Commit Graph

251 Commits

Author SHA1 Message Date
Sven Vermeulen
96a78a6f7e mplayer support for webcams
In order to work with webcams, mplayer domain needs write access to the
v4l_device_t (updates and reconfiguration of the video device)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-03-23 11:55:19 -04:00
Chris PeBenito
bdc7622e86 Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission. 2011-03-16 08:20:28 -04:00
Chris PeBenito
dc24f36872 Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia. 2011-02-22 11:36:15 -05:00
Chris PeBenito
616a0d5337 Whitespace fixes in cpufreqselector and xserver. 2011-02-22 11:23:42 -05:00
Guido Trentalancia
f8b9fb9391 patch to make cpufreqselector usable with dbus
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
2011-02-22 11:23:10 -05:00
Chris PeBenito
23083bb09e Module version bump and changelog for vlock patch from Harry Ciao. 2011-01-05 11:23:47 -05:00
Harry Ciao
3543bdda9f vlock_t only uses the relabeled terminal.
The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-05 11:22:42 -05:00
Chris PeBenito
826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito
47ecd96afa Fix deprecated interface usage in vlock. 2010-11-02 09:17:16 -04:00
Chris PeBenito
7f9f5bce63 Rename vlock interfaces. 2010-11-01 11:22:07 -04:00
Chris PeBenito
b058561a14 Rearrange rules in vlock. 2010-11-01 11:21:02 -04:00
Harry Ciao
d35e2ee03b Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito
e06817bc03 Module version bump for wireshark patch. 2010-10-18 09:51:21 -04:00
Jeremy Solt
93985f63d7 wireshark patch from Dan Walsh
files_poly_member is provided by userdom_user_home_content
Whitespace fixes
2010-10-18 09:51:21 -04:00
Chris PeBenito
fee48647ac Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77
a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c
dc7cc4d 792d448
2010-09-15 10:42:34 -04:00
Jeremy Solt
4f95198644 awstats patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00
Dominick Grift
623e4f0885 [1/1] Make the ability to mmap zero conditional where this is applicable.
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low():

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enable the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Chris PeBenito
ab8f919e6f Part of gnome patch from Dan Walsh. 2010-08-12 09:21:36 -04:00
Chris PeBenito
a9539a063b Additional kdumpgui cleanup. 2010-08-10 09:21:01 -04:00
Jeremy Solt
46fc0d39e3 Policy for system-config-kdump gui from Dan Walsh
Edits:
 - removed gnome_dontaudit_search_config
 - removed userdom_dontaudit_search_admin_dir
 - whitespace and style fixes
2010-08-10 09:05:43 -04:00
Jeremy Solt
68e615ec5a system-config-samba dbus service policy from Dan Walsh 2010-08-09 09:37:29 -04:00
Dominick Grift
03b86663f0 apps: domain { allowed to transition, allowed access, to not audit }.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito
a7ee7f819a Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 09:20:22 -04:00
Chris PeBenito
a72e42f485 Interface documentation standardization patch from Dan Walsh. 2010-08-02 09:22:09 -04:00
Chris PeBenito
4b76ea5f51 Module version bump for fa1847f. 2010-07-12 14:02:18 -04:00
Dominick Grift
fa1847f4a2 Add files_poly_member() to userdom_user_home_content() Remove redundant files_poly_member() calls.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-07-09 09:43:04 -04:00
Chris PeBenito
f7ffe6c2a9 Add missing ubac constraints on pulseaudio. 2010-07-09 09:14:35 -04:00
Chris PeBenito
072857c425 VMWare patch from Dan Walsh. 2010-07-08 13:43:50 -04:00
Chris PeBenito
f1618ffc6f Whitespace fix in userhelper. 2010-07-08 10:56:15 -04:00
Chris PeBenito
b841dffda1 Add livecd from Dan Walsh. 2010-07-07 10:28:25 -04:00
Chris PeBenito
08690c84ad Remove ethereal module since the application was renamed to wireshark due to trademark issues. 2010-07-07 09:31:57 -04:00
Chris PeBenito
bca0cdb86e Remove duplicate/redundant rules, from Russell Coker. 2010-07-07 08:41:20 -04:00
Chris PeBenito
1db1836ab9 Remove improper usage of userdom_manage_home_role(), userdom_manage_tmp_role(), and userdom_manage_tmpfs_role(). 2010-07-06 13:17:05 -04:00
Chris PeBenito
a3b0dc5b3c GPG patch from Dan Walsh. 2010-07-06 10:58:40 -04:00
Chris PeBenito
caf1666dc1 Module version bump for 5f04c91. 2010-06-29 11:26:16 -04:00
Jeremy Solt
5f04c91f30 gitosis patch from Dan Walsh 2010-06-29 11:25:37 -04:00
Chris PeBenito
0cec649be7 WM patch from Dan Walsh.
Window manager policy changes needed for MLS policy.
2010-06-25 09:00:19 -04:00
Chris PeBenito
eab2cc89b4 Slocate patch from Dan Walsh.
Locate attempts to look at network state and does getattr on all blk/chr
and noxattr symlinks.
2010-06-22 09:58:14 -04:00
Chris PeBenito
2c207dfa49 Qemu patch from Dan Walsh.
Fix qemu labeling.

