Chris PeBenito
94d8bd2904
Module version bump for mountpoint patches from Sven Vermeulen.
2012-04-23 09:33:17 -04:00
Sven Vermeulen
26cfbe5317
Marking debugfs and securityfs as mountpoints
...
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 09:21:15 -04:00
Chris PeBenito
100734ef64
Module version bump for asterisk updates; pull in asterisk contrib changes.
2012-04-20 16:36:38 -04:00
Sven Vermeulen
00247b9d3f
Allow initrc to manage asterisk log and pid file attributes
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 16:25:45 -04:00
Chris PeBenito
9e56720a39
Module version bump and changelog for various dontaudits from Sven Vermeulen.
2012-04-20 16:06:54 -04:00
Sven Vermeulen
fc2f5ea3b4
Adding dontaudit for sudo
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:55:12 -04:00
Sven Vermeulen
fbac862b89
Adding dontaudits for mount
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:44:05 -04:00
Sven Vermeulen
1bd83205aa
Do not audit rw on dhcp client unix_stream_sockets
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:43:34 -04:00
Chris PeBenito
364768e8e9
Fix whitespace issues in sysnetwork.if.
2012-04-20 15:39:36 -04:00
Sven Vermeulen
2260ef56f8
Adding dontaudit interfaces in sysnet
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:39:04 -04:00
Chris PeBenito
cb29c82a28
Rearrange mountpoint interfaces in files.
2012-04-20 15:38:51 -04:00
Chris PeBenito
a1d38fb485
Fix files whitespace issues.
2012-04-20 15:35:24 -04:00
Sven Vermeulen
f93d4fd85c
Adding dontaudit interfaces for files module
...
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:30:10 -04:00
Chris PeBenito
fbb165b989
Module version bump and changelog for bacula.
2012-03-30 09:43:13 -04:00
Chris PeBenito
68c8f3fc19
Fix whitespace issue in bacula sysadm patch.
2012-03-30 08:49:27 -04:00
Sven Vermeulen
fdacc6e744
Allow sysadm to call bacula client
...
This patch allows the sysadmin to run the bacula admin client.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-03-30 08:48:39 -04:00
Chris PeBenito
5b4ed06fab
Pull in contrib updates.
2012-03-06 09:00:44 -05:00
Chris PeBenito
ee8210c690
Module version bump for make role attributes able to type their "own" types patch from Harry Ciao.
2012-02-27 10:25:08 -05:00
Chris PeBenito
e707a70819
Rearrange role lines from "own" patch.
2012-02-27 10:18:00 -05:00
Harry Ciao
93c3ee8b7f
Make role attributes able to type their "own" types.
...
By default, any role attribute should be able to type their "own" types
that share the same prefix and are used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly transition into newrole_t. Without the above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
Chris PeBenito
f3262926ae
Module version bump for Mark temporary block device as fixed_disk_device_t from Sven Vermeulen.
2012-02-22 08:44:15 -05:00
Sven Vermeulen
1668ffb244
Mark temporary block device as fixed_disk_device_t
...
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.
Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.
By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-02-22 08:32:42 -05:00
Chris PeBenito
f65edd8280
Bump module versions for release.
2012-02-15 14:32:45 -05:00
Chris PeBenito
6da98efd58
Pull in contrib changes from Sven Vermeulen.
2012-02-08 15:45:15 -05:00
Chris PeBenito
2788635e51
Pull in new contrib modules.
...
* glance
* rhsmcertd
* sanlock
* sblim
* uuidd
* vdagent
2012-01-25 10:19:13 -05:00
Chris PeBenito
e34b1f6cbd
Module version bump and changelog for sshd using oddjob_mkhomedir from Sven Vermeulen.
2012-01-04 08:14:11 -05:00
Sven Vermeulen
93e4685552
sshd can call mkhomedir when a new user logs on
...
These services are offered through the oddjob module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-01-04 07:49:50 -05:00
Chris PeBenito
c4fa10ef81
Module version bump for changes from Fedora.
2011-12-15 08:38:06 -05:00
Chris PeBenito
7184d348c9
Add ssh_signull interface from Fedora.
2011-12-15 08:37:15 -05:00
Chris PeBenito
7ec71dcd22
Repository port from Fedora.
2011-12-15 08:37:00 -05:00
Dan Walsh
4d6b03b961
Add port for matahari policy
2011-12-15 08:33:40 -05:00
Dan Walsh
288b8ab6b2
Add port for glance policy
2011-12-15 08:33:10 -05:00
Chris PeBenito
64a0271ffd
Module version bump and changelog for slim and lxdm file contexts to xserver, from Sven Vermeulen.
2011-12-13 11:17:23 -05:00
Chris PeBenito
89e1cadd02
Whitespace fix in xserver.
2011-12-13 11:17:00 -05:00
Sven Vermeulen
6f0ac6d737
Supporting lxdm and slim
...
Update the xserver file contexts to support the slim and lxdm services.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-12-13 10:48:16 -05:00
Chris PeBenito
3cbb3701cd
Module version bumps for debian fc patch from Russell Coker.
2011-11-16 15:31:48 -05:00
Chris PeBenito
e78ada8605
Debian file locations patch from Russell Coker.
2011-11-16 15:29:18 -05:00
Chris PeBenito
e5b14e7e3a
Add optional file name to filetrans_pattern.
2011-11-02 08:48:25 -04:00
Chris PeBenito
ba817fccd9
Add userdom interfaces for user application domains, user tmp files, and user tmpfs files.
2011-10-28 08:49:19 -04:00
Chris PeBenito
e2fa4f2e8c
Add user application, tmp and tmpfs file interfaces.
2011-10-28 08:48:10 -04:00
Chris PeBenito
4d91cc95c7
Module version bump and Changelog for asterisk admin updates from Sven Vermeulen.
2011-10-25 09:43:13 -04:00
Sven Vermeulen
ecf83667ab
Allow sysadm to interact with asterisk
...
When administering asterisk, one often-run command is "asterisk -r"
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.
Assign these privileges to the sysadm_r.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-10-25 09:40:12 -04:00
Chris PeBenito
6b63ed7481
Remove deprecated permission sets.
...
These were deprecated on or around October 9, 2007.
2011-10-14 10:24:18 -04:00
Chris PeBenito
dd49083624
Remove deprecated send_audit_msgs_pattern().
...
This was deprecated June 12, 2007.
2011-10-14 10:23:05 -04:00
Chris PeBenito
b928020970
Remove deprecated optional_policy usage.
...
This was deprecated July 25, 2006.
2011-10-14 10:22:16 -04:00
Chris PeBenito
d1af485661
Remove rolemap and per-role template support.
...
This support was deprecated and unused in Reference Policy November 5 2008.
2011-10-14 08:52:21 -04:00
Chris PeBenito
332c3a5fc4
Fix corenetwork port declaration to choose either reserved or unreserved.
...
This changes the port declarations for cases where a type is used for
ports above and below 1024. The old code would give both the reserved
and unreserved port attribute. This new code only gives the reserved
port attribute.
2011-10-04 15:31:08 -04:00
Chris PeBenito
7b98e4f436
Clean up stale TODOs.
2011-09-26 11:51:47 -04:00
Chris PeBenito
8e94109c52
Change secure_mode_policyload to disable only toggling of this Boolean rather than disabling all Boolean toggling permissions.
2011-09-26 10:44:27 -04:00
Chris PeBenito
aecd12c7b0
Move secure_mode_policyload into selinux module as that is the only place it is used.
2011-09-26 09:53:23 -04:00