2a4740c0a0
whitespace fixes in apt.
2009-07-29 15:24:52 -04:00
b5aaa7b72d
clean up 6a192f70d4
2009-07-29 15:12:48 -04:00
6a192f70d4
Update apt/aptitude policy to add support for lock/log files
...
Signed-off-by: Russell Coker <russell@coker.com.au>
Acked-By: Manoj Srivastava <srivasta@debian.org>
2009-07-29 15:00:39 -04:00
50458c8bb7
pull most of fedora changes to rpc.
2009-07-29 14:55:30 -04:00
0c89174f7f
pull most of fedora changes to samba.
2009-07-29 14:40:34 -04:00
105e85ac8e
/dev/fuse should be s0 not mls_high
...
> From my understanding of the FUSE website, the data from the userland FS
> is transferred through this device. Since the data may go up to system
> high, I believe the device should still be system high.
>
Making it systemhigh will generate lots of AVC messages on every login
at X Since fusefs is mounted at ~/.gfs. It will also make it unusable I
believe on an MLS machine. Mostly I have seen fusefs used for remote
access to data. sshfs for example.
2009-07-29 11:08:50 -04:00
363e8fb98a
pull in part of fedora mta changes
2009-07-29 10:59:09 -04:00
20c3ccee1a
add fprintd module from dan.
2009-07-29 10:28:31 -04:00
677c4c2fea
add devicekit module from dan.
2009-07-29 10:02:06 -04:00
4e7c0a93a6
consolekit patch from dan.
2009-07-29 09:13:54 -04:00
33322290f2
automount patch from dan.
2009-07-29 08:59:26 -04:00
8f3bddfbfd
cups patch from dan.
2009-07-28 15:46:26 -04:00
4be3e11094
pull in apache_admin() from fedora
2009-07-28 13:24:08 -04:00
91550027de
vmware patch from dan.
2009-07-28 11:37:34 -04:00
423a4a3a2c
fix dbus type transition conflict.
...
switch dbus ranged calls from daemon domain to system domain. This works
around a type transition conflict. It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
41ea887598
sudo patch from dan.
2009-07-28 10:29:11 -04:00
83f0b50814
readahead patch from dan.
2009-07-28 10:08:02 -04:00
4083191c4b
add missing userdom interfaces
2009-07-28 09:35:46 -04:00
c7ae9ae1c8
Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy
2009-07-28 08:00:03 -04:00
ebf3ec9063
snort patch from dan.
2009-07-27 16:04:10 -04:00
5f6c30f8bd
wm policy from dan
2009-07-27 15:11:22 -04:00
708a74a212
oddjob patch from dan.
2009-07-27 10:52:20 -04:00
fa50187c5e
kerneloops patch from dan
2009-07-27 10:44:19 -04:00
9de7c1706d
hal patch from dan.
2009-07-27 10:18:50 -04:00
fe1205a810
avahi patch from dan
2009-07-27 09:57:20 -04:00
e04438840b
dbus patch from dan
2009-07-27 09:46:35 -04:00
5be35f2acd
tmpreaper patch from dan.
2009-07-27 09:11:38 -04:00
06625d302c
mozilla patch from dan.
2009-07-27 09:11:12 -04:00
f4962ab15b
add cpufreqselector from dan
2009-07-27 09:09:00 -04:00
09516cb4be
remove read_default_t tunable
2009-07-23 08:58:35 -04:00
5bb5ec1d40
podsleuth patch from dan.
2009-07-21 10:11:16 -04:00
13306f56b6
afs client patch from dan.
2009-07-21 10:11:03 -04:00
b93a7dacca
bluetooth patch from dan.
2009-07-21 10:10:47 -04:00
ad0aea536b
clamav patch from dan.
2009-07-21 10:10:31 -04:00
92f08c7130
mailman patch from dan.
2009-07-21 10:10:17 -04:00
1847443ea3
ricci patch from dan.
2009-07-21 10:10:00 -04:00
d8822462c4
fix policykit interface
2009-07-21 10:09:14 -04:00
e4f73afb8e
gpg patch from dan
2009-07-21 10:07:38 -04:00
5271dd30bc
module version bump for 9b1907b217
2009-07-21 10:07:10 -04:00
9b1907b217
add pulseaudio from dan.
