Chris PeBenito
fbae5870d9
Module version bump for fixes from Laurent Bigonville.
2014-04-21 09:24:28 -04:00
Laurent Bigonville
b963532e7c
Label /etc/locale.alias as locale_t on Debian
On Debian, /usr/share/locale/locale.alias is a symlink to
/etc/locale.alias, properly label this file.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707246
2014-04-21 09:02:26 -04:00
Chris PeBenito
3b697dbb25
Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville
d30d36a2fe
Label /usr/local/share/ca-certificates(/.*)? as cert_t
On Debian, this directory can contain locally trusted certificates that
will then be symlinked to /etc/ssl/certs by
update-ca-certificates(8); the files should be labelled as cert_t.
2014-04-11 09:26:12 -04:00
Laurent Bigonville
b7bd94f923
Properly label the manpages installed by postgresql
The postgresql manpages are installed under a private directory, some of
them are symlinked to the usual location.
Properly labeling them ensures that mandb can read them.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591
2014-04-11 09:26:12 -04:00
Laurent Bigonville
86a429de23
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
Use the new fs_getattr_all_xattr_fs() interface to allow the setfiles_t and
restorecond_t domains to also get the attributes on pseudo-filesystems
that support xattr
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
2014-04-11 09:08:19 -04:00
Chris PeBenito
8d94022284
Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.
2014-04-04 15:53:32 -04:00
Nicolas Iooss
27f4846ff8
userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
2014-04-04 15:52:17 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Luis Ressel
a10fefcd39
Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Chris PeBenito
3501307078
Fix read loopback file interface.
2014-02-08 11:35:57 -05:00
Chris PeBenito
92cd2e251c
Module version bump for loopback file mounting fixes from Luis Ressel.
2014-02-08 10:50:34 -05:00
Chris PeBenito
acf1229dad
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Luis Ressel
24be4c0096
Allow mount_t usage of /dev/loop-control
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel
09370605a3
system/mount.if: Add mount_read_mount_loopback interface
2014-02-08 10:32:44 -05:00
Chris PeBenito
d5a562246e
Module version bump for logging fc patch from Laurent Bigonville.
2014-01-31 22:24:08 -05:00
Laurent Bigonville
64be72b662
Add fcontext for rsyslog pidfile
2014-01-31 21:54:40 -05:00
Chris PeBenito
41ee5421a7
Module version bump for unconfined transition to dpkg from Laurent Bigonville.
2014-01-27 13:19:57 -05:00
Laurent Bigonville
0e1c64f3bb
Allow unconfined users to transition to dpkg_t domain
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito
3ffc91fff4
Module version bump for ZFS tools fc entries from Matthew Thode.
2014-01-21 08:55:37 -05:00
Chris PeBenito
734aebb02d
Rearrange ZFS fc entries.
2014-01-21 08:55:28 -05:00
Chris PeBenito
496faf8c43
Fix ZFS fc escaping in mount.
2014-01-21 08:54:59 -05:00
Matthew Thode
fd9c2fc1e6
Extending support for SELinux on ZFS
Signed-off-by: Matthew Thode <mthode@mthode.org>
2014-01-21 08:43:40 -05:00
Chris PeBenito
0075ffb8b3
Module version bump for module store labeling fixes from Laurent Bigonville.
2014-01-17 08:54:08 -05:00
Laurent Bigonville
be12f4dc18
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Move the filetrans_pattern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory
2014-01-16 16:12:44 -05:00
Chris PeBenito
d3af996d01
Module version bump for direct initrc fixes from Dominick Grift.
2014-01-16 16:11:02 -05:00
Dominick Grift
493ca67e54
Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.
If you build targeted policy then consider direct_initrc=y
If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Dominick Grift
2be58db792
Change behavior of init_run_daemon()
Callers of init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.
The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 14:42:00 -05:00
Chris PeBenito
58db129761
Update modules for file_t merge into unlabeled_t.
2014-01-16 11:24:25 -05:00
Chris PeBenito
51fe53e3fb
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:04:52 -05:00
Laurent Bigonville
62a8012a77
Allow udev to write in /etc/udev/rules.d
Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.
This patch has been taken from the Fedora policy
2013-12-20 15:04:22 -05:00
Chris PeBenito
e9efb9297f
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:02:24 -05:00
Laurent Bigonville
ac4dad0ed6
Label /bin/fusermount like /usr/bin/fusermount
On Debian, fusermount is installed under that path
2013-12-20 15:01:03 -05:00
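The labeling commits above (locale_t, cert_t, semanage_store_t, fusermount) each add or fix a file_contexts entry: a regular expression, an optional file-type column, and a security context. The block below is an added Python example, not refpolicy or libselinux code, that parses a constructed excerpt written in that syntax and resolves a path to a context the way setfiles(8)/matchpathcon(8) do, in simplified form: every regex is anchored at both ends, an entry with a file-type flag (for example `--`) only applies to that object type, and the most specific entry wins. The context strings, the generic default_t/etc_t entries, the fusermount_exec_t entry and the /usr/share/locale entry are assumptions made for illustration; only the semanage_store_t and cert_t regexes are quoted from the commit subjects above. In this simplified matcher the last matching entry wins; libselinux instead sorts entries by specificity, and the constructed list is ordered from generic to specific so that both orderings give the same answer here.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt in file_contexts syntax: regex, optional type flag, context.
# The semanage_store_t and cert_t regexes are the ones from the commits above;
# every other entry and all context strings are assumed for illustration.
FILE_CONTEXTS = """\
/.*                                      system_u:object_r:default_t:s0
/etc/.*                                  system_u:object_r:etc_t:s0
/etc/locale\\.alias                   -- system_u:object_r:locale_t:s0
/usr/share/locale(/.*)?                  system_u:object_r:locale_t:s0
/etc/selinux/([^/]*/)?modules(/.*)?      system_u:object_r:semanage_store_t:s0
/usr/local/share/ca-certificates(/.*)?   system_u:object_r:cert_t:s0
/bin/fusermount                       -- system_u:object_r:fusermount_exec_t:s0
"""

# file_contexts(5) file-type flags; an entry without a flag applies to any type.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}


class Spec(NamedTuple):
    regex: "re.Pattern[str]"
    ftype: Optional[str]   # one of FTYPE_FLAGS.values(), or None for "any type"
    context: str


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into compiled, anchored specs (comments skipped)."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = FTYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # libselinux anchors each regex at both ends, so "modules" does not
        # match "modulesx" and "(/.*)?" is what makes subtrees match.
        specs.append(Spec(re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Return the context for path, or None if no entry matches.

    Simplification: the last matching entry wins. libselinux orders entries
    by specificity instead; the constructed list above is ordered from generic
    to specific, so the result is the same for these inputs."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue          # e.g. a "--" entry never labels a directory
        if spec.regex.match(path):
            return spec.context
    return None


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for path, ftype in [("/etc/locale.alias", "file"),
                        ("/etc/locale.alias", "dir"),
                        ("/usr/share/locale/locale.alias", "lnk"),
                        ("/etc/selinux/default/modules/active", "dir"),
                        ("/etc/selinux/default/modulesx", "file"),
                        ("/usr/local/share/ca-certificates/corp-root.crt", "file"),
                        ("/bin/fusermount", "file")]:
        print(f"{path:50} {ftype:4} -> {lookup(SPECS, path, ftype)}")
```

The two `/etc/locale.alias` lookups show why the file-type column matters: the `--` entry applies only to a regular file, so a directory at that path would fall back to etc_t. The `modulesx` lookup shows the effect of anchoring, and the `lnk` lookup shows that the symlink at /usr/share/locale/locale.alias and its target can carry the same type without the symlink entry having to know about the target.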
Chris PeBenito
05892ad6db
Module version bump for 2 patches from Dominick Grift.
2013-12-20 14:56:07 -05:00
Dominick Grift
39f77972ab
init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems like overengineering to create private environ types for these files
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Dominick Grift
f4a4074d33
init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Chris PeBenito
7725c1b677
Fix Debian compile issue.
2013-12-20 14:44:03 -05:00
Chris PeBenito
aa3c38bedb
Module version bump for 4 init patches from Dominick Grift.
2013-12-10 10:40:38 -05:00
Chris PeBenito
5c345460b1
init: creates /run/utmp
Manually apply patch from Dominick Grift.
2013-12-10 10:31:01 -05:00
Chris PeBenito
5cb20b443e
init: init_script_domain() allow system_r role the init script domain type
Manually apply patch from Dominick Grift.
2013-12-10 10:30:09 -05:00
Chris PeBenito
eb0dcf6f94
Whitespace fix in init.te.
2013-12-10 10:29:53 -05:00
Dominick Grift
75cca597f6
init: this is a bug in Debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:53 -05:00
Dominick Grift
32d6aac409
init: for a specified automatic role transition to work, the source role must be allowed to change manually to the target role
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:48 -05:00
Chris PeBenito
b339b85001
Module version bump for patches from Dominick Grift.
2013-12-06 09:49:41 -05:00
Dominick Grift
8e01054f07
users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito
c7e2518162
Whitespace fix in libraries.
2013-12-06 08:48:04 -05:00
Dominick Grift
b56ecb9d52
libraries: for now I can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:47:53 -05:00
Dominick Grift
e784e78825
iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:16:49 -05:00
Chris PeBenito
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
Dominick Grift
1b757c65cc
udev: in Debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00