dae823c43a
Restorecon reads, and writes /dev/console before it is properly labeled
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:30:00 -04:00
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
8e00a439ef
Module verion bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen.
2012-05-10 10:36:06 -04:00
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
b72101a116
Module version bump and changelog for non-auth file attribute to eliminate set expressions, from James Carter.
2012-05-04 09:14:00 -04:00
624e73955d
Changed non-contrib policy to use the new non_auth_file_type interfaces
...
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
ee8210c690
Module version bump for make role attributes able to type their "own" types patch from Harry Ciao.
2012-02-27 10:25:08 -05:00
e707a70819
Rearrange role lines from "own" patch.
2012-02-27 10:18:00 -05:00
93c3ee8b7f
Make role attributes able to type their "own" types.
...
By default, any role attribute should be able to type their "own" types
that share the same prefix and used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly tansition into newrole_t. Without above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
7d6b1e5889
Module version bump and changelog for role attributes usage.
2011-09-21 09:16:34 -04:00
08cf443ff6
Add role attributes in newrole and run_init.
2011-09-21 08:27:34 -04:00
e3a043d18d
Convert selinuxutil over to role attributes for semanage.
2011-09-21 08:26:58 -04:00
f718181930
Module version bump for semanage permissive mode feature support.
2011-09-13 12:43:37 -04:00
f12ebf31e2
Support semanage permissive mode
...
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-13 12:36:48 -04:00
f07bc3f973
Module version and changelog for openrc and portage updates from Sven Vermeulen.
2011-09-06 14:02:12 -04:00
ca4d39d31c
Rename init_rc_exec() to init_exec_rc().
2011-09-06 13:58:04 -04:00
c5cbefb892
Gentoo integrated run_init support re-executes rc
...
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:37 -04:00
4a586153a1
Module version bump for load_policy dontaudit of leaked portage fds from Sven Vermeulen.
2011-08-25 07:46:26 -04:00
8dc4e0f223
Whitespace fixes in selinuxutil.
2011-08-25 07:43:36 -04:00
5d77246f5f
Do not audit the use of portage' filedescriptors from load_policy_t
...
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).
Hence, we dontaudit this use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
78e65fb36c
Module version bump for setfiles audit message patch from Roy Li.
2011-08-23 08:21:40 -04:00
5d834aa7dd
Whitespace fix in selinuxutil.
2011-08-23 08:21:40 -04:00
0bd595020c
Make setfiles be able to send audit messages.
...
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.
The test cases to reproduce this defect:
=> restorecon -R /
=> echo $?
255
=>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
a29c7b86e1
Module version bump and Changelog for auth file patches from Matthew Ife.
2011-07-18 13:48:05 -04:00
4ff4e1c505
Replace deprecated *_except_shadow macro calls with *_except_auth_files calls.
2011-07-18 13:40:38 -04:00
decb7de030
Module version bump and changelog for semanage update from Harry Ciao.
2011-01-10 09:21:11 -05:00
60a2ca249e
Remove redundant semanage rule.
2011-01-10 09:20:39 -05:00
f2b3338362
semanage_t able to read from user homedirs.
...
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with below error messages.
BTW, semanage_t should be able to upgrade existing pp no matter if the
MLS is enabled or not.
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root@qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root@qemu-host:/root>
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 09:13:23 -05:00
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
72c8a37c2b
Setfiles fix from Gentoo.
2010-02-17 20:30:42 -05:00
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
f0435b1ac4
trunk: add support for labeled booleans.
2009-01-13 13:01:48 +00:00
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
932c3536f8
trunk: additional open fixes.
2008-11-04 14:37:05 +00:00
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
5d4f4b5375
trunk: bump version numbers for release.
2008-10-14 15:46:36 +00:00
04d2861035
trunk: missing bits from dan's previous round of patches.
2008-10-09 14:01:53 +00:00
cfcf5004e5
trunk: bump versions for release.
2008-07-02 14:07:57 +00:00
d87efeec73
trunk: fixes for gentoo targeted systems.
2008-05-27 12:07:03 +00:00
e9c6cda7da
trunk: Move user roles into individual modules.
2008-04-29 13:58:34 +00:00
0a14f3ae09
trunk: bump module version numbers for release.
2008-04-02 16:04:43 +00:00
12cf805e1c
trunk: add basic ubuntu support
2008-02-05 18:24:43 +00:00
9323a50bcc
trunk: add run_init domtrans to chk passwd.
2008-01-03 19:46:40 +00:00
f7925f25f7
trunk: bump module versions for release.
2007-12-14 14:23:18 +00:00
f98cfb5a29
trunk: version bump for newrole fixes.
2007-11-28 20:20:49 +00:00
6138d3da0e
trunk: test fix for newrole.
