Commit Graph

1836 Commits

Author SHA1 Message Date
Chris PeBenito 1409b86b02 Rename new xserver interfaces. 2012-10-19 08:52:58 -04:00
Chris PeBenito 9b6993158b Rearrange new xserver interfaces. 2012-10-19 08:49:43 -04:00
Dominick Grift 4034f4a4b4 Changes to the xserver policy module
These interfaces are needed by at least plymouth

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-19 08:48:12 -04:00
Mika Pflüger 8b1aa69f1f Debian locations of gvfs and kde4 libexec binaries in /usr/lib 2012-10-19 08:40:16 -04:00
Chris PeBenito e4f0112175 Module version bump for dhcp6 ports, from Russell Coker. 2012-10-19 08:39:02 -04:00
Russell Coker f9bee5a60b Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for client control
Client control is used by the wide dhcp6 client, which can be controlled
via dhcp6ctl. This works by communicating over port 5546.
2012-10-19 08:19:28 -04:00
Chris PeBenito 2f3035fb3b Module version bump for modutils patch from Dominick Grift. 2012-10-19 08:17:35 -04:00
Dominick Grift e74b098ca4 Changes to the modutils policy module
modutils_read_module_config() provides access to list modules_conf_t
directories so that we do not need a seperate
modutils_list_modules_config()

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-19 08:14:32 -04:00
Chris PeBenito afdb509245 Module version bump for changes from Dominick Grift and Sven Vermeulen. 2012-10-09 11:01:42 -04:00
Dominick Grift a63f5143ce Changes to the bootloader policy module
Add bootloader_exec() for kdumpgui

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:26:15 -04:00
Dominick Grift c667fa4a7d Changes to the userdomain policy module
Remove evolution and evolution alarm dbus chat from common user template
since callers of the evolution role are now allowed to dbus chat to
evolution and evolution alarm.

Common users need to be able to dbus chat with policykit and consolekit

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:25:29 -04:00
Sven Vermeulen 40c32b7a6a Allow search within postgresql var directory for the stream connect interface
Domains that are granted postgresql_stream_connect() need to be able to search
through the postgresql_var_run_t directory (in which the socket is located).

Update the interface to use the stream_connect_pattern definition to simplify
the interface and make it more readable.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-09 10:21:09 -04:00
Dominick Grift 4ea2bc7eba Changes to the sysnetwork policy module
dhcpc is a dbus_system_domain()

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:18:36 -04:00
Dominick Grift f3492a3a1e Declare a cslistener port type for phpfpm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:05:35 -04:00
Dominick Grift 1dc2705388 Restricted Xwindows user domains run windows managers in the windows managers domain
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-09 10:03:34 -04:00
Chris PeBenito d7f7136953 Module version bump for cachefiles core support. 2012-10-04 08:25:19 -04:00
Chris PeBenito 1391285cf8 Rename cachefiles_dev_t to cachefiles_device_t. 2012-10-04 08:24:57 -04:00
Dominick Grift 298d840e46 Implement files_create_all_files_as() for cachefilesd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-04 08:13:18 -04:00
Dominick Grift f8075ac60f Declare a cachfiles device node type
Used by kernel to communicate with user space (cachefilesd)
Label the character file accordingly

