Commit Graph

410 Commits

Author SHA1 Message Date
Chris PeBenito 466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito 019dfaf9dc trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project. 2009-01-15 20:31:06 +00:00
Chris PeBenito 9e7a338509 trunk: su fixes from clip. 2009-01-13 19:44:23 +00:00
Chris PeBenito f0435b1ac4 trunk: add support for labeled booleans. 2009-01-13 13:01:48 +00:00
Chris PeBenito c1262146e0 trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00
Chris PeBenito 347a701119 trunk: Add kernel_service access vectors, from Stephen Smalley. 2009-01-05 21:44:33 +00:00
Chris PeBenito e66a0cad18 trunk: check in version and changelog for release. 2008-12-10 19:49:42 +00:00
Chris PeBenito 3196971ae8 trunk: Fix consistency of audioentropy and iscsi module naming. 2008-12-09 16:47:33 +00:00
Chris PeBenito b3eb124654 trunk: Debian file context fix for xen from Russell Coker. 2008-11-24 15:34:54 +00:00
Chris PeBenito b9e5238a24 trunk: add milter module from Paul Howarth. 2008-11-24 15:06:58 +00:00
Chris PeBenito 7f49194215 trunk: Xserver MLS fix from Eamon Walsh. 2008-11-17 13:49:19 +00:00
Chris PeBenito 99282e6be0 trunk: add omapi port for dhcpcd. 2008-11-12 13:11:00 +00:00
Chris PeBenito 296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito 6e68e6bb5e trunk: Move shared library calls from individual modules to the domain module. 2008-10-17 17:36:56 +00:00
Chris PeBenito 0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito aea3f28e40 trunk: Remove hierarchy from portage module as it is not a good example of hieararchy. 2008-10-15 19:56:33 +00:00
Chris PeBenito b19f862271 trunk: Remove enableaudit target from modular build as semodule -DB supplants it. 2008-10-15 14:30:14 +00:00
Chris PeBenito 40db860272 trunk: version bits for the release. 2008-10-14 17:38:03 +00:00
Chris PeBenito 967fd1ba3f trunk: 8 patches from dan. 2008-10-08 20:03:24 +00:00
Chris PeBenito 73edbc9101 trunk: add oident from dominick grift. 2008-10-06 14:01:59 +00:00
Chris PeBenito 52ceaaac6e trunk: Debian update for NetworkManager/wpa_supplicant from Martin Orr. 2008-09-11 14:02:53 +00:00
Chris PeBenito a71e136cc3 trunk: add cyphesis from dan. 2008-09-03 14:46:10 +00:00
Chris PeBenito e40fa634b2 trunk: Logrotate and Bind updates from Vaclav Ovsik. 2008-09-03 14:12:56 +00:00
Chris PeBenito 6cc3f35635 trunk: first part of init script labeling support. 2008-08-29 19:00:02 +00:00
Chris PeBenito 32f8ff393b trunk: add w3c from dan. 2008-08-21 13:52:52 +00:00
Chris PeBenito 9c4500b2f4 trunk: Glibc 2.7 fix from Vaclav Ovsik. 2008-08-12 19:33:18 +00:00
Chris PeBenito 8a948caf2b trunk: 11 more cherry picks from fedora policy, by david hardeman. 2008-08-07 14:17:50 +00:00
Chris PeBenito b81bfc2651 trunk: Samba/winbind update from Mike Edenfield. 2008-08-05 12:54:11 +00:00
Chris PeBenito 3338f231d5 trunk: Policy size optimization with a non-security file attribute from James Carter. 2008-07-31 14:05:46 +00:00
Chris PeBenito dc1920b218 trunk: Database labeled networking update from KaiGai Kohei. 2008-07-25 04:07:09 +00:00
