Commit Graph

22 Commits

Author SHA1 Message Date
Laurent Bigonville
624abc4f54 Allow the user cronjobs to run in their userdomain
When cron_userdomain_transition boolean is set to on, the user cronjobs
are supposed to run in their domains. Without this patch the default
context is not properly computed:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    /usr/sbin/getdefaultcon: Invalid argument
    $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
    staff_u:sysadm_r:sysadm_t:s0

With this patch applied:

    $ /usr/sbin/getdefaultcon user_u system_u:system_r:crond_t:s0
    user_u:user_r:user_t:s0
    $ /usr/sbin/getdefaultcon staff_u system_u:system_r:crond_t:s0
    staff_u:staff_r:staff_t:s0
2015-12-08 09:35:55 -05:00
Chris PeBenito
ca6cbe9bd1 Remove trailing / from paths 2012-08-15 10:57:24 -04:00
Sven Vermeulen
8e678aa594 Use substitutions for /usr/local/lib and /etc/init.d
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).

Update the file contexts of the translated locations.

Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-08-15 10:30:25 -04:00
Chris PeBenito
44639de947 clarify the file_contexts.subs_dist configuration file usage from Guido Trentalancia
Add a comment at the top of the configuration file file_contexts.subs_dist
to clarify that it performs aliasing and not substitutions in the
strict sense of the word.

A name change might be considered too, if it proves to lead to further
confusion.

There might be pieces of documentation that could benefit from similar
considerations.

Also note that a specific manual page is missing.
2012-08-14 08:03:19 -04:00
Sven Vermeulen
f78979eadd Adding default context rules for libvirt
The libvirt infrastructure requires the availability of the context files.

In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:18:45 -04:00
Chris PeBenito
f1aed68ac3 Support for file context path substitutions (file_contexts.subs).
Install file_contexts.subs_dist out of Refpolicy. This is TYPE-agnostic
so the file goes in config/.  Populate the file with current substitutions.
2011-07-28 13:12:28 -04:00
Chris PeBenito
38baf97520 Fix db_blob typo in sepgsql_contexts. 2011-03-22 09:31:21 -04:00
Harry Ciao
c1b9938e96 Fix cron job process' domain during system booting up.
When SELinux user system_u starts crond during system booting up, its
cron job process should be in the system_cronjob_t domain, which has
the required entrypoint permission on system crontab files labeled as
system_cron_spool_t. Otherwise we run into the error messages below:

Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/crontab)
Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/cron.d/sysstat)

The weird thing is that the getdefaultcon command cannot even fetch
"system_r:cronjob_t:s0" but returns "system_r:logrotate_t:s0"! After fixing the
default_contexts files the getdefaultcon command could properly fetch
"system_r:system_cronjob_t:s0":

root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0
system_u:system_r:logrotate_t:s0
root@QtCao:/root>
root@QtCao:/root> grep crond_t /etc/selinux/refpolicy-mls/contexts/default_contexts
system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
root@QtCao:/root>
root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0
system_u:system_r:system_cronjob_t:s0
root@QtCao:/root>

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-02-01 10:41:43 -05:00
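A simplified model of the default_contexts lookup that the two cron-related commits above (Harry Ciao's and Laurent Bigonville's) rely on, added here as an illustration; it is not refpolicy or libselinux code. It assumes libselinux's rule that a line's first field is matched against the role:type of the source context and that the first later candidate whose role:type is among the user's reachable contexts wins; the reachable sets and the "patched" line are constructed stand-ins.

```python
# Added illustration of the default_contexts lookup performed by getdefaultcon,
# modelled on libselinux's behaviour; not code from refpolicy or libselinux.
from typing import Iterator, List, Optional, Tuple

# Line quoted in Harry Ciao's commit (crond_t source -> cronjob candidates).
LINE_2011 = ("system_r:crond_t:s0\tuser_r:cronjob_t:s0 staff_r:cronjob_t:s0 "
             "sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 "
             "unconfined_r:unconfined_cronjob_t:s0\n")
# Constructed stand-in for Laurent Bigonville's fix (assumption): the user
# domains are listed as candidates so user cronjobs can run in them.
LINE_PATCHED = ("system_r:crond_t:s0\tuser_r:user_t:s0 staff_r:staff_t:s0 "
                "sysadm_r:sysadm_t:s0 system_r:system_cronjob_t:s0\n")
# Constructed stand-ins for what security_compute_user(3) would return.
REACHABLE = {
    "user_u": ["user_u:user_r:user_t:s0"],
    "staff_u": ["staff_u:staff_r:staff_t:s0", "staff_u:sysadm_r:sysadm_t:s0"],
    "system_u": ["system_u:system_r:logrotate_t:s0",
                 "system_u:system_r:system_cronjob_t:s0"],
}
CROND = "system_u:system_r:crond_t:s0"  # source context used in both commits

def role_type(con: str, has_user: bool) -> str:
    """Return role:type of a [user:]role:type[:level] context string."""
    parts = con.split(":")
    if has_user:
        parts = parts[1:]
    return parts[0] + ":" + parts[1]

def parse_default_contexts(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (source role:type, [candidate role:type:level ...]) per line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if fields:
            yield role_type(fields[0], False), fields[1:]

def get_default_context(text: str, user: str, fromcon: str,
                        reachable: List[str]) -> Optional[str]:
    """Mimic getdefaultcon: first candidate the user can reach wins.
    None corresponds to the 'Invalid argument' failure quoted above."""
    from_rt = role_type(fromcon, True)
    reach_rt = {role_type(c, True) for c in reachable}
    for src_rt, candidates in parse_default_contexts(text):
        if src_rt != from_rt:
            continue
        for cand in candidates:
            if role_type(cand, False) in reach_rt:
                return f"{user}:{cand}"
    return None
```

With LINE_2011, user_u has no reachable candidate (the failure Laurent's commit reports), while LINE_PATCHED yields user_u:user_r:user_t:s0 and staff_u:staff_r:staff_t:s0; system_u resolves to system_cronjob_t on either line, matching Harry's corrected output.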
KaiGai Kohei
b98aba85d9 Add sepgsql_contexts into appconfig-*
The attached patch adds the sepgsql_contexts file into the appconfig-*
directory. This configuration is used for the initial labeling of each
database object at installation time.
We can easily look up an appropriate label using the selabel_lookup(3)
APIs. The 'sepgsql_contexts' file is the default for SE-PostgreSQL.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
2011-01-04 13:27:40 -05:00
Eamon Walsh
b624268b9f X Object manager policy revisions to x_contexts.
Many of the specific event, extension, and property types have been
removed for the time being.  Polyinstantiation allows selections and
properties to be separated in a different way, and new X server support
for labeling individual extension requests (as opposed to entire extensions)
should make the extension querying problem easier to solve in the future.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2009-10-28 10:03:35 -04:00
Chris PeBenito
e127fb698d trunk: missed UBAC change: update securetty_types for merged user tty type. 2009-06-01 17:41:34 +00:00
Chris PeBenito
42d567c3f4 trunk: 6 patches from dan. 2009-03-31 13:40:59 +00:00
Chris PeBenito
296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito
6224fc1485 trunk: 7 patches from Fedora policy, cherry picked by david hrdeman. 2008-07-24 23:56:03 +00:00
Chris PeBenito
a68c30f58a trunk: add secadm and auditadm bits to appconfig files now that they are available beyond the MLS policy. 2008-04-30 18:55:41 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito
13e4e6e3c4 trunk: install securetty_types. 2008-01-17 14:17:26 +00:00
Chris PeBenito
8bdb48da2e trunk: 6 patches from dan. 2007-11-05 14:34:47 +00:00
Chris PeBenito
350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito
6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
Chris PeBenito
e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito
17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00