Sven Vermeulen
22ef609197
Support /sys/devices/system/cpu/online
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep
their context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
Sven Vermeulen
6e0000b725
Hide getattr denials upon sudo invocation
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
Chris PeBenito
8d94022284
Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.
2014-04-04 15:53:32 -04:00
Nicolas Iooss
27f4846ff8
userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
2014-04-04 15:52:17 -04:00
Chris PeBenito
a10930fe7c
Update contrib.
2014-03-14 11:48:15 -04:00
Chris PeBenito
862e22528d
Whitespace fix in xserver.fc.
2014-03-14 11:17:44 -04:00
Chris PeBenito
4508d748dc
Move lightdm line in xserver.fc.
2014-03-14 11:17:22 -04:00
Laurent Bigonville
18e114dae4
Label /usr/sbin/lightdm as xdm_exec_t
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739163
2014-03-14 11:14:43 -04:00
Laurent Bigonville
81570b1eb4
Properly label git-shell and other git commands for Debian
2014-03-14 11:14:43 -04:00
Chris PeBenito
4caf0885bf
Module version bump for postgresql fc entries from Luis Ressel.
2014-03-14 10:59:45 -04:00
Chris PeBenito
a72bd68428
Whitespace fix in postgresql.fc
2014-03-14 10:10:32 -04:00
Luis Ressel
defc62bf33
Add two postgresql file contexts from gentoo policy
Gentoo appends version numbers to the names of the init script and the
config directory.
2014-03-14 10:08:18 -04:00
Chris PeBenito
a82a6a80a1
Update Changelog and VERSION for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
a5054f1135
Update contrib.
2014-03-11 08:15:14 -04:00
Chris PeBenito
d6365192c2
Update contrib.
2014-03-03 09:07:16 -05:00
Chris PeBenito
4dbe95d58b
Module version bump for bootloader fc fixes from Luis Ressel.
2014-03-03 09:07:00 -05:00
Luis Ressel
f8eb4e3b3b
Label grub2-install as bootloader_exec_t
2014-03-03 08:45:10 -05:00
Luis Ressel
c2a9b89c5f
Generalize grub2 pattern
GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.
2014-03-03 08:44:41 -05:00
Chris PeBenito
681c3d451c
Update contrib.
2014-02-15 15:04:12 -05:00
Luis Ressel
a10fefcd39
Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Luis Ressel
f824120b6d
Use xattr-labeling for squashfs.
This is taken from the Fedora policy (authors: Dan Walsh, Miroslav
Grepl) and dates back to 2011 there.
2014-02-15 14:34:10 -05:00
Chris PeBenito
3501307078
Fix read loopback file interface.
2014-02-08 11:35:57 -05:00
Chris PeBenito
92cd2e251c
Module version bump for loopback file mounting fixes from Luis Ressel.
2014-02-08 10:50:34 -05:00
Chris PeBenito
acf1229dad
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Chris PeBenito
38a2d8e581
Move loop control interface definition.
2014-02-08 10:48:50 -05:00
Luis Ressel
7ac64b8a5a
Grant kernel_t necessary permissions for loopback mounts
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Luis Ressel
24be4c0096
Allow mount_t usage of /dev/loop-control
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel
09370605a3
system/mount.if: Add mount_read_mount_loopback interface
2014-02-08 10:32:44 -05:00
Luis Ressel
781377da9f
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-08 10:32:44 -05:00
Chris PeBenito
3bb3d9e79e
Module version bump for sesh fc from Nicolas Iooss.
2014-02-08 09:57:32 -05:00
Nicolas Iooss
f003497bcb
Label /usr/lib/sudo/sesh as shell_exec_t
2014-02-08 09:50:09 -05:00
Chris PeBenito
3c4a9cde0e
Update contrib.
2014-02-08 09:42:54 -05:00
Chris PeBenito
f097b7ab4e
Move bin_t fc from couchdb to corecommands.
2014-02-08 09:42:43 -05:00
Chris PeBenito
dd0df56c26
Module version bump for files_dontaudit_list_var() interface from Luis Ressel.
2014-02-08 09:04:18 -05:00
Luis Ressel
7381deb292
kernel/files.if: Add files_dontaudit_list_var interface
This is required for an update of the couchdb policy.
2014-02-08 09:02:57 -05:00
Chris PeBenito
22d7dac75b
Module version bump for ssh use of gpg-agent from Luis Ressel.
2014-02-08 08:41:05 -05:00
Chris PeBenito
7e71b34b09
Rearrange gpg agent calls.
2014-02-08 08:40:37 -05:00
Chris PeBenito
4ef4e0674d
Rename gpg_agent_connect to gpg_stream_connect_agent.
2014-02-08 08:24:41 -05:00
Luis Ressel
bda6528039
Conditionally allow ssh to use gpg-agent
gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.
