8f60dd7
- Allow nsplugin to unix_read unix_write sem for unconfined_java
2009-04-28 20:09:21 +00:00
Daniel J Walsh
b3ac4a052b
- Fix uml files to be owned by users
2009-04-28 15:49:42 +00:00
Daniel J Walsh
e080bbd4f6
- Fix Upgrade path to install unconfineduser.pp when unocnfined package is
...
3.0.0 or less
2009-04-28 15:13:35 +00:00
Daniel J Walsh
b11dbbb323
- Allow confined users to manace virt_content_t, since this is home dir
...
content
- Allow all domains to read rpm_script_tmp_t which is what shell creates on
redirection
2009-04-27 18:56:58 +00:00
Daniel J Walsh
b0991a2dfd
- Fix labeling on /var/lib/misc/prelink*
...
- Allow xserver to rw_shm_perms with all x_clients
- Allow prelink to execute files in the users home directory
2009-04-27 14:45:15 +00:00
Daniel J Walsh
89c9c9ae6a
- Allow initrc_t to delete dev_null
...
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
2009-04-24 19:28:35 +00:00
Daniel J Walsh
eaaf2ab923
- Allow initrc_t to delete dev_null
...
- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead
2009-04-24 17:50:36 +00:00
Daniel J Walsh
dac8380cd0
- Allow initrc_t to delete dev_null
...
- Allow readahead to configure auditing
2009-04-24 13:17:08 +00:00
Daniel J Walsh
db0dafaaeb
- Update to latest milter code from Paul Howarth
2009-04-24 11:53:55 +00:00
Daniel J Walsh
cd0a396413
- Update to latest milter code from Paul Howarth
2009-04-24 11:42:43 +00:00
Daniel J Walsh
5ce1c49771
- Additional perms for readahead
2009-04-24 04:09:22 +00:00
Daniel J Walsh
4d5adb716e
- Allow pulseaudio to acquire_svc on session bus
...
- Fix readahead labeling
2009-04-23 14:48:46 +00:00
Daniel J Walsh
3c498a780b
- Allow sshd to read var_lib symlinks for freenx
2009-04-22 19:18:30 +00:00
Daniel J Walsh
a32a1594b6
- Allow nsplugin unix_read and write on users shm and sem
...
- Allow sysadm_t to execute su
2009-04-21 20:31:51 +00:00
Daniel J Walsh
d982e7e091
- Fixes for podsleuth
2009-04-18 12:13:36 +00:00
Daniel J Walsh
dc00fc32b6
*** empty log message ***
2009-04-17 14:19:17 +00:00
Daniel J Walsh
6203f422e2
- Allow cupsd_t to create link files in print_spool_t
2009-04-16 15:14:26 +00:00
Daniel J Walsh
4a0aac139f
- Allow audioentroy to read etc files
2009-04-15 12:03:09 +00:00
Daniel J Walsh
685032cae2
- Add fail2ban_var_lib_t
...
- Fixes for devicekit_power_t
2009-04-14 11:02:35 +00:00
Daniel J Walsh
d4af172a64
- Separate out the ucnonfined user from the unconfined.pp package
2009-04-11 12:30:22 +00:00
Daniel J Walsh
90e4193775
- Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
2009-04-08 13:18:20 +00:00
Daniel J Walsh
25a47636ae
- Upgrade to latest upstream
...
- Allow devicekit_disk sys_rawio
2009-04-08 00:59:46 +00:00
Daniel J Walsh
510c2a3987
- Dontaudit binds to ports < 1024 for named
...
- Upgrade to latest upstream
2009-04-06 17:07:59 +00:00
Daniel J Walsh
04b6828096
- Allow podsleuth to use tmpfs files
2009-04-03 21:27:39 +00:00
Daniel J Walsh
80beeee40e
- Add customizable_types for svirt
2009-04-03 19:25:21 +00:00
Daniel J Walsh
f49c57d5e6
- Allow setroubelshoot exec* privs to prevent crash from bad libraries
...
