Commit Graph

1308 Commits

Author SHA1 Message Date
Chris Richards
4b825e21d4 dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:12 -05:00
Chris Richards
55d8395f49 dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:05 -05:00
Chris Richards
7644a58c1f dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:57 -05:00
Chris Richards
3e99a17663 dontaudit mount writes to newly mounted filesystems
As of util-linux-n 2.18, the mount utility now attempts to write to the root
of newly mounted filesystems.  It does this in an attempt to ensure that the
r/w status of a filesystem as shown in mtab is correct.  To detect whether
a filesystem is r/w, mount calls access() with the W_OK argument.  This
results in an AVC denial with current policy.  As a fallback, mount also
attempts to modify the access time of the directory being mounted on if
the call to access() fails.  As mount already possesses the necessary
privileges, the modification of the access time succeeds (at least on systems
with the futimens() function, which has existed in linux since kernel 2.6.22
and glibc since version 2.6, or about July 2007).

Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:48 -05:00
Chris PeBenito
239e8e214e AIDE can be configured to log to syslog 2010-11-05 13:13:42 -04:00
Chris PeBenito
bc5a858a4e Change /dev/log fc to MLS system high.
When the syslog recreates this sock_file on startup, it gets this sensitivity anyway.
This will prevent incorrect relabeling if /dev is relabeled.
2010-11-05 13:13:21 -04:00
Chris PeBenito
47ecd96afa Fix deprecated interface usage in vlock. 2010-11-02 09:17:16 -04:00
Chris PeBenito
65ac69dd0e Whitespace fix in secadm.te and auditadm.te. 2010-11-02 09:09:05 -04:00
Harry Ciao
20cce006fa Make auditadm & secadm able to use vlock
Make the auditadm and secadm able to use the vlock program.
Also bump their module versions.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-02 09:06:13 -04:00
Chris PeBenito
6df9de4947 Module version bump for vlock. Changelog entry. 2010-11-01 11:22:25 -04:00
Chris PeBenito
7f9f5bce63 Rename vlock interfaces. 2010-11-01 11:22:07 -04:00
Chris PeBenito
b058561a14 Rearrange rules in vlock. 2010-11-01 11:21:02 -04:00
Harry Ciao
d35e2ee03b Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito
220915dcad Add mounting interfaces for selinuxfs. 2010-10-28 14:32:24 -04:00
Chris PeBenito
c1229a8232 Module version bump for oident. Additional comments for kernel loading. 2010-10-27 15:36:01 -04:00
Jeremy Solt
306d488a52 oident patch from Dan Walsh 2010-10-27 15:17:12 -04:00
Chris PeBenito
7ff21090c1 Additional rearrangement in tor and module version bump. 2010-10-27 15:06:13 -04:00
Jeremy Solt
2925b799f6 tor patch from Dan Walsh
Added additional access for dns server (bind on the port shouldn't be enough)
2010-10-27 15:06:13 -04:00
Chris PeBenito
98f8408519 Additional rearrangement in corecommands, along with module version bump. 2010-10-27 14:09:00 -04:00
Jeremy Solt
c60f75ad0f corecommands patch from Dan Walsh: "Lots of bin_t files" 2010-10-27 13:33:29 -04:00
Chris PeBenito
06dbd3bad1 Move sosreport to admin layer. 2010-10-26 15:23:20 -04:00
Chris PeBenito
a0a4752856 Minor sosreport cleanup. 2010-10-26 15:22:24 -04:00
Jeremy Solt
698289ff36 sosreport policy from Dan Walsh
- A couple style fixes
2010-10-22 11:16:05 -04:00
Chris PeBenito
00de01dab2 Move kdump to admin layer. 2010-10-21 10:45:20 -04:00
Chris PeBenito
1ec6fe6eef Module version bump for kdump. 2010-10-21 10:20:24 -04:00
Chris PeBenito
bd0bb4ea7c Module version bump for setrans. 2010-10-21 10:20:24 -04:00
Jeremy Solt
1b0ce6c984 setrans patch from Dan Walsh
Edits:
 - Leaving out the mls_trusted_object(setrans_t) for now
2010-10-21 10:20:24 -04:00
Jeremy Solt
d8572a6f5f kdump patch from Dan Walsh 2010-10-21 10:20:24 -04:00
Chris PeBenito
f1b2add393 Module version bump for asterisk. 2010-10-21 09:56:49 -04:00
Jeremy Solt
c152763d6e asterisk patch from Dan Walsh 2010-10-21 09:56:49 -04:00
Chris PeBenito
59ce9d66a6 Module version bump for hotplug. 2010-10-18 09:51:21 -04:00
Chris PeBenito
1e75e83f2c Module version bump for bitlbee. 2010-10-18 09:51:21 -04:00
Chris PeBenito
e06817bc03 Module version bump for wireshark patch. 2010-10-18 09:51:21 -04:00
Jeremy Solt
93985f63d7 wireshark patch from Dan Walsh
files_poly_member is provided by userdom_user_home_content
Whitespace fixes
2010-10-18 09:51:21 -04:00
Chris PeBenito
5f61db128e Module version bump for apcupsd patch. 2010-10-18 09:51:21 -04:00
Chris PeBenito
51dda6eae0 Module version bump for avahi patch. 2010-10-18 09:51:21 -04:00
Jeremy Solt
d20e128bbe Avahi patch from Dan Walsh
Dropped file read from dbus_chat
2010-10-18 09:51:21 -04:00
Jeremy Solt
31c003045e apcupsd patch from Dan Walsh 2010-10-18 09:51:21 -04:00
Jeremy Solt
05ca5f7b59 bitlbee patch from Dan Walsh 2010-10-18 09:51:20 -04:00
Jeremy Solt
7aeef6680f hotplug patch from Dan Walsh 2010-10-18 09:51:20 -04:00
Dominick Grift
69e900a7f4 Two insignificant fixes that i stumbled on when merging dev_getattr_fs()
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 10:30:45 -04:00
Chris PeBenito
735d72d52f Module version bump for Dominick's su cleanup. 2010-10-11 09:36:56 -04:00
Chris PeBenito
8d387b3228 Rename init_search_script_key() to init_search_script_keys(). 2010-10-11 09:36:31 -04:00
Dominick Grift
b21846594d su: wants to read inits script keyring.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:54 -04:00
Dominick Grift
a576078738 su: redundant, init_dontaudit_use_script_ptys($1_su_t)
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:48 -04:00
Chris PeBenito
befc7ec99f Module version bump for Dominick's consoletype cleanup. 2010-10-11 09:27:27 -04:00
Dominick Grift
bfd28e1a89 consoletype: redundant.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Dominick Grift
6ea380d622 consoletype: needs to use system dbus file descriptors.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Chris PeBenito
c7908d1ee7 Module version bump for Dominick's sudo cleanup. 2010-10-08 14:33:04 -04:00
Dominick Grift
5e70e017a3 sudo: wants to get attributes of device_t filesystems.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 14:26:55 -04:00