2014-02-08 08:10:16 -05:00
Chris PeBenito
b244f47319
Module version bump for pid file directory from Russell Coker/Laurent Bigonville.
2014-02-06 09:14:31 -05:00
Laurent Bigonville
d6751cb2f4
Move the ifdef at the end of the declaration block
2014-02-06 09:14:31 -05:00
Laurent Bigonville
f2313e5304
Add fcontext for sshd pidfile and directory used for privsep
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
2014-02-06 09:14:31 -05:00
Chris PeBenito
33b03a653e
Update contrib.
2014-01-31 22:54:14 -05:00
Chris PeBenito
d5a562246e
Module version bump for logging fc patch from Laurent Bigonville.
2014-01-31 22:24:08 -05:00
Laurent Bigonville
64be72b662
Add fcontext for rsyslog pidfile
2014-01-31 21:54:40 -05:00
Chris PeBenito
41ee5421a7
Module version bump for unconfined transition to dpkg from Laurent Bigonville.
2014-01-27 13:19:57 -05:00
Laurent Bigonville
0e1c64f3bb
Allow unconfined users to transition to dpkg_t domain
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
2014-01-27 12:41:45 -05:00
Chris PeBenito
3ffc91fff4
Module version bump for ZFS tools fc entries from Matthew Thode.
2014-01-21 08:55:37 -05:00
Chris PeBenito
734aebb02d
Rearrange ZFS fc entries.
2014-01-21 08:55:28 -05:00
Chris PeBenito
496faf8c43
Fix ZFS fc escaping in mount.
2014-01-21 08:54:59 -05:00
Chris PeBenito
971c2fa6a4
Remove ZFS symlink labeling.
2014-01-21 08:52:24 -05:00
Matthew Thode
fd9c2fc1e6
Extending support for SELinux on ZFS
Signed-off-by: Matthew Thode <mthode@mthode.org>
2014-01-21 08:43:40 -05:00
Chris PeBenito
0075ffb8b3
Module version bump for module store labeling fixes from Laurent Bigonville.
2014-01-17 08:54:08 -05:00
Laurent Bigonville
be12f4dc18
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Move the filetrans_pattern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory
2014-01-16 16:12:44 -05:00
Chris PeBenito
d3af996d01
Module version bump for direct initrc fixes from Dominick Grift.
2014-01-16 16:11:02 -05:00
Dominick Grift
493ca67e54
Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t.
If you build targeted policy then consider direct_initrc=y.
If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t, rely on run_init for running services on
behalf of the system.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 15:27:18 -05:00
Dominick Grift
2be58db792
Change behavior of init_run_daemon()
Callers of init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.
The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-16 14:42:00 -05:00
Chris PeBenito
58db129761
Update modules for file_t merge into unlabeled_t.
2014-01-16 11:24:25 -05:00
Chris PeBenito
d66aeb8436
Merge file_t into unlabeled_t, as they are security equivalent.
2014-01-16 11:19:00 -05:00
Chris PeBenito
bf6d35851e
Module version bump for xserver change from Dominick Grift.
2014-01-08 13:58:51 -05:00
Dominick Grift
33b64cffb1
xserver: These are no longer needed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2014-01-06 10:23:13 -05:00
Chris PeBenito
51fe53e3fb
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:04:52 -05:00
Laurent Bigonville
62a8012a77
Allow udev to write in /etc/udev/rules.d
Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.
This patch has been taken from the Fedora policy
2013-12-20 15:04:22 -05:00
Chris PeBenito
55d34a8c5f
Update contrib.
2013-12-20 15:02:54 -05:00
Chris PeBenito
e9efb9297f
Module version bump for patch from Laurent Bigonville.
2013-12-20 15:02:24 -05:00
Laurent Bigonville
ac4dad0ed6
Label /bin/fusermount like /usr/bin/fusermount
On Debian, fusermount is installed under that path
2013-12-20 15:01:03 -05:00
Chris PeBenito
05892ad6db
Module version bump for 2 patches from Dominick Grift.
2013-12-20 14:56:07 -05:00
Dominick Grift
39f77972ab
init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Dominick Grift
f4a4074d33
init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-20 14:47:27 -05:00
Chris PeBenito
7725c1b677
Fix Debian compile issue.
2013-12-20 14:44:03 -05:00
Chris PeBenito
aa3c38bedb
Module version bump for 4 init patches from Dominick Grift.
2013-12-10 10:40:38 -05:00
Chris PeBenito
5c345460b1
init: creates /run/utmp
Manually apply patch from Dominick Grift.
2013-12-10 10:31:01 -05:00
Chris PeBenito
5cb20b443e
init: init_script_domain() allow system_r role the init script domain type
Manually apply patch from Dominick Grift.
2013-12-10 10:30:09 -05:00
Chris PeBenito
eb0dcf6f94
Whitespace fix in init.te.
