Commit Graph

1444 Commits

Author SHA1 Message Date
Miroslav
68f1456925 - Pulseaudio changes
- Merge patches
2011-11-11 17:11:46 +01:00
dwalsh
4501de4407 Checkin patches to git repository 2011-11-11 08:16:39 -05:00
Dan Walsh
4147fe8cd2 Remove allow_execmem boolean and replace with deny_execmem boolean 2011-11-08 16:35:55 -05:00
Dan Walsh
90160938e2 Turn back on allow_execmem boolean 2011-11-08 16:33:10 -05:00
Dan Walsh
e58227a2b3 Turn back on allow_execmem boolean 2011-11-08 08:47:34 -05:00
Dan Walsh
13382d02ea Add more MCS fixes to make sandbox working
Make faillog MLS trusted to make sudo_$1_t working
Allow sandbox_web_client_t to read passwd_file_t
Add .mailrc file context
Remove execheap from openoffice domain
Allow chrome_sandbox_nacl_t to read cpu_info
Allow virtd to relabel generic usb which is need if USB device
Fixes for virt.if interfaces to consider chr_file as image file type
2011-11-07 16:18:33 -05:00
Dan Walsh
653590a3f2 MCS fixes
quota fixes
2011-11-04 16:40:38 -04:00
Dan Walsh
01e90f94b8 MCS fixes
quota fixes
2011-11-04 13:36:24 -04:00
Dan Walsh
0b72d16e07 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	policy-F16.patch
	selinux-policy.spec
2011-11-04 13:34:59 -04:00
Dan Walsh
8872d3d2ac MCS fixes
quota fixes
2011-11-04 13:31:43 -04:00
Miroslav
76b2f513a3 +- MCS fixes
+- quota fixes
2011-11-04 18:30:28 +01:00
dwalsh
d5bededc4d Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:23:55 -04:00
dwalsh
a7f0027cf7 Make nvidia* to be labeled correctly
Fix abrt_manage_cache() interface
Make filetrans rules optional so base policy will build
Dontaudit chkpwd_t access to inherited TTYS
Make sure postfix content gets created with the correct label
Allow gnomeclock to read cgroup
Fixes for cloudform policy
2011-11-02 16:01:43 -04:00
Dan Walsh
bc6fbd3a31 Check in fixed for Chrome nacl support 2011-10-27 14:33:47 -04:00
Dan Walsh
26536c5d39 Begin removing qemu_t domain, we really no longer need this domain.
systemd_passwd needs dac_overide to communicate with users TTY's
Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00
Dan Walsh
a1db2ce026 Remove qemu.pp again without causing a crash 2011-10-27 09:33:50 -04:00
Dan Walsh
b4b0268a28 Remove qemu.pp, everything should use svirt_t or stay in its current domain 2011-10-26 15:42:29 -04:00
Dan Walsh
084f9557dc Allow policykit to talk to the systemd via dbus
Move chrome_sandbox_nacl_t to permissive domains
Additional rules for chrome_sandbox_nacl
2011-10-26 08:49:22 -04:00
Dan Walsh
fa26d89bd5 Change bootstrap name to nacl
Chrome still needs execmem
Missing role for chrome_sandbox_bootstrap
Add boolean to remove execmem and execstack from virtual machines
Dontaudit xdm_t doing an access_check on etc_t directories
2011-10-25 13:27:37 -04:00
Dan Walsh
44066bd77a Allow named to connect to dirsrv by default
add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00
Dan Walsh
3dcddab74d Allow firewallgui to read /etc/selinux/config 2011-10-24 13:39:32 -04:00
Miroslav
b6ae8086ef - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
2011-10-24 10:57:01 +02:00
Dan Walsh
1a2b4d14f1 Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:44:31 -04:00
Dan Walsh
f875d285bd Turn on mock_t and thumb_t for unconfined domains 2011-10-21 16:37:11 -04:00
Dan Walsh
e1f17eb990 Policy update should not modify local contexts 2011-10-21 09:42:14 -04:00
Dan Walsh
052e175084 Remove ada policy 2011-10-20 14:33:31 -04:00
Dan Walsh
b01657ac51 Remove ada policy 2011-10-20 14:21:03 -04:00
Dan Walsh
61fa8d555e Remove tzdata policy
Remove ada policy
Add labeling for udev
Add cloudform policy
Fixes for bootloader policy
2011-10-20 12:30:06 -04:00
Dan Walsh
8214f7881a Remove tzdata policy
Remove ada domain
2011-10-20 12:24:32 -04:00
Miroslav
1944b1a36e Remove tzdata policy 2011-10-20 18:00:51 +02:00
Dan Walsh
087aaea152 Remove tzdata domain, only necessary to make sure stuff is labeled correctly. 2011-10-20 11:43:18 -04:00
Dan Walsh
a56e13e7b8 Add policies for nova openstack 2011-10-19 08:31:34 -04:00
Dan Walsh
4dba2eb895 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-19 08:29:33 -04:00
Dan Walsh
1414f9f3a7 Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
Allow init process to setrlimit on itself
Take away transition rules for users executing ssh-keygen
Allow setroubleshoot_fixit_t to read /dev/urand
Allow sshd to relbale tunnel sockets
Allow fail2ban domtrans to shorewall in the same way as with iptables
Add support for lnk files in the /var/lib/sssd directory
Allow system mail to connect to courier-authdaemon over an unix stream socket
2011-10-18 10:12:22 -04:00
Dan Walsh
9bf3aa2c96 Add passwd_file_t for /etc/ptmptmp 2011-10-17 15:51:24 -04:00
Dan Walsh
e29441a5cc Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
Make corosync to be able to relabelto cluster lib fies
Allow samba domains to search /var/run/nmbd
Allow dirsrv to use pam
Allow thumb to call getuid
chrome less likely to get mmap_zero bug so removing dontaudit
gimp help-browser has built in javascript
Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t
Re-write glance policy
2011-10-14 09:50:55 -04:00
Dan Walsh
2453975e3d Move dontaudit sys_ptrace line from permissive.te to domain.te
Remove policy for hal, it no longer exists
2011-10-13 15:43:15 -04:00
Dan Walsh
042e3a325f Don't check md5 size or mtime on certain config files 2011-10-12 15:42:07 -04:00
Dan Walsh
2f4dfeb425 Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00
Dan Walsh
6554bb3cca Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:46:26 -04:00
Dan Walsh
2a89dffbb5 Shrink size of policy through use of attributes for userdomain and apache 2011-10-06 10:53:27 -04:00
Miroslav
1000555932 Fix spec file 2011-10-05 23:57:40 +02:00
Miroslav
54943f9472 - Allow virsh to read xenstored pid file
- Backport corenetwork fixes from upstream
- Do not audit attempts by thumb to search config_home_t dirs (~/.config)