Chris PeBenito 6224fc1485 trunk: 7 patches from Fedora policy, cherry picked by david hrdeman. 2008-07-24 23:56:03 +00:00
Chris PeBenito 0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito 2b592aa495 trunk: pam_mount fix for local login from Stefan Schulze Frielinghaus 2008-07-18 13:25:31 +00:00
Chris PeBenito 4459a7c086 trunk: update init_telinit() for upstart's datagram socket usage instead of pipe useage. 2008-07-15 15:33:51 +00:00
Chris PeBenito e64c38c7a4 trunk: VERSION and Changelog update for release. 2008-07-02 15:39:31 +00:00
Chris PeBenito e311e23a44 trunk: Fix httpd_enable_homedirs to actually provide the access it is supposed to provide. 2008-07-01 13:57:53 +00:00
Chris PeBenito c5cfd2d405 trunk: Add unused interface/template parameter metadata in XML. 2008-06-24 14:23:40 +00:00
Chris PeBenito 8c6292b7a4 trunk: Patch to handle postfix data_directory from Vaclav Ovsik. 2008-06-24 13:21:35 +00:00
Chris PeBenito 131634a581 trunk: podsleuth and hal updates from dan. 2008-06-17 14:07:44 +00:00
Chris PeBenito eb4216397c trunk: add qemu and virt from dan. 2008-06-16 18:59:07 +00:00
Chris PeBenito e8cb08aefa trunk: add sepostgresql policy from kaigai kohei. 2008-06-10 15:33:18 +00:00
Chris PeBenito ef55a11980 trunk: Patch for X.org dbus support from Martin Orr. 2008-06-07 13:31:48 +00:00
Chris PeBenito cdbd09f65e trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00
Chris PeBenito 308baad28c trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore. 2008-05-26 18:38:06 +00:00
Chris PeBenito 782c10e949 trunk: add kerneloops from dan. 2008-05-26 17:47:49 +00:00
Chris PeBenito ff79b83c51 trunk: add kismet from dan. 2008-05-26 15:35:25 +00:00
Chris PeBenito 4416c416fa trunk: Module loading now requires setsched on kernel threads. 2008-05-22 18:39:03 +00:00
Chris PeBenito a42ce93a4d trunk: Patch to allow gpg agent --write-env-file option from Vaclav Ovsik. 2008-05-12 20:05:32 +00:00
Chris PeBenito d923d54c08 trunk: X application data class from Eamon Walsh and Ted Toth. 2008-05-06 14:37:05 +00:00
Chris PeBenito e9c6cda7da trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
Chris PeBenito 7e11b74087 trunk: make hald_log_t a log file. 2008-04-18 16:04:15 +00:00
Chris PeBenito 2083db2e40 trunk: Cryptsetup runs shell scripts. Patch from Martin Orr. 2008-04-18 15:32:03 +00:00
Chris PeBenito c07f9ccd18 trunk: Add file for enabling policy capabilities. 2008-04-18 14:21:01 +00:00
Chris PeBenito 75da4b8ad3 trunk: Patch to fix leaky interface/template call depth calculator from Vaclav Ovsik. 2008-04-18 12:57:01 +00:00
Chris PeBenito c565b44f9c trunk: release 2008-04-02 18:44:07 +00:00
Chris PeBenito 2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito 9377a3e59c trunk: fix winbind socket connection interface for default location of the sock_file. 2008-03-21 14:18:13 +00:00
Chris PeBenito 6e2123fc72 trunk: add wireshark. 2008-03-14 15:26:52 +00:00
Chris PeBenito 47333d8246 trunk: Revise upstart support in init module to use a tunable, as upstart is now used in Fedora too. 2008-03-10 19:29:47 +00:00
Chris PeBenito e276d50e21 trunk: Add iferror.m4 rather generate it out of the Makefiles. 2008-03-06 20:17:46 +00:00
