Commit Graph

1347 Commits

Author SHA1 Message Date
Jeremy Solt
46fc0d39e3 Policy for system-config-kdump gui from Dan Walsh
Edits:
 - removed gnome_dontaudit_search_config
 - removed userdom_dontaudit_search_admin_dir
 - whitespace and style fixes
2010-08-10 09:05:43 -04:00
Jeremy Solt
68e615ec5a system-config-samba dbus service policy from Dan Walsh 2010-08-09 09:37:29 -04:00
Jeremy Solt
c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito
00ca404a20 Remove unnecessary require on cgroup_admin(). 2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42 Whitespace fixes on cgroup. 2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4 Confine /sbin/cgclear.
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift
a0546c9d1c System layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Dominick Grift
288845a638 Services layer xml files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
97b990f86e Fix corecmd_dontaudit_exec_all_executables doc. 2010-08-05 09:24:41 -04:00
Dominick Grift
705f70f098 Kernel layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito
19ff03977d Fix usermanage_kill_passwd() parameter doc. 2010-08-05 08:56:31 -04:00
Dominick Grift
77e4b55f70 Admin layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:46:44 -04:00
Dominick Grift
03b86663f0 apps: domain { allowed to transition, allowed access, to not audit }.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito
8da88970be Accountsd cleanup. 2010-08-03 09:50:40 -04:00
Chris PeBenito
d0eebed0b7 Move accountsd to services. 2010-08-03 09:31:53 -04:00
Jeremy Solt
c4834a02d2 accountsd policy from Dan Walsh
Edits:
 - Removed accountsd_manage_var_lib
 - Removed optional block for xserver - these interfaces didn't exist
 - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
 - Whitespace and style fixes
2010-08-03 09:27:24 -04:00
Chris PeBenito
a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito
9d4395a736 MojoMojo from Lain Arnell. 2010-08-02 09:28:06 -04:00
Chris PeBenito
a72e42f485 Interface documentation standardization patch from Dan Walsh. 2010-08-02 09:22:09 -04:00
Chris PeBenito
27eeb649cc Virtio disk file context update from Mika Pfluger. 2010-08-02 08:33:41 -04:00
Mika Pflüger
b3f7203d6a Take virtio disks into account.
Signed-off-by: Mika Pflüger <debian@mikapflueger.de>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-08-02 08:25:14 -04:00
Chris PeBenito
64ef2df368 Module version bump for 5563d4c. 2010-07-22 09:13:11 -04:00
Jeremy Solt
5563d4c4d8 Removing seutil_domtrans_setsebool from anaconda patch - it doesn't exist 2010-07-22 08:49:32 -04:00
Jeremy Solt
b0a6f1b7c2 anaconda patch from Dan Walsh
- Did not include the change to unconfined_domain_noaudit
2010-07-22 08:49:32 -04:00
Chris PeBenito
21fdee9dd5 Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
We went back and reread the bindreservport code in glibc.

Turns out the range or ports that this will reserve are 512-1024 rather
then 600-1024.

The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.