Additional qemu interfaces

Allow qemu to read/write removable devices
2010-06-22 09:32:35 -04:00
Chris PeBenito
1fd3a8070f Pulseaudio patch from Dan Walsh.
Dontaudit attempts to exec pulseaudio.  qemu does this and it causes
other avc's even though qemu can not use pulseaudio.

Allow other domains to use pulseaudio
2010-06-22 09:13:17 -04:00
Chris PeBenito
1ff703fc4a Podsleuth patch from Dan Walsh.
podsleuth asks the kernel to load modules
Reads/write removable blk device.

Reads user_tmpfs
2010-06-22 09:01:38 -04:00
Chris PeBenito
8a24097bff Mplayer patch from Dominick Grift through Dan Walsh. 2010-06-21 09:52:33 -04:00
Chris PeBenito
3c1e8ff6bb Mozilla patch from Dan Walsh.
Various old fixes for mozilla.
2010-06-21 09:36:39 -04:00
Chris PeBenito
ae1b7dedd7 Cpufreqselector patch from Dan Walsh.
Needs to read localization
2010-06-21 09:03:11 -04:00
Chris PeBenito
a99f69fd0e Loadkeys patch from Dan Walsh.
Dontaudit leaked sockets
2010-06-18 15:12:33 -04:00
Chris PeBenito
48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito
2e4e39d26a Loadkeys patch from Dan Walsh. 2010-05-14 11:40:26 -04:00
Chris PeBenito
84940a0995 Java patch from Dan Walsh.
Additional java context

unconfined_Java apps need to execmod any file since we do not know where the java content will be labeled

We want unconfined java apps to transition to rpm when they execute rpm_exec_t.  To maintain proper labeling.
2010-05-14 10:40:59 -04:00
Chris PeBenito
857d37e84a GPG patch from Dan Walsh. 2010-04-30 15:24:19 -04:00
Chris PeBenito
bf54d5be44 Module version bumps for c586c1b, dcbb332, 4c05dff, 84ce9c3, 2b012ba, and 1868383. 2010-03-29 09:21:59 -04:00
Chris PeBenito
ad0071bbe4 Tweaks on pulseaudio 1868383, ksmtuned d279dd6, and smokeping f3c346c. 2010-03-29 09:19:40 -04:00
Jeremy Solt
18683835fd pulseaudio patch from Dan Walsh
Fixed template where it should have been interface
Replaced read_home and manage_home interfaces with read_home_files, manage_home_files and reduced access
Removed admin_dir reference
Replaced rtkit_daemon_system_domain with rtkit_scheduled
Fixed style / spacing issues
2010-03-29 08:41:45 -04:00
Chris PeBenito
df29613c72 Module version bump for 75c8a69. 2010-03-22 13:51:35 -04:00
Jeremy Solt
75c8a691ee gitosis read/manage lib interfaces from Dan Walsh
Only giving manage_files_pattern for gitosis_manage_lib_files
2010-03-22 13:48:39 -04:00
Chris PeBenito
ce693cbbec Module version bump for ae07c9e. 2010-03-16 14:33:43 -04:00
Jeremy Solt
ae07c9e2e8 Screen needs to setattr on user_ttydevice_t from Dan Walsh 2010-03-16 13:36:45 -04:00
Chris PeBenito
ba1c45337b Module version bump for 3137148. 2010-03-16 13:10:14 -04:00
Jeremy Solt
31371480b0 Run interface for ptchown from Dan Walsh 2010-03-16 11:34:58 -04:00
Chris PeBenito
5dac50953f Module version bump for cf3da95. 2010-03-08 10:02:34 -05:00
Jeremy Solt
cf3da95084 Allow cdrecord_t to execute bin_t from Dan Walsh
growisofs executes mkisofs
2010-03-08 09:34:37 -05:00
Chris PeBenito
4fd0889171 Java patch from Dan Walsh. 2010-02-19 11:21:38 -05:00
Chris PeBenito
1e0f483a18 Mono patch from Dan Walsh. 2010-02-19 10:42:43 -05:00
Chris PeBenito
a777957b49 Rename qemu_unconfined_t to unconfined_qemu_t. 2010-02-19 10:27:09 -05:00
Chris PeBenito
8a1c9c505f Rearrange qemu.if. 2010-02-19 10:16:28 -05:00
Chris PeBenito
72295e93e1 Qemu patch from Dan Walsh. 2010-02-19 10:15:19 -05:00
Chris PeBenito
4796d07ee0 Wine patch from Dan Walsh. 2010-02-19 09:17:51 -05:00
Chris PeBenito
6f30d7e770 Pulseaudio patch from Dan Walsh. 2010-02-16 15:13:08 -05:00
Chris PeBenito
c3c753f786 Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users. 2010-02-11 14:20:10 -05:00
Chris PeBenito
46b03739ac Seunshare patch from Dan Walsh. 2009-12-01 10:31:28 -05:00
Chris PeBenito
d7776f58c2 Screen patch from Dan Walsh. 2009-12-01 10:31:17 -05:00
Chris PeBenito
6394ea6143 Podsleuth patch from Dan Walsh. 2009-12-01 10:30:50 -05:00
Chris PeBenito
b77daab0ed Mozilla patch from Dan Walsh. 2009-12-01 10:30:30 -05:00
Chris PeBenito
36ded4bd36 GPG patch from Dan Walsh. 2009-12-01 10:30:07 -05:00
Chris PeBenito
962d6fb9b0 Calamaris patch from Dan Walsh. 2009-12-01 10:29:51 -05:00
Chris PeBenito
ed3a1f559a bump module versions for release. 2009-11-17 10:05:56 -05:00
Chris PeBenito
a1a45de06e reorganize a92ee50 2009-10-22 10:35:45 -04:00
Dominick Grift
a92ee50126 Implement screen-locking feature.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-22 10:33:05 -04:00
Chris PeBenito
4be8dd10b9 add seunshare from dan. 2009-09-28 15:40:06 -04:00
Chris PeBenito
1d3b9e384c clean up xscreensaver. 2009-09-15 09:41:42 -04:00
corentin.labbe
31f9c109c1 SELinux xscreensaver policy support
Hello