- label ~/.cache/telepathy/logger telepathy_logger_cache_home_t
- allow thumb to read generic data home files (mime.type)
2011-10-05 23:48:25 +02:00
Dan Walsh
859ba0c85a Allow nmbd to manage sock file in /var/run/nmbd
ricci_modservice send syslog msgs
Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
Allow systemd_logind_t to manage /run/USER/dconf/user
2011-10-05 17:14:02 -04:00
Dan Walsh
14d7aac744 Fix missing patch from F16 2011-10-04 11:34:14 -04:00
Dan Walsh
f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron  is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00
Dan Walsh
e15ae4fa84 Fixes caused by the labeling of /etc/passwd
Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
2011-09-30 10:22:41 -04:00
Dan Walsh
a004ca8c3a Fixes caused by the labeling of /etc/passwd 2011-09-29 13:50:39 -04:00
Miroslav
0247247d56 +- Add support for Clustered Samba commands
+- Allow ricci_modrpm_t to send log msgs
+- move permissive virt_qmf_t from virt.te to permissivedomains.te
+- Allow ssh_t to use kernel keyrings
+- Add policy for libvirt-qmf and more fixes for linux containers
+- Initial Polipo
+- Sanlock needs to run ranged in order to kill svirt processes
+- Allow smbcontrol to stream connect to ctdbd
2011-09-29 16:25:09 +02:00
Dan Walsh
4d24861bc2 Add label for /etc/passwd 2011-09-28 16:18:43 -04:00
Miroslav
1b20a51a85 Add grub.patch 2011-09-28 01:09:22 +02:00
Dan Walsh
24b80bf8d9 Make unconfined domains permissive for rawhide
Add definition for ephermeral ports
2011-09-27 10:16:54 -04:00
Miroslav
02a8a402a1 - Make mta_role() active
- Allow asterisk to connect to jabber client port
- Allow procmail to read utmp
- Add NIS support for systemd_logind_t
- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled a
- Fix systemd_manage_unit_dirs() interface
- Allow ssh_t to manage directories passed into it
- init needs to be able to create and delete unit file directories
- Fix typo in apache_exec_sys_script
- Add ability for logrotate to transition to awstat domain
2011-09-26 12:32:44 +02:00
Miroslav Grepl
1aafd0f4bc Fix spec file 2011-09-23 17:59:34 +02:00
Miroslav Grepl
031161f80b Fix spec file 2011-09-23 17:58:45 +02:00
Miroslav
f9c350238c +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
+- Add SELinux support for ssh pre-auth net process in F17
+- Add logging_syslogd_can_sendmail boolean
2011-09-23 13:57:44 +02:00
Dan Walsh
747b715541 Add definition for ephemeral ports
Define user_tty_device_t as a customizable_type
2011-09-21 08:39:14 -04:00
Miroslav
dec0110c4c - Needs to require a new version of checkpolicy
- Interface fixes
2011-09-20 16:24:24 +02:00
Miroslav
40af2abfd0 - Allow sanlock to manage virt lib files
- Add virt_use_sanlock booelan
- ksmtuned is trying to resolve uids
- Make sure .gvfs is labeled user_home_t in the users home directory
- Sanlock sends kill signals and needs the kill capability
- Allow mockbuild to work on nfs homedirs
- Fix kerberos_manage_host_rcache() interface
- Allow exim to read system state
2011-09-16 15:09:15 +02:00
Dan Walsh
a59df1059d Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-09-15 08:58:51 -04:00
Dan Walsh
9c4a933844 Make seusers config noreplace 2011-09-15 08:58:37 -04:00
Miroslav
b3edab31fb - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files
- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t
2011-09-14 16:11:08 +02:00
Miroslav
e8563b3245 +- Allow collectd to read hardware state information
+- Add loop_control_device_t
+- Allow mdadm to request kernel to load module
+- Allow domains that start other domains via systemctl to search unit dir
+- systemd_tmpfiles, needs to list any file systems mounted on /tmp
+- No one can explain why radius is listing the contents of /tmp, so we will dontaudit
+- If I can manage etc_runtime files, I should be able to read the links
+- Dontaudit hostname writing to mock library chr_files
+- Have gdm_t setup labeling correctly in users home dir
+- Label content unde /var/run/user/NAME/dconf as config_home_t
+- Allow sa-update to execute shell
+- Make ssh-keygen working with fips_enabled
+- Make mock work for staff_t user
+- Tighten security on mock_t
2011-09-13 16:17:16 +02:00
Miroslav
b1448b79b1 Fix typo in spec file 2011-09-09 13:31:15 +02:00
Miroslav
116a117fba - removing unconfined_notrans_t no longer necessary
- Clean up handling of secure_mode_insmod and secure_mode_policyload
- Remove unconfined_mount_t
2011-09-09 13:28:28 +02:00
Miroslav
5b0c573864 - Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy
- sssd need to search /var/cache/krb5rcache directory
- Allow corosync to relabel own tmp files
- Allow zarafa domains to send system log messages
- Allow ssh to do tunneling
- Allow initrc scripts to sendto init_t unix_stream_socket
- Changes to make sure dmsmasq and virt directories are labeled corr
- Changes needed to allow sysadm_t to manage systemd unit files
- init is passing file descriptors to dbus and on to system daemons
- Allow sulogin additional access Reported by dgrift and Jeremy Mill
- Steve Grubb believes that wireshark does not need this access
- Fix /var/run/initramfs to stop restorecon from looking at
- pki needs another port
- Add more labels for cluster scripts
- Allow apps that manage cgroup_files to manage cgroup link files
- Fix label on nfs-utils scripts directories
- Allow gatherd to read /dev/rand and /dev/urand
2011-09-06 13:51:30 +02:00
Miroslav
392fd7310f - pki needs another port
- Add more labels for cluster scripts
- Fix label on nfs-utils scripts directories
- Fixes for cluster
- Allow gatherd to read /dev/rand and /dev/urand
- abrt leaks fifo files
2011-08-31 22:51:47 +02:00
Dan Walsh
e6877a0621 Add glance policy
Allow mdadm setsched
/var/run/initramfs should not be relabeled with a restorecon run
memcache can be setup to override sys_resource
Allow httpd_t to read tetex data
Allow systemd_tmpfiles to delete kernel modules left in /tmp directory.
