Laurent Bigonville
408549f8d3
Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
Create a new attribute and fs_getattr_all_xattr_fs() interface that will
be used for all the filesystems that support xattr
2014-04-11 09:08:19 -04:00
Chris PeBenito
2a8d47d7b1
Update contrib.
2014-04-04 16:29:57 -04:00
Chris PeBenito
2abfedde73
Module version bump for 2 Gentoo patches from Sven Vermeulen.
2014-04-04 16:09:30 -04:00
Sven Vermeulen
22ef609197
Support /sys/devices/system/cpu/online
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep
their context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
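The type split this commit describes, written out as an added refpolicy-style illustration so the pieces are visible together (it is not the commit's own diff). The interface name dev_read_cpu_online, the use of dev_node for the new type and the exact fc entry are assumptions about how the pattern is expressed; the per-boot relabel command in the note afterwards is one way a distribution could do what the message says boot scripts must do.

```selinux
# Added example (not the commit's diff). Assumed names: dev_read_cpu_online,
# dev_node for the new type.

# devices.te: a dedicated type so that /sys/devices/system/cpu/online can
# be handed to most domains without granting read on sysfs_t as a whole.
type cpu_online_t;
dev_node(cpu_online_t)

# devices.fc: file context for the single sysfs file glibc's get_nprocs()
# reads. sysfs does not keep this label across reboots (see the note).
/sys/devices/system/cpu/online		--	gen_context(system_u:object_r:cpu_online_t,s0)

# devices.if: what a domain calls to read the file. It only grants search
# on the sysfs directories leading to the file plus read on the file
# itself, not read on sysfs_t files in general.
interface(`dev_read_cpu_online',`
	gen_require(`
		type cpu_online_t;
	')

	dev_search_sysfs($1)
	allow $1 cpu_online_t:file read_file_perms;
')

# Wherever the policy collects the "most domains" rules (shown here with
# the domain attribute): every domain that may call get_nprocs() gets it.
dev_read_cpu_online(domain)
```

Because the context is lost on every boot, the boot scripts have to restore it before anything calls get_nprocs(), for example with `restorecon /sys/devices/system/cpu/online`; `ls -Z /sys/devices/system/cpu/online` afterwards should show cpu_online_t rather than sysfs_t. Until that relabel has run, a confined domain reading the file still hits sysfs_t and gets the old denial.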
Sven Vermeulen
6e0000b725
Hide getattr denials upon sudo invocation
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
Chris PeBenito
8d94022284
Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.
2014-04-04 15:53:32 -04:00
Nicolas Iooss
27f4846ff8
userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
2014-04-04 15:52:17 -04:00
Chris PeBenito
a10930fe7c
Update contrib.
2014-03-14 11:48:15 -04:00
Chris PeBenito
862e22528d
Whitespace fix in xserver.fc.
2014-03-14 11:17:44 -04:00
Chris PeBenito
4508d748dc
Move lightdm line in xserver.fc.
2014-03-14 11:17:22 -04:00
Laurent Bigonville
18e114dae4
Label /usr/sbin/lightdm as xdm_exec_t
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739163
2014-03-14 11:14:43 -04:00
Laurent Bigonville
81570b1eb4
Properly label git-shell and other git commands for Debian
2014-03-14 11:14:43 -04:00
Chris PeBenito
4caf0885bf
Module version bump for postgresql fc entries from Luis Ressel.
2014-03-14 10:59:45 -04:00
Chris PeBenito
a72bd68428
Whitespace fix in postgresql.fc
2014-03-14 10:10:32 -04:00
Luis Ressel
defc62bf33
Add two postgresql file contexts from gentoo policy
Gentoo appends version numbers to the names of the init script and the
config directory.
2014-03-14 10:08:18 -04:00
Chris PeBenito
a82a6a80a1
Update Changelog and VERSION for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
a5054f1135
Update contrib.
2014-03-11 08:15:14 -04:00
Chris PeBenito
d6365192c2
Update contrib.
2014-03-03 09:07:16 -05:00
Chris PeBenito
4dbe95d58b
Module version bump for bootloader fc fixes from Luis Ressel.
2014-03-03 09:07:00 -05:00
Luis Ressel
f8eb4e3b3b
Label grub2-install as bootloader_exec_t
2014-03-03 08:45:10 -05:00
Luis Ressel
c2a9b89c5f
Generalize grub2 pattern
GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.
2014-03-03 08:44:41 -05:00
Chris PeBenito
681c3d451c
Update contrib.
2014-02-15 15:04:12 -05:00
Luis Ressel
a10fefcd39
Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Luis Ressel
f824120b6d
Use xattr-labeling for squashfs.
This is taken from the Fedora policy (authors: Dan Walsh, Miroslav
Grepl) and dates back to 2011 there.
2014-02-15 14:34:10 -05:00
Chris PeBenito
3501307078
Fix read loopback file interface.
2014-02-08 11:35:57 -05:00
Chris PeBenito
92cd2e251c
Module version bump for loopback file mounting fixes from Luis Ressel.
2014-02-08 10:50:34 -05:00
Chris PeBenito
acf1229dad
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Chris PeBenito
38a2d8e581
Move loop control interface definition.
2014-02-08 10:48:50 -05:00
Luis Ressel
7ac64b8a5a
Grant kernel_t necessary permissions for loopback mounts
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Luis Ressel
24be4c0096
Allow mount_t usage of /dev/loop-control
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel
09370605a3
system/mount.if: Add mount_read_mount_loopback interface
2014-02-08 10:32:44 -05:00
Luis Ressel
781377da9f
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-08 10:32:44 -05:00
Chris PeBenito
3bb3d9e79e
Module version bump for sesh fc from Nicolas Iooss.
2014-02-08 09:57:32 -05:00
Nicolas Iooss
f003497bcb
Label /usr/lib/sudo/sesh as shell_exec_t
2014-02-08 09:50:09 -05:00
Chris PeBenito
3c4a9cde0e
Update contrib.
2014-02-08 09:42:54 -05:00
Chris PeBenito
f097b7ab4e
Move bin_t fc from couchdb to corecommands.
2014-02-08 09:42:43 -05:00
Chris PeBenito
dd0df56c26
Module version bump for files_dontaudit_list_var() interface from Luis Ressel.
2014-02-08 09:04:18 -05:00
Luis Ressel
7381deb292
kernel/files.if: Add files_dontaudit_list_var interface
This is required for an update of the couchdb policy.
2014-02-08 09:02:57 -05:00
Chris PeBenito
22d7dac75b
Module version bump for ssh use of gpg-agent from Luis Ressel.
2014-02-08 08:41:05 -05:00
Chris PeBenito
7e71b34b09
Rearrange gpg agent calls.
2014-02-08 08:40:37 -05:00
Chris PeBenito
4ef4e0674d
Rename gpg_agent_connect to gpg_stream_connect_agent.
2014-02-08 08:24:41 -05:00
Luis Ressel
bda6528039
Conditionally allow ssh to use gpg-agent
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
2014-02-08 08:10:16 -05:00
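The conditional grant this commit describes, as an added refpolicy-style illustration rather than the commit's own diff. The boolean name ssh_use_gpg_agent and the body of the interface (the gpg_agent_t and gpg_agent_tmp_t types, stream_connect_pattern) are assumptions; gpg_stream_connect_agent itself is the interface name that appears elsewhere in this log.

```selinux
# Added example (not the commit's diff). Assumed names: ssh_use_gpg_agent,
# gpg_agent_t, gpg_agent_tmp_t.

# gpg.if: the interface a client calls to talk to gpg-agent over its
# unix stream socket in the agent's tmp directory.
interface(`gpg_stream_connect_agent',`
	gen_require(`
		type gpg_agent_t, gpg_agent_tmp_t;
	')

	files_search_tmp($1)
	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
')

# ssh.te: declare the boolean, off by default, so the extra socket access
# exists only on systems whose admin turns it on.
## <desc>
## <p>
## Allow ssh to connect to gpg-agent, for gpg-agent's ssh-compatible
## interface (for example smartcard-backed keys).
## </p>
## </desc>
gen_tunable(ssh_use_gpg_agent, false)

# The call sits inside tunable_policy so it is switchable at runtime, and
# inside optional_policy because the gpg module may not be loaded at all.
optional_policy(`
	tunable_policy(`ssh_use_gpg_agent',`
		gpg_stream_connect_agent(ssh_t)
	')
')
```

With the policy loaded, `getsebool ssh_use_gpg_agent` reports off; `setsebool -P ssh_use_gpg_agent on` enables the rule persistently. With the boolean off, an ssh client pointed at gpg-agent's socket via SSH_AUTH_SOCK is denied connectto on gpg_agent_t, which is the intended default: the socket access is opt-in rather than granted to every ssh_t process.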
Chris PeBenito
b244f47319
Module version bump for pid file directory from Russell Coker/Laurent Bigonville.
2014-02-06 09:14:31 -05:00
Laurent Bigonville
d6751cb2f4
Move the ifdef at the end of the declaration block
2014-02-06 09:14:31 -05:00
Laurent Bigonville
f2313e5304
Add fcontext for sshd pidfile and directory used for privsep
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
2014-02-06 09:14:31 -05:00
Chris PeBenito
33b03a653e
Update contrib.
2014-01-31 22:54:14 -05:00
Chris PeBenito
d5a562246e
Module version bump for logging fc patch from Laurent Bigonville.
2014-01-31 22:24:08 -05:00
Laurent Bigonville
64be72b662
Add fcontext for rsyslog pidfile
2014-01-31 21:54:40 -05:00
Chris PeBenito
41ee5421a7
Module version bump for unconfined transition to dpkg from Laurent Bigonville.
2014-01-27 13:19:57 -05:00