Commit Graph

377 Commits

Author SHA1 Message Date
Chris PeBenito
b60df9f57d Getty patch from Dan Walsh. 2010-03-19 11:05:56 -04:00
Chris PeBenito
1fa92b8a55 Sysnetwork patch from Dan Walsh. 2010-03-18 15:40:04 -04:00
Chris PeBenito
ddd786e404 Init patch from Dan Walsh. 2010-03-18 10:19:49 -04:00
Chris PeBenito
153ed8751a Authlogin patch from Dan Walsh. 2010-03-18 08:59:25 -04:00
Chris PeBenito
4fbcd778de Iptables patch from Dan Walsh. 2010-03-18 08:10:21 -04:00
Chris PeBenito
a124c0a81f Udev patch from Dan Walsh. 2010-03-17 15:17:48 -04:00
Chris PeBenito
7a8807b627 Logging patch from Dan Walsh. 2010-03-17 14:40:06 -04:00
Chris PeBenito
90e65feca5 Ipsec patch from Dan Walsh. 2010-03-17 13:52:07 -04:00
Chris PeBenito
d13c6758a4 Modutils patch from Dan Walsh. 2010-03-17 11:59:14 -04:00
Chris PeBenito
827060cb04 Style fixes and module version bumps for 38fc1bd. 2010-03-17 09:28:18 -04:00
Dominick Grift
38fc1bd180 Likewise policy.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
2f0e3a4e7e Raid patch from Dan Walsh. 2010-03-09 15:33:29 -05:00
Chris PeBenito
30496b1575 Iscsi and tgtd patches from Dan Walsh. 2010-03-09 15:17:16 -05:00
Chris PeBenito
939eaf2f13 Fstools patch from Dan Walsh. 2010-03-09 14:32:17 -05:00
Chris PeBenito
d0a6df5c47 Miscfiles patch from Dan Walsh. 2010-03-09 10:44:55 -05:00
Chris PeBenito
1112a5bc20 Module version bump for be47d75. 2010-03-04 09:18:04 -05:00
Jeremy Solt
4d2680e508 hotplug transition to brctl from Dan Walsh 2010-03-04 09:18:04 -05:00
Chris PeBenito
402bbb9fe9 Improve documentation of udev_read_db(). 2010-03-03 14:16:36 -05:00
Chris PeBenito
b675cec7f8 Improve documentation of seutil_sigchld_newrole(). 2010-03-03 14:16:22 -05:00
Chris PeBenito
a6bafb5a25 Module version bump for bf530f5. 2010-03-03 13:11:58 -05:00
Dominick Grift
bf530f532c Various permission set fixes.
Fix various interfaces to use permission sets for compatiblity with open permission.

Also use other permission sets where possible just because applicable permissions sets are available and the use of permission sets is encourage generally for compatibility.