2013-12-10 10:29:53 -05:00
Dominick Grift
75cca597f6
init: this is a bug in Debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:53 -05:00
Dominick Grift
32d6aac409
init: for a specified automatic role transition to work, the source role must be allowed to change manually to the target role
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-10 10:29:48 -05:00
Chris PeBenito
b339b85001
Module version bump for patches from Dominick Grift.
2013-12-06 09:49:41 -05:00
Dominick Grift
8e01054f07
users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:48:09 -05:00
Chris PeBenito
c7e2518162
Whitespace fix in libraries.
2013-12-06 08:48:04 -05:00
Dominick Grift
b56ecb9d52
libraries: for now I can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:47:53 -05:00
Dominick Grift
e784e78825
iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:16:49 -05:00
Chris PeBenito
872ece4bcf
Whitespace fix in usermanage.
2013-12-06 08:16:10 -05:00
Dominick Grift
6042255ede
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:14:29 -05:00
Chris PeBenito
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
Dominick Grift
1b757c65cc
udev: in Debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00
Chris PeBenito
3ee649f132
Add comment in policy for lvm sysfs write.
2013-12-03 10:54:22 -05:00
Dominick Grift
6905ddaa98
lvm: lvm writes read_ahead_kb
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:53:23 -05:00
Dominick Grift
198a6b2830
udev: udevd executable location changed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:52:44 -05:00
Chris PeBenito
613100a7f4
Whitespace fix in fstools.
2013-12-03 10:39:51 -05:00
Dominick Grift
521bbf8586
These { read write } tty_device_t chr files on boot up in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito
ac22f3a48e
setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
Access noted by Dominick Grift.
2013-12-03 09:52:21 -05:00
Chris PeBenito
3b52b87615
Rearrange userdom_delete_user_tmpfs_files() interface.
2013-12-03 09:45:16 -05:00
Dominick Grift
b0068ace7d
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 09:43:51 -05:00
Chris PeBenito
f06282d1e0
Update contrib.
2013-12-03 09:34:05 -05:00
Chris PeBenito
1a01976fc4
Module version bump for first batch of patches from Dominick Grift.
2013-12-02 14:22:29 -05:00
Dominick Grift
66c6b8a9f7
unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
04ac9311b9
xserver: already allowed by auth_login_pgm_domain(xdm_t)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
5c49af2076
kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
4113f7b0d4
sshd/setrans: make respective init scripts create pid dirs with proper contexts
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
012f1b2311
sysnetwork: dhclient searches /var/lib/ntp
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
6c19504654
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
3b6a8b0ee5
fstools: hdparm appends (what seems inherited from devicekit) /var/log/pm-powersave.log
fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
000397b217
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
e7b86e07f2
setrans: mcstransd reads filesystems file in /proc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
a0e88de5e5
authlogin: unix_chkpwd traverses / on sysfs device on Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
ec54e42ed9
udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
617e504c20
udev: this fc spec does not make sense, as there is no corresponding file type transition for it
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
76e595794b
mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Chris PeBenito
f028029464
Update contrib.
2013-11-13 12:20:51 -05:00
Chris PeBenito
9d6546a472
Module version bumps for syslog-ng and semodule updates.
2013-11-13 09:27:21 -05:00
Chris PeBenito
9fcc6fe625
Add comments about new capabilities for syslogd_t.
2013-11-13 09:26:38 -05:00
Sven Vermeulen
b00d94fb72
Allow capabilities for syslog-ng
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-11-13 09:14:34 -05:00
Sven Vermeulen
2142e6e0cc
Allow semodule to create symlink in semanage_store_t
With new userspace, trying to build a SELinux policy (and load it)
fails:
~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
2013-11-13 09:13:32 -05:00
Chris PeBenito
eb4512f6eb
Module version bump for dhcpc fixes from Dominick Grift.
2013-09-27 17:15:22 -04:00
Chris PeBenito
f0e0066a7b
Reorder dhcpc additions.
2013-09-27 17:15:02 -04:00
Dominick Grift
b1599e01fe
sysnetwork: dhcpc binds socket to random high udp ports
sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 17:13:12 -04:00
Chris PeBenito
20471346ed
Silence symlink reading by setfiles since it doesn't follow symlinks anyway.
2013-09-27 17:09:43 -04:00
Chris PeBenito
57f00181ee
Module version bump for mount updates from Dominick Grift.
2013-09-27 16:54:54 -04:00
Dominick Grift
85016ae811
mount: sets kernel thread priority
mount: mount reads /lib/modules/3.10-2-amd64/modules.dep
mount: mount lists all mount points
In Debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, I decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:50:38 -04:00
Chris PeBenito
b7b3b55280
Module version bumps for Debian udev updates from Dominick Grift.
