Commit Graph

3456 Commits

Author SHA1 Message Date
Sven Vermeulen 9a680874fe Support LDAPS for nsswitch-related network activity
Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:33:43 -04:00
Chris PeBenito 540bc2d3b2 Module version bump for courier-imapd patch from Sven Vermeulen. 2011-08-24 09:26:42 -04:00
Sven Vermeulen 5296cfcdb9 Update file contexts for courier to support courier-imap
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:26:13 -04:00
Sven Vermeulen 32ed63a740 Fix zabbix_agentd context
The zabbix_agentd context was wrongfully set to the domain type instead of
the _exec_t type.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:21:21 -04:00
Chris PeBenito 12904f9fe8 Module version bump for dhcp client patch from Sven Vermeulen. 2011-08-24 09:15:33 -04:00
Sven Vermeulen 4976982e85 Allow dhcp client to update kernel routing table plus context updates
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.

Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:13:33 -04:00
Chris PeBenito 5802e169eb Module version bump for xfce bin file contexts patch from Sven Vermeulen. 2011-08-24 09:08:16 -04:00
Chris PeBenito a83b53041e Rearrange xfce corecommands fc entries. 2011-08-24 09:07:34 -04:00
Sven Vermeulen 7901eb059b Update file contexts for xfce4 helper applications
Many XFCE4 helper applications are located in /usr/lib locations. This patch
marks those helpers as bin_t.

Recursively marking the directories bin_t does not work properly as these
locations also contain actual libraries.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:56:47 -04:00
Chris PeBenito 12c3e8bf71 Module version bump for nagios checkdisk patch from Sven Vermeulen. 2011-08-24 08:56:33 -04:00
Sven Vermeulen eb6e425304 Nagios' checkdisk plugin requires getattr on the mountpoint directories
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:55:41 -04:00
Chris PeBenito 003361c264 Module version bump for xtables-multi patch from Sven Vermeulen. 2011-08-24 08:55:00 -04:00
Sven Vermeulen 2ebb974006 ip6?tables-multi is combined in xtables-multi
Since april, the *-multi applications offered through iptables are combined
through a single binary called xtables-multi. The previous commands are now
symbolic links towards this application.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:35:57 -04:00
Chris PeBenito f7a845fcca Module version bump for udp_socket listen dontaudit for all domains. 2011-08-23 08:29:03 -04:00
Chris PeBenito 78e65fb36c Module version bump for setfiles audit message patch from Roy Li. 2011-08-23 08:21:40 -04:00
Chris PeBenito 5d834aa7dd Whitespace fix in selinuxutil. 2011-08-23 08:21:40 -04:00
Roy.Li 0bd595020c Make setfiles be able to send audit messages.
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.

The test cases to reproduce this defect:
	=> restorecon -R /
	=> echo $?
	255
	=>

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
Chris PeBenito ec280b3209 Silence spurious udp_socket listen denials. 2011-08-23 08:21:40 -04:00
Chris PeBenito d3a85bbc0b Module version bump for zabbix patch from Sven Vermeulen. 2011-08-16 15:23:39 -04:00
Sven Vermeulen 0caefef811 Allow zabbix to connect to mysql through TCP
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:23:11 -04:00
Chris PeBenito 8f8d3f7caf Module version bump for nagios NRPE patch from Sven Vermeulen. 2011-08-16 15:21:58 -04:00
Sven Vermeulen 8d238a8308 Nagios NRPE client should be able to read its own configuration file
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:21:22 -04:00
Chris PeBenito 5f1189f0fe Module version bump for consolekit patch from Sven Vermeulen. 2011-08-16 15:21:01 -04:00
Sven Vermeulen 8365be4394 HAL support is not mandatory for ConsoleKit
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:20:14 -04:00
Chris PeBenito adddcf93f6 Fix unexpanded MLS/MCS fields in monolithic seusers file. 2011-08-12 08:28:37 -04:00
Chris PeBenito 8b3c840804 Whitespace fix in unprivuser. 2011-07-29 08:50:24 -04:00
Chris PeBenito 81eefe7ce9 Type transition fix in Postgresql database objects from KaiGai Kohei. 2011-07-29 08:42:53 -04:00
Chris PeBenito f1aed68ac3 Support for file context path substitutions (file_contexts.subs).
Install file_contexts.subs_dist out of Refpolicy. This is TYPE-agnostic
so the file goes in config/.  Populate the file with current substitutions.
2011-07-28 13:12:28 -04:00
Chris PeBenito f342e50500 Update VERSION and Changelog for release. 2011-07-26 08:15:53 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito 3cbc972771 Fix role declaration to handle new roleattribute requirements. 2011-07-25 12:10:05 -04:00
Chris PeBenito ee4bdf2959 Rename audioentropy module to entropyd due to haveged support. 2011-07-25 08:46:03 -04:00
Chris PeBenito 004e272212 Module version bump and changelog for haveged support from Sven Vermeulen. 2011-07-25 08:43:51 -04:00
Sven Vermeulen 7b84ef7aae Add file context rules for haveged
Add file context rules for haveged within the audioentropyd module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:45 -04:00
Sven Vermeulen 62cdea27c3 Update entropyd_t with privileges needed for haveged
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:40 -04:00
Sven Vermeulen 34aea93484 Separate sound specific items frmo general entropyd
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).

The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:35 -04:00
Chris PeBenito 95995f5048 Module version bump for portage updates from Sven Vermeulen. 2011-07-22 08:36:33 -04:00
Chris PeBenito f2a85d7d04 Rearrange a few lines in portage. 2011-07-22 08:25:53 -04:00
Sven Vermeulen 204529101f Support proxy/cache servers
Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:51 -04:00
Sven Vermeulen be42fbd8d4 Support live ebuilds through portage_srcrepo_t
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:45 -04:00
Sven Vermeulen 77cefbf2b4 Support NFS mounts for portage related locations
When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:36 -04:00
Chris PeBenito 6e742c4c63 Module version bump for NFS over TCP patchset. 2011-07-22 07:18:13 -04:00
Sven Vermeulen bdc0c3985b Allow kernel to access NFS/RPC TCP
Allow kernel_t to access the nfsd_t' tcp_sockets.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 07:03:51 -04:00
Sven Vermeulen 555cbbc5f5 Create interface for NFS/RPC TCP access
Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 07:03:41 -04:00
Chris PeBenito b594647caf Fix missing requires in /var/run and /var/lock symlink patch. 2011-07-18 14:12:07 -04:00
Chris PeBenito a29c7b86e1 Module version bump and Changelog for auth file patches from Matthew Ife. 2011-07-18 13:48:05 -04:00
Chris PeBenito a4912ae653 Whitespace fix in authlogin.if. 2011-07-18 13:46:18 -04:00
Matthew Ife 4ff4e1c505 Replace deprecated *_except_shadow macro calls with *_except_auth_files calls. 2011-07-18 13:40:38 -04:00
Matthew Ife 61fb2009ad Create a new attribute for auth_file types. Add shadow as an auth_file type. Add new interfaces to manage auth_file types Deprecate *_except_shadow macros in favour of *_except_auth_files 2011-07-18 13:40:37 -04:00
Chris PeBenito e5745955f9 Udev fc for /var/run/udev from Martin Orr.
This is intended to label /run/udev, but I am assuming that everyone
will use file_contexts.subs(_dist)? to substitute /var/run for /run,
since there are currently no other fcs for /run in refpolicy.

The label is udev_tbl_t instead of udev_var_run_t, because /run/udev
contains the data which used to be in /dev/.udev.
2011-07-18 13:36:27 -04:00