Commit Graph

3590 Commits

Author SHA1 Message Date
Chris PeBenito aac94b0e40 Whitespace fixes from fc.subs changes. 2012-05-10 10:33:54 -04:00
Chris PeBenito 41ff913f44 Remove duplicate fc definition for firefox. 2012-05-10 10:33:30 -04:00
Sven Vermeulen b55726771e Simplify .fc in light of file_contexts.subs_dist
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.

Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-10 10:09:00 -04:00
Chris PeBenito 4f24b1841c Add optional name for kernel and system filetrans interfaces. 2012-05-10 09:53:45 -04:00
Chris PeBenito b0e936e0d0 Update toolchain dependencies. 2012-05-10 08:54:40 -04:00
Chris PeBenito bc1b68393f Update contrib. 2012-05-10 08:38:14 -04:00
Chris PeBenito 278ac79c08 Module version bump for http_cache port update from Sven Vermeulen. 2012-05-04 11:20:33 -04:00
Sven Vermeulen d36c428425 Mark tcp:3128 as http_cache_port_t
Port 3128 is the default port for squid cache

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 11:15:59 -04:00
Chris PeBenito 7b6fe9c1a5 Module version bump for syslog-ng and lvm patches from Sven Vermeulen. 2012-05-04 10:49:11 -04:00
Sven Vermeulen ee62c91345 Recent lvm utilities now use setfscreate
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 10:45:57 -04:00
Sven Vermeulen 1c5de3ddf5 Allow getsched for syslog-ng
Recent syslog-ng implementation uses a threading library that requires the getsched permission.

See also https://bugs.gentoo.org/show_bug.cgi?id=405425

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 10:40:05 -04:00
Chris PeBenito b72101a116 Module version bump and changelog for non-auth file attribute to eliminate set expressions, from James Carter. 2012-05-04 09:14:00 -04:00
Chris PeBenito 4f8e1a4e3d Rearrange a few files interfaces. 2012-05-04 09:13:11 -04:00
Chris PeBenito e7ed5a1fe9 Whitespace fixes in files.if. 2012-05-04 09:00:33 -04:00
James Carter 624e73955d Changed non-contrib policy to use the new non_auth_file_type interfaces
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
James Carter 8959338324 Change interfaces in authlogin.if to use new interfaces in files.if
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:42 -04:00
James Carter 709fd365b8 Create non_auth_file_type attribute and interfaces
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:37 -04:00
Chris PeBenito 9b0b33ac4c Update contrib. 2012-05-04 08:43:41 -04:00
Chris PeBenito a9cd7ff45f Module version bump for patches from Sven Vermeulen.
* Dontaudit in xserver
* Create user keys in sudo
2012-05-04 08:43:27 -04:00
Chris PeBenito a5fc78b88a Move domain call in xserver. 2012-05-04 08:35:24 -04:00
Sven Vermeulen d5a23304c3 Adding dontaudits for xserver
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 08:34:32 -04:00
Sven Vermeulen 1fe3d0929e sudo with SELinux support requires key handling
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 08:30:28 -04:00
Chris PeBenito 2e83467903 Module version bump and changelog for virt updates from Sven Vermeulen. 2012-04-23 10:43:15 -04:00
Sven Vermeulen e842434336 Calling virsh requires stream_connect rights towards virt
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:22:55 -04:00
Sven Vermeulen f78979eadd Adding default context rules for libvirt
The libvirt infrastructure requires the availability of the context files.

In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:18:45 -04:00
Chris PeBenito 94d8bd2904 Module version bump for mountpoint patches from Sven Vermeulen. 2012-04-23 09:33:17 -04:00
Sven Vermeulen 26cfbe5317 Marking debugfs and securityfs as mountpoints
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 09:21:15 -04:00
Chris PeBenito 100734ef64 Module version bump for asterisk updates; pull in asterisk contrib changes. 2012-04-20 16:36:38 -04:00
Sven Vermeulen 00247b9d3f Allow initrc to manage asterisk log and pid file attributes
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 16:25:45 -04:00
Chris PeBenito 9e56720a39 Module version bump and changelog for various dontaudits from Sven Vermenulen. 2012-04-20 16:06:54 -04:00
Sven Vermeulen fc2f5ea3b4 Adding dontaudit for sudo
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:55:12 -04:00
Sven Vermeulen fbac862b89 Adding dontaudits for mount
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:44:05 -04:00
Sven Vermeulen 1bd83205aa Do not audit rw on dhcp client unix_stream_sockets
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:43:34 -04:00
Chris PeBenito 364768e8e9 Fix whitespace issues in sysnetwork.if. 2012-04-20 15:39:36 -04:00
Sven Vermeulen 2260ef56f8 Adding dontaudit interfaces in sysnet
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:39:04 -04:00
Chris PeBenito cb29c82a28 Rearrange mountpoint interfaces in files. 2012-04-20 15:38:51 -04:00
Chris PeBenito a1d38fb485 Fix files whitespace issues. 2012-04-20 15:35:24 -04:00
Sven Vermeulen f93d4fd85c Adding dontaudit interfaces for files module
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:30:10 -04:00
Chris PeBenito fbb165b989 Module version bump and changelog for bacula. 2012-03-30 09:43:13 -04:00
Chris PeBenito 68c8f3fc19 Fix whitespace issue in bacula sysadm patch. 2012-03-30 08:49:27 -04:00
Sven Vermeulen fdacc6e744 Allow sysadm to call bacula client
This patch allows the sysadmin to run the bacula admin client.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-03-30 08:48:39 -04:00
Chris PeBenito 5b4ed06fab Pull in contrib updates. 2012-03-06 09:00:44 -05:00
Chris PeBenito d796a281c1 Changelog for Move role declarations to the top of base.conf from Harry Ciao.
46acfd
2012-02-29 12:59:00 -05:00
Harry Ciao 46acfdd455 Move role declarations to the top of base.conf
system_r is required by the policy_module macro, which however will
be expanded as empty if the module is built into base.pp. system_r
is defined in the kernel.te, its definition should be moved to the
top of base.conf so that other modules copied earlier into base.conf
than kernel.te could reference system_r in their unconditional block
properly.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2012-02-29 12:08:22 -05:00
Chris PeBenito ee8210c690 Module version bump for make role attributes able to type their "own" types patch from Harry Ciao. 2012-02-27 10:25:08 -05:00
Chris PeBenito e707a70819 Rearrange role lines from "own" patch. 2012-02-27 10:18:00 -05:00
Harry Ciao 93c3ee8b7f Make role attributes able to type their "own" types.
By default, any role attribute should be able to type their "own" types
that share the same prefix and used in the run interface. For example,

role newrole_roles types newrole_t;

so that the calling domain of the seutil_run_newrole() interface could
properly tansition into newrole_t. Without above role rule, the caller's
role won't be associated with newrole_t.

Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
Chris PeBenito f3262926ae Module version bump for Mark temporary block device as fixed_disk_device_t from Sven Vermeulen. 2012-02-22 08:44:15 -05:00
Sven Vermeulen 1668ffb244 Mark temporary block device as fixed_disk_device_t
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.

Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.

By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-02-22 08:32:42 -05:00
Chris PeBenito 98a85d1000 Update Changelog and VERSION for release. 2012-02-15 14:32:45 -05:00