2007-11-28 18:39:47 +00:00
1483be1fe5
trunk: handle early boot on debian, for /dev labeling.
2007-11-26 20:22:17 +00:00
2f5c2f23da
trunk: remove duplicate init_system_domain() call for setfiles, from Vaclav Ovsik.
2007-11-26 19:32:51 +00:00
013783b2b1
trunk: switch newrole and run_init over to use nsswitch.
2007-11-16 15:58:23 +00:00
53da70cdaa
trunk: deprecate seutil_manage_selinux_config() in favor of correctly named seutil_manage_config().
2007-11-16 15:39:55 +00:00
389ad7b48d
trunk: reorganize selinuxutil.
2007-11-16 15:39:09 +00:00
eeef8dc451
trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.
2007-11-16 14:58:17 +00:00
ef659a476e
Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros.
2007-10-09 17:29:48 +00:00
12e9ea1ae3
trunk: module version bumps for previous commit.
2007-10-02 17:15:07 +00:00
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
3480f3f239
trunk: bump version numbers for release.
2007-09-28 13:58:24 +00:00
abc89340c4
trunk: two tiny patches from Stefan Schulze Frielinghaus
2007-09-06 19:29:54 +00:00
f8233ab7b0
trunk: Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency.
2007-08-20 18:26:08 +00:00
2d0c9cecaf
trunk: several MLS enhancements.
2007-08-20 15:15:03 +00:00
d46cfe45cd
trunk: add application module
2007-07-19 18:57:48 +00:00
116c1da330
trunk: update module version numbers for release.
2007-06-29 14:48:13 +00:00
762d2cb989
merge restorecon into setfiles
2007-05-11 17:10:43 +00:00
0251df3e39
bump module versions for release
2007-04-17 13:28:09 +00:00
8021cb4f63
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00
a5f5eba459
Add dontaudits for init fds and console to init_daemon_domain().
2007-03-20 18:47:18 +00:00
6b19be3360
patch from dan, Thu, 2007-01-25 at 08:12 -0500
2007-02-16 23:01:42 +00:00
42c5c5f612
bump versions for release.
2006-12-12 21:22:47 +00:00
c0868a7a3b
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
d6d16b9796
patch from dan Wed, 29 Nov 2006 17:06:40 -0500
2006-12-04 20:10:56 +00:00
ed38ca9f3d
fixes from gentoo strict testing:
...
- Allow semanage to read from /root on strict non-MLS for
local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
on clients.
2006-11-13 03:24:07 +00:00
d9845ae92a
patch from dan Tue, 24 Oct 2006 11:00:28 -0400
2006-10-31 21:01:48 +00:00
582438054d
fix up corecommands perm sets, add seutil_manage_config_dirs()
2006-10-27 13:55:35 +00:00
a8671ae5b2
enhanced setransd support from darrel goeddel
2006-10-20 14:44:23 +00:00
a52b4d4f23
bump versions to release numbers
2006-10-18 19:25:27 +00:00
93ddc66983
change transition from run_init to initrc to spec.
2006-10-09 18:52:19 +00:00
e070dd2df0
- Move range transitions to modules.
...
- Make number of MLS sensitivities, and number of MLS and MCS
categories configurable as build options.
2006-10-04 17:25:34 +00:00
8708d9bef2
patch from dan Wed, 20 Sep 2006 12:12:49 -0400
2006-09-22 17:14:35 +00:00
13d7cec671
patch from erich Sat, 02 Sep 2006 03:37:44 +0200
2006-09-04 18:22:12 +00:00
5dbda5558a
patch from dan Fri, 01 Sep 2006 15:45:24 -0400
2006-09-04 15:15:35 +00:00
eac818f040
patch from dan Thu, 31 Aug 2006 15:16:30 -0400
2006-09-01 15:52:05 +00:00
a5e2133bc8
patch from dan Wed, 23 Aug 2006 14:03:49 -0400
2006-08-29 02:41:00 +00:00
98de871cee
more strict testing fixes
2006-08-23 19:36:04 +00:00
3ef029db7c
add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups.
2006-08-22 19:37:56 +00:00
4bc6e32e28
fix for netfilter_contexts
2006-08-18 14:01:48 +00:00
46551033aa
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
2006-07-28 15:13:58 +00:00
da9bbc655a
fix up audit message perms now that audit_write denials are being audited by the kernel.
2006-07-13 17:22:08 +00:00
17de1b790b
remove extra level of directory
2006-07-12 20:32:27 +00:00
Dominick Grift
Chris PeBenito
James Carter
Harry Ciao
Sven Vermeulen
Roy.Li
Matthew Ife
Chris PeBenito