Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc
squash! Add support for rsyslog
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Make sure various virt user home content gets created with a type
transition and proper file contexts for common users
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.
The /var/log/cron[^/]* line in the context definition takes higher precedence
than the /var/log/cron.* line in the cron.fc file. As a result, when
/var/log/cron.log is created it gets relabeled to var_log_t instead of staying
with the cron_log_t type it should be.
Removing the line so that the definitions in cron.log are used.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements as
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Create various interfaces using the user_home_content_type attribute for
tmpreaper
user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type
(why?) We should probably also create user_tmp_content_type and
user_tmpfs_content_type attributes and assign to userdom_tmp_file and
userdom_tmpfs_file respectively
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".
When done, it will create symlinks in /var towards the new locations.
As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Content that (at least) common users need to be able to relabel and
create with a type transition
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Dominick Grift
Chris PeBenito
Laurent Bigonville
Sven Vermeulen