2011-08-31 09:25:39 -04:00
Miroslav
1c136fe943 - Allow Postfix to deliver to Dovecot LMTP socket
- Ignore bogus sys_module for lldpad
- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock
- systemd_logind_t sets the attributes on usb devices
- Allow hddtemp_t to read etc_t files
- Add permissivedomains module
- Move all permissive domains calls to permissivedomain.te
- Allow pegasis to send kill signals to other UIDs
2011-08-29 14:07:18 +02:00
Miroslav
2f3d113f19 - Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
2011-08-24 10:24:46 +02:00
Dan Walsh
22a1cfd7d6 Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten 2011-08-23 13:59:04 -04:00
Dan Walsh
ba2e58cd41 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-08-23 13:54:26 -04:00
Dan Walsh
39eb9ea8c1 Make users_extra and seusers.final into config no replace so semanage users and semanage login files do not get overwritten 2011-08-23 13:54:16 -04:00
Miroslav
24041fb3a0 - Add policy for sa-update being run out of cron jobs
- Add create perms to postgresql_manage_db
- ntpd using a gps has to be able to read/write generic tty_device_t
- If you disable unconfined and unconfineduser, rpm needs more privs to ma
- fix spec file
- Remove qemu_domtrans_unconfined() interface
- Make passenger working together with puppet
- Add init_dontaudit_rw_stream_socket interface
- Fixes for wordpress
2011-08-23 11:03:30 +02:00
Dan Walsh
5d837b2d13 Do not do preinstall if there is not previous install 2011-08-22 16:30:00 -04:00
Miroslav
8d13f53c05 - Turn on allow_domain_fd_use boolean on F16
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Add abrt_handle_event_t domain for ABRT event scripts
- Labeled /usr/sbin/rhnreg_ks as rpm_exec_t and added changes related to this change
- Allow httpd_git_script_t to read passwd data
- Allow openvpn to set its process priority when the nice parameter is used
2011-08-11 16:50:01 +02:00
Dan Walsh
10f0de0090 livecd fixes
spec file fixes
2011-08-10 14:00:28 -04:00
Dan Walsh
8a78e8623e Cleanup spec file to remove rpmnew files 2011-08-05 16:16:08 -04:00
Miroslav
913fabe1c8 - fetchmail can use kerberos
- ksmtuned reads in shell programs
- gnome_systemctl_t reads the process state of ntp
- dnsmasq_t asks the kernel to load multiple kernel mod
- Add rules for domains executing systemctl
- Bogus text within fc file
2011-08-04 22:32:55 +02:00
Dan Walsh
41a18182a5 storage should be in base 2011-08-03 16:21:21 -04:00
Dan Walsh
8becfd3523 Add cfengine policy 2011-08-03 10:22:38 -04:00
Miroslav
2aa62d446f - Add abrt_domain attribute
- Allow corosync to manage cluster lib files
- Allow corosync to connect to the system DBUS
2011-08-02 21:35:30 +02:00
Miroslav
58f5509584 - More fixes of rules which cause an explosion in rules by Dan Walsh 2011-07-29 14:18:40 +02:00
Miroslav
0c240d9a87 - Allow rcsmcertd to perform DNS name resolution
- Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts
- Allow tmux to run as screen
- New policy for collectd
- Allow gkeyring_t to interact with all user apps
- Add rules to allow firstboot to run on machines with the unconfined.pp module
2011-07-26 17:21:09 +02:00
Miroslav
f5593ed9be - Allow systemd_logind to send dbus messages with users
- allow accountsd to read wtmp file
- Allow dhcpd to get and set capabilities
2011-07-23 09:10:19 +02:00
Miroslav
6e9c2276f7 - Fix oracledb_port definition
- Allow mount to mounton the selinux file system
- Allow users to list /var directories
2011-07-22 12:37:49 +02:00
Miroslav
273e934611 systemd fixes 2011-07-21 17:22:47 +02:00
Miroslav
2ed5289fc9 - Add initial policy for abrt_dump_oops_t
- xtables-multi wants to getattr of the proc fs
- Smoltclient is connecting to abrt
- Dontaudit leaked file descriptors to postdrop
- Allow abrt_dump_oops to look at kernel sysctls
- Abrt_dump_oops_t reads kernel ring buffer
- Allow mysqld to request the kernel to load modules
- systemd-login needs fowner
- Allow postfix_cleanup_t to searh maildrop
2011-07-19 17:44:23 +02:00
Miroslav Grepl
805cc3bcdf - Initial systemd_logind policy
- Add policy for systemd_logger and additional proivs for systemd_logind
- More fixes for systemd policies
2011-07-18 08:17:03 +02:00
Miroslav Grepl
2b7c0552d7 - Allow setsched for virsh
- Systemd needs to impersonate cups, which means it needs to create tcp_sock
- iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-mult
2011-07-14 18:49:37 +02:00
Miroslav Grepl
50f07b8abf Fix spec file 2011-07-12 14:59:13 +02:00
Miroslav Grepl
330eac5848 - A lot of users are running yum -y update while in /root which is causing ldc
- Allow colord to interact with the users through the tmpfs file system
- Since we changed the label on deferred, we need to allow postfix_qmgr_t to b
- Add label for /var/log/mcelog
- Allow asterisk to read /dev/random if it uses TLS
- Allow colord to read ini files which are labeled as bin_t
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
- Systemd needs to be able to create sock_files for every label in /var/run di
- Also lists /var and /var/spool directories
- Add openl2tpd to l2tpd policy
- qpidd is reading the sysfs file
2011-07-12 09:44:07 +02:00
Dan Walsh
fb5b77fade Fully path the semodule command 2011-07-01 06:35:11 -04:00
Miroslav Grepl
975370d58e - Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql dom
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
2011-06-30 17:55:41 +02:00
Miroslav Grepl
ade486af72 Update to upstream 2011-06-27 18:02:16 +02:00
Miroslav Grepl
2885bf8a6e - More fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git
2011-06-27 08:43:05 +02:00
Dan Walsh
7e1b615aa4 Next attempt at getting selinux-policy-* to work without rebuilding policy. 2011-06-16 12:01:25 -04:00
Dan Walsh
cf012ea57e Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-06-16 08:58:41 -04:00
Dan Walsh
8782a92ced Change required policycoreutils and libsemanage 2011-06-16 08:58:19 -04:00
Miroslav Grepl
4fb7b43f62 - Add dspam policy
- Add lldpad policy
- dovecot auth wants to search statfs #713555
- Allow systemd passwd apps to read init fifo_file
- Allow prelink to use inherited terminals
- Run cherokee in the httpd_t domain
- Allow mcs constraints on node connections
- Implement pyicqt policy
- Fixes for zarafa policy
- Allow cobblerd to send syslog messages
2011-06-16 10:42:42 +02:00
Dan Walsh
857c813190 Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. 2011-06-09 22:36:45 -04:00
Dan Walsh
d0597c1c15 apply merge 2011-06-08 12:17:39 -04:00
Miroslav Grepl
183e54f534 Old passanger module needs to be removed in spec file 2011-06-08 17:41:02 +02:00
Miroslav Grepl
d8b121329f - Fixes for zabbix
- init script needs to be able to manage sanlock_var_run_...
