Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.

Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.

This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs; I don't think it's
everything that systemd_machined_t needs, but it's a start.
It has some changes for udev_t for systemd-udevd.

Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

The udev daemon should be able to load kernel modules not only on
systems using systemd but also on systems using former versions of
the udev daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

Update the udev module so that the udev domain can manage tmpfs files
and directories.
Thanks to Christian Göttsche for pointing out that this only applies
to systems not using systemd (v2).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
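Two of the messages above describe the same maintenance concern from different angles: the first removes complement (~) and wildcard (*) permission sets from allow rules because they silently grow when a class gains new permissions, and the netlink change warns that rules written on the generic :netlink_socket class may need rewriting for the more specific classes. As an added example, not part of any of these patches and not refpolicy's own tooling, here is a small Python checker that flags both patterns in single-line allow rules. The domain names and rules in SAMPLE_TE are constructed for the demo; the parser only handles one rule per line and does not expand class sets or interface macros.

```python
import re
from typing import Dict, List

# Constructed sample fragment in the SELinux policy language. These rules are
# made up for the demo and are not taken from refpolicy.
SAMPLE_TE = """\
# constructed examples
allow udev_t self:netlink_socket { create read write };
allow iptables_t self:netlink_socket *;
allow dpkg_t bin_t:file ~{ entrypoint execmod };
allow sshd_t self:capability { net_bind_service };
allow sshd_t self:capability net_admin;
"""

# Matches single-line allow rules of the form
#   allow <source> <target>:<class> <permission set>;
# Multi-line rules, class sets such as { file dir } and rules wrapped in
# interface macros are deliberately out of scope for this checker.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+(?P<perms>.+?)\s*;\s*$"
)


def parse_allow_rules(policy_text: str) -> List[Dict]:
    """Parse allow rules and record whether each permission set is open-ended.

    A permission set is open-ended when it is the wildcard '*' or a complement
    '~{ ... }': both grant more than the author listed as soon as a new
    permission is declared for the class.
    """
    rules = []
    for lineno, line in enumerate(policy_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        raw = m.group("perms").strip()
        wildcard = raw == "*"
        complement = raw.startswith("~")
        # Permission names actually written in the rule (empty for '*').
        names = [] if wildcard else raw.lstrip("~").strip("{} ").split()
        rules.append(
            {
                "line": lineno,
                "source": m.group("src"),
                "target": m.group("tgt"),
                "class": m.group("cls"),
                "perms": names,
                "wildcard": wildcard,
                "complement": complement,
            }
        )
    return rules


def find_open_ended_rules(policy_text: str) -> List[Dict]:
    """Rules using '*' or '~', whose effective grants change when a class gains permissions."""
    return [r for r in parse_allow_rules(policy_text) if r["wildcard"] or r["complement"]]


def find_generic_netlink_rules(policy_text: str) -> List[Dict]:
    """Rules on the generic netlink_socket class that may need a more specific class."""
    return [r for r in parse_allow_rules(policy_text) if r["class"] == "netlink_socket"]


def lint(policy_text: str) -> List[str]:
    """Human-readable findings, one per flagged rule."""
    findings = []
    for r in find_open_ended_rules(policy_text):
        kind = "wildcard" if r["wildcard"] else "complement"
        findings.append(
            f"line {r['line']}: {kind} permission set on "
            f"{r['source']} {r['target']}:{r['class']}; list permissions explicitly"
        )
    for r in find_generic_netlink_rules(policy_text):
        findings.append(
            f"line {r['line']}: {r['source']} uses generic :netlink_socket; "
            f"check whether a specific netlink class applies"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_TE):
        print(finding)
```

Run against the sample it reports the wildcard rule for iptables_t, the complement rule for dpkg_t, and the two generic :netlink_socket rules. Pointing `lint()` at a real .te file gives a quick first pass before a policy build, but anything flagged still needs a human decision on which explicit permissions or which specific netlink class is right for that domain.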

Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.
Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.

Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.
This patch has been taken from the Fedora policy