nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,977 Commits 1 Branch 0 Tags 16 MiB
9711c7bdb5
Commit Graph

1360 Commits

Author SHA1 Message Date
Chris PeBenito
befc7ec99f Module version bump for Dominick's consoletype cleanup. 2010-10-11 09:27:27 -04:00
Dominick Grift
bfd28e1a89 consoletype: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-11 09:13:47 -04:00
Dominick Grift
6ea380d622 consoletype: needs to use system dbus file descriptors. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-11 09:13:47 -04:00
Chris PeBenito
c7908d1ee7 Module version bump for Dominick's sudo cleanup. 2010-10-08 14:33:04 -04:00
Dominick Grift
5e70e017a3 sudo: wants to get attributes of device_t filesystems. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 14:26:55 -04:00
Dominick Grift
e737d5d723 sudo: wants to get attributes of generic pts filesystems. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 09:26:14 -04:00
Chris PeBenito
6e293ffd2c Revert su default_t rule. 2010-10-08 09:15:17 -04:00
Chris PeBenito
89173d538f Module version bump for Dominick's su cleanup. 2010-10-08 08:54:01 -04:00
Dominick Grift
bd7d571195 su: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 08:47:03 -04:00
Dominick Grift
00a1438d82 su: wants to search callers keyring. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 08:47:03 -04:00
Dominick Grift
6a05763d51 su: do not audit attempts to search /root. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-08 08:47:02 -04:00
Chris PeBenito
bd51fa387c Module version bump for Dominick's shutdown cleanup. 2010-10-07 13:07:07 -04:00
Dominick Grift
a39e274f10 shutdown: search generic log directories. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
5718c0a59a shutdown: needs to connect to init with a unix stream socket. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
a9acfbd613 shutdown: for sudo. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
c56123dc72 shutdown: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
e4efefc4fe shutdown: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
08f1a0326d shutdown: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Dominick Grift
051f74edc0 shutdown: Fedora change. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-07 12:38:07 -04:00
Chris PeBenito
2f8f8e1368 Typo fix in hadoop. 2010-10-07 12:31:41 -04:00
Chris PeBenito
641ac05468 Hadoop cleanup and module version bump. 
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation

> +files_read_all_files(hadoop_t)

A very big privilege.

and

> +fs_associate(hadoop_tasktracker_t)

This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
 2010-10-07 10:57:55 -04:00
Paul Nuzzi
bc71a042d8 hadoop 1/10 -- unconfined 
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones.  Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init.  Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work.  All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t.  The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers.  Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.  I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments.  Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>