So we need to change corenetwork to reflect this.
2010-07-19 14:22:44 -04:00
Chris PeBenito
29f3bfa464 Fix JIT usage for freshclam.
http://marc.info/?l=selinux&m=127893898208934&w=2
2010-07-13 08:39:54 -04:00
Dominick Grift
48c3c37cf2 Remove some redundant attributes from user_home_t.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-12 14:35:22 -04:00
Chris PeBenito
4b76ea5f51 Module version bump for fa1847f. 2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2 Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
f7ffe6c2a9 Add missing ubac constraints on pulseaudio. 2010-07-09 09:14:35 -04:00
Chris PeBenito
c14aebd032 Remove old rbacsep role statements. 2010-07-09 08:38:05 -04:00
Chris PeBenito
072857c425 VMWare patch from Dan Walsh. 2010-07-08 13:43:50 -04:00
Chris PeBenito
f1618ffc6f Whitespace fix in userhelper. 2010-07-08 10:56:15 -04:00
Chris PeBenito
b70dfcdf8f RPM patch from Dan Walsh. 2010-07-08 10:53:28 -04:00
Chris PeBenito
2d839c6791 Whitespace fixes in RPM. 2010-07-08 10:12:24 -04:00
Chris PeBenito
7e265a8abb Add shutdown from Dan Walsh. 2010-07-07 11:10:56 -04:00
Chris PeBenito
b841dffda1 Add livecd from Dan Walsh. 2010-07-07 10:28:25 -04:00
Chris PeBenito
08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito
3c4e9fce8e Make spamassassin optional for milter, from Russell Coker. 2010-07-07 08:55:57 -04:00
Chris PeBenito
bca0cdb86e Remove duplicate/redundant rules, from Russell Coker. 2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9 Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role(). 2010-07-06 13:17:05 -04:00
Chris PeBenito
a3b0dc5b3c GPG patch from Dan Walsh. 2010-07-06 10:58:40 -04:00
Chris PeBenito
3bcfe5beb7 Usermanage patch from Dan Walsh.
Broken leaks of sockets

useradd runs semanage for -Z.

passwd_t needs sys_nice

useradd run within a samba_controler needs to append to the samba log.
2010-07-06 10:56:20 -04:00
Chris PeBenito
cad4224e8e Guest patch from Dan Walsh.
Dominic asked to remove mono and java from guest_t
2010-07-06 08:35:56 -04:00
Chris PeBenito
ab62f3f1b1 Module version bump for a7521af. 2010-07-01 10:48:11 -04:00
Jeremy Solt
a7521af67d firstboot patch from Dan Walsh
- Did not include gnome_admin_home_gconf_filetrans
- Whitespace fixes
2010-07-01 10:36:31 -04:00
Dominick Grift
7e5463b58c fix cgroup_admin
When cgroup policy was merged, some changes were made. One of these changes was the renaming of the type for cgroup rules engine daemon configuration file. The cgroup_admin interface was not modified to reflect this change.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-01 09:02:58 -04:00
Chris PeBenito
caf1666dc1 Module version bump for 5f04c91. 2010-06-29 11:26:16 -04:00
Jeremy Solt
5f04c91f30 gitosis patch from Dan Walsh 2010-06-29 11:25:37 -04:00
Chris PeBenito
ab4f820548 Module version bump for b5d89d0. 2010-06-29 11:03:56 -04:00
Jeremy Solt
b5d89d0325 vpn patch from Dan Walsh
fixed gen_require in vpn_relabelfrom_tun_socket interface (wrong type)
removed userdom_read_home_certs (not in refpolicy)
2010-06-29 11:02:45 -04:00
Chris PeBenito
155635e33d Create_lnk_perms fix from Russell Coker.
Personally I'd rather dump all those old compatibility macros, make them all
just display a message indicating the new correct thing to do and abort the
build.  But if we are going to keep them then we need to update them and make
them work.

The attached patch adds write access to create_lnk_perms.
2010-06-28 09:33:17 -04:00
Chris PeBenito
113d2e023d Minor tweaks and module version bump for a00fc1c. 2010-06-25 09:51:34 -04:00
Dominick Grift
a00fc1c317 hddtemp fixes.
Clean up network control section.
Implement hddtemp_etc_t for /etc/sysconfig/hddtemp. The advantages are:
- hddtemp_t no longer needs access to read all generic etc_t files.
- allows us to implement a meaningful hddtemp_admin()

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-25 09:43:54 -04:00
Chris PeBenito
0cec649be7 WM patch from Dan Walsh.
Window manager policy changes needed for MLS policy.
2010-06-25 09:00:19 -04:00
Chris PeBenito
3c79f954d1 Rearrage interfaces in filesystem. 2010-06-22 10:17:42 -04:00
Chris PeBenito
eab2cc89b4 Slocate patch from Dan Walsh.
Locate attempts to look at network sate and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49 Qemu patch from Dan Walsh.
Fix qemu labeling.