This is a patch for adding xscreensaver policy.

I think it needs a specific policy because of the auth_domtrans_chk_passwd.

cordially

Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr>
2009-09-15 08:46:28 -04:00
Chris PeBenito
dbed95369c add gitosis from miroslav grepl. 2009-09-03 09:52:08 -04:00
Chris PeBenito
634a13c21f cpufreqselector patch from dan. 2009-09-03 09:15:17 -04:00
Chris PeBenito
f6137171f3 add an additional vmware host program. 2009-09-03 08:56:58 -04:00
Chris PeBenito
6fdef06522 screen patch from dan. 2009-09-03 08:49:26 -04:00
Chris PeBenito
72b834ccb0 remove stale screen_dir_t references
The screen_dir_t was made an alias of the screen_var_run_t type.
Remove the remaining references to this type.
2009-09-03 08:39:42 -04:00
Chris PeBenito
ca7fa520e7 gpg patch from dan.
gpg sends sigstop and signull

Reads usb devices

Can encrypt users content in /tmp and the homedir, as well as on NFS and cifs
2009-09-03 08:23:18 -04:00
Chris PeBenito
93be4ba581 Webalizer does not list inotify, this was caused by leaked file descriptors in either dbus or cron. Both of which have been cleaned up. 2009-09-02 09:10:30 -04:00
Chris PeBenito
a4b6385b9d cdrecord patch from dan. 2009-09-01 09:22:40 -04:00
Chris PeBenito
1a79193449 awstats patch from dan. 2009-09-01 08:59:24 -04:00
Chris PeBenito
aac56b12b7 add ptchown policy from dan. 2009-08-31 10:21:01 -04:00
Chris PeBenito
a3dd1499ef pulseaudio patch from dan. 2009-08-31 10:07:57 -04:00
Chris PeBenito
aaff2fcfcd module version number bump for tun patches 2009-08-31 09:17:31 -04:00
Paul Moore
9dc3cd1635 refpol: Policy for the new TUN driver access controls
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00
Chris PeBenito
4279891d1f patch from Eamon Walsh to remove usage of deprecated xserver interfaces. 2009-08-28 13:40:29 -04:00
Chris PeBenito
b2648249d9 Fix unconfined_r use of unconfined_java_t.
The unconfined role is running java in the unconfined_java_t.  The current
policy only has a domtrans interface, so the unconfined_java_t domain is not
added to unconfined_r.  Add a run interface and change the unconfined module
to use this new interface.
2009-08-17 13:19:26 -04:00
Chris PeBenito
9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00