- add cpufreqselector
2009-04-03 14:45:58 +00:00
Daniel J Walsh
90ea5b3fef
- Dontaudit listing of /root directory for cron system jobs
2009-04-02 15:23:58 +00:00
Daniel J Walsh
3434a9be73
- Fix missing ld.so.cache label
2009-03-30 16:06:48 +00:00
Daniel J Walsh
c0158a8c68
- Add label for ~/.forward and /root/.forward
2009-03-27 19:48:17 +00:00
Daniel J Walsh
6130d52b7c
- Fixes for svirt
2009-03-27 00:01:52 +00:00
Daniel J Walsh
9ca87fc9d8
- Fixes to allow svirt read iso files in homedir
2009-03-24 19:45:02 +00:00
Daniel J Walsh
ec9800856c
- Add xenner and wine fixes from mgrepl
2009-03-24 14:33:05 +00:00
Daniel J Walsh
5dce3c12f7
- Add xenner and wine fixes from mgrepl
2009-03-20 18:42:38 +00:00
Daniel J Walsh
bfc78b6af9
- Allow mdadm to read/write mls override
2009-03-18 19:34:57 +00:00
Daniel J Walsh
095146a89d
- Change to svirt to only access svirt_image_t
2009-03-17 19:52:35 +00:00
Daniel J Walsh
d4b8dcf968
- Fix libvirt policy
2009-03-16 16:02:20 +00:00
Daniel J Walsh
b12011f2ab
- Upgrade to latest upstream
2009-03-12 15:48:51 +00:00
Daniel J Walsh
c240b604f6
- Fixes for iscsid and sssd
...
- More cleanups for upgrade from F10 to Rawhide.
2009-03-11 20:25:16 +00:00
Daniel J Walsh
e72f55aac0
- Add pulseaudio, sssd policy
...
- Allow networkmanager to exec udevadm
2009-03-09 21:58:08 +00:00
Daniel J Walsh
0c34c69a38
- Add pulseaudio context
2009-03-09 16:18:51 +00:00
Daniel J Walsh
a67a1c12aa
- Upgrade to latest patches
2009-03-05 21:05:47 +00:00
Daniel J Walsh
0a03cce02d
- Fixes for libvirt
2009-03-04 19:41:16 +00:00
Daniel J Walsh
8c3a31a48a
- Update to Latest upstream
2009-03-03 20:10:30 +00:00
Daniel J Walsh
496752533e
- Further confinement of qemu images via svirt
2009-02-27 21:22:47 +00:00
Jesse Keating
150ff59c76
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
2009-02-26 00:27:53 +00:00
Daniel J Walsh
52cbcb4196
- Allow NetworkManager to manage /etc/NetworkManager/system-connections
2009-02-20 01:07:59 +00:00
Daniel J Walsh
de67749970
- add virtual_image_context and virtual_domain_context files
2009-02-18 19:45:29 +00:00
Daniel J Walsh
8f6e4365ca
- Allow rpcd_t to send signal to mount_t
...
