Commit Graph

3276 Commits

Author SHA1 Message Date
Sven Vermeulen
356c704f4d Introduce portage_fetch_t as an application domain
Enhance portage_fetch_t from an application type to a domain. Introduce
the proper portage_fetch_exec_t and add the necessary privileges to the
domain definition to allow portage_fetch_t to be used by Portage
management utilities like layman and emerge-webrsync.

We enhance portage_domtrans() to include portage_fetch_t support.
Providing a different interface (portage_fetch_domtrans) is possible
too, but since every application and role that needs to deal with
portage needs to deal with the fetching as well, and vice versa, we keep
this in portage_domtrans.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:52 -04:00
Sven Vermeulen
706d503e5b Allow the sysadm domain to execute rc
The /sbin/rc binary is used by the system administrator to manage
runlevels (add/delete), check runlevel state, etc. all which do not
require a transition to occur. Hence the /sbin/rc (now labeled
rc_exec_t) is allowed to be executed without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:44 -04:00
Sven Vermeulen
c5cbefb892 Gentoo integrated run_init support re-executes rc
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:37 -04:00
Sven Vermeulen
032b62f2ed Allow gcc-config to execute rc
The gcc-config application uses some functions (from
/etc/init.d/functions.sh) which are simple wrappers on top of
/sbin/rc. Since this script is sourced and the functions executed
from within gcc_config_t, we allow gcc-config to execute /sbin/rc
without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:31 -04:00
Sven Vermeulen
bce639cff4 Introduce rc_exec_t as file entry for initrc_t
Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc)
for all its functions, be it executing init scripts, managing runlevels,
checking state, etc. This binary is not allowed to be labeled
initrc_exec_t as that would trigger domain transitions where this isn't
necessary (or even allowed).

A suggested solution is to use a separate type declaration for /sbin/rc
(rc_exec_t) which transitions where necessary.

This patch includes support for the /sbin/rc rc_exec_t type and declares
the init_rc_exec() interface which allows domains to execute the binary
without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-06 13:22:22 -04:00
Chris PeBenito
8ee51235f6 Allow user and role changes on dynamic transitions with the same constraints as regular transitions. 2011-09-02 09:59:26 -04:00
Chris PeBenito
74aaedde68 Whitespace fixes in rsync, samba, and mount. 2011-09-02 09:55:50 -04:00
Chris PeBenito
c7c9e0e04d Whitespace fix in unprivuser. 2011-09-02 09:20:54 -04:00
Chris PeBenito
102f084d96 New git service features from Dominick Grift.
* git user sessions
* repositories on CIFS/NFS
* inetd service
2011-09-02 09:20:23 -04:00
Chris PeBenito
ec70a331ff Corenetwork policy size optimization from Dan Walsh. 2011-08-26 09:03:25 -04:00
Chris PeBenito
697d0bbf4d Module version bump for puppet mount patch from Sven Vermeulen. 2011-08-25 07:57:06 -04:00
Sven Vermeulen
960b471754 Allow puppet to mount partitions
Puppet is a management utility to manage several dozens or even hundreds of
systems through a single application. Part of its job is to ensure that the
configuration and state of a system is as expected. Part of this is to ensure
that the proper mounts are available and, if not, mount them (or umount them).

This patch allows puppet_t to call mount.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:56:28 -04:00
Chris PeBenito
acf3f0e64d Fix typo in portage_dontaudit_use_fds. 2011-08-25 07:56:01 -04:00
Chris PeBenito
4a586153a1 Module version bump for load_policy dontaudit of leaked portage fds from Sven Vermeulen. 2011-08-25 07:46:26 -04:00
Chris PeBenito
7b4defd475 Move portage_dontaudit_use_fds() interface. 2011-08-25 07:45:08 -04:00
Chris PeBenito
8dc4e0f223 Whitespace fixes in selinuxutil. 2011-08-25 07:43:36 -04:00
Sven Vermeulen
5d77246f5f Do not audit the use of portage' filedescriptors from load_policy_t
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).

