Commit Graph

2119 Commits

Author SHA1 Message Date
Laurent Bigonville 81570b1eb4 Properly label git-shell and other git commands for Debian 2014-03-14 11:14:43 -04:00
Chris PeBenito 4caf0885bf Module version bump for postgresql fc entries from Luis Ressel. 2014-03-14 10:59:45 -04:00
Chris PeBenito a72bd68428 Whitespace fix in postgresql.fc 2014-03-14 10:10:32 -04:00
Luis Ressel defc62bf33 Add two postgresql file contexts from gentoo policy
Gentoo appends version numbers to the names of the init script and the
config directory.
2014-03-14 10:08:18 -04:00
Chris PeBenito a82a6a80a1 Update Changelog and VERSION for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito a5054f1135 Update contrib. 2014-03-11 08:15:14 -04:00
Chris PeBenito d6365192c2 Update contrib. 2014-03-03 09:07:16 -05:00
Chris PeBenito 4dbe95d58b Module version bump for bootloader fc fixes from Luis Ressel. 2014-03-03 09:07:00 -05:00
Luis Ressel f8eb4e3b3b Label grub2-install as bootloader_exec_t 2014-03-03 08:45:10 -05:00
Luis Ressel c2a9b89c5f Generalize grub2 pattern
GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.
2014-03-03 08:44:41 -05:00
Chris PeBenito 681c3d451c Update contrib. 2014-02-15 15:04:12 -05:00
Luis Ressel a10fefcd39 Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Luis Ressel f824120b6d Use xattr-labeling for squashfs.
This is taken from the Fedora policy (authors: Dan Walsh, Miroslav
Grepl) and dates back to 2011 there.
2014-02-15 14:34:10 -05:00
Chris PeBenito 3501307078 Fix read loopback file interface. 2014-02-08 11:35:57 -05:00
Chris PeBenito 92cd2e251c Module version bump for loopback file mounting fixes from Luis Ressel. 2014-02-08 10:50:34 -05:00
Chris PeBenito acf1229dad Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Chris PeBenito 38a2d8e581 Move loop control interface definition. 2014-02-08 10:48:50 -05:00
Luis Ressel 7ac64b8a5a Grant kernel_t necessary permissions for loopback mounts
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Luis Ressel 24be4c0096 Allow mount_t usage of /dev/loop-control
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel 09370605a3 system/mount.if: Add mount_read_mount_loopback interface 2014-02-08 10:32:44 -05:00
Luis Ressel 781377da9f kernel/devices.if: Add dev_rw_loop_control interface 2014-02-08 10:32:44 -05:00
Chris PeBenito 3bb3d9e79e Module version bump for sesh fc from Nicolas Iooss. 2014-02-08 09:57:32 -05:00
Nicolas Iooss f003497bcb Label /usr/lib/sudo/sesh as shell_exec_t 2014-02-08 09:50:09 -05:00
Chris PeBenito 3c4a9cde0e Update contrib. 2014-02-08 09:42:54 -05:00
Chris PeBenito f097b7ab4e Move bin_t fc from couchdb to corecommands. 2014-02-08 09:42:43 -05:00
Chris PeBenito dd0df56c26 Module version bump for files_dontaudit_list_var() interface from Luis Ressel. 2014-02-08 09:04:18 -05:00
Luis Ressel 7381deb292 kernel/files.if: Add files_dontaudit_list_var interface
This is required for an update of the couchdb policy.
2014-02-08 09:02:57 -05:00
Chris PeBenito 22d7dac75b Module version bump for ssh use of gpg-agent from Luis Ressel. 2014-02-08 08:41:05 -05:00
Chris PeBenito 7e71b34b09 Rearrange gpg agent calls. 2014-02-08 08:40:37 -05:00
Chris PeBenito 4ef4e0674d Rename gpg_agent_connect to gpg_stream_connect_agent. 2014-02-08 08:24:41 -05:00
Luis Ressel bda6528039 Conditionally allow ssh to use gpg-agent
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
2014-02-08 08:10:16 -05:00
Chris PeBenito b244f47319 Module version bump for pid file directory from Russell Coker/Laurent Bigonville. 2014-02-06 09:14:31 -05:00
Laurent Bigonville d6751cb2f4 Move the ifdef at the end of the declaration block 2014-02-06 09:14:31 -05:00
Laurent Bigonville f2313e5304 Add fcontext for sshd pidfile and directory used for privsep
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
2014-02-06 09:14:31 -05:00
Chris PeBenito 33b03a653e Update contrib. 2014-01-31 22:54:14 -05:00
Chris PeBenito d5a562246e Module version bump for logging fc patch from Laurent Bigonville. 2014-01-31 22:24:08 -05:00
Laurent Bigonville 64be72b662 Add fcontext for rsyslog pidfile 2014-01-31 21:54:40 -05:00
Chris PeBenito 41ee5421a7 Module version bump for unconfined transition to dpkg from Laurent Bigonville. 2014-01-27 13:19:57 -05:00
Laurent Bigonville 0e1c64f3bb Allow unconfined users to transition to dpkg_t domain
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito 3ffc91fff4 Module version bump for ZFS tools fc entries from Matthew Thode. 2014-01-21 08:55:37 -05:00
Chris PeBenito 734aebb02d Rearrange ZFS fc entries. 2014-01-21 08:55:28 -05:00
Chris PeBenito 496faf8c43 Fix ZFS fc escaping in mount. 2014-01-21 08:54:59 -05:00
Chris PeBenito 971c2fa6a4 Remove ZFS symlink labeling. 2014-01-21 08:52:24 -05:00
Matthew Thode fd9c2fc1e6 Extending support for SELinux on ZFS
Signed-off-by: Matthew Thode <mthode@mthode.org>
2014-01-21 08:43:40 -05:00
Chris PeBenito 0075ffb8b3 Module version bump for module store labeling fixes from Laurent Bigonville. 2014-01-17 08:54:08 -05:00
Laurent Bigonville be12f4dc18 Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Move the filetrans_pattern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory
2014-01-16 16:12:44 -05:00
Chris PeBenito d3af996d01 Module version bump for direct initrc fixes from Dominick Grift. 2014-01-16 16:11:02 -05:00
Dominick Grift 493ca67e54 Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Dominick Grift 2be58db792 Change behavior of init_run_daemon()
Callers of init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.

The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 14:42:00 -05:00