- Allow libvirtd to run ranged
2009-02-18 14:27:36 +00:00
Daniel J Walsh
8c2b68a3e1
- Fix sysnet/net_conf_t
2009-02-17 16:21:42 +00:00
Daniel J Walsh
81794767c6
- Fix squidGuard labeling
2009-02-17 14:07:10 +00:00
Daniel J Walsh
2eec438a0b
- Re-add corenet_in_generic_if(unlabeled_t)
2009-02-16 22:54:22 +00:00
Daniel J Walsh
e46e005f04
2009-02-11 20:40:13 +00:00
Daniel J Walsh
d43c255c87
UPdate policycorutils version
2009-02-10 16:10:28 +00:00
Daniel J Walsh
1d1c058a4e
- Add git web policy
2009-02-10 16:08:36 +00:00
Daniel J Walsh
bd0db4f147
- Add setrans contains from upstream
2009-02-09 22:07:20 +00:00
Daniel J Walsh
4ed140a4b7
- Allow xdm to create user_tmp_t sockets for switch user to work
2009-02-09 14:23:24 +00:00
Daniel J Walsh
bc861e624e
- Fix staff_t domain
2009-02-06 17:48:29 +00:00
Daniel J Walsh
73fe81bbab
- Grab remainder of network_peer_controls patch
2009-02-05 13:44:44 +00:00
Daniel J Walsh
659e96fa65
- More fixes for devicekit
2009-02-04 16:24:43 +00:00
Daniel J Walsh
c957c38343
- Upgrade to latest upstream
2009-02-04 04:02:17 +00:00
Daniel J Walsh
574cab47f1
- Add boolean to disallow unconfined_t login
2009-02-03 15:26:10 +00:00
Daniel J Walsh
0554a10b80
- Add back transition from xguest to mozilla
2009-01-30 16:49:11 +00:00
Daniel J Walsh
ab3e55d79a
- Add virt_content_ro_t and labeling for isos directory
2009-01-30 15:06:44 +00:00
Daniel J Walsh
2fbeb784fa
- Fixes for wicd daemon
2009-01-28 22:23:18 +00:00
Daniel J Walsh
f899107d92
- Fixes for wicd daemon
2009-01-28 17:23:17 +00:00
Daniel J Walsh
48adbeae08
- More mls/rpm fixes
2009-01-26 16:21:59 +00:00
Daniel J Walsh
14c9b9cdc6
- Add policy to make dbus/nm-applet work
2009-01-23 20:35:45 +00:00
Daniel J Walsh
40dd24d39b
- Remove polgen-ifgen from post and add trigger to policycoreutils-python
2009-01-22 20:10:48 +00:00
Daniel J Walsh
6f8856e9d4
- Add wm policy
...
- Make mls work in graphics mode
2009-01-21 22:49:23 +00:00
Daniel J Walsh
6cf32a1e8b
- Add wm policy
...
- Make mls work in graphics mode
2009-01-21 21:22:11 +00:00
Daniel J Walsh
1b94a1375f
- Add wm policy
2009-01-21 20:39:17 +00:00
Daniel J Walsh
2a4bdae89c
- Fixed for DeviceKit
2009-01-21 16:17:40 +00:00
Daniel J Walsh
acc137684b
- Add devicekit policy
2009-01-19 22:34:56 +00:00
Daniel J Walsh
1d72fb031f
- Update to upstream
2009-01-19 17:35:43 +00:00
Daniel J Walsh
7b146db852
- Define openoffice as an x_domain
2009-01-19 14:28:24 +00:00
Daniel J Walsh
eacea1d45d
- Define openoffice as an x_domain
2009-01-16 21:32:59 +00:00
Daniel J Walsh
339bf3bba8
- Fixes for reading xserver_tmp_t
2009-01-13 16:22:47 +00:00
Daniel J Walsh
87fb15321a
- Allow cups_pdf_t write to nfs_t
2009-01-12 16:59:00 +00:00
Daniel J Walsh
2ed2ff46f8
- Remove audio_entropy policy
2009-01-06 14:46:21 +00:00
Daniel J Walsh
292c49cacc
- Update to upstream
2009-01-05 22:55:20 +00:00
Daniel J Walsh
5df2628335
- Allow hal_acl_t to getattr/setattr fixed_disk
2009-01-04 19:45:03 +00:00
Daniel J Walsh
32363900ec
- Change userdom_read_all_users_state to include reading symbolic links in
...
