Commit Graph

3742 Commits

Author SHA1 Message Date
Chris PeBenito b244f47319 Module version bump for pid file directory from Russell Coker/Laurent Bigonville. 2014-02-06 09:14:31 -05:00
Laurent Bigonville d6751cb2f4 Move the ifdef at the end of the declaration block 2014-02-06 09:14:31 -05:00
Laurent Bigonville f2313e5304 Add fcontext for sshd pidfile and directory used for privsep
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch
2014-02-06 09:14:31 -05:00
Chris PeBenito 33b03a653e Update contrib. 2014-01-31 22:54:14 -05:00
Chris PeBenito d5a562246e Module version bump for logging fc patch from Laurent Bigonville. 2014-01-31 22:24:08 -05:00
Laurent Bigonville 64be72b662 Add fcontext for rsyslog pidfile 2014-01-31 21:54:40 -05:00
Chris PeBenito 41ee5421a7 Module version bump for unconfined transition to dpkg from Laurent Bigonville. 2014-01-27 13:19:57 -05:00
Laurent Bigonville 0e1c64f3bb Allow unconfined users to transition to dpkg_t domain
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito 3ffc91fff4 Module version bump for ZFS tools fc entries from Matthew Thode. 2014-01-21 08:55:37 -05:00
Chris PeBenito 734aebb02d Rearrange ZFS fc entries. 2014-01-21 08:55:28 -05:00
Chris PeBenito 496faf8c43 Fix ZFS fc escaping in mount. 2014-01-21 08:54:59 -05:00
Chris PeBenito 971c2fa6a4 Remove ZFS symlink labeling. 2014-01-21 08:52:24 -05:00
Matthew Thode fd9c2fc1e6 Extending support for SELinux on ZFS
Signed-off-by: Matthew Thode <mthode@mthode.org>
2014-01-21 08:43:40 -05:00
Chris PeBenito 0075ffb8b3 Module version bump for module store labeling fixes from Laurent Bigonville. 2014-01-17 08:54:08 -05:00
Laurent Bigonville be12f4dc18 Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Move the filetrans_patern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory
2014-01-16 16:12:44 -05:00
Chris PeBenito d3af996d01 Module version bump for direct initrc fixes from Dominick Grift. 2014-01-16 16:11:02 -05:00
Dominick Grift 493ca67e54 Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.

If you build targeted policy then consider direct_initrc=y

If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Dominick Grift 2be58db792 Change behavior of init_run_daemon()
Callers on init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.

The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 14:42:00 -05:00
Chris PeBenito f27f36ff15 Make the QUIET build option apply to clean and bare targets. 2014-01-16 11:25:42 -05:00
Chris PeBenito 58db129761 Update modules for file_t merge into unlabeled_t. 2014-01-16 11:24:25 -05:00
Chris PeBenito d66aeb8436 Merge file_t into unlabeled_t, as they are security equivalent. 2014-01-16 11:19:00 -05:00
Chris PeBenito bf6d35851e Module version bump for xserver change from Dominick Grift. 2014-01-08 13:58:51 -05:00
Dominick Grift 33b64cffb1 xserver: These are no longer needed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-06 10:23:13 -05:00
Chris PeBenito 51fe53e3fb Module version bump for patch from Laurent Bigonville. 2013-12-20 15:04:52 -05:00
Laurent Bigonville 62a8012a77 Allow udev to write in /etc/udev/rules.d
Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.

This patch has been taken from the Fedora policy
2013-12-20 15:04:22 -05:00
Chris PeBenito 55d34a8c5f Update contrib. 2013-12-20 15:02:54 -05:00
Chris PeBenito e9efb9297f Module version bump for patch from Laurent Bigonville. 2013-12-20 15:02:24 -05:00
Laurent Bigonville ac4dad0ed6 Label /bin/fusermount like /usr/bin/fusermount
On Debian, fusermount is installed under that path
2013-12-20 15:01:03 -05:00
Chris PeBenito 05892ad6db Module version bump for 2 patches from Dominick Grift. 2013-12-20 14:56:07 -05:00
Dominick Grift 39f77972ab init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Dominick Grift f4a4074d33 init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Chris PeBenito 7725c1b677 Fix Debian compile issue. 2013-12-20 14:44:03 -05:00
Chris PeBenito aa3c38bedb Module version bump for 4 init patches from Dominick Grift. 2013-12-10 10:40:38 -05:00
Chris PeBenito 5c345460b1 init: creates /run/utmp
Manually apply patch from Dominick Grift.
2013-12-10 10:31:01 -05:00
Chris PeBenito 5cb20b443e init: init_script_domain() allow system_r role the init script domain type
Manually apply patch from Dominick Grift.
2013-12-10 10:30:09 -05:00
Chris PeBenito eb0dcf6f94 Whitespace fix in init.te. 2013-12-10 10:29:53 -05:00
Dominick Grift 75cca597f6 init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:53 -05:00
Dominick Grift 32d6aac409 init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:48 -05:00
Chris PeBenito b339b85001 Module version bump for patches from Dominick Grift. 2013-12-06 09:49:41 -05:00
Dominick Grift 8e01054f07 users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito c7e2518162 Whitespace fix in libraries. 2013-12-06 08:48:04 -05:00
Dominick Grift b56ecb9d52 libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:47:53 -05:00
Dominick Grift e784e78825 iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:16:49 -05:00
Chris PeBenito 872ece4bcf Whitespace fix in usermanage. 2013-12-06 08:16:10 -05:00
Dominick Grift 6042255ede usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:14:29 -05:00
Chris PeBenito 3208ff94c4 Module version bump for second lot of patches from Dominick Grift. 2013-12-03 13:03:35 -05:00
Dominick Grift 1b757c65cc udev: in debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00
Chris PeBenito 3ee649f132 Add comment in policy for lvm sysfs write. 2013-12-03 10:54:22 -05:00
Dominick Grift 6905ddaa98 lvm: lvm writes read_ahead_kb
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:53:23 -05:00
Dominick Grift 198a6b2830 udev: udevd executable location changed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:52:44 -05:00