Additional qemu interfaces

Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f Pulseaudio patch from Dan Walsh.
Dontaudit attempts to exec pulseaudio.  qemu does this and it causes
other avc's even though qemu can not use pulseaudio.

Allow other domains to use pulseiaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a Podsleuth patch from Dan Walsh.
podsleuth asks the kernel to load modules
Reads/write removable blk device.

Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Chris PeBenito
8a24097bff Mplayer patch from Dominick Grift through Dan Walsh. 2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb Mozilla patch from Dan Walsh.
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7 Cpufreqselector patch from Dan Walsh.
Needs to read localization
2010-06-21 09:03:11 -04:00
Chris PeBenito
a99f69fd0e Loadkeys patch from Dan Walsh.
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
e08ac5acb3 Vbetool patch from Dan Walsh.
vbetool needs mls overrides
2010-06-18 14:56:27 -04:00
Chris PeBenito
3835c39a13 Sudo patch from Dan Walsh.
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito
f7e3410aed Su patch from Dan Walsh.
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito
b9be5cccf1 Shorewall patch from Dan Walsh.
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito
5116faa198 Quota patch from Dan Walsh.
Quata needs to setshed on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito
a9ef84b578 Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib

dontaudit leaks from domains that transition

cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito
9a4d292902 Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.

Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito
10c0104066 Kismet patch from Dan Walsh.
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito
e89f04fd17 Mcelog patch from Dan Walsh.
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito
0e30bca6d9 Consoletype patch from Dan Walsh.
I am sick of every app in the known universe leaking socket descriptors.
  Dontaudit by default

consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito
88a574d373 Alsa patch from Dan Walsh
Alsa trys to talk to all types of terminals.  Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito
4db7790c60 Acct patch from Dan Walsh.
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00
Chris PeBenito
48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito
5c942ceb83 AFS patch from Dan Walsh. 2010-06-10 08:08:23 -04:00
Chris PeBenito
b521229560 Abrt patch from Dan Walsh.
Abrt uses /var/spool/abrt now and changed the name of its lock

Now uses a stream socket

Installs debuginfo packages

sys_nice itself
2010-06-10 07:58:00 -04:00
Chris PeBenito
48e0aa86c9 Files patch from Dan Walsh.
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter

Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito
135b1b4c54 Terminal patch from Dan Walsh. 2010-06-09 08:22:31 -04:00
Chris PeBenito
c54e7d63dc Module version bump for cgroup patchset. 2010-06-08 09:18:43 -04:00
Chris PeBenito
53f9abbe68 Clean up cgroup. Rename cgconfigparser to cgconfig. 2010-06-08 09:15:41 -04:00
Chris PeBenito
0041a78ef7 Remove cgroup_t usage in cgroup_admin() since it is not owned by the module. 2010-06-08 09:12:03 -04:00
Chris PeBenito
860c05d9de Rearrange cgroup interfaces in filesystem. 2010-06-08 09:10:45 -04:00
Chris PeBenito
04dcd73fe3 Whitespace fixes in cgroup and init. 2010-06-08 08:47:26 -04:00
Dominick Grift
e2b9add5f8 How users interact with cgroup.
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:33 -04:00
Dominick Grift
73f0985092 How libgroup init scripts interact with libcgroup.
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:29 -04:00
Dominick Grift
ddf821332f add libcg policy.
Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Dominick Grift
c0c635b3f3 cgroup in filesystem.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Chris PeBenito
60f04fcb7a Kernel patch from Dan Walsh.
Add ability to dontaudit requiests to load kernel modules.  If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.

Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito
fb7caddb4f Devices patch from Dan Walsh.
vhost_device_t added for libvirt/qemu

/dev/usbmon device added

lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito
46c0e57acf Corecommands patch from Dan Walsh.
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito
8f0de5df68 Storage patch from Dan Walsh.
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Chris PeBenito
2a29628e40 Fix duplicate lines in kudzu. 2010-05-26 08:26:50 -04:00
Chris PeBenito
29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito
91cbcc6602 Fix deprecated interface usage in rhel4 block in su.if. 2010-05-24 15:09:18 -04:00
Chris PeBenito
3d95ca2d82 Module version bump for 904f3d8. 2010-05-24 13:08:09 -04:00
Chris PeBenito
7934ac10d3 Module version bump for 1184392 and more.
* module version bump
* make apache and unconfined portions optiona
* rearrange lines
2010-05-24 13:08:09 -04:00
Chris PeBenito
ca28376c4d Module version bump for 7942f7f. 2010-05-24 13:08:09 -04:00
Chris PeBenito
bdf5e19931 Module version bump for 383bd32. 2010-05-24 13:08:09 -04:00
Chris PeBenito
213d35a07c Module version bump for 9e28f74. 2010-05-24 13:08:09 -04:00
Chris PeBenito
63583f4e29 Module version bump for f61ef24. 2010-05-24 13:08:09 -04:00
Chris PeBenito
c789f82bc5 Module version bump for d5170e5. 2010-05-24 13:08:09 -04:00
Chris PeBenito
d53a972879 Module version bump for cb1df6a. 2010-05-24 13:08:09 -04:00
Jeremy Solt
d8642cad29 readahead patch from Dan Walsh
Edits:
 - Removed files_dontaudit_read_security_files and fs_dontaudit_read_tmpfs_blk_dev interface calls
2010-05-24 13:08:08 -04:00
Chris PeBenito
fe74f71385 Fix deprecated interface usage that crept into lvm.if. 2010-05-24 13:08:08 -04:00
Chris PeBenito
ff1cae1f5e Move line in logrotate; module version bump. 2010-05-24 13:08:08 -04:00
Chris PeBenito
a107f875bd Remove redundant optional and libs_* calls in clogd. 2010-05-24 13:08:08 -04:00
Chris PeBenito
dcb7227286 Module version bump for 51ad76f. 2010-05-24 13:08:08 -04:00
Jeremy Solt
6430c79a29 whitespace fix for clogd 2010-05-24 13:08:08 -04:00
Jeremy Solt
6055ab8d1d clogd policy from Dan Walsh
edits:
 - style and whitespace fixes
 - removed read_lnk_files_pattern from shm interface
 - removed permissive line
2010-05-24 13:08:08 -04:00
Jeremy Solt
7a8e6a8fba whitespace fixes for cluster suite patch 2010-05-24 13:08:08 -04:00
Jeremy Solt
21d23c878e Removed unnecessary comments
Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces
2010-05-24 13:08:08 -04:00
Jeremy Solt
538cf9ab83 Redhat Cluster Suite Policy from Dan Walsh
Edits:
 - Style and whitespace fixes
 - Removed interfaces for default_t from ricci.te - this didn't seem right
 - Removed link files from rgmanager_manage_tmpfs_files
 - Removed rdisc.if patch. it was previously committed
 - Not including kernel_kill interface call for rgmanager
 - Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
 - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
2010-05-24 13:08:08 -04:00
Jeremy Solt
b8c9879a8c logrotate patch from Dan Walsh 2010-05-24 13:08:08 -04:00
Jeremy Solt
fdc0d0f77c vpn patch from Dan Walsh
Edits:
 - Removed userdom_read_home_certs
