nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,952 Commits 1 Branch 0 Tags 16 MiB
c60f75ad0f
Commit Graph

1337 Commits

Author SHA1 Message Date
Dominick Grift
b9df0a9727 rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 09:03:32 -04:00
Dominick Grift
b7c851c66b rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
dcba9161a6 rpm: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
34959a2210 rpm: (brace) expansion. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Dominick Grift
d60649d9a1 rpm: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:53:24 -04:00
Chris PeBenito
29b1bff0e1 Module version bump for Dominick's console cleanup. Also fix rule ordering. 2010-10-06 08:42:23 -04:00
Dominick Grift
5ec14d95fb consoletype: in fedora13 /dev/console is not labeled properly early in the boot process. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:40 -04:00
Dominick Grift
019ffc7d1d consoletype: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:38:39 -04:00
Chris PeBenito
c1af955d07 Module version bump for Dominick's quota cleanup. 2010-10-06 08:35:25 -04:00
Dominick Grift
5f716ead5c quota: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:31 -04:00
Dominick Grift
0b217af214 quota: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-06 08:28:30 -04:00
Chris PeBenito
6d5cc8a096 Module version bump for Dominick's usermanage cleanup. 2010-10-05 15:27:06 -04:00
Dominick Grift
88c635d040 usermanage: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:42 -04:00
Dominick Grift
e615cc410e usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift
4be6935276 usermanage: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Dominick Grift
bab33c7b83 usermanage: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:26:41 -04:00
Chris PeBenito
ae8f23fd6f Module version bump for Dominick's tzdata cleanup. 2010-10-05 15:21:52 -04:00
Dominick Grift
b1e1e93b9f tzdata: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:17:10 -04:00
Chris PeBenito
e7ee065485 Module version bump for Dominick's netutils cleanup. 2010-10-05 15:11:23 -04:00
Dominick Grift
b306b5acaa netutils: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift
696a65867a netutils: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Dominick Grift
9d5094a3f8 netutils: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:11:00 -04:00
Chris PeBenito
cacbc6b186 Module version bump for Dominick's logrotate cleanup. 2010-10-05 15:08:54 -04:00
Dominick Grift
a1ac7d4fe3 logrotate: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:08:22 -04:00
Chris PeBenito
6a799b6bdc Module version bump for Dominick's cleanup. 2010-10-05 15:07:08 -04:00
Dominick Grift
ecab2ccd69 brctl: permission sets. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:35 -04:00
Dominick Grift
8f5cb4e977 brctl: redundant. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:20 -04:00
Dominick Grift
8f43f0294d brctl: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 15:05:05 -04:00
Chris PeBenito
e5c41507c7 Module version bump for Dominick's bootloader cleanups. 2010-10-05 14:00:20 -04:00
Dominick Grift
23f4caad54 bootloader: permission set. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:59:05 -04:00
Dominick Grift
eac0de8785 bootloader: unused. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:57:42 -04:00
Chris PeBenito
9e41622e49 Remove comment due to ace98b7. 2010-10-05 13:56:40 -04:00
Dominick Grift
ace98b78df bootloader: search parent. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-05 13:54:07 -04:00
Chris PeBenito
e29f6bf08a Module version bump and Changelog for 329138b and 413aac1. 2010-10-01 09:50:50 -04:00
Dominick Grift
413aac13de Allow common users to manage and relabel Alsa home files. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:22 -04:00
Dominick Grift
329138beba Move oident manage and relabel home content interfaces to common user template. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-10-01 09:41:12 -04:00
Chris PeBenito
a492b22ab1 Fix whitespace in cyphesis. 2010-09-17 08:50:26 -04:00
Jeremy Solt
92f6d7cf64 cyphesis patch from Dan Walsh 2010-09-17 08:46:23 -04:00
Chris PeBenito
fee48647ac Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710 
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77
a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c
dc7cc4d 792d448
 2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c radvd patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1 snort patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8 stunnel patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3 zabbix patch from Dan Walsh 2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5 zebra patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
4f95198644 awstats patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9 certmaster patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a pcscd patch from Dan Walsh 
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
 2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326 postgresql patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2 postgrey patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c prelude patch from Dan Walsh 2010-09-15 09:14:54 -04:00
Jeremy Solt
f3c5e77754 certwatch patch from Dan Walsh 
Not including userdom_dontaudit_list_admin_dir - still no admin_home_t in refpolicy
 2010-09-15 09:14:54 -04:00
Jeremy Solt
5afc3d3589 firstboot patch from Dan Walsh 
Not including gnome_admin_home_gconf_filetrans - no admin_home_t in refpolicy
 2010-09-15 09:14:54 -04:00
Jeremy Solt
689d95422f smoltclient patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
b8097d6ec4 amavis patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf arpwatch patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0 canna patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7 certmonger patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302 courier patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450 dcc patch from Dan Walsh 2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a style change to djbdns.te 2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd fetchmail patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e icecast patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa nslcd patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764 nut patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac openct patch from Dan Walsh 2010-09-15 09:14:52 -04:00
Chris PeBenito
25d796ed37 Unconditional staff and user oidentd home config access from Dominick Grift. 2010-09-15 08:20:16 -04:00
Dominick Grift
941e3db567 Access for confined users to oidentd user home content is unconditional. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-15 08:05:41 -04:00
Chris PeBenito
da12b54802 Module version bumps for cert patch. 2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1 Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags. 2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920 Implement miscfiles_cert_type(). 
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-10 11:05:46 -04:00
Chris PeBenito
8fbea561bb Module version bump for 8296eb2. 2010-09-10 08:51:54 -04:00
Chris PeBenito
9c2c77403f Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type. 2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384 Clean up Anaconda policy. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a Clean up Amtu module. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261 Clean up Amanda module. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-09 08:13:13 -04:00
Chris PeBenito
28d96f0e39 Module version bumps for b7ceb34 5675107 e411968 eca7eb3. 2010-09-03 13:09:40 -04:00
Chris PeBenito
eca7eb3b47 Rearrange alsa interfaces. 2010-09-03 11:56:10 -04:00
Dominick Grift
e411968dff Implement alsa_home_t for asoundrc. Clean up Alsa module. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-03 11:23:06 -04:00
Dominick Grift
5675107ff9 Libcgroup moved the cgroup directory to /sys/fs/cgroup. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-03 11:03:10 -04:00
Dominick Grift
b7ceb34995 Do not try to relabel the contents of the /dev/shm directory. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-03 10:55:16 -04:00
Chris PeBenito
785ee7988c Module version bump and changelog entry for conditional mmap_zero patch. 2010-09-01 10:08:09 -04:00
Chris PeBenito
a1b42052c9 Fix mmap_zero assertion violation in xserver. 2010-09-01 09:59:39 -04:00
Dominick Grift
623e4f0885 1/1] Make the ability to mmap zero conditional where this is fapplicable. 
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low()	:

Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.

Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.

Rename domain_mmap_low interface to domain_mmap_low_uncond.

Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-01 09:41:56 -04:00
Chris PeBenito
76a9fe96e4 Module version bumps and changelog for devtmpfs patchset. 2010-08-25 11:19:27 -04:00
Chris PeBenito
0d24805fd0 Trivial tweaks to devtmpfs patches. 2010-08-25 11:18:25 -04:00
Jeremy Solt
2fc79f1ef4 Early devtmpfs access 
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
 2010-08-25 11:01:27 -04:00
Jeremy Solt
d6e1ef29cd Move devtmpfs to devices from filesystem 
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
 2010-08-25 11:01:22 -04:00
Chris PeBenito
c62f1bef77 Dbadm updates from KaiGai Kohei. 2010-08-19 08:41:39 -04:00
Chris PeBenito
ab8f919e6f Part of gnome patch from Dan Walsh. 2010-08-12 09:21:36 -04:00
Chris PeBenito
a9539a063b Additional kdumpgui cleanup. 2010-08-10 09:21:01 -04:00
Jeremy Solt
46fc0d39e3 Policy for system-config-kdump gui from Dan Walsh 
Edits:
 - removed gnome_dontaudit_search_config
 - removed userdom_dontaudit_search_admin_dir
 - whitespace and style fixes
 2010-08-10 09:05:43 -04:00
Jeremy Solt
68e615ec5a system-config-samba dbus service policy from Dan Walsh 2010-08-09 09:37:29 -04:00
Jeremy Solt
c87e150280 roles patch from Dan Walsh to move unwanted interface calls into a ifndef 2010-08-09 09:20:31 -04:00
Chris PeBenito
00ca404a20 Remove unnecessary require on cgroup_admin(). 2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42 Whitespace fixes on cgroup. 2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4 Confine /sbin/cgclear. 
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-08-09 08:47:15 -04:00
Dominick Grift
a0546c9d1c System layer xml fixes. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-08-05 09:25:55 -04:00
Dominick Grift
288845a638 Services layer xml files. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-08-05 09:25:29 -04:00
Chris PeBenito
97b990f86e Fix corecmd_dontaudit_exec_all_executables doc. 2010-08-05 09:24:41 -04:00
Dominick Grift
705f70f098 Kernel layer xml fixes. 
Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-08-05 09:08:07 -04:00