Chris PeBenito
d3af996d01
Module version bump for direct initrc fixes from Dominick Grift.
2014-01-16 16:11:02 -05:00
Dominick Grift
493ca67e54
Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.
If you build targeted policy then consider direct_initrc=y
If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Dominick Grift
2be58db792
Change behavior of init_run_daemon()
Callers of init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.
The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 14:42:00 -05:00
Chris PeBenito
58db129761
Update modules for file_t merge into unlabeled_t.
2014-01-16 11:24:25 -05:00
Chris PeBenito
d66aeb8436
Merge file_t into unlabeled_t, as they are security equivalent.
2014-01-16 11:19:00 -05:00
Chris PeBenito
bf6d35851e
Module version bump for xserver change from Dominick Grift.
2014-01-08 13:58:51 -05:00
Dominick Grift
33b64cffb1
xserver: These are no longer needed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-06 10:23:13 -05:00
Chris PeBenito
51fe53e3fb
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:04:52 -05:00
Laurent Bigonville
62a8012a77
Allow udev to write in /etc/udev/rules.d
Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.
This patch has been taken from the Fedora policy
2013-12-20 15:04:22 -05:00
Chris PeBenito
55d34a8c5f
Update contrib.
2013-12-20 15:02:54 -05:00
Chris PeBenito
e9efb9297f
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:02:24 -05:00
Laurent Bigonville
ac4dad0ed6
Label /bin/fusermount like /usr/bin/fusermount
On Debian, fusermount is installed under that path
2013-12-20 15:01:03 -05:00
Chris PeBenito
05892ad6db
Module version bump for 2 patches from Dominick Grift.
2013-12-20 14:56:07 -05:00
Dominick Grift
39f77972ab
init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Dominick Grift
f4a4074d33
init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Chris PeBenito
7725c1b677
Fix Debian compile issue.
2013-12-20 14:44:03 -05:00
Chris PeBenito
aa3c38bedb
Module version bump for 4 init patches from Dominick Grift.
2013-12-10 10:40:38 -05:00
Chris PeBenito
5c345460b1
init: creates /run/utmp
Manually apply patch from Dominick Grift.
2013-12-10 10:31:01 -05:00
Chris PeBenito
5cb20b443e
init: init_script_domain() allow system_r role the init script domain type
Manually apply patch from Dominick Grift.
2013-12-10 10:30:09 -05:00
Chris PeBenito
eb0dcf6f94
Whitespace fix in init.te.
2013-12-10 10:29:53 -05:00
Dominick Grift
75cca597f6
init: this is a bug in Debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:53 -05:00
Dominick Grift
32d6aac409
init: for a specified automatic role transition to work, the source role must be allowed to change manually to the target role
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:48 -05:00
Chris PeBenito
b339b85001
Module version bump for patches from Dominick Grift.
2013-12-06 09:49:41 -05:00
Dominick Grift
8e01054f07
users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito
c7e2518162
Whitespace fix in libraries.
2013-12-06 08:48:04 -05:00
Dominick Grift
b56ecb9d52
libraries: for now I can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:47:53 -05:00
Dominick Grift
e784e78825
iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:16:49 -05:00
Chris PeBenito
872ece4bcf
Whitespace fix in usermanage.
2013-12-06 08:16:10 -05:00
Dominick Grift
6042255ede
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:14:29 -05:00
Chris PeBenito
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
Dominick Grift
1b757c65cc
udev: in Debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00
Chris PeBenito
3ee649f132
Add comment in policy for lvm sysfs write.
2013-12-03 10:54:22 -05:00
Dominick Grift
6905ddaa98
lvm: lvm writes read_ahead_kb
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:53:23 -05:00
Dominick Grift
198a6b2830
udev: udevd executable location changed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:52:44 -05:00
Chris PeBenito
613100a7f4
Whitespace fix in fstools.
2013-12-03 10:39:51 -05:00
Dominick Grift
521bbf8586
These { read write } tty_device_t chr files on boot up in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito
ac22f3a48e
setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
Access noted by Dominick Grift.
2013-12-03 09:52:21 -05:00
Chris PeBenito
3b52b87615
Rearrange userdom_delete_user_tmpfs_files() interface.
2013-12-03 09:45:16 -05:00
Dominick Grift
b0068ace7d
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 09:43:51 -05:00
Chris PeBenito
f06282d1e0
Update contrib.
2013-12-03 09:34:05 -05:00
Chris PeBenito
1a01976fc4
Module version bump for first batch of patches from Dominick Grift.
2013-12-02 14:22:29 -05:00
Dominick Grift
66c6b8a9f7
unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
04ac9311b9
xserver: already allowed by auth_login_pgm_domain(xdm_t)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
5c49af2076
kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
4113f7b0d4
sshd/setrans: make respective init scripts create pid dirs with proper contexts
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
012f1b2311
sysnetwork: dhclient searches /var/lib/ntp
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
6c19504654
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
3b6a8b0ee5
fstools: hdparm appends (what seems inherited from devicekit) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
000397b217
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
e7b86e07f2
setrans: mcstransd reads filesystems file in /proc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00