Chris PeBenito 210607be61 trunk: Definitions for open permisson on file and similar objects from Eric Paris. 2008-03-04 20:19:29 +00:00
Chris PeBenito e065ac8ab5 trunk: Apt updates for ptys and logs, from Martin Orr. 2008-03-04 19:48:58 +00:00
Chris PeBenito 01e8ff4ab3 trunk: rpc update from Vaclav Ovsik. 2008-03-04 19:14:08 +00:00
Chris PeBenito d57a094347 trunk: Exim updates on Debian from Devin Carrawy. 2008-03-04 18:25:13 +00:00
Chris PeBenito 9fa023ff58 trunk: Pam and samba updates from Stefan Schulze Frielinghaus. 2008-02-19 19:33:48 +00:00
Chris PeBenito 45b56b01e8 trunk: Backup update on Debian from Vaclav Ovsik. 2008-02-19 14:26:59 +00:00
Chris PeBenito 51223bfc56 trunk: Cracklib update on Deban from Vaclav Ovsik. 2008-02-19 14:06:11 +00:00
Chris PeBenito 037fc0f4e6 trunk: label /proc/kallsyms with system_map_t. 2008-02-15 19:59:10 +00:00
Chris PeBenito 8b9ffed517 trunk: add capability2 class, from Stephen Smalley. 2008-02-07 17:51:59 +00:00
Chris PeBenito f3da31d339 trunk: Labeled networking peer object class updates. 2008-01-03 16:20:01 +00:00
Chris PeBenito cde477c7e5 trunk: package versioning for release. 2007-12-14 18:49:30 +00:00
Chris PeBenito 1abafe3707 trunk: Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. 2007-12-12 16:18:50 +00:00
Chris PeBenito dd9e1de35e trunk: Improve several tunables descriptions from Dan Walsh. 2007-12-07 15:44:53 +00:00
Chris PeBenito c0cf6e0a6e trunk: clean up nsswitch usage, from dan. 2007-12-04 15:05:55 +00:00
Chris PeBenito 0b6acad1bb trunk: More complete labeled networking infrastructure from KaiGai Kohei. 2007-11-26 16:44:57 +00:00
Chris PeBenito eeef8dc451 trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs. 2007-11-16 14:58:17 +00:00
Chris PeBenito 847937da7d trunk: Patch to restructure user role templates to create restricted user roles from Dan Walsh. 2007-11-13 19:31:43 +00:00
Chris PeBenito 4605adcba7 trunk: add postfixpolicyd from Jan-Frode Myklebust. 2007-11-07 20:17:44 +00:00
Chris PeBenito 164772b537 trunk: Russian man page translations from Andrey Markelov. 2007-10-29 18:45:24 +00:00
Chris PeBenito bd973e3e68 trunk: remove unused types from dbus. 2007-10-26 18:04:38 +00:00
Chris PeBenito 6bf8bf4f5c trunk: add exim from dan. 2007-10-24 15:07:40 +00:00
Chris PeBenito a334d2918f trunk: add infrastructure for managing user web content. 2007-10-18 19:23:33 +00:00
Chris PeBenito ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito 6c53a10e28 trunk: Patch to clean up unescaped periods in several file context entries from Jan-Frode Myklebust. 2007-10-05 18:00:55 +00:00
Chris PeBenito 350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito cb811cda3b trunk: update version and changelog for release. 2007-09-28 15:14:55 +00:00
Chris PeBenito 8acfcbcc2a trunk: Add support for setting the unknown permissions handling. 2007-09-27 13:41:09 +00:00
Chris PeBenito 96fc0a45be trunk: Fix XML building for external reference builds and headers builds. 2007-09-21 15:06:58 +00:00
Chris PeBenito 6f49b490b8 trunk: Patch to add missing requirements in userdomain interfaces from Shintaro Fujiwara. 2007-09-17 18:04:35 +00:00