2010-05-24 13:08:08 -04:00
Jeremy Solt
37194ac055 dnsmasq patch from Dan Walsh
- cron_manage_pid_files call removed until further explanation
2010-05-24 13:08:07 -04:00
Jeremy Solt
2483d7ae56 Replace apache_delete_cache with apache_delete_cache_files in tmpreaper.te 2010-05-24 13:08:07 -04:00
Jeremy Solt
8daddcf37e tmpreaper patch from Dan Walsh 2010-05-24 13:08:07 -04:00
Jeremy Solt
7605d2738c Remove call to nagios_rw_inherited_tmp_files 2010-05-24 13:08:07 -04:00
Jeremy Solt
44dc1b9c21 netutils patch from Dan Walsh
Edits:
 - Dropping term_use_all_terms and user_ping tunables for ping and traceroute
 - Whitespace fixes
2010-05-24 13:08:07 -04:00
Jeremy Solt
4ac0cd30fa Remove nagios_rw_inherited_tmp_files interface 2010-05-24 13:08:07 -04:00
Jeremy Solt
99bbe34881 Nagios patch from Dan Walsh
Edits:
- Removed permissive lines
- Removed tunable for broken symptoms
- Style and whitespace fixes
2010-05-24 13:08:07 -04:00
Jeremy Solt
599e8ff702 Create type and allow squid to manage its own tmpfs files 2010-05-24 13:08:07 -04:00
Jeremy Solt
d86c09846b squid patch from Dan Walsh
Edits:
 - Added netport to corenetwork.te.in
2010-05-24 13:08:07 -04:00
Jeremy Solt
fb543d0df1 remove rules for nx_server_home_ssh_t since they are already provided by the ssh template 2010-05-24 13:08:07 -04:00
Jeremy Solt
316cdb1d0d nx patch from Dan Walsh
Edits:
 - Style and whitespace fixes
 - Removed read_lnk_files_pattern from nx_read_home_files
 - Delete declaration of nx_server_home_ssh_t and files_type since the template already does this
2010-05-24 13:08:07 -04:00
Chris PeBenito
d9e4cbd2ce Postfix patch from Dan Walsh. 2010-05-21 08:56:49 -04:00
Chris PeBenito
9fe1b540b8 Prelink patch from Dan Walsh. 2010-05-20 08:54:51 -04:00
Chris PeBenito
9ea85eaa8b Sendmail patch from Dan Walsh. 2010-05-20 08:36:38 -04:00
Chris PeBenito
b276e36914 Procmail patch from Dan Walsh. 2010-05-20 08:17:06 -04:00
Chris PeBenito
e19b8d1c2e MTA patch from Dan Walsh. 2010-05-19 09:00:39 -04:00
Chris PeBenito
088b65e52b SSH patch from Dan Walsh. 2010-05-19 08:31:17 -04:00
Chris PeBenito
4e698b0fca Cups patch from Dan Walsh. 2010-05-18 10:59:37 -04:00
Chris PeBenito
e2c9450235 Remove excessive permission in udev_manage_rules_files() and move the interface up in the .if file. Module version bump for d56b33a. 2010-05-18 10:28:17 -04:00
Chris Richards
d56b33a1e4 Create new interface and type for managing /etc/udev/rules.d
udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files.  This patch creates a type specifically for rules.d files, and an interface for managing them.  It also gives access to this type to initrc_t so that rules can be properly populated during startup.  This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-05-18 10:20:55 -04:00
Chris PeBenito
1b2f08ea10 Abrt patch from Dan Walsh. 2010-05-18 10:18:12 -04:00
Chris PeBenito
e9e43f04b3 Plymouthd policy from Dan Walsh. 2010-05-18 09:54:18 -04:00
Chris PeBenito
b0c2cae14a Hal patch from Dan Walsh.
Lots of random access for hal.
2010-05-18 09:06:36 -04:00
Chris PeBenito
2e4e39d26a Loadkeys patch from Dan Walsh. 2010-05-14 11:40:26 -04:00
Chris PeBenito
84940a0995 Java patch from Dan Walsh.
Additional java context

