When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.
I've had this in Debian for a while and some Debian policy relies on it.
I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.
We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family. Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.
This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.
Thanks to Dominick for the tip.
Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.
Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.
This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.
The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.
This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.