- Allow sandlock and wdmd to create /var/run directories...
- mixclip.so has been compiled correctly
- Fix passenger policy module name
2011-06-08 17:32:27 +02:00
Dan Walsh
5253d49ee9 Update from git 2011-06-07 14:43:31 -04:00
Miroslav Grepl
94cdbacbd8 - Add mailscanner policy from dgrift
- Allow chrome to optionally be transitioned to
- Zabbix needs these rules when starting the zabbix_server_mysql
- Implement a type for freedesktop openicc standard (~/.local/share/icc)
- Allow system_dbusd_t to read inherited icc_data_home_t files.
- Allow colord_t to read icc_data_home_t content. #706975
- Label stuff under /usr/lib/debug as if it was labeled under /
2011-06-07 18:12:04 +02:00
Dan Walsh
0535650520 Allow policy.VERSION and modules to ship with package 2011-06-07 11:09:32 -04:00
Miroslav Grepl
0e70f655b4 Fix spec file 2011-06-02 15:17:47 +02:00
Miroslav Grepl
a56fb9fa8f - Fixes for sanlock policy
- Fixes for colord policy
- Other fixes
       * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-06-02 15:16:46 +02:00
Miroslav Grepl
a8e065be61 - Add rhev policy module to modules-targeted.conf 2011-05-26 14:16:59 +02:00
Miroslav Grepl
ace25237f9 - Lot of fixes
* http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log
2011-05-24 16:38:28 +02:00
Dan Walsh
d97c92c34b New policy patch requires updated checkpolicy package 2011-05-23 18:27:11 -04:00
Miroslav Grepl
cb71de50e9 - Allow logrotate to execute systemctl
- Allow nsplugin_t to getattr on gpmctl
- Fix dev_getattr_all_chr_files() interface
- Allow shorewall to use inherited terms
- Allow userhelper to getattr all chr_file devices
- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
- Fix labeling for ABRT Retrace Server
2011-05-19 18:12:32 +02:00
Dan Walsh
7fbbd6f924 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-09 14:40:43 -04:00
Miroslav Grepl
27bf70c04e - Dontaudit sys_module for ifconfig
- Make telepathy and gkeyringd daemon working with confined users
- colord wants to read files in users homedir
- Remote login should be creating user_tmp_t not its own tmp files
2011-05-09 20:39:25 +00:00
Dan Walsh
ff120d7be5 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-06 10:51:56 -04:00
Miroslav Grepl
cfc00b53cb - Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer
- Fix boolean description
- Allow colord to getattr on /proc/scsi/scsi
- Add label for /lib/upstart/init
- Colord needs to list /mnt
2011-05-05 14:39:44 +00:00
Dan Walsh
e81c7996c4 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-05-03 16:37:04 -04:00
Miroslav Grepl
6347ee7725 - Forard port changes from F15 for telepathy
- NetworkManager should be allowed to use /dev/rfkill
- Fix dontaudit messages to say Domain to not audit
- Allow telepathy domains to read/write gnome_cache files
- Allow telepathy domains to call getpw
- Fixes for colord and vnstatd policy
2011-05-03 19:46:26 +00:00
Miroslav Grepl
b02295db9b - Allow init_t getcap and setcap
- Allow namespace_init_t to use nsswitch
- aisexec will execute corosync
- colord tries to read files off noxattr file systems
- Allow init_t getcap and setcap
2011-04-27 16:15:38 +00:00
Dan Walsh
99b2fe91aa Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-04-27 11:06:38 -04:00
Dan Walsh
402e7b8a4a Default telepath to allow it to connect to network ports 2011-04-21 18:26:23 -04:00
Miroslav Grepl
a8c63d7e69 - Add support for ABRT retrace server
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners
- Allow telepath_msn_t to read /proc/PARENT/cmdline
- ftpd needs kill capability
- Allow telepath_msn_t to connect to sip port
- keyring daemon does not work on nfs homedirs
- Allow $1_sudo_t to read default SELinux context
- Add label for tgtd sock file in /var/run/
- Add apache_exec_rotatelogs interface
- allow all zaraha domains to signal themselves, server writes to /tmp
- Allow syslog to read the process state
- Add label for /usr/lib/chromium-browser/chrome
- Remove the telepathy transition from unconfined_t
- Dontaudit sandbox domains trying to mounton sandbox_file_t, this is caused by fuse mounts
- Allow initrc_t domain to manage abrt pid files
- Add support for AEOLUS project
- Virt_admin should be allowed to manage images and processes
- Allow plymountd to send signals to init
- Change labeling of fping6
2011-04-21 16:35:40 +00:00
Dan Walsh
ff64d9c354 Accidently checked in my test spec file 2011-04-21 10:07:57 -04:00
Dan Walsh
bd16f8dd70 Readd my patch 2011-04-19 11:36:13 -04:00
Dan Walsh
9bd1686ff7 Move to version 26 of policy 2011-04-19 11:34:24 -04:00
Miroslav Grepl
a357639bb0 - Fixes for zarafa policy
- Add support for AEOLUS project
- Change labeling of fping6
- Allow plymountd to send signals to init
- Allow initrc_t domain to manage abrt pid files
- Virt_admin should be allowed to manage images and processes
2011-04-19 13:53:55 +00:00
Dan Walsh
637b33d9f3 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-15 14:24:32 -04:00
Miroslav Grepl
6ac26422cc - xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemdctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port - Fixes for colord policy
2011-04-15 09:08:10 +00:00
Dan Walsh
e935d25737 Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts:
	selinux-policy.spec
2011-04-12 10:57:09 -04:00
Dan Walsh
826311d497 Testing 2011-04-11 17:06:55 -04:00
Miroslav Grepl
1b7c8fcdf6 - Add Dan's patch to remove 64 bit variants
- Allow colord to use unix_dgram_socket
- Allow apps that search pids to read /var/run if it is a lnk_file
- iscsid_t creates its own directory
- Allow init to list var_lock_t dir
- apm needs to verify user accounts auth_use_nsswitch
- Add labeling for systemd unit files
- Allow gnomeclok to enable ntpd service using systemctl - systemd_syst
- Add label for matahari-broker.pid file
- We want to remove untrustedmcsprocess from ability to read /proc/pid
- Fixes for matahari policy
- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
2011-04-11 07:58:00 +00:00
Dan Walsh
86354fa4cc Remove lib64 mapping and use subs. change subs name to file_context.subs_dist 2011-04-05 15:30:24 -04:00
Miroslav Grepl
2130480ad3 - Fix typo 2011-04-05 09:38:41 +00:00
Miroslav Grepl
397c1e2d5c - Add /var/run/lock /var/lock definition to file_contexts.subs
- nslcd_t is looking for kerberos cc files
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow sysadm_t to set attributes on fixed disks
- allow user domains to execute lsof and look at application sockets
- prelink_cron job calls telinit -u if init is rewritten
- Fixes to run qemu_t from staff_t
2011-04-04 23:41:02 +00:00
Dan Walsh
568f781d20 Update to latest versions and change policy version 2011-04-04 16:50:06 -04:00
Miroslav Grepl
81c96b1880 comment out the sepolgen line 2011-04-04 20:43:56 +00:00
Miroslav Grepl
aaa0ee57f3 comment out the sepolgen line 2011-04-04 20:33:32 +00:00
Miroslav Grepl
68129209ed comment out the sepolgen line 2011-04-04 20:16:34 +00:00
Miroslav Grepl
fb7e97f251 - Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
2011-04-04 17:35:35 +00:00
Miroslav Grepl
a7705c54e1 - Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy
2011-04-01 16:12:27 +00:00
Miroslav Grepl
36d3f31dcf - Allow $1_sudo_t and $1_su_t open access to user terminals
- Allow initrc_t to use generic terminals
- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
-systemd is going to be useing /run and /run/lock for early bootup files.
