Commit Graph

2742 Commits

Author SHA1 Message Date
Chris PeBenito 3835c39a13 Sudo patch from Dan Walsh.
sudo gets execed by apps that leak sockets
2010-06-18 14:43:22 -04:00
Chris PeBenito f7e3410aed Su patch from Dan Walsh.
dontaudit leaked sockets
2010-06-18 14:32:42 -04:00
Chris PeBenito b9be5cccf1 Shorewall patch from Dan Walsh.
Shorewall execs hostname
2010-06-18 14:23:46 -04:00
Chris PeBenito 5116faa198 Quota patch from Dan Walsh.
Quota needs to setsched on kernel processes
2010-06-18 14:14:21 -04:00
Chris PeBenito a9ef84b578 Prelink patch from Dan Walsh.
Prelink has new directory under /var/lib

dontaudit leaks from domains that transition

cron job looks at all mount points.
2010-06-18 14:07:53 -04:00
Chris PeBenito 9a4d292902 Netutils patch from Dan Walsh.
ping gets leaked log descriptor from nagios.

Label send_arp as ping_exec_t
2010-06-17 10:16:19 -04:00
Chris PeBenito 10c0104066 Kismet patch from Dan Walsh.
Kismet searches user_home_dirs for kismet_home_t content.
2010-06-17 08:24:21 -04:00
Chris PeBenito e89f04fd17 Mcelog patch from Dan Walsh.
mcelog needs mls override
2010-06-17 08:23:48 -04:00
Chris PeBenito 0e30bca6d9 Consoletype patch from Dan Walsh.
I am sick of every app in the known universe leaking socket descriptors.
  Dontaudit by default

consoletype is handed a write for hal log on resume from hibernate.
2010-06-17 08:23:20 -04:00
Chris PeBenito 88a574d373 Alsa patch from Dan Walsh
Alsa tries to talk to all types of terminals.  Dontaudit this access.
2010-06-17 08:22:43 -04:00
Chris PeBenito 4db7790c60 Acct patch from Dan Walsh.
acct needs to use generic ptys
2010-06-17 08:22:17 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 5c942ceb83 AFS patch from Dan Walsh. 2010-06-10 08:08:23 -04:00
Chris PeBenito b521229560 Abrt patch from Dan Walsh.
Abrt uses /var/spool/abrt now and changed the name of its lock

Now uses a stream socket

Installs debuginfo packages

sys_nice itself
2010-06-10 07:58:00 -04:00
Chris PeBenito 48e0aa86c9 Files patch from Dan Walsh.
Redhat does want /usr/local/src labeled src_t or /usr/src for that matter

Fix labels on chroot environments
2010-06-09 09:09:34 -04:00
Chris PeBenito 135b1b4c54 Terminal patch from Dan Walsh. 2010-06-09 08:22:31 -04:00
Chris PeBenito 98652c65a3 Add missing changelog entry for cgroup. 2010-06-08 13:08:36 -04:00
Chris PeBenito c54e7d63dc Module version bump for cgroup patchset. 2010-06-08 09:18:43 -04:00
Chris PeBenito 53f9abbe68 Clean up cgroup. Rename cgconfigparser to cgconfig. 2010-06-08 09:15:41 -04:00
Chris PeBenito 0041a78ef7 Remove cgroup_t usage in cgroup_admin() since it is not owned by the module. 2010-06-08 09:12:03 -04:00
Chris PeBenito 860c05d9de Rearrange cgroup interfaces in filesystem. 2010-06-08 09:10:45 -04:00
Chris PeBenito 04dcd73fe3 Whitespace fixes in cgroup and init. 2010-06-08 08:47:26 -04:00
Dominick Grift e2b9add5f8 How users interact with cgroup.
All login users can list cgroup.
Common users can read and write cgroup files (access governed by dac)

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:33 -04:00
Dominick Grift 73f0985092 How libgroup init scripts interact with libcgroup.
The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:29 -04:00
Dominick Grift ddf821332f add libcg policy.
Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:22 -04:00
Dominick Grift c0c635b3f3 cgroup in filesystem.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Chris PeBenito 60f04fcb7a Kernel patch from Dan Walsh.
Add ability to dontaudit requests to load kernel modules.  If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.

Better handling of unlabeled files by the kernel interfaces
2010-06-07 11:08:35 -04:00
Chris PeBenito fb7caddb4f Devices patch from Dan Walsh.
vhost_device_t added for libvirt/qemu

/dev/usbmon device added

lots of new interfaces.
2010-06-07 09:20:18 -04:00
Chris PeBenito 46c0e57acf Corecommands patch from Dan Walsh.
Lots of new places to stick bin_t files
2010-06-07 09:04:08 -04:00
Chris PeBenito 8f0de5df68 Storage patch from Dan Walsh.
Add /dev/hwcdrom
2010-06-04 09:47:45 -04:00
Chris PeBenito 5c2b95e1b9 Add missing cluster suite modules that were missing from the Changelog. 2010-05-26 11:53:21 -04:00
Chris PeBenito 2a29628e40 Fix duplicate lines in kudzu. 2010-05-26 08:26:50 -04:00
Chris PeBenito 03e653bd28 Changelog and version update for release. 2010-05-25 16:01:49 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito f9bdd1e389 Add missing changelog entries. 2010-05-24 15:24:40 -04:00
Chris PeBenito 91cbcc6602 Fix deprecated interface usage in rhel4 block in su.if. 2010-05-24 15:09:18 -04:00
Chris PeBenito 3d95ca2d82 Module version bump for 904f3d8. 2010-05-24 13:08:09 -04:00
Chris PeBenito 7934ac10d3 Module version bump for 1184392 and more.
* module version bump
* make apache and unconfined portions optional
* rearrange lines
2010-05-24 13:08:09 -04:00
Chris PeBenito ca28376c4d Module version bump for 7942f7f. 2010-05-24 13:08:09 -04:00
Chris PeBenito bdf5e19931 Module version bump for 383bd32. 2010-05-24 13:08:09 -04:00
Chris PeBenito 213d35a07c Module version bump for 9e28f74. 2010-05-24 13:08:09 -04:00
Chris PeBenito 63583f4e29 Module version bump for f61ef24. 2010-05-24 13:08:09 -04:00
Chris PeBenito c789f82bc5 Module version bump for d5170e5. 2010-05-24 13:08:09 -04:00
Chris PeBenito d53a972879 Module version bump for cb1df6a. 2010-05-24 13:08:09 -04:00
Jeremy Solt d8642cad29 readahead patch from Dan Walsh
Edits:
 - Removed files_dontaudit_read_security_files and fs_dontaudit_read_tmpfs_blk_dev interface calls
2010-05-24 13:08:08 -04:00
Chris PeBenito fe74f71385 Fix deprecated interface usage that crept into lvm.if. 2010-05-24 13:08:08 -04:00
Chris PeBenito ff1cae1f5e Move line in logrotate; module version bump. 2010-05-24 13:08:08 -04:00
Chris PeBenito a107f875bd Remove redundant optional and libs_* calls in clogd. 2010-05-24 13:08:08 -04:00
Chris PeBenito dcb7227286 Module version bump for 51ad76f. 2010-05-24 13:08:08 -04:00
Jeremy Solt 6430c79a29 whitespace fix for clogd 2010-05-24 13:08:08 -04:00