/proc
2008-12-27 13:06:14 +00:00
Daniel J Walsh
cf8fd9f0cc
- Fix dbus reading /proc information
2008-12-22 22:51:28 +00:00
Daniel J Walsh
bae2e9888e
- Add missing alias for home directory content
2008-12-22 19:35:46 +00:00
Daniel J Walsh
33c7eab541
- Fixes for IBM java location
2008-12-17 21:15:08 +00:00
Daniel J Walsh
dcd0c96f34
- Allow unconfined_r unconfined_java_t
2008-12-11 15:21:57 +00:00
Daniel J Walsh
fd2b62ea68
- Add cron_role back to user domains
2008-12-09 21:04:28 +00:00
Daniel J Walsh
9a43d2b055
- Fix sudo setting of user keys
2008-12-08 22:00:56 +00:00
Daniel J Walsh
163db10557
- Allow iptables to talk to terminals
...
- Fixes for policy kit
- lots of fixes for booting.
2008-12-08 16:38:09 +00:00
Daniel J Walsh
2ae1615a14
- Allow iptables to talk to terminals
...
- Fixes for policy kit
- lots of fixes for booting.
2008-12-04 21:43:55 +00:00
Daniel J Walsh
c136db3296
- Allow iptables to talk to terminals
2008-12-04 20:36:26 +00:00
Daniel J Walsh
01ce3df8a6
- Allow iptables to talk to terminals
2008-12-04 18:47:26 +00:00
Daniel J Walsh
bcb1922de7
- Cleanup policy
2008-12-03 23:40:18 +00:00
Daniel J Walsh
739db21a4a
- Cleanup policy
2008-12-03 22:18:31 +00:00
Ignacio Vazquez-Abrams
23d6844939
Rebuild for Python 2.6
2008-12-01 15:00:41 +00:00
Daniel J Walsh
02d888c766
- Fix labeling on /var/spool/rsyslog
2008-11-25 19:18:01 +00:00
Daniel J Walsh
0d6e623017
- Allow postgresl to bind to udp nodes
2008-11-06 17:47:54 +00:00
Daniel J Walsh
2a650ea1aa
- Allow lvm to dbus chat with hal
...
- Allow rlogind to read nfs_t
2008-11-05 22:21:30 +00:00
Daniel J Walsh
074b12f275
- Fix cyphesis file context
2008-11-05 20:34:06 +00:00
Daniel J Walsh
6a09cfb688
- Allow hal/pm-utils to look at /var/run/video.rom
...
- Add ulogd policy
2008-11-05 18:26:36 +00:00
Daniel J Walsh
411a424e1c
- Additional fixes for cyphesis
...
- Fix certmaster file context
- Add policy for system-config-samba
2008-11-04 15:40:31 +00:00
Daniel J Walsh
333ebd64df
- Allow dhcpc to restart ypbind
...
- Fixup labeling in /var/run
2008-11-03 21:09:40 +00:00
Daniel J Walsh
1bc89b8d4c
- Fix confined users
...
- Allow xguest to read/write xguest_dbusd_t
2008-10-29 20:45:55 +00:00
Daniel J Walsh
2362056f7a
- Fix confined users
...
- Allow xguest to read/write xguest_dbusd_t
2008-10-29 17:12:16 +00:00
Daniel J Walsh
812930ae8d
- Allow openoffice execstack/execmem privs
2008-10-28 23:22:15 +00:00
Daniel J Walsh
d8e5d05b6e
- Allow openoffice execstack/execmem privs
2008-10-28 20:06:14 +00:00
Daniel J Walsh
a3e038c1a1
- Allow openoffice execstack/execmem privs
2008-10-27 21:07:05 +00:00
Daniel J Walsh
4fa9db787c
- Allow mozilla to run with unconfined_execmem_t
2008-10-25 11:14:56 +00:00
Daniel J Walsh
798a73de69
- Dontaudit domains trying to write to .xsession-errors
2008-10-24 13:41:09 +00:00
Daniel J Walsh
3281238148
- Allow nsplugin to look at autofs_t directory
2008-10-24 12:14:54 +00:00
Daniel J Walsh
de61cc7d10
- Allow kerneloops to create tmp files
2008-10-23 12:59:31 +00:00
Daniel J Walsh
ae68d97fe5
- More alias for fastcgi
2008-10-22 13:34:13 +00:00
Daniel J Walsh
236d3cc19a
- Remove mod_fcgid-selinux package
2008-10-21 18:31:38 +00:00
Daniel J Walsh
b9e15d9766
- Fix dovecot access
2008-10-20 19:53:30 +00:00
Daniel J Walsh
49f48f4a99
- Policy cleanup
2008-10-17 22:03:34 +00:00
Daniel J Walsh
b4cab5a3eb
- Remove Multiple spec
...