The use of exec_file_perms permission set may be not be a good idea though since it may be a bit too coarse.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-03 13:10:55 -05:00
Chris PeBenito
b58db31da6 Improve the documentation of application_domain(). 2010-03-03 10:37:58 -05:00
Chris PeBenito
d24a7df15c Improve the documentation of auth_use_nsswitch(). 2010-03-03 10:37:37 -05:00
Dominick Grift
4cb24aed7b Fix userdom_write_user_tmp_sockets to use write_sock_file_perms to allow domains to open user_tmp_t sock_files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-03 10:31:56 -05:00
Chris PeBenito
c46376e665 Improve documentation for userdomain interfaces:
userdom_use_user_terminals()
userdom_dontaudit_search_user_home_dirs()
userdom_dontaudit_use_unpriv_user_fds()
2010-03-02 14:01:10 -05:00
Chris PeBenito
42f1b11482 Module version bump for 03dd57f. 2010-03-01 13:34:10 -05:00
Dominick Grift
03dd57fe7b Fix auth_domtrans_chk_passwd to use read_file_perms to surpress open AVC denials.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-01 13:30:28 -05:00
Chris PeBenito
5fb5bf2686 Additional docs for logging_log_filetrans(). 2010-03-01 10:38:24 -05:00
Chris PeBenito
14e543cb1c Improve the documentation of unconfined_domain(). 2010-02-26 13:47:17 -05:00
Chris PeBenito
45185c0783 Improve the documentation of logging_log_file() and logging_log_filetrans(). 2010-02-26 09:34:41 -05:00
Chris PeBenito
13f000d2ef Improve the documentation of:
init_script_file()
init_daemon_domain()
init_system_domain()
init_ranged_daemon_domain()
init_ranged_system_domain()
init_use_fds()
2010-02-25 16:00:58 -05:00
Chris PeBenito
d6887176c1 Improve sysnet_read_config() documentation. 2010-02-25 13:54:34 -05:00
Chris PeBenito
81a0fb4024 Switch sysnet_use_portmap(), sysnet_use_ldap(), and sysnet_dns_name_resolve() to use sysnet_read_config() rather thane explicit type usage. 2010-02-25 13:53:52 -05:00
Chris PeBenito
6e48775f75 Improve documentation on logging_send_syslog_msg(). 2010-02-24 15:56:05 -05:00
Chris PeBenito
611bc9311d Improve documentation on miscfiles_read_localization(). 2010-02-24 14:56:07 -05:00
Chris PeBenito
72295e93e1 Qemu patch from Dan Walsh. 2010-02-19 10:15:19 -05:00
Chris PeBenito
2f84a77d22 Syslog fixes from Gentoo. 2010-02-17 20:33:53 -05:00
Chris PeBenito
8b8501991e Clean up leaked portage file descriptors. 2010-02-17 20:33:31 -05:00
Chris PeBenito
2c05132062 Utmp fix from Gentoo. 2010-02-17 20:31:46 -05:00
Chris PeBenito
72c8a37c2b Setfiles fix from Gentoo. 2010-02-17 20:30:42 -05:00
Chris PeBenito
679a63d09f Mount usbfs fix from Gentoo. 2010-02-17 20:30:13 -05:00
Chris PeBenito
aadcb968f9 Move netlink route sockets from nsswitch to DNS name resolve. 2010-02-17 20:28:59 -05:00
Chris PeBenito
c3c753f786 Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users. 2010-02-11 14:20:10 -05:00
Chris PeBenito
16412e2ff9 Merge branch 'master' of git+ssh://cpebenito@oss.tresys.com/home/git/refpolicy 2010-02-08 14:47:06 -05:00
Chris PeBenito
27eab81f2f Misc fixes for 1031ee6. 2010-02-08 13:38:48 -05:00
Chris PeBenito
7d2f96783c Module version number bump for 1031ee6. 2010-02-08 13:37:42 -05:00
Dominick Grift
1031ee6f6a Implement cobblerd policy.
My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.

Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t.

As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.

Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-02-08 12:56:01 -05:00
Chris PeBenito
2d743657f4 Userdomain patch from Stefan Schulze Frielinghaus. 2010-02-08 11:43:44 -05:00
Chris PeBenito
22a2874dbf Add dbadm, from KaiGai Kohei. 2010-02-08 10:34:08 -05:00
Chris PeBenito
7491a9ed62 Iptables and modutils patches from Dan Walsh. 2009-12-01 09:23:11 -05:00
Chris PeBenito
0cad9a734e RAID patch from Dan Walsh. 2009-11-25 11:17:19 -05:00
Chris PeBenito
77c71b54e5 Fstools and Xen patches from Dan Walsh. 2009-11-25 10:27:31 -05:00
Chris PeBenito
e21162e471 Kdump reads the kernel core. 2009-11-25 10:04:40 -05:00
Chris PeBenito
837163cfe7 UDEV patch from Dan Walsh. 2009-11-25 09:44:14 -05:00
Chris PeBenito
832c1be4ca IPSEC patch from Dan Walsh. 2009-11-24 14:09:10 -05:00
Chris PeBenito
5ed061769e Application patch from Dan Walsh. 2009-11-24 11:48:39 -05:00
Chris PeBenito
dccbb80cb0 Whitespace cleanup. 2009-11-24 11:11:38 -05:00
Chris PeBenito
0f982dada2 ISCSI patch from Dan Walsh. 2009-11-24 11:08:22 -05:00
Chris PeBenito
0a119a0142 Setrans patch from Dan Walsh. 2009-11-24 09:41:03 -05:00
Chris PeBenito
bd34ef71df LVM patch from Dan Walsh. 2009-11-24 09:19:45 -05:00
Chris PeBenito
9dfdd48fec Miscfiles patch from Dan Walsh. 2009-11-24 09:04:48 -05:00
Chris PeBenito
ed3a1f559a bump module versions for release. 2009-11-17 10:05:56 -05:00
Chris PeBenito
e6d8fd1e50 additional cleanup for e877913. 2009-11-11 11:28:50 -05:00
Craig Grube
e8779130bf adding puppet configuration management system
Signed-off-by: Craig Grube <Craig.Grube@cobham.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-11-11 08:37:16 -05:00
Chris PeBenito
625be1b4e6 add shorewall from dan. 2009-09-02 08:58:52 -04:00
Chris PeBenito
71965a1fc5 add kdump from dan. 2009-09-02 08:33:25 -04:00
Chris PeBenito
a9e9678fc7 kismet patch from dan. 2009-08-31 09:38:47 -04:00
Chris PeBenito
aaff2fcfcd module version number bump for tun patches 2009-08-31 09:17:31 -04:00
Chris PeBenito
0be901ba40 rename admin_tun_type to admindomain. 2009-08-31 09:03:51 -04:00
Chris PeBenito
bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore
9dc3cd1635 refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00
Chris PeBenito
4279891d1f patch from Eamon Walsh to remove useage of deprecated xserver interfaces. 2009-08-28 13:40:29 -04:00
Chris PeBenito
93c49bdb04 deprecate userdom_xwindows_client_template
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
2009-08-28 13:29:36 -04:00
Chris PeBenito
fef5dcf3af Remove excessive permissions in logging_send_syslog_msg(). Ticket #14. 2009-08-26 10:05:36 -04:00
Chris PeBenito
e27827b86c split dev_create_cardmgr_dev() into a create and a filetrans interface. 2009-08-25 09:56:56 -04:00
Chris PeBenito
b2648249d9 Fix unconfined_r use of unconfined_java_t.
The unconfined role is running java in the unconfined_java_t.  The current
policy only has a domtrans interface, so the unconfined_java_t domain is not
added to unconfined_r.  Add a run interface and change the unconfined module
to use this new interface.
2009-08-17 13:19:26 -04:00
Chris PeBenito
97e42114db remove redundant xen_append_log() call in hostname. 2009-08-11 14:19:38 -04:00
Chris PeBenito
e51390dfcb fix refpolicy ticket #48. 2009-08-10 11:14:03 -04:00
Chris PeBenito
9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito
d69616c625 fix ordering in sysnetwork. 2009-08-05 10:23:50 -04:00
Chris PeBenito
48bf6397fc fix ordering in raid. 2009-08-05 10:19:28 -04:00
Chris PeBenito
4b218bd646 fix ordering in pcmcia. 2009-08-05 10:18:31 -04:00
Chris PeBenito
f0e959b4d2 fix ordering in mount. 2009-08-05 10:16:41 -04:00
Chris PeBenito
54327d48ee fix ordering in modutils. 2009-08-05 10:15:45 -04:00
Chris PeBenito
568efbe895 fix ordering of interface calls in lvm. 2009-08-05 10:07:35 -04:00
Chris PeBenito
8cd1306e5b fix ordering of interface calls in locallogin. 2009-08-05 10:06:04 -04:00
Chris PeBenito
e6985f91ab fix ordering of interface calls in iptables. 2009-08-05 10:04:13 -04:00
Chris PeBenito
464ffa57fd fix ordering of interface calls in init. 2009-08-05 10:01:06 -04:00
Chris PeBenito
14d282253f fix ordering of interface calls in hostname. 2009-08-05 09:57:14 -04:00
Chris PeBenito
5b5300c823 fix ordering of interface calls in getty. 2009-08-05 09:55:58 -04:00
Chris PeBenito
79ca728b5f fix ordering of interface calls in fstools. 2009-08-05 09:54:52 -04:00
Chris PeBenito
08638af216 fix ordering of interface calls in clock. 2009-08-05 09:52:34 -04:00
Chris PeBenito
2acba7bbdb fix ordering of interface calls in authlogin. 2009-08-05 09:51:47 -04:00
Chris PeBenito
4c92f08f75 openrc unfortunately mounts a tmpfs at /lib/rc 2009-07-30 08:57:15 -04:00
Chris PeBenito
cfdbf366cb gentoo init script system uses tmpfs for state data 2009-07-30 08:33:43 -04:00
Chris PeBenito
efa0acccea gentoo init script system sends audit messages. 2009-07-29 21:50:32 -04:00
Chris PeBenito
33322290f2 automount patch from dan. 2009-07-29 08:59:26 -04:00
Chris PeBenito
4083191c4b add missing userdom interfaces 2009-07-28 09:35:46 -04:00
Chris PeBenito
09516cb4be remove read_default_t tunable 2009-07-23 08:58:35 -04:00
Chris PeBenito
3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00