This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev. Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.
Fixes#221
Derived from Laurent Bigonville's work in #230
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
Chris PeBenito
bauen1
Topi Miettinen
Stephen Smalley
Alexander Miroshnichenko
Alexander Miroshnichenko
Chris PeBenito
Sven Vermeulen