Commit Graph

2286 Commits

Author SHA1 Message Date
Chris PeBenito c5967300e2 add changelog entry for e4928c5f79 2009-10-22 09:22:14 -04:00
Chris PeBenito 7ca3f559d7 add open to search_dir_perms. 2009-10-22 09:13:04 -04:00
Eamon Walsh e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito 808341bb9b revise MCS constraints to use only MCS-specific attributes. 2009-10-07 11:48:14 -04:00
Chris PeBenito 4be8dd10b9 add seunshare from dan. 2009-09-28 15:40:06 -04:00
Chris PeBenito 5a6b1fe2b4 add dkim from stefan schulze frielinghaus. 2009-09-17 09:12:33 -04:00
Chris PeBenito 21b1d1096f add gnomeclock from dan. 2009-09-16 08:38:58 -04:00
Chris PeBenito ed70158a39 add rtkit from dan. 2009-09-15 09:53:24 -04:00
Chris PeBenito 1d3b9e384c clean up xscreensaver. 2009-09-15 09:41:42 -04:00
corentin.labbe 31f9c109c1 SELinux xscreensaver policy support
Hello

This a patch for adding xscreensaver policy.

I think it need a specific policy because of the auth_domtrans_chk_passwd.

cordially

Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr>
2009-09-15 08:46:28 -04:00
Chris PeBenito c141d835f1 add modemmanager from dan. 2009-09-14 09:48:13 -04:00
Chris PeBenito e3a90e358a add abrt from dan. 2009-09-14 09:22:24 -04:00
Chris PeBenito 6af53d08ed rearrange readahead rules. 2009-09-09 09:53:28 -04:00
Chris PeBenito c1e5b195f7 readahead patch from dan. 2009-09-09 09:45:34 -04:00
Chris PeBenito 937b2c4d91 nscd patch from dan. 2009-09-09 09:35:37 -04:00
Chris PeBenito c61b35048a cron patch from dan. 2009-09-09 09:28:04 -04:00
Chris PeBenito 163ddfaa80 prelink patch from dan. 2009-09-09 08:18:51 -04:00
Chris PeBenito 81bca10b28 nslcd policy from dan. 2009-09-08 10:31:19 -04:00
Chris PeBenito f67bc918d4 term_write_all_terms() patch from Stefan Schulze Frielinghaus 2009-09-08 10:06:38 -04:00
Chris PeBenito dbed95369c add gitosis from miroslav grepl. 2009-09-03 09:52:08 -04:00
Chris PeBenito 634a13c21f cpufreqselector patch from dan. 2009-09-03 09:15:17 -04:00
Chris PeBenito f6137171f3 add an additional vmware host program. 2009-09-03 08:56:58 -04:00
Chris PeBenito 6fdef06522 screen patch from dan. 2009-09-03 08:49:26 -04:00
Chris PeBenito 72b834ccb0 remove stale screen_dir_t references
The screen_dir_t was made an alias of the screen_var_run_t type.
Remove the remaining references to this type.
2009-09-03 08:39:42 -04:00
Chris PeBenito ca7fa520e7 gpg patch from dan.
gpg sends sigstop and signull

Reads usb devices

Can encrypts users content in /tmp and the homedir, as well as on NFS and cifs
2009-09-03 08:23:18 -04:00
Chris PeBenito f2f296ba60 openvpn patch from dan: Openvpn connects to cache ports and stores files in nfs and cifs directories. 2009-09-02 09:24:10 -04:00
Chris PeBenito 93be4ba581 Webalizer does not list inotify, this was caused by leaked file descriptors in either dbus or cron. Both of which have been cleaned up. 2009-09-02 09:10:30 -04:00
Chris PeBenito 625be1b4e6 add shorewall from dan. 2009-09-02 08:58:52 -04:00
Chris PeBenito 71965a1fc5 add kdump from dan. 2009-09-02 08:33:25 -04:00
Chris PeBenito a4b6385b9d cdrecord patch from dan. 2009-09-01 09:22:40 -04:00
Chris PeBenito 1a79193449 awstats patch from dan. 2009-09-01 08:59:24 -04:00
Chris PeBenito b2324fa76d certwatch patch from dan. 2009-09-01 08:50:39 -04:00
Chris PeBenito b515ab0182 mrtg patch from dan. 2009-09-01 08:44:20 -04:00
Chris PeBenito aa83007d5a add hddtemp from dan. 2009-09-01 08:34:04 -04:00
Chris PeBenito aac56b12b7 add ptchown policy from dan. 2009-08-31 10:21:01 -04:00
Chris PeBenito a3dd1499ef pulseaudio patch from dan. 2009-08-31 10:07:57 -04:00
Chris PeBenito da4332a3c5 man page update from dan. 2009-08-31 09:57:55 -04:00
Chris PeBenito 6774578327 module version number bump for nscd patch. 2009-08-31 09:44:38 -04:00
Manoj Srivastava 2a79debe9b nscd cache location changed from /var/db/nscd to /var/cache/nscd
The nscd policy module uses the old nscd cache location. The cache location
changed with glibc 2.7-1, and the current nscd does place the files in
/var/cache/nscd/.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
2009-08-31 09:43:52 -04:00
Chris PeBenito a9e9678fc7 kismet patch from dan. 2009-08-31 09:38:47 -04:00
Chris PeBenito aaff2fcfcd module version number bump for tun patches 2009-08-31 09:17:31 -04:00
Chris PeBenito 0be901ba40 rename admin_tun_type to admindomain. 2009-08-31 09:03:51 -04:00
Chris PeBenito bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore 9dc3cd1635 refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00
Paul Moore 333494fd59 refpol: Add the "tun_socket" object class flask definitions
Add the new "tun_socket" class to the flask definitions.  The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:00 -04:00
Chris PeBenito 4279891d1f patch from Eamon Walsh to remove useage of deprecated xserver interfaces. 2009-08-28 13:40:29 -04:00
Chris PeBenito 93c49bdb04 deprecate userdom_xwindows_client_template
The X policy for users is currently split between
userdom_xwindows_client_template() and xserver_role().  Deprecate
the former and put the rules into the latter.

For preserving restricted X roles (xguest), divide the rules
into xserver_restricted_role() and xserver_role().
2009-08-28 13:29:36 -04:00
Chris PeBenito fef5dcf3af Remove excessive permissions in logging_send_syslog_msg(). Ticket #14. 2009-08-26 10:05:36 -04:00
Chris PeBenito e27827b86c split dev_create_cardmgr_dev() into a create and a filetrans interface. 2009-08-25 09:56:56 -04:00
Chris PeBenito dbb7dd9484 Merge branch 'master' of ssh://oss.tresys.com/home/git/refpolicy 2009-08-25 09:44:28 -04:00