Commit Graph

163 Commits

Author SHA1 Message Date
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito 878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito 8f6f0cf0e2 Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito 95b584b5e9 xdm sigchld interface from Russell Coker. 2017-04-20 19:32:19 -04:00
Chris PeBenito 291f1512e3 Module version bump from fixes from Guido Trentalancia. 2017-04-20 19:19:25 -04:00
Chris PeBenito a8a360c178 devicekit, mount, xserver, and selinuxutil from Russell Coker
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with it's runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.
2017-04-18 21:28:16 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito b690079a93 Misc fc changes from Russell Coker. 2017-04-06 17:00:28 -04:00
Chris PeBenito 160d08f3ae systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
2017-03-28 18:51:35 -04:00
Chris PeBenito b411e4b300 another version of systemd cgroups hostnamed and logind
From Russell Coker
2017-03-25 13:45:37 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito cb35cd587f Little misc patches from Russell Coker. 2017-02-18 09:39:01 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69da46ae18 usrmerge FC fixes from Russell Coker. 2017-02-07 18:51:58 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 23001afc0c Module version bump for xkb fix from Jason Zaman. 2017-01-29 12:48:01 -05:00
Chris PeBenito a67c2a819d Module version bump for patches from Guido Trentalancia. 2017-01-03 19:35:56 -05:00
Guido Trentalancia d76d9e13b1 xserver: restrict executable memory permissions
The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-01-03 19:33:27 -05:00
Chris PeBenito 5fe6fbca54 xserver: Update from Russell Coker for boinc. 2017-01-02 13:11:31 -05:00
Chris PeBenito 49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia 1c9c592a2f xserver: introduce new fc and interface to manage X session logs
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses more tight permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 12:41:59 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
Chris PeBenito 5d7ed4937d Module version bump for patches from Guido Trentalancia. 2016-12-18 17:56:17 -05:00
Chris PeBenito 898ec0e24e Module version bump for xserver patch from Guido Trentalancia. 2016-12-15 19:29:12 -05:00
Guido Trentalancia dbd988ac99 xserver: enable dbus messaging with devicekit power
Enable messaging over dbus between devicekit power and the X
Display Manager (XDM) domains.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-15 19:18:41 -05:00
Chris PeBenito 1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Chris PeBenito db06838142 Module version bump for xserver changes from Guido Trentalancia. 2016-12-04 09:11:02 -05:00
Chris PeBenito 4aa4a3d10b xserver: Rearrange lines 2016-12-04 09:10:25 -05:00
Guido Trentalancia 58e5ce24ae xserver: remove unneeded user content permissions
Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-04 08:57:24 -05:00
Chris PeBenito 2fe9c4017e Module version bump for xserver patch from Guido Trentalancia 2016-12-01 19:45:14 -05:00
Guido Trentalancia 8e977d59f2 xserver: remove unneeded user content permissions
Remove unneeded permissions to read user content from the
xserver module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-01 19:45:14 -05:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 6829da4054 Update for the xserver module:
- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm (currently used by the userdomain module in
  the common user template);
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 15:13:24 -04:00
Chris PeBenito 187019a615 Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
Chris PeBenito 9e0566104a Update alsa module use from Guido Trentalancia. 2016-08-14 14:34:19 -04:00
Chris PeBenito 001cd53e2a Module version bump for Debian Xorg fc fixes from Laurent Bigonville 2016-01-07 13:11:50 -05:00
Chris PeBenito 994f605a2c Module version bump for Xorg and SSH patches from Nicolas Iooss. 2016-01-05 13:38:19 -05:00
Nicolas Iooss 59e00c5580 Label Xorg server binary correctly on Arch Linux
On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details).  Therefore label it as xserver_exec_t.

This makes the following AVC appear:

    denied  { execute_no_trans } for  pid=927 comm="X"
    path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
    scontext=system_u:system_r:xserver_t
    tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
2016-01-05 13:22:52 -05:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Chris PeBenito 6624f9cf7a Drop RHEL4 and RHEL5 support. 2014-09-24 13:10:37 -04:00
Chris PeBenito d580aae38f Module version bump for shutdown transitions from Luis Ressel. 2014-06-09 08:21:33 -04:00
Luis Ressel c55cd63011 Allow xdm_t to transition to shutdown_t domain
Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
2014-06-09 08:15:57 -04:00
Chris PeBenito e71df879e5 Module version bump for rcs2log and xserver updates from Sven Vermeulen. 2014-06-02 15:14:50 -04:00
Sven Vermeulen 97c3e208f8 xserver_t needs to ender dirs labeled xdm_var_run_t
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.

With this setup, X is run as follows:
  /usr/bin/X :0 -auth /var/run/lightdm/root/:0

Changes since v1:
- Use read_files_pattern instead of separate allow rules

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-02 11:05:01 -04:00
Chris PeBenito 37cea01bfa Module version bump for gnome keyring fix from Laurent Bigonville. 2014-04-15 14:51:53 -04:00