RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,014 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

3014 Commits

Author SHA1 Message Date
Dominick Grift 6a05763d51 su: do not audit attempts to search /root. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 08:47:02 -04:00
Chris PeBenito bd51fa387c Module version bump for Dominick's shutdown cleanup. 2010-10-07 13:07:07 -04:00
Dominick Grift a39e274f10 shutdown: search generic log directories. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift 5718c0a59a shutdown: needs to connect to init with a unix stream socket. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift a9acfbd613 shutdown: for sudo. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift c56123dc72 shutdown: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift e4efefc4fe shutdown: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift 08f1a0326d shutdown: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift 051f74edc0 shutdown: Fedora change. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Chris PeBenito 2f8f8e1368 Typo fix in hadoop. 2010-10-07 12:31:41 -04:00
Chris PeBenito 641ac05468 Hadoop cleanup and module version bump. 
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation

> +files_read_all_files(hadoop_t)

A very big privilege.

and

> +fs_associate(hadoop_tasktracker_t)

This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
 2010-10-07 10:57:55 -04:00
Paul Nuzzi bc71a042d8 hadoop 1/10 -- unconfined 
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones.  Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init.  Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work.  All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t.  The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers.  Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.  I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments.  Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>

I did my best locking down the ports hadoop uses.  Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have.  Hopefully one day hadoop will settle on static ports.  I added hadoop_datanode port 50010 since it is important to lock down that service.  I changed the patch based on the rest of the comments.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
 2010-10-07 08:07:16 -04:00
Chris PeBenito 3de55ab053 Module version bump for Dominick's rpm cleanup. 2010-10-06 09:04:31 -04:00
Dominick Grift b9df0a9727 rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 09:03:32 -04:00
Dominick Grift b7c851c66b rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift dcba9161a6 rpm: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift 34959a2210 rpm: (brace) expansion. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift d60649d9a1 rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Chris PeBenito 29b1bff0e1 Module version bump for Dominick's console cleanup. Also fix rule ordering. 2010-10-06 08:42:23 -04:00
Dominick Grift 5ec14d95fb consoletype: in fedora13 /dev/console is not labeled properly early in the boot process. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:40 -04:00
Dominick Grift 019ffc7d1d consoletype: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:39 -04:00
Chris PeBenito c1af955d07 Module version bump for Dominick's quota cleanup. 2010-10-06 08:35:25 -04:00
Dominick Grift 5f716ead5c quota: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:31 -04:00
Dominick Grift 0b217af214 quota: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:30 -04:00
Chris PeBenito 6d5cc8a096 Module version bump for Dominick's usermanage cleanup. 2010-10-05 15:27:06 -04:00
Dominick Grift 88c635d040 usermanage: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:42 -04:00
Dominick Grift e615cc410e usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift 4be6935276 usermanage: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift bab33c7b83 usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Chris PeBenito ae8f23fd6f Module version bump for Dominick's tzdata cleanup. 2010-10-05 15:21:52 -04:00
Dominick Grift b1e1e93b9f tzdata: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:17:10 -04:00
Chris PeBenito e7ee065485 Module version bump for Dominick's netutils cleanup. 2010-10-05 15:11:23 -04:00
Dominick Grift b306b5acaa netutils: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift 696a65867a netutils: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift 9d5094a3f8 netutils: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Chris PeBenito cacbc6b186 Module version bump for Dominick's logrotate cleanup. 2010-10-05 15:08:54 -04:00
Dominick Grift a1ac7d4fe3 logrotate: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:08:22 -04:00
Chris PeBenito 6a799b6bdc Module version bump for Dominick's cleanup. 2010-10-05 15:07:08 -04:00
Dominick Grift ecab2ccd69 brctl: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:35 -04:00
Dominick Grift 8f5cb4e977 brctl: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:20 -04:00
Dominick Grift 8f43f0294d brctl: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:05 -04:00
Chris PeBenito e5c41507c7 Module version bump for Dominick's bootloader cleanups. 2010-10-05 14:00:20 -04:00
Dominick Grift 23f4caad54 bootloader: permission set. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:59:05 -04:00
Dominick Grift eac0de8785 bootloader: unused. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:57:42 -04:00
Chris PeBenito 9e41622e49 Remove comment due to ace98b7. 2010-10-05 13:56:40 -04:00
Dominick Grift ace98b78df bootloader: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:54:07 -04:00
Chris PeBenito e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift 413aac13de Allow common users to manage and relabel Alsa home files. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:22 -04:00
Dominick Grift 329138beba Move oident manage and relabel home content interfaces to common user template. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:12 -04:00
Chris PeBenito db774a54a6 Add support for custom build options. 2010-09-30 14:53:44 -04:00