Commit Graph

2209 Commits

Author SHA1 Message Date
Chris PeBenito e4f73afb8e gpg patch from dan 2009-07-21 10:07:38 -04:00
Chris PeBenito 5271dd30bc module version bump for 9b1907b217 2009-07-21 10:07:10 -04:00
Chris PeBenito 9b1907b217 add pulseaudio from dan. 2009-07-21 10:05:38 -04:00
Chris PeBenito 7395f80119 ppp patch from dan 2009-07-20 15:41:19 -04:00
Chris PeBenito 4aa075262a kerberos patch from dan 2009-07-20 15:41:08 -04:00
Chris PeBenito 8f17f7c2ee dnsmasq patch from dan. 2009-07-20 15:40:57 -04:00
Chris PeBenito 93d300831d dhcp patch from dan 2009-07-20 15:40:41 -04:00
Chris PeBenito af5374d3a5 policykit.if whitespace fix 2009-07-20 11:37:22 -04:00
Chris PeBenito adea587572 4 patches from dan. 2009-07-20 11:34:46 -04:00
Chris PeBenito edb7b90d89 add kismet and pulseaudio ports. fix sorting of ports. 2009-07-20 11:17:31 -04:00
Chris PeBenito dc0ab0f0c3 changelog for previous commit 2009-07-20 11:16:22 -04:00
Chris PeBenito 9e90ce33db add policykit from dan. 2009-07-20 11:15:09 -04:00
Chris PeBenito b67201eae7 fix bad varnishd interface names 2009-07-20 09:44:25 -04:00
Chris PeBenito 7694abdff7 module version bump for f2583aa83b 2009-07-15 09:30:08 -04:00
Manoj Srivastava f2583aa83b Remove duplicate distro_redhat context
A recent update added an generic context for the lock files, so the
entry in distro_redhat can be removed.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-07-15 09:27:36 -04:00
Chris PeBenito ce6fee6575 5 patches from dan 2009-07-14 10:30:22 -04:00
Chris PeBenito 10b03f376b three debian patches from manoj 2009-07-14 09:05:59 -04:00
Chris PeBenito 84d88df579 trunk: fix typo in guest role decl. 2009-07-08 15:23:29 +00:00
Chris PeBenito 9ac9739087 trunk: update policycaps comments for sock_file open perm. 2009-07-01 13:34:54 +00:00
Chris PeBenito bb88161284 trunk: 3 patches from dan. 2009-06-30 19:27:21 +00:00
Chris PeBenito 45b975db5b trunk: add missing varnish port. 2009-06-30 17:48:15 +00:00
Chris PeBenito 50824a99ca trunk: pads from dan. 2009-06-30 15:03:20 +00:00
Chris PeBenito 46e2fa6d39 trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00
Chris PeBenito 267d9c60c5 trunk: varnishd from dan. 2009-06-30 13:49:53 +00:00
Chris PeBenito 3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito 20272c2b27 trunk: 7 patches from dan. 2009-06-26 13:22:39 +00:00
Chris PeBenito c989807d4a trunk: nis patch from dan. 2009-06-25 15:16:29 +00:00
Chris PeBenito c017ee17ab trunk: add sssd from dan. 2009-06-22 15:33:21 +00:00
Chris PeBenito 26410ddf54 trunk: remove unnecessary semicolons after interface/template calls. 2009-06-19 13:52:33 +00:00
Chris PeBenito c9c0d846de trunk: Greylist milter from Paul Howarth. 2009-06-18 14:36:35 +00:00
Chris PeBenito c7dc1c7222 trunk: Allow unix_update to change the security attributes associate with files so
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.
2009-06-18 13:57:26 +00:00
Chris PeBenito df28a0c444 trunk: Misc fixes for unix_update from Brandon Whalen. 2009-06-18 13:36:40 +00:00
Chris PeBenito 95ea7d6986 trunk: Add x_device permissions for XI2 functions, from Eamon Walsh. 2009-06-18 13:07:23 +00:00
Chris PeBenito 45515556d4 trunk: 10 patches from dan. 2009-06-12 19:44:10 +00:00
Chris PeBenito 30425aa876 trunk: 1 patch from dan. 2009-06-12 15:30:15 +00:00
Chris PeBenito a65fd90a50 trunk: 6 patches from dan. 2009-06-11 15:00:48 +00:00
Chris PeBenito 731008ad85 trunk: 2 patches from dan. 2009-06-08 17:18:26 +00:00
Chris PeBenito 16fd1fd814 trunk: MLS constraints for the x_selection class, from Eamon Walsh. 2009-06-05 13:36:19 +00:00
Chris PeBenito cca4a215fe trunk: add gpsd from miroslav grepl 2009-06-02 14:28:40 +00:00
Chris PeBenito e127fb698d trunk: missed UBAC change: update securetty_types for merged user tty type. 2009-06-01 17:41:34 +00:00
Chris PeBenito 63f0a71c8a trunk: 9 patches from dan. 2009-06-01 16:03:42 +00:00
Chris PeBenito 22894e33c4 trunk: add libjackserver.so textrel fc. 2009-06-01 13:04:40 +00:00
Chris PeBenito 996779dfad trunk:
The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.

The current security policy does not allow them to import/export any
largeobjects without any clear reason.

NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.

KaiGai Kohei
2009-05-22 13:37:32 +00:00
Chris PeBenito e0ea7b15ca trunk:
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.

The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.

In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.

The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.

KaiGai Kohei
2009-05-21 11:49:33 +00:00
Chris PeBenito a01a4a7183 trunk:
OK, the attached patch adds the following types for unprivileged clients.
 - unpriv_sepgsql_table_t
 - unpriv_sepgsql_sysobj_t
 - unpriv_sepgsql_proc_exec_t
 - unpriv_sepgsql_blob_t

These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.

In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.

KaiGai Kohei
2009-05-21 11:28:14 +00:00
Chris PeBenito 80348b73a0 trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
Chris PeBenito a47eb527e5 trunk: whitespace fix for squid.fc. 2009-05-11 12:07:07 +00:00
Chris PeBenito 350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito da3ed0667f trunk: lircd from miroslav grepl 2009-05-06 15:09:46 +00:00
Chris PeBenito c0f5fa011a trunk: whitespace fixes. 2009-05-06 14:44:57 +00:00