2009-07-21 10:05:38 -04:00
7395f80119
ppp patch from dan
2009-07-20 15:41:19 -04:00
4aa075262a
kerberos patch from dan
2009-07-20 15:41:08 -04:00
8f17f7c2ee
dnsmasq patch from dan.
2009-07-20 15:40:57 -04:00
93d300831d
dhcp patch from dan
2009-07-20 15:40:41 -04:00
af5374d3a5
policykit.if whitespace fix
2009-07-20 11:37:22 -04:00
adea587572
4 patches from dan.
2009-07-20 11:34:46 -04:00
edb7b90d89
add kismet and pulseaudio ports. fix sorting of ports.
2009-07-20 11:17:31 -04:00
9e90ce33db
add policykit from dan.
2009-07-20 11:15:09 -04:00
b67201eae7
fix bad varnishd interface names
2009-07-20 09:44:25 -04:00
7694abdff7
module version bump for f2583aa83b
2009-07-15 09:30:08 -04:00
f2583aa83b
Remove duplicate distro_redhat context
...
A recent update added an generic context for the lock files, so the
entry in distro_redhat can be removed.
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-07-15 09:27:36 -04:00
ce6fee6575
5 patches from dan
2009-07-14 10:30:22 -04:00
10b03f376b
three debian patches from manoj
2009-07-14 09:05:59 -04:00
84d88df579
trunk: fix typo in guest role decl.
2009-07-08 15:23:29 +00:00
9ac9739087
trunk: update policycaps comments for sock_file open perm.
2009-07-01 13:34:54 +00:00
bb88161284
trunk: 3 patches from dan.
2009-06-30 19:27:21 +00:00
45b975db5b
trunk: add missing varnish port.
2009-06-30 17:48:15 +00:00
50824a99ca
trunk: pads from dan.
2009-06-30 15:03:20 +00:00
46e2fa6d39
trunk: prelude patch from dan.
2009-06-30 14:44:50 +00:00
267d9c60c5
trunk: varnishd from dan.
2009-06-30 13:49:53 +00:00
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
20272c2b27
trunk: 7 patches from dan.
2009-06-26 13:22:39 +00:00
c989807d4a
trunk: nis patch from dan.
2009-06-25 15:16:29 +00:00
c017ee17ab
trunk: add sssd from dan.
2009-06-22 15:33:21 +00:00
26410ddf54
trunk: remove unnecessary semicolons after interface/template calls.
2009-06-19 13:52:33 +00:00
c9c0d846de
trunk: Greylist milter from Paul Howarth.
2009-06-18 14:36:35 +00:00
c7dc1c7222
trunk: Allow unix_update to change the security attributes associate with files so
...
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.
2009-06-18 13:57:26 +00:00
df28a0c444
trunk: Misc fixes for unix_update from Brandon Whalen.
2009-06-18 13:36:40 +00:00
95ea7d6986
trunk: Add x_device permissions for XI2 functions, from Eamon Walsh.
2009-06-18 13:07:23 +00:00
45515556d4
trunk: 10 patches from dan.
2009-06-12 19:44:10 +00:00
30425aa876
trunk: 1 patch from dan.
2009-06-12 15:30:15 +00:00
a65fd90a50
trunk: 6 patches from dan.
2009-06-11 15:00:48 +00:00
731008ad85
trunk: 2 patches from dan.
2009-06-08 17:18:26 +00:00
16fd1fd814
trunk: MLS constraints for the x_selection class, from Eamon Walsh.
2009-06-05 13:36:19 +00:00
cca4a215fe
trunk: add gpsd from miroslav grepl
2009-06-02 14:28:40 +00:00
63f0a71c8a
trunk: 9 patches from dan.
2009-06-01 16:03:42 +00:00
22894e33c4
trunk: add libjackserver.so textrel fc.
2009-06-01 13:04:40 +00:00
996779dfad
trunk:
...
The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.
The current security policy does not allow them to import/export any
largeobjects without any clear reason.
NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.
