Laurent Bigonville
4340b9f8a4
Add interfaces to read/write /proc/sys/vm/overcommit_memory
2015-12-14 10:02:53 -05:00
Chris PeBenito
6b1b2e3965
Module version bumps for 2 patches from Dominick Grift.
2015-12-10 15:46:13 -05:00
Dominick Grift
6d6370c98a
kernel: implement sysctl_vm_overcommit_t for /proc/sys/vm/overcommit_memory
Whoever requires this type first gets to create the interfaces to operate on this object
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
b94f45d760
Revise selinux module interfaces for perms protected by neverallows.
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.
Closes #14
2015-11-04 15:10:29 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
bdfc7e3eb0
Add sysfs_types attribute.
Collect all types used to label sysfs entries.
2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3
Add systemd units for core refpolicy services.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
3639880cf6
Implement core systemd policy.
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Chris PeBenito
4d28cb714f
Module version bump for patches from Jason Zaman/Matthias Dahl.
2015-10-12 09:31:18 -04:00
Jason Zaman
b3a95b4aeb
Add overlayfs as an XATTR capable fs
The module is called "overlay" in the kernel
2015-10-12 09:13:53 -04:00
Chris PeBenito
cfaeb62603
Module version bump for vfio device from Alexander Wetzel.
2015-09-15 08:39:21 -04:00
Alexander Wetzel
9ae4033beb
adds vfio device support to base policy
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
2015-09-15 08:17:31 -04:00
Chris PeBenito
1d51a2f4c4
Module version bump for APR build script labeling from Luis Ressel.
2015-08-11 08:46:41 -04:00
Luis Ressel
fd5e40b047
Mark APR build scripts as bin_t
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
2015-08-11 08:42:25 -04:00
Chris PeBenito
459a19f18d
Module version bump for debugfs mount point fc entry from Laurent Bigonville.
2015-05-06 09:50:14 -04:00
Laurent Bigonville
c738343b7f
Add fc for /sys/kernel/debug as debugfs_t
2015-05-06 09:49:40 -04:00
Chris PeBenito
f963d6dafa
Fix domain_mmap_low() to be a proper tunable.
2015-02-09 16:02:36 -05:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
0735f2ca4a
Module version bump for misc fixes from Sven Vermeulen.
2014-12-02 10:29:59 -05:00
Sven Vermeulen
84fa2ab1f2
Mark f2fs as a SELinux capable file system
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
2014-12-02 09:16:05 -05:00
Sven Vermeulen
29292968fe
xfce4-notifyd is an executable
2014-12-02 09:16:05 -05:00
Chris PeBenito
6624f9cf7a
Drop RHEL4 and RHEL5 support.
2014-09-24 13:10:37 -04:00
Chris PeBenito
e4cbb09a3d
Module version bumps for systemd/journald patches from Nicolas Iooss.
2014-09-12 11:30:05 -04:00
Nicolas Iooss
3a7e30c22d
Allow journald to read the kernel ring buffer and to use /dev/kmsg
audit.log shows that journald needs to read the kernel ring buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-12 09:52:18 -04:00
Chris PeBenito
1743984baf
Module version bump for misc fixes from Nicolas Iooss.
2014-08-26 09:14:44 -04:00
Nicolas Iooss
d3092fc059
Fix typo in fs_getattr_all_fs description
2014-08-26 09:07:53 -04:00
Nicolas Iooss
7487f355dd
Label (/var)?/tmp/systemd-private-.../tmp like /tmp
Such directories are used by systemd as private mountpoints for
services.
2014-08-26 08:22:53 -04:00
Nicolas Iooss
28658963c3
Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
While at it, remove a useless backslash before a minus character.
2014-08-26 08:08:41 -04:00
Chris PeBenito
617466b2bd
Module version bump for losetup fixes from Luis Ressel.
2014-08-19 08:45:38 -04:00
Luis Ressel
9946965a53
Add necessary permissions for losetup
This allows losetup to bind mount_loopback_t files to loop devices.
2014-08-18 15:24:46 -04:00
Chris PeBenito
2b621e2c09
Module version bump for full IRC ports from Luis Ressel.
2014-08-18 15:21:49 -04:00
Luis Ressel
43d6b26963
kernel/corenetwork.te: Add all registered IRC ports
IANA has registered 6665-9/tcp and 6697 for IRC.
2014-08-18 14:01:26 -04:00
Chris PeBenito
b383c8075e
Module version bump for missing unlabeled interfaces from Sven Vermeulen.
2014-08-14 15:49:59 -04:00
Sven Vermeulen
953a007662
Introduce kernel_delete_unlabeled_chr_files
The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-08-14 15:48:58 -04:00
Sven Vermeulen
f21915b7ca
Introduce kernel_delete_unlabeled_blk_files
The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-08-14 15:48:58 -04:00
Sven Vermeulen
1b85e52057
Introduce kernel_delete_unlabeled_sockets
The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-08-14 15:48:58 -04:00
Sven Vermeulen
54816519d4
Introduce kernel_delete_unlabeled_pipes
The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-08-14 15:48:58 -04:00
Sven Vermeulen
280709d26f
Introduce kernel_delete_unlabeled_symlinks
The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-08-14 15:48:58 -04:00
Chris PeBenito
d7acf5d3c5
Module version bump for tumblerd fc entry from Jason Zaman.
2014-06-30 15:29:25 -04:00
Chris PeBenito
a3a64ffced
Move tumblerd fc entry
2014-06-30 15:28:51 -04:00
Jason Zaman
724eff0b5e
File Context for tumbler
Tumbler is a D-Bus service for applications to request thumbnails
Signed-off-by: Jason Zaman <jason@perfinion.com>
2014-06-30 14:38:59 -04:00
Chris PeBenito
d31c3b4bcd
Module version bump for zram fc entry from Jason Zaman.
2014-06-25 11:57:24 -04:00
Jason Zaman
860a6112de
File contexts for zram
zram is a compressed block device in ram
Signed-off-by: Jason Zaman <jason@perfinion.com>
2014-06-25 10:34:45 -04:00
Chris PeBenito
f8a0451c7d
Module version bump for dropbox port from Sven Vermeulen.
2014-06-09 08:42:26 -04:00
Sven Vermeulen
c0bd1fbe5f
Add dropbox_port_t support
The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-06-09 08:35:48 -04:00
Chris PeBenito
b2b750279a
Module version bump for firstboot_rw_t alias removal.
2014-06-09 08:23:24 -04:00
Chris PeBenito
fb51415d42
Remove firstboot_rw_t as FC5 has been gone for a long time.
2014-06-09 08:22:52 -04:00
Elia Pinto
a55da23db2
Fix misspelling
Fix misspelling using http://github.com/lyda/misspell-check
Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
2014-06-09 08:21:45 -04:00