Commit Graph

54 Commits

Author SHA1 Message Date
Chris PeBenito b2f72e833b Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito 215a8be698 auditadm, secadm, staff, sysadm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-16 11:32:16 -05:00
bauen1 b6352a3de7
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to
fifo_files inherited from domains allowed to change role to sysadm_r.

This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
2020-02-16 17:05:40 +01:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker 044da0b8b9 more misc stuff
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
2019-02-01 14:16:57 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker 1574ac4a5d chromium
There are several nacl binaries that need labels.

Put an ifdef debian for some chromium paths.

Git policy misses chromium_role() lines, were they in another patch that was
submitted at the same time?

I don't know what this is for but doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { associate } for  pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { create } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { add_name } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir

Allow domain_use_interactive_fds() for running via ssh -X.

Allow managing xdg data, cache, and config.

Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.

How does the whold naclhelper thing work anyway?  I'm nervous about process
share access involving chromium_sandbox_t, is that really what we want?

Added lots of other stuff like searching cgroup dirs etc.
2019-01-29 18:59:33 -05:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito 6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito 36c79fd3ee Module version bump for libmtp from Guido Trentalancia. 2017-05-22 20:20:47 -04:00
Guido Trentalancia 4f8b753f24 base: role changes for the new libmtp module
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
2017-05-22 20:05:52 -04:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito f8489c13e4 Module version bump for xscreensaver patch from Guido Trentalancia. 2016-12-21 14:30:03 -05:00
Guido Trentalancia 997706aba3 base: enable the xscreensaver role
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-21 14:00:19 -05:00
Chris PeBenito 6e3c5476ca Module version bumps for patches from Guido Trentalancia. 2016-12-17 09:00:36 -05:00
Guido Trentalancia 20e8fb4b9c wm: update the window manager (wm) module and enable its role template (v7)
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE BASE POLICY PART.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-17 08:15:10 -05:00
Chris PeBenito 1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Guido Trentalancia ab0b758ed7 Apache OpenOffice module (base policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and nineth versions brings no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-06 20:08:06 -05:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 07451cd39a Module version bumps for syncthing from Naftuli Tzvi Kay. 2016-10-09 07:51:51 -04:00
Naftuli Tzvi Kay ba903b4840
Add Syncthing Support to Policy
For now, optionally add the Syncthing role to user_r, staff_r,
and unconfined_r, and define the Syncthing ports in core network.
2016-08-21 11:57:01 -07:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 35860e6459 Module version bump for CIL fixes from Yuli Khodorkovskiy. 2014-09-17 14:00:08 -04:00
Yuli Khodorkovskiy 330b0fc333 Remove duplicate role declarations
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.

-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
2014-09-17 10:44:04 -04:00
Chris PeBenito 3b697dbb25 Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville d0169a9acb Add telepathy role for user_r and staff_r 2014-04-11 09:26:12 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito b339b85001 Module version bump for patches from Dominick Grift. 2013-12-06 09:49:41 -05:00
Dominick Grift 8e01054f07 users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito af2496ea2e Module version bump/contrib sync. 2012-10-30 16:12:14 -04:00
Dominick Grift 83d28d8a52 Changes to the user domain policy module
gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 15:39:20 -04:00
Chris PeBenito f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito 102f084d96 New git service features from Dominick Grift.
* git user sessions
* repositories on CIFS/NFS
* inetd service
2011-09-02 09:20:23 -04:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito 6df9de4947 Module version bump for vlock. Changelog entry. 2010-11-01 11:22:25 -04:00
Chris PeBenito 7f9f5bce63 Rename vlock interfaces. 2010-11-01 11:22:07 -04:00
Harry Ciao d35e2ee03b Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift 329138beba Move oident manage and relabel home content interfaces to common user template.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-01 09:41:12 -04:00
Chris PeBenito 25d796ed37 Unconditional staff and user oidentd home config access from Dominick Grift. 2010-09-15 08:20:16 -04:00
Dominick Grift 941e3db567 Access for confined users to oidentd user home content is unconditional.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 08:05:41 -04:00
Chris PeBenito c62f1bef77 Dbadm updates from KaiGai Kohei. 2010-08-19 08:41:39 -04:00
Jeremy Solt c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito 08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00