unconfined_Java apps needs to execmod any file since we do not know where the jave content will be labeled

We want unconfined java apps to transition to rpm when they execute rpm_exec_t.  To maintain proper labeling.
2010-05-14 10:40:59 -04:00
Chris PeBenito
299db7080c CVS patch from Dan Walsh.
cvs needs dac_override when it tries to read shadow
2010-05-14 10:24:11 -04:00
Chris PeBenito
bcc6e65421 SETroubleshoot patch from Dan Walsh.
Policy to handle the fixit button in setroubleshoot.
2010-05-13 13:22:53 -04:00
Chris PeBenito
ada61e1529 Asterisk patch from Dan Walsh.
asterisk_manage_lib_files(logrotate_t)
    asterisk_exec(logrotate_t)

Needs net_admin

Drops capabilities
connects to unix_stream

execs itself

Requests kernel load modules

Execs shells

Connects to postgresql and snmp ports

Reads urand and generic usb devices

Has mysql and postgresql back ends
sends mail
2010-05-13 11:35:58 -04:00
Chris PeBenito
24e0b9b3a4 Munin patch from Dan Walsh. 2010-05-13 11:20:54 -04:00
Chris PeBenito
16070400a8 RPM patch from Dan Walsh. 2010-05-11 11:11:40 -04:00
Chris PeBenito
27afb97c29 Minor fixes on a2524cf. Module version bump. 2010-05-11 08:33:04 -04:00
Chris PeBenito
aeb7a4e180 Whitespace fixes on cobbler. 2010-05-11 08:23:02 -04:00
Jeremy Solt
a2524cfa77 cobbler patch from Dan Walsh 2010-05-11 08:17:33 -04:00
Chris PeBenito
fb3fc9e4f0 Cyrus patch from Dan Walsh. 2010-05-03 15:14:50 -04:00
Chris PeBenito
4804cd43a0 Clamav patch from Dan Walsh. 2010-05-03 15:01:35 -04:00
Chris PeBenito
d8eb3c71c6 Dovecot patch from Dan Walsh. 2010-05-03 14:37:19 -04:00
Chris PeBenito
baea7b1dc6 Networkmanager patch from Dan Walsh. 2010-05-03 14:01:26 -04:00
Chris PeBenito
03a6e03926 Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t. 2010-05-03 11:17:16 -04:00
Chris PeBenito
a3108c60c0 Consolekit patch from Dan Walsh. 2010-05-03 10:21:48 -04:00
Chris PeBenito
b0076a1413 Arpwatch patch from Dan Walsh. 2010-05-03 09:49:33 -04:00
Chris PeBenito
98ac98623c Dbus patch from Dan Walsh. 2010-05-03 09:34:42 -04:00
Chris PeBenito
61738f11ec Devicekit patch from Dan Walsh. 2010-05-03 09:01:46 -04:00
Chris PeBenito
857d37e84a GPG patch from Dan Walsh. 2010-04-30 15:24:19 -04:00
Chris PeBenito
3b72786090 Add trusted object condition to unix socket connectto/sendto, to fix label translation. 2010-04-29 11:29:39 -04:00
Chris PeBenito
87a9469fc9 Add networking rules for spamd to connect to mysql/postgresql over the network, from Chris St. Pierre. 2010-04-27 10:31:47 -04:00
Chris PeBenito
45696ab282 Add missing secmark rules in ntop, from Dominick Grift. 2010-04-27 09:31:30 -04:00
Chris PeBenito
a53c6c65a4 FTP patch from Dan Walsh. 2010-04-26 15:15:23 -04:00
Chris PeBenito
d7ebbd9d22 Module version bump for 34838aa. 2010-04-26 13:40:21 -04:00
Jeremy Solt
34838aa62a Samba patch from Dan Walsh
- signal interfaces
 - fusefs support
 - bug 566984: getattrs on all blk and chr files

Did not include:
 - changes related to samba_unconfined_script_t and samba_unconfined_net_t
 - samba_helper_template (didn't appear to be used)
 - manage_lnk_files_pattern in samba_manage_var_files
 - signal allow rule in samba_domtrans_winbind_helper
 - samba_role_notrans
 - userdom_manage_user_home_content