KaiGai Kohei
2009-05-22 13:37:32 +00:00
e0ea7b15ca
trunk:
...
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.
The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.
In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.
The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.
KaiGai Kohei
2009-05-21 11:49:33 +00:00
a01a4a7183
trunk:
...
OK, the attached patch adds the following types for unprivileged clients.
- unpriv_sepgsql_table_t
- unpriv_sepgsql_sysobj_t
- unpriv_sepgsql_proc_exec_t
- unpriv_sepgsql_blob_t
These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.
In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.
KaiGai Kohei
2009-05-21 11:28:14 +00:00
80348b73a0
trunk: 4 patches from dan.
2009-05-14 14:41:50 +00:00
a47eb527e5
trunk: whitespace fix for squid.fc.
2009-05-11 12:07:07 +00:00
350ed89156
se-postgresql update from kaigai
...
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
db_database:{getattr}
db_table:{getattr lock}
db_column:{getattr}
db_procedure:{drop getattr setattr}
db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
impossible to refer read-only table with foreign-key constraint.
(FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
It should allow them on sepgsql_trusted_proc_exec_t.
I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
da3ed0667f
trunk: lircd from miroslav grepl
2009-05-06 15:09:46 +00:00
c0f5fa011a
trunk: whitespace fixes.
2009-05-06 14:44:57 +00:00
3392356f36
trunk: 5 patches from dan.
2009-05-06 14:26:20 +00:00
0cf1d56018
trunk: Milter state directory patch from Paul Howarth.
2009-04-21 20:40:45 +00:00
a5ef553c2d
trunk: 5 modules from dan.
2009-04-20 19:03:15 +00:00
153fe24bdc
trunk: 5 patches from dan.
2009-04-07 14:09:43 +00:00
09125ae411
trunk: module version bump for previous commit.
2009-04-03 14:15:53 +00:00
d6605bc48b
trunk: 3 patches from dan.
2009-04-03 14:14:43 +00:00
42d567c3f4
trunk: 6 patches from dan.
2009-03-31 13:40:59 +00:00
8f800d48df
trunk: 14 patches from dan.
2009-03-23 14:56:43 +00:00
244b45d225
trunk: 3 patches from dan.
2009-03-20 13:58:15 +00:00
3c9b2e9bc6
trunk: 6 patches from dan.
2009-03-19 17:56:10 +00:00
d3cdc3d07c
trunk: add open perm to sock_file.
2009-03-11 14:58:03 +00:00
79a5a8084d
trunk: 2 patches from dan.
2009-03-11 14:19:50 +00:00
c90440a7cd
trunk: 4 patches from dan.
2009-03-11 13:32:23 +00:00
e21bd28bc8
trunk: add mysql db lnk_file transition.
2009-03-11 11:59:04 +00:00
da04234f32
trunk: 5 patches from dan.
2009-03-10 19:32:04 +00:00
11c944faf1
trunk: fix typo in devices file contexts.
2009-03-05 17:46:22 +00:00
2c664e7fb8
trunk: storage patch from dan.
2009-03-05 15:49:41 +00:00
7b76207e37
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
be5aaebfd6
trunk: corecommands patch from dan.
2009-03-05 14:43:03 +00:00
b4ad699e57
trunk: add nlmsg_tty_audit permission.
2009-03-05 14:11:24 +00:00
c45fdad85b
trunk: filesystem patch from dan.
2009-03-04 15:53:07 +00:00
e1a70f1dde
trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
...
Add MLS constraints for several network related access controls including
the new ingress/egress controls and the older Secmark controls. Based on
the following post to the SELinux Reference Policy mailing list:
* http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
2009-03-02 15:16:49 +00:00
156204a385
trunk: Drop write permission from fs_read_rpc_sockets().
2009-02-24 20:00:15 +00:00
81fa19ed73
trunk: remove unused udev_runtime_t type.
2009-02-24 19:31:08 +00:00
f3fcadfe04
trunk: Patch for RadSec port from Glen Turner.
2009-02-23 13:41:28 +00:00
f79314234a
trunk: 6 patches from dan.
