Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).
Do the same with the standard mount temporary file /etc/mtab.tmp.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
This patch includes the necessary refactoring to support python 3.
Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.
Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent syslog-ng implementation uses a threading library that requires the getsched permission.
See also https://bugs.gentoo.org/show_bug.cgi?id=405425
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The libvirt infrastructure requires the availability of the context files.
In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