- Fix some comments in rlogin.if
- Add policy for KDE backlighthelper
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- setroubleshoot reads executables to see if they have TEXTREL
- Add /var/spool/audit support for new version of audit
- Remove kerberos_connect_524() interface calling
- Combine kerberos_master_port_t and kerberos_port_t
- systemd has setup /dev/kmsg as stderr for apps it executes
- Need these access so that init can impersonate sockets on unix_dgram_socket
2011-03-25 14:54:13 +00:00
Miroslav Grepl
47d5c167a8 - Remove some unconfined domains
- Remove permissive domains
- Add policy-term.patch from Dan
2011-03-23 23:53:27 +00:00
Miroslav Grepl
7c23cf73df Fix multiple specification for boot.log 2011-03-17 16:01:12 +00:00
Miroslav Grepl
f5eb99f70b - devicekit leaks file descriptors to setfiles_t
- Change all all_nodes to generic_node and all_if to generic_if
- Should not use deprecated interface
- Switch from using all_nodes to generic_node and from all_if to generic_if
- Add support for xfce4-notifyd
- Fix file context to show several labels as SystemHigh
- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
- Add etc_runtime_t label for /etc/securetty
- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
- login.krb needs to be able to write user_tmp_t
- dirsrv needs to bind to port 7390 for dogtag
- Fix a bug in gpg policy
- gpg sends audit messages
- Allow qpid to manage matahari files
2011-03-17 15:46:18 +00:00
Miroslav Grepl
af4c0d3f1e - Initial policy for matahari
- Add dev_read_watchdog
- Allow clamd to connect clamd port
- Add support for kcmdatetimehelper
- Allow shutdown to setrlimit and sys_nice
- Allow systemd_passwd to talk to /dev/log before udev or syslog is runni
- Purge chr_file and blk files on /tmp
- Fixes for pads
- Fixes for piranha-pulse
- gpg_t needs to be able to encyprt anything owned by the user
2011-03-15 20:59:57 +00:00
Miroslav Grepl
f7f5ca9228 +- mozilla_plugin_tmp_t needs to be treated as user tmp files
+- More dontaudits of writes from readahead
+- Dontaudit readahead_t file_type:dir write, to cover up kernel bug
+- systemd_tmpfiles needs to relabel faillog directory as well as the file
+- Allow hostname and consoletype to r/w inherited initrc_tmp_t files handline hostname >> /tmp/myhost
2011-03-10 22:02:46 +00:00
Miroslav Grepl
8d54634624 - Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
2011-03-10 12:46:20 +00:00
Miroslav Grepl
9b89d85005 Fix minimum policy 2011-03-08 18:36:28 +00:00
Miroslav Grepl
6726024e43 Update to upstream 2011-03-08 18:28:56 +00:00
Miroslav Grepl
781f349e05 - gpg_t needs to talk to gnome-keyring
- nscd wants to read /usr/tmp->/var/tmp to generate randomziation in unixchkpwd
- enforce MCS labeling on nodes
- Allow arpwatch to read meminfo
- Allow gnomeclock to send itself signals
- init relabels /dev/.udev files on boot
- gkeyringd has to transition back to staff_t when it runs commands in bin_t or shell_
- nautilus checks access on /media directory before mounting usb sticks, dontaudit acc
- dnsmasq can run as a dbus service, needs acquire service
- mysql_admin should  be allowed to connect to mysql service
- virt creates monitor sockets in the users home dir
2011-03-01 17:08:45 +00:00
Miroslav Grepl
c34a0c5248 - Allow usbhid-ups to read hardware state information
- systemd-tmpfiles has moved
- Allo cgroup to sys_tty_config
- For some reason prelink is attempting to read gconf settings
- Add allow_daemons_use_tcp_wrapper boolean
- Add label for ~/.cache/wocky to make telepathy work in enforcing mode
- Add label for char devices /dev/dasd*
- Fix for apache_role
- Allow amavis to talk to nslcd
- allow all sandbox to read selinux poilcy config files
- Allow cluster domains to use the system bus and send each other dbus messages
2011-02-21 21:46:58 +00:00
Miroslav Grepl
7288282fd4 - Update to upstream 2011-02-16 18:45:08 +00:00
Dennis Gilmore
60e174d11c - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 07:08:32 -06:00
Dan Walsh
d3861ceab3 - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
2011-02-08 18:00:22 -05:00
Dan Walsh
812781becc - Update to ref policy
- cgred needs chown capability
- Add /dev/crash crash_dev_t
2011-02-08 17:50:40 -05:00
Miroslav Grepl
f12703ea7e - New labeling for postfmulti #675654
- dontaudit xdm_t listing noxattr file systems
- dovecot-auth needs to be able to connect to mysqld via the network as well as locally
- shutdown is passed stdout to a xdm_log_t file
- smartd creates a fixed disk device
- dovecot_etc_t contains a lnk_file that domains need to read
- mount needs to be able to read etc_runtim_t:lnk_file since in rawhide this is a link created at boot
2011-02-08 12:43:56 +00:00
Miroslav Grepl
19cd669e5e - syslog_t needs syslog capability
- dirsrv needs to be able to create /var/lib/snmp
- Fix labeling for dirsrv
- Fix for dirsrv policy missing manage_dirs_pattern
- corosync needs to delete clvm_tmpfs_t files
- qdiskd needs to list hugetlbfs
- Move setsched to sandbox_x_domain, so firefox can run without network access
- Allow hddtemp to read removable devices
- Adding syslog and read_policy permissions to policy
       * syslog
               Allow unconfined, sysadm_t, secadm_t, logadm_t
       * read_policy
               allow unconfined, sysadm_t, secadm_t, staff_t on Targeted
               allow sysadm_t (optionally), secadm_t on MLS
- mdadm application will write into /sys/.../uevent whenever arrays are
assembled or disassembled.