2009-02-11 19:28:30 +00:00
c1e501136b
trunk: add context contains to setrans.
2009-02-09 13:58:22 +00:00
7722c29e88
trunk: Enable network_peer_controls policy capability from Paul Moore.
2009-02-03 15:45:30 +00:00
805f34ed09
trunk: btrfs from Paul Moore.
2009-01-30 13:44:14 +00:00
466e22a8ba
trunk: Add db_procedure install permission from KaiGai Kohei.
2009-01-23 19:49:36 +00:00
019dfaf9dc
trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project.
2009-01-15 20:31:06 +00:00
64daa85393
trunk: add sysadm_entry_spec_domtrans_to() interface from clip.
2009-01-15 15:07:37 +00:00
9e7a338509
trunk: su fixes from clip.
2009-01-13 19:44:23 +00:00
f0435b1ac4
trunk: add support for labeled booleans.
2009-01-13 13:01:48 +00:00
c1262146e0
trunk: Remove node definitions and change node usage to generic nodes.
2009-01-09 19:48:02 +00:00
668b3093ff
trunk: change network interface access from all to generic network interfaces.
2009-01-06 20:24:10 +00:00
59d599642e
trunk: fix certwatch version number.
2009-01-06 19:33:24 +00:00
347a701119
trunk: Add kernel_service access vectors, from Stephen Smalley.
2009-01-05 21:44:33 +00:00
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
3196971ae8
trunk: Fix consistency of audioentropy and iscsi module naming.
2008-12-09 16:47:33 +00:00
9ff89c44e7
trunk: 2 patches from dan.
2008-12-04 15:01:12 +00:00
f657cb14e5
trunk: fix role change constraint.
2008-12-03 20:16:08 +00:00
ff8f0a63f4
trunk: whitespace fixes in xml blocks.
2008-12-03 19:16:20 +00:00
6073ea1e13
trunk: whitespace fix changing multiple spaces into tabs.
2008-12-03 18:33:19 +00:00
a057e0462e
trunk: fix missing xml parameter.
2008-12-03 15:51:53 +00:00
fb4826f424
trunk: 3 patches from dan.
2008-12-03 15:21:33 +00:00
14c0edc7e9
trunk: 2 patches from dan.
2008-12-02 22:40:49 +00:00
b3eb124654
trunk: Debian file context fix for xen from Russell Coker.
2008-11-24 15:34:54 +00:00
b9e5238a24
trunk: add milter module from Paul Howarth.
2008-11-24 15:06:58 +00:00
b3b607eb43
trunk: a fix on the previous commit.
2008-11-19 16:02:13 +00:00
fcee22ad0d
trunk: 5 patches from dan.
2008-11-19 15:24:10 +00:00
01e9e7dbf5
trunk: 4 patches from dan.
2008-11-18 19:55:10 +00:00
659c8650c7
trunk 2 patches from dan.
2008-11-17 15:48:12 +00:00
7f49194215
trunk: Xserver MLS fix from Eamon Walsh.
2008-11-17 13:49:19 +00:00
7a4c282536
trunk: fix logging admin interfaces.
2008-11-14 13:53:21 +00:00
23d5ab8de7
trunk: fix disable ubac condition for process perms.
2008-11-14 13:17:51 +00:00
73c77e2c9b
trunk: 2 fixes from martin orr.
2008-11-13 18:44:23 +00:00
99282e6be0
trunk: add omapi port for dhcpcd.
2008-11-12 13:11:00 +00:00
5843d066b6
trunk: 10 patches from dan.
2008-11-11 16:38:34 +00:00
27337d8c21
trunk: patch from Mike Edenfield to add udevadm fc entry.
2008-11-11 15:03:06 +00:00
657c226c40
trunk: 7 patches from dan.
2008-11-06 22:36:50 +00:00
ba796982df
trunk: tweaks from russell and martin orr.
2008-11-06 15:01:15 +00:00
0003940ff2
trunk: add missing ubac module.
2008-11-05 16:11:27 +00:00
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
932c3536f8
trunk: additional open fixes.
2008-11-04 14:37:05 +00:00
Chris PeBenito
Manoj Srivastava
Chris PeBenito