Chris PeBenito 0cf6df55e5 trunk: add awstats from Stefan Schulze Frielinghaus. 2007-09-17 17:25:40 +00:00
Chris PeBenito 8242f5a68d trunk: add bitlbee from devin carraway and add tcpd_wrapped_domain(). 2007-09-17 14:33:40 +00:00
Chris PeBenito 8241b538af trunk: udev update and brctl module from dan. 2007-09-05 17:55:57 +00:00
Chris PeBenito d62c0881e2 Update MLS constraints from LSPP evaluated policy. 2007-08-24 14:14:29 +00:00
Chris PeBenito 2af7b42a06 trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels. 2007-08-22 20:21:52 +00:00
Chris PeBenito 80d5e02c81 trunk: Files and radvd updates from Stefan Schulze Frielinghaus. 2007-08-21 19:03:34 +00:00
Chris PeBenito f8233ab7b0 trunk: Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency. 2007-08-20 18:26:08 +00:00
Chris PeBenito 2d0c9cecaf trunk: several MLS enhancements. 2007-08-20 15:15:03 +00:00
Chris PeBenito 9760cbec2d trunk: Database userspace object manager classes from KaiGai Kohei. 2007-08-09 13:15:07 +00:00
Chris PeBenito 371d11ec04 trunk: add 3rd party interface for apache cgi. 2007-07-26 19:48:40 +00:00
Chris PeBenito 924f3cc2cb trunk: add getserv and shmemserv nscd permissions. 2007-07-24 19:52:18 +00:00
Chris PeBenito d46cfe45cd trunk: add application module 2007-07-19 18:57:48 +00:00
Chris PeBenito f80a0e4f25 trunk: Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. 2007-07-02 15:25:46 +00:00
Chris PeBenito 970122ca12 trunk: updated version and changelog for release 2007-06-29 15:30:58 +00:00
Chris PeBenito 113b4fc4a2 Fix incorrectly named files_lib_filetrans_shared_lib() interface in the libraries module. 2007-06-28 17:25:46 +00:00
Chris PeBenito 7b61fe506d trunk: add rpcbind from dan 2007-06-27 16:31:55 +00:00
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito 7f089782ae trunk: xen updates from dan 2007-06-21 13:36:05 +00:00
Chris PeBenito 5bf9deb5bb trunk: 3 patches from dan 2007-06-20 19:47:10 +00:00
Chris PeBenito 40df56772f trunk: big samba update from dan 2007-06-19 19:11:35 +00:00
Chris PeBenito 788d88c923 trunk: drop snmpd_etc_t. 2007-06-19 17:39:35 +00:00
Chris PeBenito 6c8aba7b31 trunk: confine sendmail and logrotate on targeted 2007-06-19 17:01:39 +00:00
Chris PeBenito cb10a2d5bf trunk: Tunable connection to postgresql for users from KaiGai Kohei. 2007-06-19 14:30:06 +00:00
Chris PeBenito 41337aa8b9 Memprotect support patch from Stephen Smalley. 2007-06-19 13:02:26 +00:00
Chris PeBenito a74d1ad7cd trunk: add amtu from dan 2007-06-12 18:58:36 +00:00
Chris PeBenito d5b81a81ff trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). 2007-06-12 18:46:14 +00:00
Chris PeBenito d534d35a7e trunk: 5 patches from dan 2007-06-11 15:01:10 +00:00
Chris PeBenito 762d2cb989 merge restorecon into setfiles 2007-05-11 17:10:43 +00:00
Chris PeBenito 12217cc286 Patch to begin separating out hald helper programs from Dan Walsh. 2007-05-07 17:57:48 +00:00
Chris PeBenito 78f17e6d6c add apcupsd from dan 2007-05-07 14:55:54 +00:00
Chris PeBenito b129e2001c Fixes for squid, dovecot, and snmp from Dan Walsh. 2007-05-07 13:45:17 +00:00