I did my best locking down the ports hadoop uses.  Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have.  Hopefully one day hadoop will settle on static ports.  I added hadoop_datanode port 50010 since it is important to lock down that service.  I changed the patch based on the rest of the comments.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
 2010-10-07 08:07:16 -04:00
Chris PeBenito
3de55ab053 Module version bump for Dominick's rpm cleanup. 2010-10-06 09:04:31 -04:00
Dominick Grift
b9df0a9727 rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 09:03:32 -04:00
Dominick Grift
b7c851c66b rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
dcba9161a6 rpm: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
34959a2210 rpm: (brace) expansion. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
d60649d9a1 rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Chris PeBenito
29b1bff0e1 Module version bump for Dominick's console cleanup. Also fix rule ordering. 2010-10-06 08:42:23 -04:00
Dominick Grift
5ec14d95fb consoletype: in fedora13 /dev/console is not labeled properly early in the boot process. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:40 -04:00
Dominick Grift
019ffc7d1d consoletype: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:39 -04:00
Chris PeBenito
c1af955d07 Module version bump for Dominick's quota cleanup. 2010-10-06 08:35:25 -04:00
Dominick Grift
5f716ead5c quota: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:31 -04:00
Dominick Grift
0b217af214 quota: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:30 -04:00
Chris PeBenito
6d5cc8a096 Module version bump for Dominick's usermanage cleanup. 2010-10-05 15:27:06 -04:00
Dominick Grift
88c635d040 usermanage: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:42 -04:00
Dominick Grift
e615cc410e usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift
4be6935276 usermanage: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift
bab33c7b83 usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Chris PeBenito
ae8f23fd6f Module version bump for Dominick's tzdata cleanup. 2010-10-05 15:21:52 -04:00
Dominick Grift
b1e1e93b9f tzdata: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:17:10 -04:00
Chris PeBenito
e7ee065485 Module version bump for Dominick's netutils cleanup. 2010-10-05 15:11:23 -04:00
Dominick Grift
b306b5acaa netutils: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift
696a65867a netutils: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift
9d5094a3f8 netutils: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Chris PeBenito
cacbc6b186 Module version bump for Dominick's logrotate cleanup. 2010-10-05 15:08:54 -04:00
Dominick Grift
a1ac7d4fe3 logrotate: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:08:22 -04:00
Chris PeBenito
6a799b6bdc Module version bump for Dominick's cleanup. 2010-10-05 15:07:08 -04:00
Dominick Grift
ecab2ccd69 brctl: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:35 -04:00
Dominick Grift
8f5cb4e977 brctl: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:20 -04:00
Dominick Grift
8f43f0294d brctl: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:05 -04:00
Chris PeBenito
e5c41507c7 Module version bump for Dominick's bootloader cleanups. 2010-10-05 14:00:20 -04:00
Dominick Grift
23f4caad54 bootloader: permission set. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:59:05 -04:00
Dominick Grift
eac0de8785 bootloader: unused. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:57:42 -04:00
Chris PeBenito
9e41622e49 Remove comment due to ace98b7. 2010-10-05 13:56:40 -04:00
Dominick Grift
ace98b78df bootloader: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:54:07 -04:00
Chris PeBenito
e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift
413aac13de Allow common users to manage and relabel Alsa home files. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:22 -04:00
Dominick Grift
329138beba Move oident manage and relabel home content interfaces to common user template. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:12 -04:00
Chris PeBenito
a492b22ab1 Fix whitespace in cyphesis. 2010-09-17 08:50:26 -04:00
Jeremy Solt
92f6d7cf64 cyphesis patch from Dan Walsh 2010-09-17 08:46:23 -04:00
Chris PeBenito
fee48647ac Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710 
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77
a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c
dc7cc4d 792d448
 2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c radvd patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1 snort patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8 stunnel patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3 zabbix patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5 zebra patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
4f95198644 awstats patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9 certmaster patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a pcscd patch from Dan Walsh 
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
 2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326 postgresql patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2 postgrey patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c prelude patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
f3c5e77754 certwatch patch from Dan Walsh 
Not including userdom_dontaudit_list_admin_dir - still no admin_home_t in refpolicy
 2010-09-15 09:14:54 -04:00
Jeremy Solt
5afc3d3589 firstboot patch from Dan Walsh 
Not including gnome_admin_home_gconf_filetrans - no admin_home_t in refpolicy
 2010-09-15 09:14:54 -04:00
Jeremy Solt
689d95422f smoltclient patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
b8097d6ec4 amavis patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf arpwatch patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0 canna patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7 certmonger patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302 courier patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450 dcc patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a style change to djbdns.te 2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd fetchmail patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e icecast patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa nslcd patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764 nut patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac openct patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Chris PeBenito
25d796ed37 Unconditional staff and user oidentd home config access from Dominick Grift. 2010-09-15 08:20:16 -04:00
Dominick Grift
941e3db567 Access for confined users to oidentd user home content is unconditional. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 08:05:41 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920 Implement miscfiles_cert_type(). 
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-10 11:05:46 -04:00
Chris PeBenito
8fbea561bb Module version bump for 8296eb2. 2010-09-10 08:51:54 -04:00
Chris PeBenito
9c2c77403f Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type. 2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384 Clean up Anaconda policy. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a Clean up Amtu module. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261 Clean up Amanda module. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:13:13 -04:00
Chris PeBenito
28d96f0e39 Module version bumps for b7ceb34 5675107 e411968 eca7eb3. 2010-09-03 13:09:40 -04:00
Chris PeBenito
eca7eb3b47 Rearrange alsa interfaces. 2010-09-03 11:56:10 -04:00