50 Commits

Author SHA1 Message Date
Chris PeBenito ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito 81d4c88f8c trunk: remove stale user_net_control reference in usernetctl.if. 2007-10-08 13:38:25 +00:00
Chris PeBenito 12e9ea1ae3 trunk: module version bumps for previous commit. 2007-10-02 17:15:07 +00:00
Chris PeBenito 350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito 3480f3f239 trunk: bump version numbers for release. 2007-09-28 13:58:24 +00:00
Chris PeBenito 0cf6df55e5 trunk: add awstats from Stefan Schulze Frielinghaus. 2007-09-17 17:25:40 +00:00
Chris PeBenito 8a9d6f6449 trunk: 6 patches from dan. 2007-09-07 13:41:20 +00:00
Chris PeBenito 0a0b8078ca trunk: 5 patches from dan. 2007-09-04 18:57:58 +00:00
Chris PeBenito 6dd721a686 trunk: 7 patches from dan, slocate, games, amavis, radius, sendmail, rshd, logrotate. 2007-08-27 17:57:36 +00:00
Chris PeBenito 8d2c34195e trunk: updates from dan on 9 modules 2007-08-22 20:02:41 +00:00
Chris PeBenito d46cfe45cd trunk: add application module 2007-07-19 18:57:48 +00:00
Chris PeBenito 116c1da330 trunk: update module version numbers for release. 2007-06-29 14:48:13 +00:00
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito 22bff65f4d trunk: fix typo in vmware.fc 2007-06-26 14:31:31 +00:00
Chris PeBenito d139413c64 trunk: 2 patches from dan 2007-06-13 13:54:56 +00:00
Chris PeBenito 262def165a trunk: version bumps for previous commit. 2007-06-12 13:08:19 +00:00
Chris PeBenito f7101c5430 trunk: 7 simple patches from dan. 2007-06-12 13:06:13 +00:00
Chris PeBenito f6a590d7b4 six simple patches from dan 2007-06-11 14:09:09 +00:00
Chris PeBenito 17b9cb7dda trunk: fix line in evolution to be strict-only; was being covered up by genhomedircon. 2007-05-22 17:01:38 +00:00
Chris PeBenito f9029fc5b6 Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh. 2007-04-30 15:01:19 +00:00
Chris PeBenito 0251df3e39 bump module versions for release 2007-04-17 13:28:09 +00:00
Chris PeBenito 697489040e 5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes 2007-04-11 17:56:03 +00:00
Chris PeBenito 56e1b3d207 - Move booleans and tunables to modules when it is only used in a single
module.
- Add support for tunables and booleans local to a module.
2007-03-26 18:41:45 +00:00
Chris PeBenito 8021cb4f63 Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00
Chris PeBenito 4832f0e066 create user gpg keys dir patch from dan 2007-03-19 19:10:43 +00:00
Chris PeBenito ecc98e19e3 patches for file contexts in networkmanager, miscfiles, corecommands, devices, and java from Dan Walsh. 2007-03-01 15:43:39 +00:00
Chris PeBenito 2aea366ffc Patch for an additional wine executable from Dan Walsh. 2007-02-28 16:23:06 +00:00
Chris PeBenito bf39cdb807 Patch for additional games file contexts from Dan Walsh. 2007-02-28 15:30:38 +00:00
Chris PeBenito 6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
Chris PeBenito ff943a1b9b Clean up file context regexes in apache and java, from Eamon Walsh:
Some file_contexts regular expressions in refpolicy-strict are causing 
genhomedircon to die; refpolicy is failing to build for me entirely.

The regular expressions seem redundant to me, perhaps I am missing 
something, but the following patch fixes the problems for me.  Please 
review and apply
2007-01-24 17:10:31 +00:00
Chris PeBenito 42c5c5f612 bump versions for release. 2006-12-12 21:22:47 +00:00
Chris PeBenito c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito d6d16b9796 patch from dan Wed, 29 Nov 2006 17:06:40 -0500 2006-12-04 20:10:56 +00:00
Chris PeBenito 563e58e863 patch from dan for some missing gen_require()s 2006-11-29 13:44:40 +00:00
Chris PeBenito d9845ae92a patch from dan Tue, 24 Oct 2006 11:00:28 -0400 2006-10-31 21:01:48 +00:00
Chris PeBenito a52b4d4f23 bump versions to release numbers 2006-10-18 19:25:27 +00:00
Chris PeBenito b04eccd87b fix duplicate /usr/bin/mplayer fc match for targeted 2006-10-18 17:31:14 +00:00
Chris PeBenito f76d07072a fix some stuff that does not affect policy 2006-10-06 17:31:52 +00:00
Chris PeBenito 00219064d7 This patch adds a GConf policy to refpolicy.
This policy is much tighter than the GConf policy from the old example
policy.  It only allows gconfd to access configuration data stored by
GConf.  Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd.  GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway.  Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.

There is also a difference between this policy and the old example
policy in handling directories in /tmp.  The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t.  This policy uses the
files_tmp-filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t.  It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label.  By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.

This patch is related to work that I am doing in making gconfd a
userspace object manager.  If any user program can modify the
configuration data that GConf stores, then making gconfd a userspace
object manager would be useless.

Signed-off-by:  James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
Chris PeBenito e2b84ef79a patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
Chris PeBenito 8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00
Chris PeBenito eac818f040 patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
Chris PeBenito a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
Chris PeBenito 33c7e6b4e8 remove dead selopt rules 2006-08-15 20:00:58 +00:00
Chris PeBenito 497da0953c ps/ptrace dontaudit cleanup 2006-08-08 17:49:03 +00:00
Chris PeBenito 80f928e24b display warning if using loadkeys_domtrans() in targeted 2006-08-03 18:02:28 +00:00
Chris PeBenito ea3c1f508a add helpers for printing warning and error messages 2006-07-25 17:27:00 +00:00
Chris PeBenito 19ebf01d6a patch to fix escaping of . in file contexts from james athey 2006-07-24 15:43:57 +00:00
Chris PeBenito 17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00