Create a dev_rw_cachefiles_dev() for cachefilesd

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-04 08:13:11 -04:00
Chris PeBenito 8bd7b0e1b9 Module version bump for srvloc port definition from Dominick Grift. 2012-10-02 10:35:29 -04:00
Dominick Grift b123010082 svrloc port type declaration from slpd policy module
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-02 10:33:55 -04:00
Chris PeBenito e036d3d694 Module version bump for ipsec net sysctls reading from Miroslav Grepl. 2012-10-02 10:15:31 -04:00
Miroslav Grepl 672f146fec Allow ipsec to read kernel sysctl 2012-10-02 10:14:44 -04:00
Chris PeBenito 99d1e6b9f1 Module verision bump for Debian cert file fc update from Laurent Bigonville. 2012-10-02 10:12:08 -04:00
Laurent Bigonville e5c59868be Add Debian location for PKI files 2012-10-02 10:10:59 -04:00
Chris PeBenito 9294b7d11f Module version bump for cfengine fc change from Dominick Grift. 2012-10-02 10:10:18 -04:00
Dominick Grift 111b0b3176 Remove var_log_t file context spec
The /var/cfengine/output location will be labeled in the forthcoming
cfengine policy module that will be ported from Fedora

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-02 10:09:33 -04:00
Chris PeBenito 75c6d0b8c3 Module version bump for kmod fc from Laurent Bigonville. 2012-10-02 10:08:41 -04:00
Chris PeBenito 071537fab5 split kmod fc into two lines. 2012-10-02 10:08:09 -04:00
Laurent Bigonville e57cb31d34 Add insmod_exec_t label for kmod executable
lsmod, rmmod, insmod, modinfo, modprobe and depmod are now symlinks to
the kmod executable
2012-10-02 09:59:28 -04:00
Chris PeBenito 7b4f78195f Update contrib. 2012-10-01 13:27:36 -04:00
Chris PeBenito 17b43a4d8b Update contrib. 2012-10-01 08:01:47 -04:00
Chris PeBenito 5b58ce70fd Module version bump for Debian file context updates from Laurent Bigonville. 2012-09-17 11:08:42 -04:00
Laurent Bigonville da349a2cfa Add Debian location for udisks helpers 2012-09-17 10:31:39 -04:00
Laurent Bigonville 31daa917db Add Debian locations for GDM 3 2012-09-17 10:31:38 -04:00
Chris PeBenito 0a0d071937 Module version bump for ports update from Dominick Grift. 2012-09-17 10:30:26 -04:00
Dominick Grift 53c8224fc4 Declare port types for ports used by Fedora but use /etc/services for port names rather than using fedora port names. If /etc/services does not have a port name for a port used by Fedora, skip for now.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-09-17 10:06:29 -04:00
Chris PeBenito 140cd7bb6d Module version bump for various changes from Sven Vermeulen. 2012-09-17 10:00:10 -04:00
Sven Vermeulen bd4af49996 Allow init scripts to read courier configuration
The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-09-17 09:31:44 -04:00
Sven Vermeulen a3ac9f6054 Gentoo's openrc does not require initrc_exec_t for runscripts anymore
The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-09-17 09:31:40 -04:00
Sven Vermeulen 074cfbeb5b Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.

Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.

Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-09-17 09:31:35 -04:00
Sven Vermeulen 9176e86474 Puppet uses mount output for verification
Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-09-17 09:31:32 -04:00
Chris PeBenito 6a6325a852 Turn off all tunables by default, from Guido Trentalancia. 2012-09-06 09:23:30 -04:00
Chris PeBenito 49a65c0e6f Module version bump for loop-control patch. 2012-09-05 13:45:48 -04:00
Dominick Grift d204c4cd07 Declare a loop control device node type and label /dev/loop-control accordingly
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-09-05 13:42:18 -04:00
Chris PeBenito 4a865b3830 Module version bump for lost+found labeling in /var/log from Guido Trentalancia. 2012-08-29 10:49:23 -04:00
Guido Trentalancia 06e2744b23 add lost+found filesystem labels to support NSA security guidelines
Add lost+found filesystem label to /var/log and /var/log/audit.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2012-08-29 10:41:32 -04:00
Chris PeBenito d38855ea95 Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. 2012-08-29 08:50:56 -04:00
Sven Vermeulen 258449bf2c Allow initrc_t to create run dirs for core modules
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-29 08:45:26 -04:00
Sven Vermeulen 7857ccdf21 Use the init_daemon_run_dir interface for udev
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-29 08:45:21 -04:00