Chris PeBenito 4967aaa320 Miscellaneous consolekit fixes from Dan Walsh. 2007-05-03 14:15:38 +00:00
Chris PeBenito ed4b7301fb Patch to have avahi use the nsswitch interface rather than individual permissions from Dan Walsh. 2007-05-03 12:45:28 +00:00
Chris PeBenito 517618f0b4 Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. 2007-05-02 17:55:03 +00:00
Chris PeBenito 882186c933 - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
to handle usage from userhelper.
2007-05-02 17:31:38 +00:00
Chris PeBenito 6a2975706a add rwho from Nalin Dahyabhai 2007-04-30 17:39:01 +00:00
Chris PeBenito 747ab18400 Patch to allow amavis to read spamassassin libraries from Dan Walsh. 2007-04-30 15:19:47 +00:00
Chris PeBenito f9029fc5b6 Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh. 2007-04-30 15:01:19 +00:00
Chris PeBenito d28e528b0d Fixes for RHEL4 from the CLIP project. 2007-04-27 15:08:15 +00:00
Chris PeBenito cd16fe6e2c Replace the old lrrd fc entries with correct munin ones. 2007-04-23 17:36:35 +00:00
Chris PeBenito b4dfdc7d30 Move program admin template usage out of userdom_admin_user_template() to sysadm policy in userdomain.te to fix usage of the template for third parties. 2007-04-19 14:30:57 +00:00
Chris PeBenito 7a4bd42ea3 Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface. 2007-04-19 14:24:02 +00:00
Chris PeBenito 2733830a27 final release entries for 20070417 2007-04-17 14:20:24 +00:00
Chris PeBenito 97e8156ecb add zabbix from dan 2007-04-11 18:55:44 +00:00
Chris PeBenito 697489040e 5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes 2007-04-11 17:56:03 +00:00
Chris PeBenito 19b2dee3cc confine ldconfig in targeted, from dan 2007-04-10 19:39:22 +00:00
Chris PeBenito f4e2b1983a man page updates from dan 2007-04-02 13:58:33 +00:00
Chris PeBenito a26923c32e Two patches from Paul Moore to for ipsec to remove redundant rules and have setkey read the config file. 2007-03-28 18:47:45 +00:00
Chris PeBenito 56e1b3d207 - Move booleans and tunables to modules when it is only used in a single
module.
- Add support for tunables and booleans local to a module.
2007-03-26 18:41:45 +00:00
Chris PeBenito 8021cb4f63 Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00
Chris PeBenito ab514d6a89 remove disable_trans booleans 2007-03-23 21:01:49 +00:00
Chris PeBenito e9b0042f35 Output different header sets for kernel and userland from flask headers. 2007-03-23 20:32:23 +00:00
Chris PeBenito 1852cdabce deprecated pax class 2007-03-23 20:21:06 +00:00
Chris PeBenito d17bab02cc stop adding netfilter contexts, as decided at the developers summit 2007-03-21 19:40:55 +00:00
Chris PeBenito cd3ee91a4b add fail2ban from dan 2007-03-21 15:51:52 +00:00
Chris PeBenito a5f5eba459 Add dontaudits for init fds and console to init_daemon_domain(). 2007-03-20 18:47:18 +00:00
Chris PeBenito 4832f0e066 create user gpg keys dir patch from dan 2007-03-19 19:10:43 +00:00
Chris PeBenito 93784927ca add kvmfs support, from dan 2007-03-19 18:48:14 +00:00
Chris PeBenito c224d91c7b from Dan:
This is a new policy for the User Switching capability coming in gnome.

