RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,649 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

3649 Commits

Author SHA1 Message Date
Dominick Grift 57f62fe531 xserver: associate xconsole_device_t (/dev/xconsole) to device_t (devtmpfs) 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 14:44:46 -04:00
Dominick Grift cb306b0c95 xserver: catch /run/gdm3 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 14:44:13 -04:00
Chris PeBenito f0ad29f609 Module version bump for debian ifstate changes from Dominick Grift. 2013-09-27 14:42:47 -04:00
Chris PeBenito b4b077f3fd Rearrange sysnet if blocks. 2013-09-27 14:41:54 -04:00
Dominick Grift ac5d072465 sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script. 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-27 14:39:29 -04:00
Chris PeBenito 360438c194 Module version bump for xdm dbus access from Dominick Grift. 2013-09-26 11:09:28 -04:00
Dominick Grift 2aad2492e9 xdm: is a system bus client and acquires service on the system bus xdm: dbus chat with accounts-daemon 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 10:51:02 -04:00
Chris PeBenito 77f13c4993 Module version bump for slim fc entries from Sven Vermeulen. 2013-09-26 10:48:55 -04:00
Sven Vermeulen 34038013c7 Extend slim /var/run expression 
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.

There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.

Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2013-09-26 10:47:50 -04:00
Chris PeBenito fa50eb742f Module version bump for ping capabilities from Sven Vermeulen. 2013-09-26 10:47:32 -04:00
Sven Vermeulen 56c43144d7 Allow ping to get/set capabilities 
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2013-09-26 10:46:33 -04:00
Chris PeBenito 7aed0fd9dd Module version bump for init interface and corecommand fc from Dominick Grift. 2013-09-26 10:45:51 -04:00
Dominick Grift ceb6e7fcfb corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 10:32:23 -04:00
Dominick Grift da5f2acb27 init: create init_use_inherited_script_ptys() for tmpreaper (Debian) 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 10:30:59 -04:00
Chris PeBenito 3d08aca2f4 Module version bump for virtio console from Dominick Grift. 2013-09-26 10:28:55 -04:00
Chris PeBenito 1070ba4ff9 Whitespace fix in terminal.te. 2013-09-26 10:28:24 -04:00
Dominick Grift a43a205931 Initial virtio console device 
Also known as 'vmchannel', a transport mechanism is needed for
communication between the host userspace and guest userspace for
achieving things like making clipboard copy/paste work seamlessly across
the host and guest, locking the guest screen in case the vnc session to
the guest is closed and so on. This can be used in offline cases as
well, for example with libguestfs to probe which file systems the guest
uses, the apps installed, etc.

Virtio-serial is just the transport protocol that will enable such
applications to be written. It has two parts: (a) device emulation in
qemu that presents a virtio-pci device to the guest and (b) a guest
driver that presents a char device interface to userspace applications.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 10:27:29 -04:00
Chris PeBenito dd1b596ae7 Module version bump for unconfined dbus fixes from Dominick Grift. 2013-09-26 10:25:47 -04:00
Dominick Grift 1a88de7131 Unconfined domains have unconfined access to all of dbus rather than only system bus 
unconfined: unconfined_t is real-time scheduled by rtkit

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 10:14:30 -04:00
Chris PeBenito ed1e6abc11 Update contrib. 2013-09-26 10:04:12 -04:00
Chris PeBenito 7f736f3587 Module version bump for selinuxfs location change from Dominick Grift. 2013-09-26 09:52:37 -04:00
Dominick Grift e6e9e2d08b selinux: selinuxfs is now mounted under /sys/fs/selinux instead of /selinux, so we need to allow domains that use selinuxfs to interface with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:51:01 -04:00
Chris PeBenito 0a60e5753f Module version bump for udev Debian fixes from Dominick Grift. 2013-09-26 09:41:25 -04:00
Chris PeBenito 8e01aff2a5 Add comment for debian avahi-daemon-check-dns.sh usage by udev 2013-09-26 09:41:09 -04:00
Dominick Grift 5db6014548 udev: This is specific to debian i think. Some how the /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain 
The script basically does what the name suggests, and additionally it
need to be able to stop and start avahi-daemon via its init script

