To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, who scan through log directories.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
modutils_read_module_config() provides access to list modules_conf_t
directories so that we do not need a seperate
modutils_list_modules_config()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Remove evolution and evolution alarm dbus chat from common user template
since callers of the evolution role are now allowed to dbus chat to
evolution and evolution alarm.
Common users need to be able to dbus chat with policykit and consolekit
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The /var/cfengine/output location will be labeled in the forthcoming
cfengine policy module that will be ported from Fedora
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.
Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.
With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).
Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).
Update the file contexts of the translated locations.
Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent udev installs its main binary in /usr/lib/systemd (called systemd-udevd).
Update file contexts to support this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
With udev now using /run for its data, the init script responsible for preparing
the environment to start up udev needs to be able to setup this location as
well.
We here allow init scripts to create the /run/udev location (transitioning to
udev_var_run_t) and manage this content (creating the /run/udev subdirectories).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Dominick Grift
Mika Pflüger
Sven Vermeulen
Russell Coker
Miroslav Grepl
Laurent Bigonville