consolekit is a daemon that communicates with xdm_t and hal through dbus to change the
ownership/access on certain devices when the login session changes from one user to another
2007-03-19 18:01:15 +00:00
Chris PeBenito 6c20f77e80 patch from Dan for sudo:
sudo should be able to getattr on all executables not just 
bin_t/sbin_t.  Confined executeables run from sudo need this.

sudo_exec_t needs to be marked as exec_type so prelink will work correctly.

sudo semanage should work
2007-03-19 16:32:44 +00:00
Chris PeBenito b50f2ee48d It was just pointed out to me that the raw IP socket class is missing from the
recvfrom MLS constraint.

Signed-off-by: Paul Moore
2007-03-09 14:45:19 +00:00
Chris PeBenito cdc91b9aeb Patch for handling restart of nscd when ran from useradd, groupadd, and admin passwd, from Dan Walsh. 2007-03-08 15:14:45 +00:00
Chris PeBenito 59bedc1886 procmail uses /tmp files
Wants to send signull to itself
Can exec ls
Read spamassinn_lib_dirs
New directory for spamassin /var/lib/
pyzor uses tmp files
2007-03-07 21:33:22 +00:00
Chris PeBenito 7aca2aa827 setroubleshoot has a plugin that checks the file context on disk versus a matchpathcon. So needs additional privs 2007-03-06 17:16:08 +00:00
Chris PeBenito c23eb5b1c4 Patch for gssd fixes from Dan Walsh 2007-03-06 16:18:59 +00:00
Chris PeBenito c5561c777d patches for lvm and ricci fixes from Dan Walsh. 2007-03-06 15:35:02 +00:00
Chris PeBenito f2c69c47b3 lmtp and smtp are the same file require same context of setfiles complains
postfix_pickup_t wants to read postfix_spool_maildrop_t dir
2007-03-01 20:41:19 +00:00
Chris PeBenito ecc98e19e3 patches for file contexts in networkmanager, miscfiles, corecommands, devices, and java from Dan Walsh. 2007-03-01 15:43:39 +00:00
Chris PeBenito 4900fdf7d1 Patch for kerberized telnet fixes from Dan Walsh. 2007-02-28 17:17:52 +00:00
Chris PeBenito 09c56f5496 Patch for kerberized ftp and other ftp fixes from Dan Walsh. 2007-02-28 17:01:47 +00:00
Chris PeBenito 2aea366ffc Patch for an additional wine executable from Dan Walsh. 2007-02-28 16:23:06 +00:00
Chris PeBenito bf39cdb807 Patch for additional games file contexts from Dan Walsh. 2007-02-28 15:30:38 +00:00
Chris PeBenito 86d754eed6 Add support for libselinux 2.0.5 init_selinuxmnt() changes. 2007-02-27 17:02:35 +00:00
Chris PeBenito f0eaed31be Patch for misc fixes to bluetooth from Dan Walsh. 2007-02-26 17:23:52 +00:00
Chris PeBenito 5b06477c8e On Tue, 2007-02-20 at 12:02 -0500, Daniel J Walsh wrote:
> Eliminate excess avc messages created when using kerberos libraries
> 
> krb5kdc wans to setsched
> 
> Also uses a fifo_file to communicate.
> 
> Needs to search_network_sysctl
2007-02-26 17:04:56 +00:00
Chris PeBenito bbb7cc8927 Patch to start deprecating usercanread attribute from Ryan Bradetich. 2007-02-26 16:13:23 +00:00
Chris PeBenito a715dc0995 add dccp_socket object class 2007-02-26 15:39:59 +00:00
Chris PeBenito 3a39015792 On Tue, 2007-02-20 at 12:30 -0500, Daniel J Walsh wrote:
> prelink creates temporarly files that it then needs to relabel.
2007-02-23 21:20:46 +00:00
Chris PeBenito 5c45eaede1 On Tue, 2007-02-20 at 12:28 -0500, Daniel J Walsh wrote:
> audit needs fsetid
> 
> syslog needs to be able to create a tcp_socket for off machine logging.
2007-02-23 20:19:29 +00:00
Chris PeBenito 66cf194680 Patch to remove redundant mls_trusted_object() call from Dan Walsh. 2007-02-23 20:05:12 +00:00
Chris PeBenito 4685213857 Patch for misc fixes to nis ypxfr policy from Dan Walsh. 2007-02-23 19:52:52 +00:00
Chris PeBenito aeb54c6dd0 Patch to allow apmd to telinit from Dan Walsh. 2007-02-23 19:41:41 +00:00
Chris PeBenito d114071e7a While using samba and SELinux with Debian GNU/Linux (etch) the
following files need to be labeled correctly:
/var/run/samba/gencache.tdb
/var/run/samba/share_info.tdb

Should also concern other distributions than Debian.

-Stefan
2007-02-23 19:30:17 +00:00
Chris PeBenito bcac3a5e3d Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. 2007-02-23 19:08:45 +00:00
Chris PeBenito f1be09c2b1 make ttys and ptys device nodes 2007-02-20 20:17:07 +00:00
Chris PeBenito 6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
Chris PeBenito 4bd55ebf32 Fix explicit use of httpd_t in openca_domtrans(), bug #22. 2007-02-07 22:16:18 +00:00
Chris PeBenito ff943a1b9b Clean up file context regexes in apache and java, from Eamon Walsh:
Some file_contexts regular expressions in refpolicy-strict are causing 
genhomedircon to die; refpolicy is failing to build for me entirely.

The regular expressions seem redundant to me, perhaps I am missing 
something, but the following patch fixes the problems for me.  Please 
review and apply
2007-01-24 17:10:31 +00:00
Chris PeBenito b001503548 update version and changelog for release 2006-12-12 21:59:26 +00:00
Chris PeBenito c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito d6d16b9796 patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00
Chris PeBenito fa45da0efd add aide, ccs, and ricci 2006-11-16 20:56:24 +00:00
Chris PeBenito d31d3c159e This modifies the mls constraint for polmatch in the association class.
Specifically:

