Chris PeBenito
60d8b699fb
Change policy_config_t to a security file type.
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito
0a088aa8ac
Module version bumps for further init_startstop_service() changes from Jason Zaman.
2015-05-27 14:50:45 -04:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
b86c6004d4
Module version bump for module store move from Steve Lawrence.
2014-12-03 13:37:02 -05:00
Steve Lawrence
418b3c78bb
Update policy for selinux userspace moving the policy store to /var/lib/selinux
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatibility.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 13:36:31 -05:00
Chris PeBenito
3b697dbb25
Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville
86a429de23
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
Use the new fs_getattr_all_xattr_fs() interface to allow the setfiles_t and
restorecond_t domains to also get the attributes on pseudo-filesystems
that support xattrs.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
2014-04-11 09:08:19 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
0075ffb8b3
Module version bump for module store labeling fixes from Laurent Bigonville.
2014-01-17 08:54:08 -05:00
Laurent Bigonville
be12f4dc18
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Move the filetrans_pattern out of the seutil_manage_module_store
interface, as only semanage_t should be creating this directory.
2014-01-16 16:12:44 -05:00
Chris PeBenito
9d6546a472
Module version bumps for syslog-ng and semodule updates.
2013-11-13 09:27:21 -05:00
Chris PeBenito
20471346ed
Silence symlink reading by setfiles since it doesn't follow symlinks anyway.
2013-09-27 17:09:43 -04:00
Chris PeBenito
7174140178
Module version bump for xserver and selinuxutil updates from Dominick Grift.
2013-09-26 08:32:33 -04:00
Chris PeBenito
b2eaf87020
Add comment for setfiles using /dev/console when it needs to be relabeled.
2013-09-26 08:31:41 -04:00
Dominick Grift
dae823c43a
Restorecon reads and writes /dev/console before it is properly labeled
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:30:00 -04:00
Chris PeBenito
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
Chris PeBenito
8e00a439ef
Module version bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen.
2012-05-10 10:36:06 -04:00
Chris PeBenito
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
Chris PeBenito
b72101a116
Module version bump and changelog for non-auth file attribute to eliminate set expressions, from James Carter.
2012-05-04 09:14:00 -04:00
James Carter
624e73955d
Changed non-contrib policy to use the new non_auth_file_type interfaces
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
Chris PeBenito
ee8210c690
Module version bump for make role attributes able to type their "own" types patch from Harry Ciao.
2012-02-27 10:25:08 -05:00
Chris PeBenito
e707a70819
Rearrange role lines from "own" patch.
2012-02-27 10:18:00 -05:00
Harry Ciao
93c3ee8b7f
Make role attributes able to type their "own" types.
By default, any role attribute should be able to type their "own" types
that share the same prefix and are used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly transition into newrole_t. Without the above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
Chris PeBenito
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
Chris PeBenito
7d6b1e5889
Module version bump and changelog for role attributes usage.
2011-09-21 09:16:34 -04:00
Chris PeBenito
08cf443ff6
Add role attributes in newrole and run_init.
2011-09-21 08:27:34 -04:00
Chris PeBenito
e3a043d18d
Convert selinuxutil over to role attributes for semanage.
2011-09-21 08:26:58 -04:00
Chris PeBenito
f718181930
Module version bump for semanage permissive mode feature support.
2011-09-13 12:43:37 -04:00
Sven Vermeulen
f12ebf31e2
Support semanage permissive mode
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-13 12:36:48 -04:00
Chris PeBenito
f07bc3f973
Module version and changelog for openrc and portage updates from Sven Vermeulen.
2011-09-06 14:02:12 -04:00
Chris PeBenito
ca4d39d31c
Rename init_rc_exec() to init_exec_rc().
2011-09-06 13:58:04 -04:00
Sven Vermeulen
c5cbefb892
Gentoo integrated run_init support re-executes rc
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:37 -04:00
Chris PeBenito
4a586153a1
Module version bump for load_policy dontaudit of leaked portage fds from Sven Vermeulen.
2011-08-25 07:46:26 -04:00
Chris PeBenito
8dc4e0f223
Whitespace fixes in selinuxutil.
2011-08-25 07:43:36 -04:00
Sven Vermeulen
5d77246f5f
Do not audit the use of portage's file descriptors from load_policy_t
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).
Hence, we dontaudit this use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Chris PeBenito
78e65fb36c
Module version bump for setfiles audit message patch from Roy Li.
2011-08-23 08:21:40 -04:00
Chris PeBenito
5d834aa7dd
Whitespace fix in selinuxutil.
2011-08-23 08:21:40 -04:00
Roy.Li
0bd595020c
Make setfiles be able to send audit messages.
When the audit subsystem is enabled and setfiles works from the root
dir, setfiles would send the AUDIT_FS_RELABEL information to the
audit system. If it has no permission to send the information to audit
via netlink, setfiles would return an error.
The test cases to reproduce this defect:
=> restorecon -R /
=> echo $?
255
=>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
a29c7b86e1
Module version bump and Changelog for auth file patches from Matthew Ife.
2011-07-18 13:48:05 -04:00
Matthew Ife
4ff4e1c505
Replace deprecated *_except_shadow macro calls with *_except_auth_files calls.
2011-07-18 13:40:38 -04:00
Chris PeBenito
decb7de030
Module version bump and changelog for semanage update from Harry Ciao.
2011-01-10 09:21:11 -05:00
Chris PeBenito
60a2ca249e
Remove redundant semanage rule.
2011-01-10 09:20:39 -05:00
Harry Ciao
f2b3338362
semanage_t able to read from user homedirs.
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with the below error messages.
BTW, semanage_t should be able to upgrade an existing pp no matter whether
MLS is enabled or not.
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc: denied { search } for pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule: Failed on selinuxutil.pp!
root@qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc: denied { search } for pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc: denied { read } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc: denied { open } for pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc: denied { getattr } for pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root@qemu-host:/root>
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 09:13:23 -05:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
72c8a37c2b
Setfiles fix from Gentoo.
2010-02-17 20:30:42 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00