Commit Graph

1159 Commits

Author SHA1 Message Date
Chris PeBenito a1b42052c9 Fix mmap_zero assertion violation in xserver. 2010-09-01 09:59:39 -04:00
Dominick Grift 623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Chris PeBenito 76a9fe96e4 Module version bumps and changelog for devtmpfs patchset. 2010-08-25 11:19:27 -04:00
Chris PeBenito 0d24805fd0 Trivial tweaks to devtmpfs patches. 2010-08-25 11:18:25 -04:00
Jeremy Solt 2fc79f1ef4 Early devtmpfs access
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-25 11:01:27 -04:00
Jeremy Solt d6e1ef29cd Move devtmpfs to devices from filesystem
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-25 11:01:22 -04:00
Chris PeBenito c62f1bef77 Dbadm updates from KaiGai Kohei. 2010-08-19 08:41:39 -04:00
Chris PeBenito ab8f919e6f Part of gnome patch from Dan Walsh. 2010-08-12 09:21:36 -04:00
Chris PeBenito a9539a063b Additional kdumpgui cleanup. 2010-08-10 09:21:01 -04:00
Jeremy Solt 46fc0d39e3 Policy for system-config-kdump gui from Dan Walsh
Edits:
 - removed gnome_dontaudit_search_config
 - removed userdom_dontaudit_search_admin_dir
 - whitespace and style fixes
2010-08-10 09:05:43 -04:00
Jeremy Solt 68e615ec5a system-config-samba dbus service policy from Dan Walsh 2010-08-09 09:37:29 -04:00
Jeremy Solt c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito 00ca404a20 Remove unnecessary require on cgroup_admin(). 2010-08-09 09:10:24 -04:00
Chris PeBenito d687db9b42 Whitespace fixes on cgroup. 2010-08-09 08:52:39 -04:00
Dominick Grift 61d7ee58a4 Confine /sbin/cgclear.
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift a0546c9d1c System layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Dominick Grift 288845a638 Services layer xml files.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito 97b990f86e Fix corecmd_dontaudit_exec_all_executables doc. 2010-08-05 09:24:41 -04:00
Dominick Grift 705f70f098 Kernel layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito 19ff03977d Fix usermanage_kill_passwd() parameter doc. 2010-08-05 08:56:31 -04:00
Dominick Grift 77e4b55f70 Admin layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:46:44 -04:00
Dominick Grift 03b86663f0 apps: domain { allowed to transition, allowed access, to not audit }.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito 8da88970be Accountsd cleanup. 2010-08-03 09:50:40 -04:00
Chris PeBenito d0eebed0b7 Move accountsd to services. 2010-08-03 09:31:53 -04:00
Jeremy Solt c4834a02d2 accountsd policy from Dan Walsh
Edits:
 - Removed accountsd_manage_var_lib
 - Removed optional block for xserver - these interfaces didn't exist
 - It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
 - Whitespace and style fixes
2010-08-03 09:27:24 -04:00
Chris PeBenito a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito 9d4395a736 MojoMojo from Lain Arnell. 2010-08-02 09:28:06 -04:00
Chris PeBenito a72e42f485 Interface documentation standardization patch from Dan Walsh. 2010-08-02 09:22:09 -04:00
Chris PeBenito 27eeb649cc Virtio disk file context update from Mika Pfluger. 2010-08-02 08:33:41 -04:00
Mika Pflüger b3f7203d6a Take virtio disks into account.
Signed-off-by: Mika Pflüger <debian@mikapflueger.de>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-08-02 08:25:14 -04:00
Chris PeBenito 64ef2df368 Module version bump for 5563d4c. 2010-07-22 09:13:11 -04:00
Jeremy Solt 5563d4c4d8 Removing seutil_domtrans_setsebool from anaconda patch - it doesn't exist 2010-07-22 08:49:32 -04:00
Jeremy Solt b0a6f1b7c2 anaconda patch from Dan Walsh
- Did not include the change to unconfined_domain_noaudit
2010-07-22 08:49:32 -04:00
Chris PeBenito 21fdee9dd5 Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
We went back and reread the bindreservport code in glibc.

Turns out the range or ports that this will reserve are 512-1024 rather
then 600-1024.

The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.

So we need to change corenetwork to reflect this.
2010-07-19 14:22:44 -04:00
Chris PeBenito 29f3bfa464 Fix JIT usage for freshclam.
http://marc.info/?l=selinux&m=127893898208934&w=2
2010-07-13 08:39:54 -04:00
Dominick Grift 48c3c37cf2 Remove some redundant attributes from user_home_t.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-12 14:35:22 -04:00
Chris PeBenito 4b76ea5f51 Module version bump for fa1847f. 2010-07-12 14:02:18 -04:00
Dominick Grift fa1847f4a2 Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito f7ffe6c2a9 Add missing ubac constraints on pulseaudio. 2010-07-09 09:14:35 -04:00
Chris PeBenito c14aebd032 Remove old rbacsep role statements. 2010-07-09 08:38:05 -04:00
Chris PeBenito 072857c425 VMWare patch from Dan Walsh. 2010-07-08 13:43:50 -04:00
Chris PeBenito f1618ffc6f Whitespace fix in userhelper. 2010-07-08 10:56:15 -04:00
Chris PeBenito b70dfcdf8f RPM patch from Dan Walsh. 2010-07-08 10:53:28 -04:00
Chris PeBenito 2d839c6791 Whitespace fixes in RPM. 2010-07-08 10:12:24 -04:00
Chris PeBenito 7e265a8abb Add shutdown from Dan Walsh. 2010-07-07 11:10:56 -04:00
Chris PeBenito b841dffda1 Add livecd from Dan Walsh. 2010-07-07 10:28:25 -04:00
Chris PeBenito 08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito 3c4e9fce8e Make spamassassin optional for milter, from Russell Coker. 2010-07-07 08:55:57 -04:00
Chris PeBenito bca0cdb86e Remove duplicate/redundant rules, from Russell Coker. 2010-07-07 08:41:20 -04:00
Chris PeBenito 1db1836ab9 Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role(). 2010-07-06 13:17:05 -04:00