- polmatch need no longer make an exception for unlabeled_t
  since a flow will now always match SPD rules with no contexts (per
  the IPSec leak fix patch upstreamed a few weeks back), as
  opposed to needing polmatch access to unlabeled_t.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-11-16 13:38:14 +00:00
Chris PeBenito c6a60bb28d On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
2006-11-14 13:38:52 +00:00
Chris PeBenito 59f8539306 - Add a reload target to Modules.devel and change the load
target to only insert modules that were changed.
2006-11-13 03:36:13 +00:00
Chris PeBenito ed38ca9f3d fixes from gentoo strict testing:
- Allow semanage to read from /root on strict non-MLS for
  local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
  on clients.
2006-11-13 03:24:07 +00:00
Chris PeBenito f497b8df50 Christopher J. PeBenito wrote:
> We could add another 'or' on the above constraint:
> 
> or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
> 
> I believe that would be the constraint you were looking for.  I don't
> like the name of that attribute, but I couldn't come up with a better
> one off the top of my head. :)
> 

Attached is a patch which I've tested against selinux-policy-2.4.2-1
that implements this additional constraint.  The name is still a bit
forced, but it works.

-matt <mra at hp dot com>
2006-11-01 15:42:22 +00:00
Chris PeBenito d9845ae92a patch from dan Tue, 24 Oct 2006 11:00:28 -0400 2006-10-31 21:01:48 +00:00
Chris PeBenito a8671ae5b2 enhanced setransd support from darrel goeddel 2006-10-20 14:44:23 +00:00
Chris PeBenito 248cccf7ce 20061018 release 2006-10-18 20:26:45 +00:00
Chris PeBenito 130f8a4aa5 merge netlabel stuff from labeled-networking branch 2006-10-17 16:58:17 +00:00
Chris PeBenito 3c3c0439f6 patch from russell, Thu, 5 Oct 2006 22:44:49 +1000
Allow unconfined processes to see unlabeled processes in ps.

Removed a redundant rule in samba.te

Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.

Removed support for devpts_t files in /tmp (there is no way that would ever 
work).

Allowed postgrey to create socket files.

Made the specs for the /lib and /lib64 directories better support stem 
compression.
2006-10-05 19:57:37 +00:00
Chris PeBenito e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito 00219064d7 This patch adds a GConf policy to refpolicy.
This policy is much tighter than the GConf policy from the old example
policy.  It only allows gconfd to access configuration data stored by
GConf.  Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd.  GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway.  Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.

There is also a difference between this policy and the old example
policy in handling directories in /tmp.  The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t.  This policy uses the
files_tmp-filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t.  It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label.  By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.

This patch is related to work that I am doing in making gconfd an
userspace object manager.  If any user program can modify the
configuration data that GConf stores, than making gconfd an userspace
object manager would be useless.

Signed-off-by:  James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
Chris PeBenito e2b84ef79a patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
Chris PeBenito 693d4aedb5 patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
Chris PeBenito 8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00
Chris PeBenito 75beb95014 patch from dan Tue, 05 Sep 2006 17:06:06 -0400 2006-09-06 16:36:23 +00:00
Chris PeBenito 13d7cec671 patch from erich Sat, 02 Sep 2006 03:37:44 +0200 2006-09-04 18:22:12 +00:00
Chris PeBenito 5dbda5558a patch from dan Fri, 01 Sep 2006 15:45:24 -0400 2006-09-04 15:15:35 +00:00
Chris PeBenito eac818f040 patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
Chris PeBenito a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
Chris PeBenito 3ef029db7c add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups. 2006-08-22 19:37:56 +00:00
Chris PeBenito 33c7e6b4e8 remove dead selopt rules 2006-08-15 20:00:58 +00:00
Chris PeBenito f5d1d0f7b3 missed changelog entry for nc 2006-08-07 17:25:46 +00:00
Chris PeBenito 4846dc8ad4 patch from Stefan for mrtg daemon operation. 2006-08-07 17:14:00 +00:00
Chris PeBenito 9d3a3f84ad add missing entry for dan's last patch 2006-08-02 19:56:32 +00:00
Chris PeBenito 4b3b46d7ef add authlogin interface to abstract common login program perms 2006-07-31 22:26:59 +00:00
Chris PeBenito 133000c286 remove setbool auditallow, except for distro_rhel4. 2006-07-13 14:22:21 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00