Puppet is a management utility to manage several dozens or even hundreds of
systems through a single application. Part of its job is to ensure that the
configuration and state of a system is as expected. Part of this is to ensure
that the proper mounts are available and, if not, mount them (or umount them).
This patch allows puppet_t to call mount.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).
Hence, we dontaudit this use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.
Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Many XFCE4 helper applications are located in /usr/lib locations. This patch
marks those helpers as bin_t.
Recursively marking the directories bin_t does not work properly as these
locations also contain actual libraries.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since april, the *-multi applications offered through iptables are combined
through a single binary called xtables-multi. The previous commands are now
symbolic links towards this application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.
The test cases to reproduce this defect:
=> restorecon -R /
=> echo $?
255
=>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Sven Vermeulen
Roy.Li