RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,714 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

690 Commits

Author SHA1 Message Date
Chris PeBenito 05892ad6db Module version bump for 2 patches from Dominick Grift. 2013-12-20 14:56:07 -05:00
Dominick Grift 39f77972ab init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-20 14:47:27 -05:00
Dominick Grift f4a4074d33 init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-20 14:47:27 -05:00
Chris PeBenito 7725c1b677 Fix Debian compile issue. 2013-12-20 14:44:03 -05:00
Chris PeBenito aa3c38bedb Module version bump for 4 init patches from Dominick Grift. 2013-12-10 10:40:38 -05:00
Chris PeBenito 5c345460b1 init: creates /run/utmp 
Manually apply patch from Dominick Grift.
 2013-12-10 10:31:01 -05:00
Chris PeBenito 5cb20b443e init: init_script_domain() allow system_r role the init script domain type 
Manually apply patch from Dominick Grift.
 2013-12-10 10:30:09 -05:00
Chris PeBenito eb0dcf6f94 Whitespace fix in init.te. 2013-12-10 10:29:53 -05:00
Dominick Grift 75cca597f6 init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-10 10:29:53 -05:00
Dominick Grift 32d6aac409 init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-10 10:29:48 -05:00
Chris PeBenito b339b85001 Module version bump for patches from Dominick Grift. 2013-12-06 09:49:41 -05:00
Dominick Grift 8e01054f07 users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-06 08:48:09 -05:00
Chris PeBenito c7e2518162 Whitespace fix in libraries. 2013-12-06 08:48:04 -05:00
Dominick Grift b56ecb9d52 libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-06 08:47:53 -05:00
Dominick Grift e784e78825 iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian. 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-06 08:16:49 -05:00
Chris PeBenito 3208ff94c4 Module version bump for second lot of patches from Dominick Grift. 2013-12-03 13:03:35 -05:00
Dominick Grift 1b757c65cc udev: in debian udevadm is located in /bin/udevadm 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-03 11:34:15 -05:00
Chris PeBenito 3ee649f132 Add comment in policy for lvm sysfs write. 2013-12-03 10:54:22 -05:00
Dominick Grift 6905ddaa98 lvm: lvm writes read_ahead_kb 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-03 10:53:23 -05:00
Dominick Grift 198a6b2830 udev: udevd executable location changed 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-03 10:52:44 -05:00
Chris PeBenito 613100a7f4 Whitespace fix in fstools. 2013-12-03 10:39:51 -05:00
Dominick Grift 521bbf8586 These { read write } tty_device_t chr files on boot up in Debian 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-03 10:39:21 -05:00
Chris PeBenito ac22f3a48e setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian 
Access noted by Dominick Grift.
 2013-12-03 09:52:21 -05:00
Chris PeBenito 3b52b87615 Rearrage userdom_delete_user_tmpfs_files() interface. 2013-12-03 09:45:16 -05:00
Dominick Grift b0068ace7d userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-03 09:43:51 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 66c6b8a9f7 unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined) 
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:33 -05:00
Dominick Grift 4113f7b0d4 sshd/setrans: make respective init scripts create pid dirs with proper contexts 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:33 -05:00
Dominick Grift 012f1b2311 sysbnetwork: dhclient searches /var/lib/ntp 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:32 -05:00
Dominick Grift 6c19504654 sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:43:32 -05:00
Dominick Grift 3b6a8b0ee5 fstools: hdparm append (what seems inherited from devicekit ) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:54 -05:00
Dominick Grift 000397b217 udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:54 -05:00
Dominick Grift e7b86e07f2 setrans: mcstransd reads filesystems file in /proc 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:54 -05:00
Dominick Grift a0e88de5e5 authlogin: unix_chkpwd traverses / on sysfs device on Debian 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:54 -05:00
Dominick Grift ec54e42ed9 udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:53 -05:00
Dominick Grift 617e504c20 udev: this fc spec does not make sense, as there is no corresponding file type transition for it 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:53 -05:00
Dominick Grift 76e595794b mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-12-02 08:27:53 -05:00
Chris PeBenito 9d6546a472 Module version bumps for syslog-ng and semodule updates. 2013-11-13 09:27:21 -05:00
Chris PeBenito 9fcc6fe625 Add comments about new capabilities for syslogd_t. 2013-11-13 09:26:38 -05:00
Sven Vermeulen b00d94fb72 Allow capabilities for syslog-ng 
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:

 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]

Granting only setcap (initial AVC seen) does not fully help either:

 * Starting syslog-ng ...
 Error managing capability set, cap_set_proc returned an error;

With setcap and getcap enabled, syslog-ng starts and functions fine.

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2013-11-13 09:14:34 -05:00
Sven Vermeulen 2142e6e0cc Allow semodule to create symlink in semanage_store_t 
With new userspace, trying to build a SELinux policy (and load it)
fails:

~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).

AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
 2013-11-13 09:13:32 -05:00
Chris PeBenito eb4512f6eb Module version bump for dhcpc fixes from Dominick Grift. 2013-09-27 17:15:22 -04:00
Chris PeBenito f0e0066a7b Reorder dhcpc additions. 2013-09-27 17:15:02 -04:00
Dominick Grift b1599e01fe sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd) 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 17:13:12 -04:00
Chris PeBenito 20471346ed Silence symlink reading by setfiles since it doesn't follow symlinks anyway. 2013-09-27 17:09:43 -04:00
Chris PeBenito 57f00181ee Module version bump for mount updates from Dominick Grift. 2013-09-27 16:54:54 -04:00
Dominick Grift 85016ae811 mount: sets kernel thread priority mount: mount reads /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount points 
In debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 16:50:38 -04:00
Chris PeBenito b7b3b55280 Module version bumps for Debian udev updates from Dominick Grift. 2013-09-27 16:44:54 -04:00
Dominick Grift 0947e315ea udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates /run/avahi-daemon directory 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 16:40:09 -04:00
Chris PeBenito 24f4016ec5 Move stray Debian rule in udev. 2013-09-27 16:36:52 -04:00