2011-02-03 18:30:25 +00:00
Dan Walsh
731e693460 - Add tcsd policy 2011-02-01 16:45:17 -05:00
Dan Walsh
0e793cf10b Merge branches 'master', 'master', 'master' and 'master' of ssh://pkgs.fedoraproject.org/selinux-policy 2011-02-01 16:08:31 -05:00
Miroslav Grepl
ebce355dea - ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Allow dbus to use setrlimit to increase resoueces
- Mozilla_plugin is leaking to sandbox
- Allow confined users  to connect to lircd over unix domain stream socket whic
- Allow awstats to read squid logs
- seunshare needs to manage tmp_t
- apcupsd cgi scripts have a new directory
2011-02-01 18:30:35 +00:00
Dan Walsh
6b3837d6e4 stop relabeling /var/lib 2011-01-27 14:29:13 -05:00
Miroslav Grepl
73e5debe55 - Fix xserver_dontaudit_read_xdm_pid
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
       * These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
- Allow readahead to manage readahead pid dirs
- Allow readahead to read all mcs levels
- Allow mozilla_plugin_t to use nfs or samba homedirs
2011-01-27 18:13:11 +00:00
Miroslav Grepl
3c70739f2c - Allow nagios plugin to read /proc/meminfo
- Fix for mozilla_plugin
- Allow samba_net_t to create /etc/keytab
- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wt
- nslcd can read user credentials
- Allow nsplugin to delete mozilla_plugin_tmpfs_t
- abrt tries to create dir in rpm_var_lib_t
- virt relabels fifo_files
- sshd needs to manage content in fusefs homedir
- mock manages link files in cache dir
2011-01-25 17:44:14 +00:00
Miroslav Grepl
0ababf8492 - nslcd needs setsched and to read /usr/tmp
- Invalid call in likewise policy ends up creating a bogus role
- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
- Allow screen to create screen_home_t in /root
- dirsrv sends syslog messages
- pinentry reads stuff in .kde directory
- Add labels for .kde directory in homedir
- Treat irpinit, iprupdate, iprdump services with raid policy
2011-01-21 17:24:28 +00:00
Miroslav Grepl
408ea919b7 - NetworkManager wants to read consolekit_var_run_t
- Allow readahead to create /dev/.systemd/readahead
- Remove permissive domains
- Allow newrole to run namespace_init
2011-01-19 18:43:03 +00:00
Miroslav Grepl
ac028b8413 Fix release 2011-01-18 11:00:30 +00:00
Miroslav Grepl
a34c78a0fd - Add sepgsql_contexts file 2011-01-18 10:28:56 +00:00
Miroslav Grepl
86b1f12f92 - Update to upstream 2011-01-17 18:42:12 +00:00
Miroslav Grepl
f16c69cb48 - Add oracle ports and allow apache to connect to them if the connect_db boole
- Add puppetmaster_use_db boolean
- Fixes for zarafa policy
- Fixes for gnomeclock poliy
- Fix systemd-tmpfiles to use auth_use_nsswitch
2011-01-17 17:47:06 +00:00
Miroslav Grepl
116d73139a - gnomeclock executes a shell
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstatiated homedir
- Fixes for namespace policy and other fixes related to polyinstantiation
- Add namespace policy
- Allow dovecot-deliver transition to sendmail which is needed by sieve scri
- Fixes for init, psad policy which relate with confined users
- Do not audit bootloader attempts to read devicekit pid files
- Allow nagios service plugins to read /proc
2011-01-14 17:48:34 +00:00
Miroslav Grepl
b1863350de - Add firewalld policy
- Allow vmware_host to read samba config
- Kernel wants to read /proc Fix duplicate grub def in cobbler
- Chrony sends mail, executes shell, uses fifo_file and reads /proc
- devicekitdisk getattr all file systems
- sambd daemon writes wtmp file
- libvirt transitions to dmidecode
2011-01-11 13:44:47 +00:00
Miroslav Grepl
b559c4ec49 - Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t
- Allow users to communicate with the gpg_agent_t
- Dontaudit mozilla_plugin_t using the inherited terminal
- Allow sambagui to read files in /usr
- webalizer manages squid log files
- Allow unconfined domains to bind ports to raw_ip_sockets
- Allow abrt to manage rpm logs when running yum
- Need labels for /var/run/bittlebee
- Label .ssh under amanda
- Remove unused genrequires for virt_domain_template
- Allow virt_domain to use fd inherited from virtd_t
- Allow iptables to read shorewall config
2011-01-05 10:08:57 +00:00
Dan Walsh
b96903aaa0 - Gnome apps list config_home_t
- mpd creates lnk files in homedir
- apache leaks write to mail apps on tmp files
- /var/stockmaniac/templates_cache contains log files
- Abrt list the connects of mount_tmp_t dirs
- passwd agent reads files under /dev and reads utmp file
- squid apache script connects to the squid port
- fix name of plymouth log file
- teamviewer is a wine app
- allow dmesg to read system state
- Stop labeling files under /var/lib/mock so restorecon will not go into this
- nsplugin needs to read network state for google talk
2010-12-28 15:41:30 -05:00
Dan Walsh
ef836a9861 - New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
2010-12-22 16:12:41 -05:00
Miroslav Grepl
d980545506 - Update to upstream
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
2010-12-21 09:32:36 +00:00
Miroslav Grepl
d6c5f3679b Update to upstream 2010-12-20 17:43:48 +00:00
Dan Walsh
f3f61efb0b - Update selinux policy to handle new /usr/share/sandbox/start script 2010-12-16 11:25:39 -05:00
Miroslav Grepl
0ba6b243f7 - Update to upstream
- Fix version of policy in spec file
2010-12-15 11:03:25 +00:00
Miroslav Grepl
1adb28c6ec - Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
- remove per sandbox domains devpts types
- Allow dkim-milter sending signal to itself
2010-12-14 19:49:10 +00:00
Dan Walsh
25660bf875 - Allow domains that transition to ping or traceroute, kill them
- Allow user_t to conditionally transition to ping_t and traceroute_t
- Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
2010-12-13 17:11:28 -05:00
Miroslav Grepl
3c0b9eac8c - Turn on systemd policy
- mozilla_plugin needs to read certs in the homedir.
