mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-25 04:26:37 +00:00
Commit Graph

54 Commits

Author SHA1 Message Date
Guido Trentalancia via refpolicy
b7f5fa6ac7 Let the user list noxattr fs directories
When reading or managing noxattr fs files or symbolic links, also
let the user list noxattr fs directories.

This patch should be applied after the following one:

http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html

"Let users read/manage symlinks on fs that do not support xattr"

posted on Sat, 29 Oct 2016 15:39:46 UTC.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-10-30 14:25:22 -04:00
Guido Trentalancia via refpolicy
c23fe5c298 Let users read/manage symlinks on fs that do not support xattr
Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-10-30 14:24:52 -04:00
Vit Mojzis
17bd45dab9 Add interface to allow reading files in efivarfs - contains Linux Kernel configuration options for UEFI systems (UEFI Runtime Variables) 2016-02-03 13:33:43 +01:00
Nicolas Iooss
c82a479ed8 Fix interface descriptions when duplicate ones are found
Distinct interfaces should have different comments
2016-01-19 00:17:34 +01:00
Nicolas Iooss
25bc2d5c1d Allow systemd services to use PrivateNetwork feature
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.
2016-01-11 13:17:16 -05:00
Chris PeBenito
3639880cf6 Implement core systemd policy.
Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Nicolas Iooss
d3092fc059 Fix typo in fs_getattr_all_fs description 2014-08-26 09:07:53 -04:00
Laurent Bigonville
408549f8d3 Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
Create a new attribute and fs_getattr_all_xattr_fs() interface that will
be used for all the filesystems that support xattr
2014-04-11 09:08:19 -04:00
Dominick Grift
f4a0be2dfc For virtd_lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
0122830bd9 For virtd_lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Chris PeBenito
4f24b1841c Add optional name for kernel and system filetrans interfaces. 2012-05-10 09:53:45 -04:00
Chris PeBenito
ed17ee5394 Pull in additional changes in kernel layer from Fedora. 2011-03-31 09:49:01 -04:00
Chris PeBenito
22633ec985 Whitespace fix in filesystem. 2011-03-31 08:55:05 -04:00
Chris PeBenito
f940ca9db6 Remove eventpollfs_t.
Eventpollfs was changed to task SID in 2006.  Remove the dead type.
2011-03-31 08:52:07 -04:00
Chris PeBenito
66ef236c90 Minor fixes for Chris Richards' mount patchset. 2010-11-11 09:47:37 -05:00
Chris Richards
55d8395f49 dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:05 -05:00
Dominick Grift
5675107ff9 Libcgroup moved the cgroup directory to /sys/fs/cgroup.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:03:10 -04:00
Dominick Grift
705f70f098 Kernel layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito
3c79f954d1 Rearrange interfaces in filesystem. 2010-06-22 10:17:42 -04:00
Chris PeBenito
eab2cc89b4 Slocate patch from Dan Walsh.
Locate attempts to look at network state and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
860c05d9de Rearrange cgroup interfaces in filesystem. 2010-06-08 09:10:45 -04:00
Dominick Grift
c0c635b3f3 cgroup in filesystem.
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-08 08:38:18 -04:00
Chris PeBenito
7af0e9bc95 Filesystem patch from Dan Walsh. 2010-03-12 11:40:59 -05:00
Chris PeBenito
12f73d8b69 Improve filesystem interfaces:
fs_getattr_xattr_fs()
fs_getattr_all_fs()
fs_search_auto_mountpoints()
2010-03-01 14:50:55 -05:00
Chris PeBenito
f4b9dc3b00 Filesystem patch from Dan Walsh. 2009-11-23 13:46:51 -05:00
Chris PeBenito
3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito
731008ad85 trunk: 2 patches from dan. 2009-06-08 17:18:26 +00:00
Chris PeBenito
c45fdad85b trunk: filesystem patch from dan. 2009-03-04 15:53:07 +00:00
Chris PeBenito
156204a385 trunk: Drop write permission from fs_read_rpc_sockets(). 2009-02-24 20:00:15 +00:00
Chris PeBenito
ff8f0a63f4 trunk: whitespace fixes in xml blocks. 2008-12-03 19:16:20 +00:00
Chris PeBenito
6073ea1e13 trunk: whitespace fix changing multiple spaces into tabs. 2008-12-03 18:33:19 +00:00
Chris PeBenito
82d2775c92 trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00
Chris PeBenito
88cf0a9c2b trunk: whitespace fix; collapse multiple blank lines into one. 2008-10-17 15:29:51 +00:00
Chris PeBenito
770c015f88 trunk: 2 patches from dan. 2008-08-14 15:10:41 +00:00
Chris PeBenito
0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito
7d8fbdc062 trunk: fix bad cifs interface. 2008-05-23 14:41:36 +00:00
Chris PeBenito
e6fdb59601 trunk: fix typo 2008-05-23 13:50:38 +00:00
Chris PeBenito
b34db7a8ec trunk: another pile of misc fixes. 2008-05-22 15:24:52 +00:00
Chris PeBenito
8f3a0a95e0 trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00
Chris PeBenito
8e2fb69f88 trunk: filesystem patch from dan. 2007-10-24 18:37:26 +00:00
Chris PeBenito
3d6e962dfa trunk: filesystem patch from dan 2007-08-08 20:04:28 +00:00
Chris PeBenito
5bf9deb5bb trunk: 3 patches from dan 2007-06-20 19:47:10 +00:00
Chris PeBenito
9e8f65c83e six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed 2007-03-26 20:47:29 +00:00
Chris PeBenito
6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
Chris PeBenito
c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito
ed38ca9f3d fixes from gentoo strict testing:
- Allow semanage to read from /root on strict non-MLS for
  local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
  on clients.
2006-11-13 03:24:07 +00:00
Chris PeBenito
d9845ae92a patch from dan Tue, 24 Oct 2006 11:00:28 -0400 2006-10-31 21:01:48 +00:00
Chris PeBenito
693d4aedb5 patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
Chris PeBenito
8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito
bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00