Some style and spacing fixes
2010-04-26 13:28:21 -04:00
Chris Richards
9b3e798ea3 bootmisc init script, 2nd try
Allow to create /var/lock/.keep.  This prevents Portage from destroying /var/lock under certain conditions.  This patch is Gentoo specific.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-04-26 12:59:12 -04:00
Chris PeBenito
05a2e3e2d7 Lircd patch from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
e07fbc004d Add DenyHosts from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
44b3808ba5 Djbdns patch from Dan Walsh. 2010-04-26 12:59:02 -04:00
Chris PeBenito
4a8bd017aa Module version bump and extra comments for 194d61f. 2010-04-24 08:10:43 -04:00
Chris Richards
194d61fd3c modutils patch for update-modules
update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var.  This is never used by update-modules.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-04-24 08:08:15 -04:00
Chris PeBenito
78352db924 Module version bump for 8c38fba. 2010-04-24 08:07:51 -04:00
Chris Richards
8c38fba0f0 allow syslog-ng to setrlimit
syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-04-24 08:02:23 -04:00
Chris PeBenito
5c3274d7bf Module version bump for 4b121a5. 2010-04-19 10:23:11 -04:00
Chris PeBenito
46879922d8 Additional whitespace fix in nis. 2010-04-19 10:20:19 -04:00
Jeremy Solt
f49fc19e5a Style changes 2010-04-19 10:19:46 -04:00
Jeremy Solt
4b121a5f53 nis patch from Dan Walsh
Made a couple style changes.
Removed unnecessary require in nis_use_ypbind interface
2010-04-19 10:19:44 -04:00
Chris PeBenito
da5940411c Additional whitespace fixes in certmonger. 2010-04-19 10:17:24 -04:00
Jeremy Solt
0e5494a3d9 Fix some whitespace and style issues. 2010-04-19 10:07:20 -04:00
Jeremy Solt
33793ec2ce certmonger policy from Dan Walsh
Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues
2010-04-19 10:07:17 -04:00
Chris PeBenito
86ff008754 Module version bump for 4f7b413. 2010-04-19 10:05:22 -04:00
Jeremy Solt
e6e2a769ac Remove excess white space from ntop.te
Move ntop ports declaration to correct location.
2010-04-19 09:55:01 -04:00
Jeremy Solt
4f7b413cdc Ntop policy from Dan Walsh
Added alias for ntop_http_content_t in apache
Pulled in ntop port from corenetwork patch
2010-04-19 09:54:58 -04:00
Chris PeBenito
98759716fe Module version bump for 46e16a2. 2010-04-19 09:54:13 -04:00
Jeremy Solt
d86d4f6069 Move optional policy to correct location for style 2010-04-19 09:50:42 -04:00
Jeremy Solt
01bfe1d20e kerberos patch from Dan Walsh 2010-04-19 09:50:39 -04:00
Chris PeBenito
46e16a2d2a Use port range notation in corenetwork where it makes sense. 2010-04-13 11:55:04 -04:00
Chris PeBenito
3829eecb12 Clean up output of generated corenetwork.te. 2010-04-13 11:52:09 -04:00
Chris PeBenito
85e71c86da Fix network_port() in corenetwork to correctly handle port ranges. 2010-04-13 11:06:02 -04:00
KaiGai Kohei
ec8d32c8e9 [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.

In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.

And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
2010-04-12 10:37:21 -04:00
Chris PeBenito
23ad802a9d Module version bump for 5d3214f and 795b733. 2010-04-12 10:01:39 -04:00
Jeremy Solt
795b733a71 pcscd patch from Dan Walsh: manage pub files and fifo files 2010-04-12 09:10:37 -04:00
Jeremy Solt
5d3214f5a9 gpsd path from Dan Walsh 2010-04-12 09:07:50 -04:00
Chris PeBenito
e399e3abea Add devtmpfs labeling. 2010-04-07 08:55:33 -04:00
Dominick Grift
91b12ad94c Move kernel_request_load_module(gssd_t) to the proper place.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:22 -04:00
Dominick Grift
6d9925c872 Fix requires for apache tmp interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-04-06 15:05:12 -04:00
Chris PeBenito
b577852a98 Portreserve patch from Dan Walsh. 2010-04-05 14:50:23 -04:00
Chris PeBenito
38db49c545 PPP patch from Dan Walsh. 2010-04-05 14:38:30 -04:00
Chris PeBenito
372acd0037 Rpc patch from Dan Walsh. 2010-04-05 14:26:21 -04:00