- Dontaudit leaked file descriptors from devicekit
- Fix ircssi to use auth_use_nsswitch
- Change to use interface without param in corenet to disable unlabelednet
- Allow init to relabel sockets and fifo files in /dev
- certmonger needs dac* capabilities to manage cert files not owned by root
- dovecot needs fsetid to change group membership on mail
- plymouthd removes /var/log/boot.log
- systemd is creating symlinks in /dev
- Change label on /etc/httpd/alias to be all cert_t
2010-12-13 18:56:13 +00:00
Miroslav Grepl
b04a855a22 - Fixes for clamscan and boinc policy
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
2010-12-10 13:55:11 +00:00
Miroslav Grepl
c2ad3681fa - Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy
2010-12-07 17:51:16 +00:00
Miroslav Grepl
7b62a83f6b - Fixes for lvm to work with systemd 2010-12-07 15:10:29 +00:00
Miroslav Grepl
151160499d - Fix the label for wicd log
- plymouthd creates force-display-on-active-vt file
- Allow avahi to request the kernel to load a module
- Dontaudit hal leaks
- Fix gnome_manage_data interface
- Add new interface corenet_packet to define a type as being an packet_type.
- Removed general access to packet_type from icecast and squid.
- Allow mpd to read alsa config
- Fix the label for wicd log
- Add systemd policy
2010-12-06 19:08:04 +00:00
Miroslav Grepl
a4f1f54302 - Fix gnome_manage_data interface
- Dontaudit sys_ptrace capability for iscsid
- Fixes for nagios plugin policy
2010-12-03 17:07:37 +00:00
Miroslav Grepl
09460452b6 - Fix cron to run ranged when started by init
- Fix devicekit to use log files
- Dontaudit use of devicekit_var_run_t for fstools
- Allow init to setattr on logfile directories
2010-12-02 18:21:58 +01:00
Dan Walsh
5bcd7aa5b3 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network
- Turn on sshd_forward_ports boolean by default
- Allow sysadmin to dbus chat with rpm
- Add interface for rw_tpm_dev
- Allow cron to execute bin
- fsadm needs to write sysfs
- Dontaudit consoletype reading /var/run/pm-utils
- Lots of new privs fro mozilla_plugin_t running java app, make mozilla_plugin
- certmonger needs to manage dirsrv data
- /var/run/pm-utils should be labeled as devicekit_var_run_t
2010-11-30 16:24:01 -05:00
Miroslav Grepl
954ef8ad92 - fixes to allow /var/run and /var/lock as tmpfs
- Allow chrome sandbox to connect to web ports
- Allow dovecot to listem on lmtp and sieve ports
- Allov ddclient to search sysctl_net_t
- Transition back to original domain if you execute the shell
2010-11-30 11:39:40 +00:00
Miroslav Grepl
b63541e55b - Remove duplicate declaration 2010-11-25 16:53:58 +00:00
Miroslav Grepl
05f913e88b - Update to upstream
- Cleanup for sandbox
- Add attribute to be able to select sandbox types
2010-11-25 12:21:34 +00:00
Miroslav Grepl
3daa6c760b - Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
2010-11-22 12:12:57 +01:00
Dan Walsh
d6719f6ecb - Put back in lircd_etc_t so policy will install 2010-11-18 16:27:30 -05:00
Miroslav Grepl
4eb45ebeaa - Turn on allow_postfix_local_write_mail_spool
- Allow initrc_t to transition to shutdown_t
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Login programs have to read /etc/samba
- New programs under /lib/systemd
- Abrt needs to read config files
2010-11-18 17:37:29 +01:00
Miroslav Grepl
582d2c5d2c - Update to upstream
- Dontaudit leaked sockets from userdomains to user domains
- Fixes for mcelog to handle scripts
- Apply patch from Ruben Kerkhof
- Allow syslog to search spool dirs
2010-11-16 09:46:19 +01:00
Miroslav Grepl
cbb8d59931 - Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
2010-11-15 18:27:23 +01:00
Dan Walsh
763342ad3a - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
- Fix xserver interface
- Fix definition of /var/run/lxdm
2010-11-12 11:08:35 -05:00
Dan Walsh
519b05a70f - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t 2010-11-12 10:59:01 -05:00
Dan Walsh
50dacaca09 - kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
2010-11-12 09:56:06 -05:00
Miroslav Grepl
9238df00c5 - Turn on mediawiki policy
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
2010-11-12 13:47:15 +01:00
Dan Walsh
7297a334b4 - Fix init to be able to relabel wtmp, tmp files 2010-11-10 14:39:23 -05:00
Miroslav Grepl
5d168a352b - Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy
- Allow mpd to be able to read samba/nfs files
2010-11-10 11:04:39 +01:00
Dan Walsh
ded1efb9d8 - Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t
- mount wants to setattr on all mountpoints
- dovecot auth wants to read dovecot etc files
- nscd daemon looks at the exe file of the comunicating daemon
- openvpn wants to read utmp file
- postfix apps now set sys_nice and lower limits
- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
- Also resolves nsswitch
- Fix labels on /etc/hosts.*
- Cleanup to make upsteam patch work
- allow abrt to read etc_runtime_t
2010-11-09 17:41:15 -05:00
Dan Walsh
fc9bf2f03d - Add conflicts for dirsrv package 2010-11-09 07:55:52 -05:00
Dan Walsh
3e0b7834a6 - Update to upstream
- Add vlock policy
2010-11-05 14:22:36 -04:00
Dan Walsh
6e50b74774 - Update to upstream
- Add vlock policy
2010-11-05 12:40:49 -04:00
Dan Walsh
06262c1566 - Update to upstream
- Add vlock policy
2010-11-05 12:40:07 -04:00
Dan Walsh
c52856e6d8 - Fix sandbox to work on nfs homedirs
- Allow cdrecord to setrlimit
- Allow mozilla_plugin to read xauth
- Change label on systemd-logger to syslogd_exec_t
- Install dirsrv policy from dirsrv package
2010-11-05 07:32:45 -04:00
Dan Walsh
9896599663 - 2010-11-02 17:07:21 -04:00
Dan Walsh
9754f472c7 - Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon
2010-11-01 14:37:25 -04:00
Dan Walsh
7a208696f9 - Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*
2010-10-28 15:55:48 -04:00
Dan Walsh
2bb6181f15 - Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot
2010-10-22 16:35:00 -04:00