Hence, we dontaudit this use.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Sven Vermeulen
137f7366ee Introduce portage_dontaudit_use_fds
Support the interface to not audit portage_t:fd use (file descriptors, leaked
or not)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Chris PeBenito
68bbbbdec6 Change pppd_can_insmod to a Boolean so tunables and Booleans are not mixed. 2011-08-25 07:34:08 -04:00
Chris PeBenito
66e03ec8b2 Module version bump for LDAPS patch. Move a line. 2011-08-24 09:38:58 -04:00
Sven Vermeulen
9a680874fe Support LDAPS for nsswitch-related network activity
Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:33:43 -04:00
Chris PeBenito
540bc2d3b2 Module version bump for courier-imapd patch from Sven Vermeulen. 2011-08-24 09:26:42 -04:00
Sven Vermeulen
5296cfcdb9 Update file contexts for courier to support courier-imap
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:26:13 -04:00
Sven Vermeulen
32ed63a740 Fix zabbix_agentd context
The zabbix_agentd context was wrongfully set to the domain type instead of
the _exec_t type.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:21:21 -04:00
Chris PeBenito
12904f9fe8 Module version bump for dhcp client patch from Sven Vermeulen. 2011-08-24 09:15:33 -04:00
Sven Vermeulen
4976982e85 Allow dhcp client to update kernel routing table plus context updates
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.

Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:13:33 -04:00
Chris PeBenito
5802e169eb Module version bump for xfce bin file contexts patch from Sven Vermeulen. 2011-08-24 09:08:16 -04:00
Chris PeBenito
a83b53041e Rearrange xfce corecommands fc entries. 2011-08-24 09:07:34 -04:00
Sven Vermeulen
7901eb059b Update file contexts for xfce4 helper applications
Many XFCE4 helper applications are located in /usr/lib locations. This patch
marks those helpers as bin_t.

Recursively marking the directories bin_t does not work properly as these
locations also contain actual libraries.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:56:47 -04:00
Chris PeBenito
12c3e8bf71 Module version bump for nagios checkdisk patch from Sven Vermeulen. 2011-08-24 08:56:33 -04:00
Sven Vermeulen
eb6e425304 Nagios' checkdisk plugin requires getattr on the mountpoint directories
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:55:41 -04:00
Chris PeBenito
003361c264 Module version bump for xtables-multi patch from Sven Vermeulen. 2011-08-24 08:55:00 -04:00
Sven Vermeulen
2ebb974006 ip6?tables-multi is combined in xtables-multi
Since april, the *-multi applications offered through iptables are combined
through a single binary called xtables-multi. The previous commands are now
symbolic links towards this application.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:35:57 -04:00
Chris PeBenito
f7a845fcca Module version bump for udp_socket listen dontaudit for all domains. 2011-08-23 08:29:03 -04:00
Chris PeBenito
78e65fb36c Module version bump for setfiles audit message patch from Roy Li. 2011-08-23 08:21:40 -04:00
Chris PeBenito
5d834aa7dd Whitespace fix in selinuxutil. 2011-08-23 08:21:40 -04:00
Roy.Li
0bd595020c Make setfiles be able to send audit messages.
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.

The test cases to reproduce this defect:
	=> restorecon -R /
	=> echo $?
	255
	=>

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
Chris PeBenito
ec280b3209 Silence spurious udp_socket listen denials. 2011-08-23 08:21:40 -04:00
Chris PeBenito
d3a85bbc0b Module version bump for zabbix patch from Sven Vermeulen. 2011-08-16 15:23:39 -04:00
Sven Vermeulen
0caefef811 Allow zabbix to connect to mysql through TCP
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:23:11 -04:00
Chris PeBenito
8f8d3f7caf Module version bump for nagios NRPE patch from Sven Vermeulen. 2011-08-16 15:21:58 -04:00
Sven Vermeulen
8d238a8308 Nagios NRPE client should be able to read its own configuration file
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:21:22 -04:00
Chris PeBenito
5f1189f0fe Module version bump for consolekit patch from Sven Vermeulen. 2011-08-16 15:21:01 -04:00
Sven Vermeulen
8365be4394 HAL support is not mandatory for ConsoleKit
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:20:14 -04:00
Chris PeBenito
adddcf93f6 Fix unexpanded MLS/MCS fields in monolithic seusers file. 2011-08-12 08:28:37 -04:00
Chris PeBenito
8b3c840804 Whitespace fix in unprivuser. 2011-07-29 08:50:24 -04:00
Chris PeBenito
81eefe7ce9 Type transition fix in Postgresql database objects from KaiGai Kohei. 2011-07-29 08:42:53 -04:00
Chris PeBenito
f1aed68ac3 Support for file context path substitutions (file_contexts.subs).
Install file_contexts.subs_dist out of Refpolicy. This is TYPE-agnostic
so the file goes in config/.  Populate the file with current substitutions.
2011-07-28 13:12:28 -04:00
Chris PeBenito
f342e50500 Update VERSION and Changelog for release. 2011-07-26 08:15:53 -04:00
Chris PeBenito
aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00