- Add include
- Fix makefile to not call per_role_expansion
2008-10-16 19:56:59 +00:00
Daniel J Walsh
6115689216
- Remove Multiple spec
...
- Add include
- Fix makefile to not call per_role_expansion
2008-10-16 17:28:39 +00:00
Daniel J Walsh
4b4392dd08
- Fix labeling of libGL
2008-10-15 21:32:30 +00:00
Daniel J Walsh
4125702a20
- Update to upstream
2008-10-14 23:50:08 +00:00
Daniel J Walsh
b6cc6a84e9
- Update to upstream
2008-10-11 23:57:43 +00:00
Daniel J Walsh
675bbabe24
- Update to upstream policy
2008-10-09 03:10:32 +00:00
Daniel J Walsh
1062bd3849
- Fixes for confined xwindows and xdm_t
2008-10-06 19:10:48 +00:00
Daniel J Walsh
86369ef439
- Allow confined users and xdm to exec wm
...
- Allow nsplugin to talk to fifo files on nfs
2008-10-03 20:11:22 +00:00
Daniel J Walsh
f1a8278899
- Allow NetworkManager to transition to avahi and iptables
...
- Allow domains to search other domains keys, coverup kernel bug
2008-10-03 15:49:44 +00:00
Daniel J Walsh
b42a1eddf9
- Allow domains to search other domains keys, coverup kernel bug
2008-10-03 15:07:40 +00:00
Daniel J Walsh
094ef3d610
- Fix labeling for oracle
2008-10-01 19:15:34 +00:00
Daniel J Walsh
2ede4ec7ba
- Allow nsplugin to comminicate with xdm_tmp_t sock_file
2008-10-01 12:27:11 +00:00
Daniel J Walsh
99873745bf
- Change all user tmpfs_t files to be labeled user_tmpfs_t
...
- Allow radiusd to create sock_files
2008-09-30 14:39:16 +00:00
Daniel J Walsh
b709ffd738
- Upgrade to upstream
2008-09-25 18:54:16 +00:00
Daniel J Walsh
ed32c64290
- Allow confined users to login with dbus
2008-09-23 20:14:47 +00:00
Daniel J Walsh
a80e7ac6a3
- Fix transition to nsplugin
2008-09-23 15:14:53 +00:00
Daniel J Walsh
d86efe56b9
- Fix transition to nsplugin
2008-09-22 20:07:59 +00:00
Daniel J Walsh
f0375d509e
- Add file context for /dev/mspblk.*
2008-09-22 17:55:56 +00:00
Daniel J Walsh
f77dd2c9db
- Fix transition to nsplugin '
...
Thu Sep 18 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-3
- Fix labeling on new pm*log
- Allow ssh to bind to all nodes
2008-09-22 12:33:03 +00:00
Daniel J Walsh
11ef2470b7
- Fix labeling on new pm*log
...
- Allow ssh to bind to all nodes
2008-09-18 21:02:12 +00:00
Daniel J Walsh
530772ab58
- Fix labeling on new pm*log
...
- Allow ssh to bind to all nodes
2008-09-18 19:34:12 +00:00
Daniel J Walsh
16c3ff1596
- Merge upstream changes
...