Dan Walsh
bac270827d - Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
2010-10-22 08:26:00 -04:00
Dan Walsh
4da7659056 - Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs. 2010-10-18 13:18:55 -04:00
Dan Walsh
c849c84305 - Allow cobblerd to list cobler appache content 2010-10-15 11:35:17 -04:00
Dan Walsh
d33e644851 - Fixup for the latest version of upowed
- Dontaudit sandbox sending SIGNULL to desktop apps
2010-10-15 10:26:39 -04:00
Dan Walsh
618ed7aec9 - Update to upstream 2010-10-13 10:00:44 -04:00
Dan Walsh
5a152bc135 - Update to upstream 2010-10-12 16:47:46 -04:00
Dan Walsh
f0a56ee31d -Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
- dovecot-auth_t needs ipc_lock
- gpm needs to use the user terminal
- Allow system_mail_t to append ~/dead.letter
- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
- Add pid file to vnstatd
- Allow mount to communicate with gfs_controld
- Dontaudit hal leaks in setfiles
2010-10-12 16:10:57 -04:00
Dan Walsh
dd20c25744 Rebuild with latest code 2010-10-08 17:00:50 -04:00
Dan Walsh
6f934680a8 - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
- Update to upstream
2010-10-07 14:55:49 -04:00
Dan Walsh
6f256d240d - Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
2010-10-07 09:59:45 -04:00
Dan Walsh
0daa8b731a - Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
- Allow mozilla_plugin_t to connecto its parent
- Allow init_t to connect to plymouthd running as kernel_t
- Add mediawiki policy
- dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
- Disable transition from dbus_session_domain to telepathy for F14
- Allow boinc_project to use shm
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
2010-10-07 09:19:43 -04:00
Dan Walsh
b1cbbd0768 - Start adding support for use_fusefs_home_dirs
- Add /var/lib/syslog directory file context
- Add /etc/localtime as locale file context
2010-10-04 14:50:39 -04:00
Dan Walsh
fbd9ca071a - Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user
- Allow sudo to send signals to any domains the user could have transitioned to.
- Passwd in single user mode needs to talk to console_device_t
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
- locate tried to read a symbolic link, will dontaudit
- New labels for telepathy-sunshine content in homedir
- Google is storing other binaries under /opt/google/talkplugin
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
- modemmanger and bluetooth send dbus messages to devicekit_power
- Samba needs to getquota on filesystems labeld samba_share_t
2010-10-01 12:06:09 -04:00
Dan Walsh
5ae8fb66d8 - Dontaudit attempts by xdm_t to write to bin_t for kdm
- Allow initrc_t to manage system_conf_t
2010-09-30 09:50:49 -04:00
Dan Walsh
7c487e9739 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
- Allow confined users to read xdm_etc_t files
- Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:31:36 -04:00
Dan Walsh
e25799116a - Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
2010-09-24 12:03:50 -04:00
Dan Walsh
42c814d215 - Cleanup policy via dgrift
- Allow dovecot_deliver to append to inherited log files
- Lots of fixes for consolehelper
2010-09-23 17:40:24 -04:00
Dan Walsh
1d153ea0ea - Fix up Xguest policy 2010-09-22 18:36:47 -04:00
Dan Walsh
ea3b7b5dff - Add vnstat policy
- allow libvirt to send audit messages
- Allow chrome-sandbox to search nfs_t
2010-09-16 18:00:00 -04:00
Dan Walsh
a24e6a6700 - Update to upstream 2010-09-16 07:59:03 -04:00
Dan Walsh
ba8c31f5cd - Allow all domains that can use cgroups to search tmpfs_t directory
- Allow init to send audit messages
2010-09-14 16:16:56 -04:00
Dan Walsh
a0e8efd42c - Update to upstream 2010-09-13 16:17:15 -04:00
Dan Walsh
30a7d17203 - Add policy for ajaxterm 2010-09-09 09:58:12 -04:00
Dan Walsh
6e2d7f3a82 - Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
2010-09-08 21:24:49 -04:00
Dan Walsh
64d84cf8ec Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd
label vlc as an execmem_exec_t
Lots of fixes for mozilla_plugin to run google vidio chat
Allow telepath_msn to execute ldconfig and its own tmp files
Fix labels on hugepages
Allow mdadm to read files on /dev
Remove permissive domains and change back to unconfined
Allow freshclam to execute shell and bin_t
Allow devicekit_power to transition to dhcpc
Add boolean to allow icecast to connect to any port
2010-09-08 14:17:07 -04:00
Dan Walsh
482c9f3ad9 - Merge upstream fix of mmap_zero
- Allow mount to write files in debugfs_t
- Allow corosync to communicate with clvmd via tmpfs
- Allow certmaster to read usr_t files
- Allow dbus system services to search cgroup_t
- Define rlogind_t as a login pgm
2010-09-02 13:43:28 -04:00
Dan Walsh
a7a2367a59 - Merge with upstream 2010-08-30 17:34:52 -04:00
Dan Walsh
6578cf7413 - More access needed for devicekit
- Add dbadm policy
2010-08-30 11:58:36 -04:00
Dan Walsh
ba77266a14 - Merge with upstream 2010-08-26 20:35:53 -04:00
Dan Walsh
370d04ed3c - Allow seunshare to fowner 2010-08-25 09:45:26 -04:00
Dan Walsh
cc138e86b5 - Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
- Add sysv file system
- Turn unconfined domains to permissive to find additional avcs
2010-08-24 22:48:06 -04:00
Dan Walsh
63265668f0 - Update policy for mozilla_plugin_t 2010-08-23 18:01:46 -04:00
Dan Walsh
eee39f9d8e - Allow clamscan to read proc_t
- Allow mount_t to write to debufs_t dir
- Dontaudit mount_t trying to write to security_t dir
2010-08-23 17:29:52 -04:00
Dan Walsh
19988ca76d - Allow clamscan_t execmem if clamd_use_jit set
- Add policy for firefox plugin-container
2010-08-20 09:36:56 -04:00
Dan Walsh
3798ee962a - label dead.letter as mail_home_t 2010-08-17 07:22:11 -04:00
Dan Walsh
922cd61e83 * Tue Aug 10 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
2010-08-11 07:55:04 -04:00
Daniel J Walsh
d4bb132c2e - Merge in fixes from dgrift repository 2010-07-27 20:34:21 +00:00