Commit Graph

137 Commits

Author SHA1 Message Date
Chris PeBenito
3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito
4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito
2037c8f294 kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. 2017-11-04 14:16:20 -04:00
Jason Zaman
9adc6c5ddb gssproxy: Allow others to stream connect
kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Chris PeBenito
f74a91a1a6 sysadm,fstools: Module version bump. 2017-09-14 17:21:56 -04:00
Christian Göttsche
e1d795de3b dphysswapfile: add interfaces and sysadm access
v2:

add swapfile file context
2017-09-14 17:19:55 -04:00
Chris PeBenito
aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito
6293813020 Module version bump for patches from cgzones. 2017-06-12 18:48:58 -04:00
cgzones
c6f76058dc chkrootkit: add interfaces and sysadm permit
v2:
 - add bin_t fc to corecommands
2017-06-12 18:41:56 -04:00
Chris PeBenito
5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
cgzones
9ab63a1bdf rkhunter: add interfaces for rkhunter module and sysadm permit 2017-06-08 18:22:53 -04:00
Chris PeBenito
2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman
d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito
6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Chris PeBenito
412fc7e7fd corenet/sysadm: Move lines. 2017-05-24 19:36:04 -04:00
Daniel Jurgens
25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito
36c79fd3ee Module version bump for libmtp from Guido Trentalancia. 2017-05-22 20:20:47 -04:00
Guido Trentalancia
4f8b753f24 base: role changes for the new libmtp module
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
2017-05-22 20:05:52 -04:00
Chris PeBenito
bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito
878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito
8f6f0cf0e2 Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito
73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito
603f0e1e6e Module version bump for monit patch from cgzones 2017-03-25 13:24:56 -04:00
cgzones
f438513a8a sysadm: add monit admin permissions 2017-03-09 13:24:51 +01:00
Chris PeBenito
4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones
4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito
3726cd58f6 Module version bump for changes from cgzones. 2017-02-18 12:28:38 -05:00
cgzones
60983561be sysadm: fix denials
allow to read kmesg and the selinux policy
2017-02-16 16:00:14 +01:00
Chris PeBenito
1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito
69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito
49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia via refpolicy
84176263dd sysadm: add the shutdown role
Add the shutdown role interface call to the sysadm role module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 13:13:58 -05:00
Chris PeBenito
f8489c13e4 Module version bump for xscreensaver patch from Guido Trentalancia. 2016-12-21 14:30:03 -05:00
Guido Trentalancia
997706aba3 base: enable the xscreensaver role
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-21 14:00:19 -05:00
Chris PeBenito
6e3c5476ca Module version bumps for patches from Guido Trentalancia. 2016-12-17 09:00:36 -05:00
Guido Trentalancia
20e8fb4b9c wm: update the window manager (wm) module and enable its role template (v7)
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE BASE POLICY PART.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-17 08:15:10 -05:00
Chris PeBenito
1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Guido Trentalancia
ab0b758ed7 Apache OpenOffice module (base policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and nineth versions brings no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-06 20:08:06 -05:00
Chris PeBenito
34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito
07451cd39a Module version bumps for syncthing from Naftuli Tzvi Kay. 2016-10-09 07:51:51 -04:00
Naftuli Tzvi Kay
ba903b4840
Add Syncthing Support to Policy
For now, optionally add the Syncthing role to user_r, staff_r,
and unconfined_r, and define the Syncthing ports in core network.
2016-08-21 11:57:01 -07:00
Chris PeBenito
78111e98d6 Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz Andrejczuk. 2016-05-02 08:32:42 -04:00
Dominick Grift
6232348be8 Update refpolicy to handle hwloc
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-05-02 08:22:58 -04:00
Chris PeBenito
0e133c7d74 Module version bump for tboot utils from Luis Ressel and systemd fix from Jason Zaman.
Update contrib.
2016-03-08 08:52:25 -05:00
Luis Ressel
3b586829cc Allow sysadm to run txt-stat. 2016-03-08 08:36:04 -05:00
Chris PeBenito
c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito
17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito
fc2de5c21c Add rules for sysadm_r to manage the services. 2015-10-23 10:17:46 -04:00
Chris PeBenito
95248e4919 Module version bump for cron_admin for sysadm from Jason Zaman. 2015-07-17 08:56:43 -04:00
Jason Zaman
13cfdd788f add new cron_admin interface to sysadm 2015-07-17 08:13:43 -04:00