Commit Graph

116 Commits

Author SHA1 Message Date
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 603f0e1e6e Module version bump for monit patch from cgzones 2017-03-25 13:24:56 -04:00
cgzones f438513a8a sysadm: add monit admin permissions 2017-03-09 13:24:51 +01:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 3726cd58f6 Module version bump for changes from cgzones. 2017-02-18 12:28:38 -05:00
cgzones 60983561be sysadm: fix denials
allow to read kmesg and the selinux policy
2017-02-16 16:00:14 +01:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia via refpolicy 84176263dd sysadm: add the shutdown role
Add the shutdown role interface call to the sysadm role module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 13:13:58 -05:00
Chris PeBenito f8489c13e4 Module version bump for xscreensaver patch from Guido Trentalancia. 2016-12-21 14:30:03 -05:00
Guido Trentalancia 997706aba3 base: enable the xscreensaver role
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-21 14:00:19 -05:00
Chris PeBenito 6e3c5476ca Module version bumps for patches from Guido Trentalancia. 2016-12-17 09:00:36 -05:00
Guido Trentalancia 20e8fb4b9c wm: update the window manager (wm) module and enable its role template (v7)
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE BASE POLICY PART.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-17 08:15:10 -05:00
Chris PeBenito 1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Guido Trentalancia ab0b758ed7 Apache OpenOffice module (base policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and nineth versions brings no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-06 20:08:06 -05:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 07451cd39a Module version bumps for syncthing from Naftuli Tzvi Kay. 2016-10-09 07:51:51 -04:00
Naftuli Tzvi Kay ba903b4840
Add Syncthing Support to Policy
For now, optionally add the Syncthing role to user_r, staff_r,
and unconfined_r, and define the Syncthing ports in core network.
2016-08-21 11:57:01 -07:00
Chris PeBenito 78111e98d6 Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz Andrejczuk. 2016-05-02 08:32:42 -04:00
Dominick Grift 6232348be8 Update refpolicy to handle hwloc
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-05-02 08:22:58 -04:00
Chris PeBenito 0e133c7d74 Module version bump for tboot utils from Luis Ressel and systemd fix from Jason Zaman.
Update contrib.
2016-03-08 08:52:25 -05:00
Luis Ressel 3b586829cc Allow sysadm to run txt-stat. 2016-03-08 08:36:04 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito fc2de5c21c Add rules for sysadm_r to manage the services. 2015-10-23 10:17:46 -04:00
Chris PeBenito 95248e4919 Module version bump for cron_admin for sysadm from Jason Zaman. 2015-07-17 08:56:43 -04:00
Jason Zaman 13cfdd788f add new cron_admin interface to sysadm 2015-07-17 08:13:43 -04:00
Chris PeBenito d74c9bd6b8 Module version bumps for admin interfaces from Jason Zaman. 2015-07-14 11:18:35 -04:00
Jason Zaman 0023b30946 Introduce setrans_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman e1f2a8b9d6 Introduce ipsec_admin interface 2015-07-14 11:04:44 -04:00
Jason Zaman 8bee8e80af Introduce lvm_admin interface 2015-07-14 11:04:44 -04:00
Chris PeBenito acabb517e6 Module version bump for admin interface changes from Jason Zaman. 2015-06-09 08:39:18 -04:00
Jason Zaman 9c49f9d7fa Add all the missing _admin interfaces to sysadm
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.

The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
2015-06-09 08:29:51 -04:00
Jason Zaman 43da2d2ad0 Introduce iptables_admin 2015-06-09 08:29:51 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 35860e6459 Module version bump for CIL fixes from Yuli Khodorkovskiy. 2014-09-17 14:00:08 -04:00
Yuli Khodorkovskiy 330b0fc333 Remove duplicate role declarations
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.

-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
2014-09-17 10:44:04 -04:00
Chris PeBenito 342498065e Module version bump for deprecated interface usage removal from Nicolas Iooss. 2014-05-27 09:23:29 -04:00
Nicolas Iooss 40c155f732 No longer use deprecated MLS interfaces
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.

Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
2014-05-27 09:08:36 -04:00
Chris PeBenito 3b697dbb25 Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville d0169a9acb Add telepathy role for user_r and staff_r 2014-04-11 09:26:12 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito b339b85001 Module version bump for patches from Dominick Grift. 2013-12-06 09:49:41 -05:00
Dominick Grift 8e01054f07 users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito 48a55abb0f Module version bump for sysadm fix for git role usage from Dominick Grift. 2013-09-26 09:16:03 -04:00
Dominick Grift ab3b84ecec sysadm: Doesnt work with direct_initrc = y
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 09:14:12 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito af2496ea2e Module version bump/contrib sync. 2012-10-30 16:12:14 -04:00