Update on the file contexts for courier-imap. Also fixes a few context
directives which didn't update the directory itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The alsactl binary is often installed in /usr/sbin instead of /sbin (not a
necessity to start up the system). Used in distributions such as Gentoo,
Slackware and Arch.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).
Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).
Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.
However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.
The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
As one of entrypoint application, crond_t should have had the
files_polyinstantiate_all() interface called so that pam_namespace.so
could work well in crond_t. Otherwise the crond_t lacks the sys_admin
permission to make use of pam_namespace.so
BTW, the allow_polyinstantiation boolean need to be toggled true
accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Entry point applications such as crond or atd use pam_loginuid.so for
the session phase of their PAM config files to set the process loginuid
attribute. Accordingly logging_set_loginuid interface should have been
called, otherwise we could run into below error message:
type=USER_START msg=audit(1296377641.212:213): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=USER_END msg=audit(1296377641.220:214): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=AVC msg=audit(1296377641.196:212): avc: denied { audit_control } for pid=2633 comm="crond" capability=30 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=capability
BTW, other entrypoint applications such as sshd/login/remote have had
this interface called for their domains.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
On my system, I use XFCE and start X from the commandline (using "startx")
rather than through a graphical DM. During the start-up, XFCE4 creates
temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
read in by iceauth and at some point X.
I'm not that good at the entire ICE stuff, but without this, I was unable to
shut down my session ("log off").
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
I realized the policy wasn't complete for handling udev_tbl_t dirs, and
updating it wouldn't work because we couldn't make a filetrans on dirs,
since all the dirs in /dev would become udev_tbl_t. i.e. this would have
been required, but would make problems: dev_filetrans(udev_t, udev_tbl_t, dir);
As identified by Stephan Smalley, the current MLS constraint for the
contains permission of the context class should consider the current
level of a user along with the clearance level so that mls_systemlow
is no longer considered contained in mls_systemhigh.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