- Add Xavier Toth patches
2008-09-12 14:21:05 +00:00
Daniel J Walsh
aca77a6f2d
- Remove gamin policy
2008-09-08 21:01:42 +00:00
Daniel J Walsh
d0d3073e2f
- Add tinyxs-max file system support
2008-09-04 20:59:27 +00:00
Daniel J Walsh
0a219fe07b
- Update to upstream
...
- New handling of init scripts
2008-09-03 20:16:35 +00:00
Daniel J Walsh
3ad3552b8a
- Allow audit dispatcher to kill his children
2008-08-29 20:54:34 +00:00
Daniel J Walsh
cd8bee594b
- Update to upstream
...
- Fix crontab use by unconfined user
2008-08-29 19:29:23 +00:00
Daniel J Walsh
7638e78556
- Allow ifconfig_t to read dhcpc_state_t
2008-08-26 14:46:43 +00:00
Daniel J Walsh
eb7e6dca5e
- Allow ifconfig_t to read dhcpc_state_t
2008-08-13 19:24:36 +00:00
Daniel J Walsh
57ae10cc0d
- Update to upstream
2008-08-12 15:06:36 +00:00
Daniel J Walsh
1a0f642074
- Update to upstream
2008-08-11 21:19:25 +00:00
Daniel J Walsh
b5d09d1532
- Update to upstream
2008-08-07 20:05:57 +00:00
Daniel J Walsh
0f1bd620e5
- Allow system-config-selinux to work with policykit
2008-08-07 12:22:07 +00:00
Daniel J Walsh
174291bc3e
- Fix novel labeling
2008-08-05 20:49:34 +00:00
Daniel J Walsh
170fa29709
- Fix novel labeling
2008-08-01 16:38:49 +00:00
Daniel J Walsh
07bd5c4abb
- Consolodate pyzor,spamassassin, razor into one security domain
...
- Fix xdm requiring additional perms.
2008-07-30 13:48:03 +00:00
Daniel J Walsh
8f2532e249
- Fixes for logrotate, alsa
2008-07-25 11:53:34 +00:00
Daniel J Walsh
f12d5b90db
- Eliminate vbetool duplicate entry
2008-07-25 04:24:01 +00:00
Daniel J Walsh
0b05335dd6
- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t
...
- Change dhclient to be able to red networkmanager_var_run
2008-07-24 18:19:05 +00:00
Daniel J Walsh
feefeee019
- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t
2008-07-17 19:53:32 +00:00
Daniel J Walsh
078ad09a44
- Update to latest refpolicy
...
- Fix libsemanage initial install bug
2008-07-15 20:06:55 +00:00
Daniel J Walsh
6ed8533082
- Update to latest refpolicy
2008-07-15 15:22:39 +00:00
Daniel J Walsh
df6220163f
- Add inotify support to nscd
2008-07-10 15:28:32 +00:00
Daniel J Walsh
6db69f086d
Add nscd inotify fix
2008-07-09 13:05:54 +00:00
Daniel J Walsh
43f9fcec3e
- Allow unconfined_t to setfcap
2008-07-08 20:14:39 +00:00
Daniel J Walsh
273a44c689
- Allow amanda to read tape
...
- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
- Add support for netware file systems
2008-07-07 17:56:28 +00:00
Daniel J Walsh
258b00e5b7
- Allow ypbind apps to net_bind_service
2008-07-03 20:14:23 +00:00
Daniel J Walsh
75edec44e7
- Allow all system domains and application domains to append to any log
...
file
2008-07-02 20:45:43 +00:00
Daniel J Walsh
cd60b64c83
- Allow gdm to read rpm database
...
- Allow nsplugin to read mplayer config files
2008-06-30 21:12:23 +00:00
Daniel J Walsh
c18681476b
- Allow vpnc to run ifconfig
2008-06-26 12:12:35 +00:00
Daniel J Walsh
f86ed5a437
- Allow confined users to use postgres
...