2013-09-27 16:44:54 -04:00
Chris PeBenito
756a5e5101
Update contrib
2013-09-27 16:44:28 -04:00
Dominick Grift
0947e315ea
udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates /run/avahi-daemon directory
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:40:09 -04:00
Chris PeBenito
24f4016ec5
Move stray Debian rule in udev.
2013-09-27 16:36:52 -04:00
Dominick Grift
5905067f2a
udev-acl.ck lists /run/udev/tags/udev-acl
udev blocks suspend, and compromises kernel
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories
udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
udev: remove compromise_kernel capability2 av perm as its currently not
supported in reference policy
udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
udev: udevd manages control udev_tbl_t type socket
udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory
udev: lets just label /run/udev type udev_var_run_t and get it over with
udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we don't want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)
udev: udev-acl.ck uses dbus system bus fds
udev: sends dbus message to consolekit manager:
OpenSessionWithParameters
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:35:28 -04:00
Chris PeBenito
be570944e5
Module version bump for ssh server caps for Debian from Dominick Grift.
2013-09-27 16:25:56 -04:00
Dominick Grift
fc8bbe630a
ssh: Debian sshd is configured to use capabilities
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:25:15 -04:00
Chris PeBenito
cf905e8ef1
Module version bumps for dhcpc leaked fds to hostname.
2013-09-27 15:55:52 -04:00
Dominick Grift
0857061b58
hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:13:19 -04:00
Chris PeBenito
48554d9376
Module version bump for gdomap port from Dominick Grift.
2013-09-27 15:12:51 -04:00
Dominick Grift
9e62ecd264
corenetwork: Declare gdomap port, tcp/udp:538
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:08:58 -04:00
Chris PeBenito
15f32f59fe
Module version bump for xserver console and fc fixes from Dominick Grift.
2013-09-27 15:08:12 -04:00
Dominick Grift
57f62fe531
xserver: associate xconsole_device_t (/dev/xconsole) to device_t (devtmpfs)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 14:44:46 -04:00
Dominick Grift
cb306b0c95
xserver: catch /run/gdm3
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 14:44:13 -04:00
Chris PeBenito
f0ad29f609
Module version bump for debian ifstate changes from Dominick Grift.
2013-09-27 14:42:47 -04:00
Chris PeBenito
b4b077f3fd
Rearrange sysnet if blocks.
2013-09-27 14:41:54 -04:00
Dominick Grift
ac5d072465
sysnetwork: Debian stores network interface configuration in /run/network (ifstate). That directory is created by the /etc/init.d/networking script.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 14:39:29 -04:00
Chris PeBenito
360438c194
Module version bump for xdm dbus access from Dominick Grift.
2013-09-26 11:09:28 -04:00
Dominick Grift
2aad2492e9
xdm: is a system bus client and acquires service on the system bus
xdm: dbus chat with accounts-daemon
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:51:02 -04:00
Chris PeBenito
77f13c4993
Module version bump for slim fc entries from Sven Vermeulen.
2013-09-26 10:48:55 -04:00
Sven Vermeulen
34038013c7
Extend slim /var/run expression
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.
There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-09-26 10:47:50 -04:00
Chris PeBenito
fa50eb742f
Module version bump for ping capabilities from Sven Vermeulen.
2013-09-26 10:47:32 -04:00
Sven Vermeulen
56c43144d7
Allow ping to get/set capabilities
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-09-26 10:46:33 -04:00
Chris PeBenito
7aed0fd9dd
Module version bump for init interface and corecommand fc from Dominick Grift.
2013-09-26 10:45:51 -04:00
Dominick Grift
ceb6e7fcfb
corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:32:23 -04:00
Dominick Grift
da5f2acb27
init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:30:59 -04:00
Chris PeBenito
3d08aca2f4
Module version bump for virtio console from Dominick Grift.
2013-09-26 10:28:55 -04:00
Chris PeBenito
1070ba4ff9
Whitespace fix in terminal.te.
2013-09-26 10:28:24 -04:00
Dominick Grift
a43a205931
Initial virtio console device
Also known as 'vmchannel', a transport mechanism is needed for
communication between the host userspace and guest userspace for
achieving things like making clipboard copy/paste work seamlessly across
the host and guest, locking the guest screen in case the vnc session to
the guest is closed and so on. This can be used in offline cases as
well, for example with libguestfs to probe which file systems the guest
uses, the apps installed, etc.
Virtio-serial is just the transport protocol that will enable such
applications to be written. It has two parts: (a) device emulation in
qemu that presents a virtio-pci device to the guest and (b) a guest
driver that presents a char device interface to userspace applications.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 10:27:29 -04:00
Chris PeBenito
dd1b596ae7
Module version bump for unconfined dbus fixes from Dominick Grift.
2013-09-26 10:25:47 -04:00