Commit Graph

84 Commits

Author SHA1 Message Date
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito 5d345b79ee various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-27 10:51:06 -04:00
Chris PeBenito da156aea1e systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Chris PeBenito ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker 05cd55fb51 tiny stuff for today
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
2019-01-23 18:26:45 -05:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Russell Coker 54136fa311 more tiny stuff
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
2019-01-20 16:20:33 -05:00
Chris PeBenito b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Laurent Bigonville 404dcf2af4 Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
Also allow unconfined_t to talk with the resolved daemon
2018-11-11 13:36:05 +01:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito b492924414 Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito e03f6d4c61 some userdomain patches from Russell Coker
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.

Allow sysadm_t to read kmsg.

Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui.  Also allow them to chat with devicekit disk and power daemons.

Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
2017-04-18 21:41:45 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 0fe21742cd Module version bumps for patches from cgzones. 2017-01-09 20:34:15 -05:00
Chris PeBenito 1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 07451cd39a Module version bumps for syncthing from Naftuli Tzvi Kay. 2016-10-09 07:51:51 -04:00
Naftuli Tzvi Kay ba903b4840
Add Syncthing Support to Policy
For now, optionally add the Syncthing role to user_r, staff_r,
and unconfined_r, and define the Syncthing ports in core network.
2016-08-21 11:57:01 -07:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 13b837fc15 Module version bump for unconfined syslog cap from Nicolas Iooss. 2014-06-09 09:29:12 -04:00
Chris PeBenito 1013c53a94 Module version bump for unconfined->lvm transition from Nicolas Iooss. 2014-05-13 08:44:26 -04:00
Nicolas Iooss 7c356f97f5 Make unconfined user run lvm programs in confined domain
When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to setup a new device.  This program works with udev to configure the
new device and uses SysV semaphores to synchronize states.  As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.

More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
2014-05-13 08:18:47 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito 41ee5421a7 Module version bump for unconfined transition to dpkg from Laurent Bigonville. 2014-01-27 13:19:57 -05:00
Laurent Bigonville 0e1c64f3bb Allow unconfined users to transition to dpkg_t domain
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito d3af996d01 Module version bump for direct initrc fixes from Dominick Grift. 2014-01-16 16:11:02 -05:00
Dominick Grift 493ca67e54 Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 66c6b8a9f7 unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Chris PeBenito dd1b596ae7 Module version bump for unconfined dbus fixes from Dominick Grift. 2013-09-26 10:25:47 -04:00
Dominick Grift 1a88de7131 Unconfined domains have unconfined access to all of dbus rather than only system bus
unconfined: unconfined_t is real-time scheduled by rtkit

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:14:30 -04:00
Chris PeBenito 3516535aa6 Bump module versions for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito 8e00a439ef Module verion bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen. 2012-05-10 10:36:06 -04:00
Chris PeBenito f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito 3cbb3701cd Module version bumps for debian fc patch from Russell Coker. 2011-11-16 15:31:48 -05:00
Chris PeBenito 370081cc60 Remove stray "A" from unconfined. 2011-09-14 12:46:56 -04:00
Sven Vermeulen 017b505110 Allow unconfined users to call portage features
The unconfined user is currently not allowed to call portage-related
functions. However, in a targeted system (with unconfined domains
enabled), users (including administrators) should be allowed to
transition to the portage domain.

We position the portage-related calls outside the "ifdef(distro_gentoo)"
as other distributions support Portage as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-14 12:33:11 -04:00
Chris PeBenito 1c5dacd2c0 Change secure_mode_insmod to control sys_module capability rather than controlling domain transitions to insmod.
Based on a patch from Dan Walsh.
2011-09-13 14:45:14 -04:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito 641ac05468 Hadoop cleanup and module version bump.
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation

> +files_read_all_files(hadoop_t)

A very big privilege.

and

> +fs_associate(hadoop_tasktracker_t)

This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
2010-10-07 10:57:55 -04:00
Paul Nuzzi bc71a042d8 hadoop 1/10 -- unconfined
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones.  Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init.  Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work.  All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t.  The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers.  Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.  I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments.  Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>

I did my best locking down the ports hadoop uses.  Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have.  Hopefully one day hadoop will settle on static ports.  I added hadoop_datanode port 50010 since it is important to lock down that service.  I changed the patch based on the rest of the comments.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2010-10-07 08:07:16 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00