- Allow system_mail_t to exec other mail clients
- Label mogrel_rails as an apache server
2008-06-24 11:14:04 +00:00
Daniel J Walsh
547aa2a382
- Apply unconfined_execmem_exec_t to haskell programs
2008-06-23 12:20:04 +00:00
Daniel J Walsh
6959e0bb76
- Fix prelude file context
2008-06-23 00:55:21 +00:00
Daniel J Walsh
fe0d467c2b
- allow hplip to talk dbus
...
- Fix context on ~/.local dir
2008-06-22 12:22:25 +00:00
Daniel J Walsh
f4ff8bb944
- Prevent applications from reading x_device
2008-06-12 19:57:12 +00:00
Daniel J Walsh
5608a9da69
- Add /var/lib/selinux context
2008-06-12 18:44:52 +00:00
Daniel J Walsh
af0f735167
- Update to upstream
2008-06-12 14:50:00 +00:00
Daniel J Walsh
c5c253fae5
- Update to upstream
2008-06-11 19:01:26 +00:00
Daniel J Walsh
f513c7b90b
- Add livecd policy
2008-06-10 19:34:59 +00:00
Daniel J Walsh
15f71c5d61
- Add livecd policy
2008-06-04 17:26:52 +00:00
Daniel J Walsh
91ec07f1df
- Dontaudit search of admin_home for init_system_domain
...
- Rewrite of xace interfaces
- Lots of new fs_list_inotify
- Allow livecd to transition to setfiles_mac
2008-06-04 12:57:43 +00:00
Daniel J Walsh
80e0b808d5
- Begin XAce integration
2008-06-03 20:27:28 +00:00
Daniel J Walsh
081b6ac47e
- Merge Upstream
2008-06-02 18:56:05 +00:00
Daniel J Walsh
2e33f7ba70
- Merge Upstream
2008-06-02 17:10:33 +00:00
Daniel J Walsh
4b7f030014
Update for rawhide
2008-05-19 13:02:56 +00:00
Daniel J Walsh
993c27dacb
- Allow amanada to create data files
2008-05-07 19:10:59 +00:00
Daniel J Walsh
6c25b428ce
- Remove dmesg boolean
...
- Allow user domains to read/write game data
2008-05-06 17:01:42 +00:00
Daniel J Walsh
86881dd93f
- Change unconfined_t to transition to unconfined_mono_t when running mono
...
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so
gnome-do will work
2008-04-29 16:05:11 +00:00
Daniel J Walsh
2d8ff5157a
- Remove old booleans from targeted-booleans.conf file
2008-04-28 21:24:59 +00:00
Daniel J Walsh
b4e933120a
- Don't run crontab from unconfined_t
2008-04-24 21:08:32 +00:00
Daniel J Walsh
ef5e600999
- Don't run crontab from unconfined_t
2008-04-24 19:41:22 +00:00
Daniel J Walsh
4b1d56da14
- Change etc files to config files to allow users to read them
2008-04-23 14:15:54 +00:00
Daniel J Walsh
a6a82aec79
- dontaudit mrtg reading /proc
...
- Allow iscsi to signal itself
- Allow gnomeclock sys_ptrace
2008-04-15 20:27:09 +00:00
Daniel J Walsh
5896bad9cf
2008-04-14 20:01:48 +00:00
Daniel J Walsh
bb36d75512
2008-04-11 18:58:08 +00:00
Daniel J Walsh
06686c20a2
- Allow dhcpd to read kernel network state
2008-04-10 19:45:47 +00:00
Daniel J Walsh
41625a26ea
- Label /var/run/gdm correctly
...
- Fix unconfined_u user creation
2008-04-10 14:37:57 +00:00
Daniel J Walsh
254e3c7af3
- Allow transition from initrc_t to getty_t
2008-04-08 20:14:36 +00:00
Daniel J Walsh
5a576e06f0
- Allow passwd to communicate with user sockets to change gnome-keyring
2008-04-08 19:17:28 +00:00
Daniel J Walsh
7f851af8d9
- Fix initial install
2008-04-08 03:17:46 +00:00
Daniel J Walsh
c3c4a525c2
-
2008-04-06 12:06:47 +00:00
Daniel J Walsh
27943de6a0
- Allow radvd to use fifo_file
...
