Sugar, David
2831598bb5
grant rpm_t permission to map security_t
...
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-13 14:00:23 -04:00
Jason Zaman
181298ab8b
selinux: compute_access_vector requires creating netlink_selinux_sockets
2018-07-10 17:25:11 -04:00
Chris PeBenito
efa32d9b56
Remove deprecated interfaces older than one year old.
...
Additionally one deprecated attribute removed.
2017-08-06 17:03:17 -04:00
Chris PeBenito
b94f45d760
Revise selinux module interfaces for perms protected by neverallows.
...
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.
Closes #14
2015-11-04 15:10:29 -05:00
Chris PeBenito
6624f9cf7a
Drop RHEL4 and RHEL5 support.
2014-09-24 13:10:37 -04:00
Sven Vermeulen
ddca151876
Dontaudit access on security_t file system at /sys/fs/selinux
...
Second part of the support of security_t under /sys/fs/selinux - when
asked not to audit getting attributes on the selinux file system, have
this propagate to the sysfs parts as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-21 08:37:47 -04:00
Sven Vermeulen
4c68c98ed2
The security_t file system can be at /sys/fs/selinux
...
Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.
First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-21 08:37:46 -04:00
Dominick Grift
e6e9e2d08b
selinux: selinuxfs is now mounted under /sys/fs/selinux instead of /selinux, so we need to allow domains that use selinuxfs to interface with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 09:51:01 -04:00
Chris PeBenito
8e94109c52
Change secure_mode_policyload to disable only toggling of this Boolean rather than disabling all Boolean toggling permissions.
2011-09-26 10:44:27 -04:00
Chris PeBenito
ed17ee5394
Pull in additional changes in kernel layer from Fedora.
2011-03-31 09:49:01 -04:00
Chris PeBenito
220915dcad
Add mounting interfaces for selinuxfs.
2010-10-28 14:32:24 -04:00
Dominick Grift
705f70f098
Kernel layer xml fixes.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito
f0435b1ac4
trunk: add support for labeled booleans.
2009-01-13 13:01:48 +00:00
Chris PeBenito
82d2775c92
trunk: more open perm fixes.
2008-10-20 16:10:42 +00:00
Chris PeBenito
04d2861035
trunk: missing bits from dan's previous round of patches.
2008-10-09 14:01:53 +00:00
Chris PeBenito
eeef8dc451
trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.
2007-11-16 14:58:17 +00:00
Chris PeBenito
5bf9deb5bb
trunk: 3 patches from dan
2007-06-20 19:47:10 +00:00
Chris PeBenito
86d754eed6
Add support for libselinux 2.0.5 init_selinuxmnt() changes.
2007-02-27 17:02:35 +00:00
Chris PeBenito
bbcd3c97dd
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
Chris PeBenito
46551033aa
patch from dan Wed, 26 Jul 2006 14:42:46 -0400
2006-07-28 15:13:58 +00:00
Chris PeBenito
8b9ebd3769
some cleanup in the kernel layer
2006-07-25 15:23:13 +00:00
Chris PeBenito
133000c286
remove setbool auditallow, except for distro_rhel4.
2006-07-13 14:22:21 +00:00
Chris PeBenito
17de1b790b
remove extra level of directory
2006-07-12 20:32:27 +00:00