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:39:33 -04:00
Chris PeBenito 50e5772ead Module version bump for restricted x user template fix from Dominick Grift. 2013-09-26 09:29:42 -04:00
Dominick Grift 3b0eefcc9e userdomain: restricted xwindows user (squash me) 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:28:55 -04:00
Chris PeBenito a2aeeefd98 Module version bump for fc fix in authlogin from Dominick Grift. 2013-09-26 09:27:04 -04:00
Dominick Grift 4f063c94d9 authlogin: Sudo file context specification did not catch paths (squash me) 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:25:27 -04:00
Chris PeBenito 5a727e1c60 Module version bump for lvm update from Dominick Grift. 2013-09-26 09:24:58 -04:00
Dominick Grift 43d6ac3f8e lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:16:36 -04:00
Chris PeBenito 48a55abb0f Module version bump for sysadm fix for git role usage from Dominick Grift. 2013-09-26 09:16:03 -04:00
Dominick Grift ab3b84ecec sysadm: Doesnt work with direct_initrc = y 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 09:14:12 -04:00
Chris PeBenito 55ac5a503d Module version bump for ethtool reading pm-powersave.lock from Dominick Grift. 2013-09-26 09:14:07 -04:00
Dominick Grift 7c6ba1570e sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 08:57:19 -04:00
Chris PeBenito 5544324eb6 Module version bump for syslog reading overcommit_memory from Dominick Grift. 2013-09-26 08:54:47 -04:00
Dominick Grift d66cfb529b logging: syslog (rs:main Q:Reg) reading sysctl_vm files (overcommit_memory) in Debian 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 08:49:38 -04:00
Chris PeBenito 0b1efe5612 Module version bump for tmpfs associate to device_t from Dominick Grift. 2013-09-26 08:48:48 -04:00
Dominick Grift e3072cb7bf filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 08:46:36 -04:00
Chris PeBenito 7174140178 Module version bump for xserver and selinuxutil updates from Dominick Grift. 2013-09-26 08:32:33 -04:00
Chris PeBenito b2eaf87020 Add comment for setfiles using /dev/console when it needs to be relabeled. 2013-09-26 08:31:41 -04:00
Dominick Grift dae823c43a Restorecon reads, and writes /dev/console before it is properly labeled 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 08:30:00 -04:00
Dominick Grift 1a5c0ec970 These regular expressions were not matched 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-26 08:23:37 -04:00
Chris PeBenito 2f6ea284d2 Update contrib. 2013-09-23 15:47:09 -04:00
Chris PeBenito 65499f0580 Module version bump for redis port from Dominick Grift. 2013-09-23 15:47:00 -04:00
Dominick Grift b44a96030e Support redis port tcp,6379 
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-23 14:44:16 -04:00
Chris PeBenito 951462610d Module version bump for pstore filesystem support from Dominick Grift. 2013-09-23 14:41:03 -04:00
Dominick Grift bf1ab85c1f Initial pstore support 
Generic interface to platform dependent persistent storage
https://www.kernel.org/doc/Documentation/ABI/testing/pstore

This basically works pretty much the same as cgroup file systems from a
SELinux perspective

Make sure that the installed /sys/fs/pstore directory is labeled
properly so that the pstore file system can be mounted on that

I also removed the files_type() calls as they are duplicate (it is
already called in files_mountpoint)

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
 2013-09-23 14:31:20 -04:00
Chris PeBenito 36e088fa43 Module version bump for kerberos keytab changes for ssh from Dominick Grift. 2013-09-23 14:28:00 -04:00
Chris PeBenito 0656a81019 Fix support/policyvers.py not to error if building policy on a SELinux-disabled system. 2013-09-23 14:26:32 -04:00