- dontaudit setfiles reading links
- allow semanage sys_resource
- add allow_httpd_mod_auth_ntlm_winbind boolean
- Allow privhome apps including dovecot read on nfs and cifs home dirs if
the boolean is set
2008-04-05 10:39:06 +00:00
Daniel J Walsh
c66f2bc425
- Allow nsplugin to read /etc/mozpluggerrc, user_fonts
...
- Allow syslog to manage innd logs.
- Allow procmail to ioctl spamd_exec_t
2008-04-01 09:21:21 +00:00
Daniel J Walsh
294ea7a213
- Allow initrc_t to dbus chat with consolekit.
2008-03-29 18:36:09 +00:00
Daniel J Walsh
e54cb216a8
- Additional access for nsplugin
...
- Allow xdm setcap/getcap until pulseaudio is fixed
2008-03-28 22:07:45 +00:00
Daniel J Walsh
f70afcdd9e
- Allow mount to mkdir on tmpfs
...
- Allow ifconfig to search debugfs
2008-03-26 06:17:27 +00:00
Daniel J Walsh
bf3d39e959
- Fix file context for MATLAB
...
- Fixes for xace
2008-03-21 23:24:11 +00:00
Daniel J Walsh
5ea3f10caf
- Allow stunnel to transition to inetd children domains
...
- Make unconfined_dbusd_t an unconfined domain
2008-03-20 16:11:16 +00:00
Daniel J Walsh
94b7be909e
2008-03-18 21:10:02 +00:00
Daniel J Walsh
ba9e5e8244
- Fixes for qemu/virtd
2008-03-17 21:42:05 +00:00
Daniel J Walsh
97081dcb9d
- Fix bug in mozilla policy to allow xguest transition
...
- This will fix the
2008-03-14 21:17:21 +00:00
Daniel J Walsh
a6e1280791
- Fix bug in mozilla policy to allow xguest transition
...
- This will fix the
2008-03-14 21:13:24 +00:00
Daniel J Walsh
d593d26c1d
- Allow nsplugin to run acroread
2008-03-14 15:59:07 +00:00
Daniel J Walsh
987b10f86d
- Add cups_pdf policy
...
- Add openoffice policy to run in xguest
2008-03-14 00:25:00 +00:00
Daniel J Walsh
7f811bf534
- prewika needs to contact mysql
...
- Allow syslog to read system_map files
2008-03-13 12:58:25 +00:00
Daniel J Walsh
ceda8feb68
- Change init_t to an unconfined_domain
2008-03-12 12:39:48 +00:00
Daniel J Walsh
0879f489ab
- Allow init to transition to initrc_t on shell exec.
...
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
2008-03-12 01:10:44 +00:00
Bill Nottingham
110bce3a29
fixes for init, rhgb. also, fix the build
2008-03-11 22:46:00 +00:00
Daniel J Walsh
2041ac3d49
- Additional changes for MLS policy
2008-03-10 20:58:06 +00:00
Daniel J Walsh
1bf67d57ed
- Fix initrc_context generation for MLS
2008-03-06 22:25:06 +00:00
Daniel J Walsh
dc57e68eff
- Fixes for libvirt
2008-03-05 23:11:52 +00:00
Daniel J Walsh
5947905ef9
- Allow bitlebee to read locale_t
2008-03-04 21:38:18 +00:00
Daniel J Walsh
d8c160273b
- More xselinux rules
2008-02-29 22:33:22 +00:00
Daniel J Walsh
9a0f35b9ad
- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t
2008-02-29 22:18:30 +00:00
Daniel J Walsh
338714fc7f
-
2008-02-28 21:51:10 +00:00