Chris Richards
4b825e21d4
dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:12 -05:00
Chris Richards
55d8395f49
dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:05 -05:00
Chris Richards
7644a58c1f
dontaudit mount writes to newly mounted filesystems
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:57 -05:00
Chris Richards
3e99a17663
dontaudit mount writes to newly mounted filesystems
As of util-linux-n 2.18, the mount utility now attempts to write to the root
of newly mounted filesystems. It does this in an attempt to ensure that the
r/w status of a filesystem as shown in mtab is correct. To detect whether
a filesystem is r/w, mount calls access() with the W_OK argument. This
results in an AVC denial with current policy. As a fallback, mount also
attempts to modify the access time of the directory being mounted on if
the call to access() fails. As mount already possesses the necessary
privileges, the modification of the access time succeeds (at least on systems
with the futimens() function, which has existed in Linux since kernel 2.6.22
and glibc since version 2.6, or about July 2007).
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:48 -05:00
Chris PeBenito
239e8e214e
AIDE can be configured to log to syslog
2010-11-05 13:13:42 -04:00
Chris PeBenito
bc5a858a4e
Change /dev/log fc to MLS system high.
When the syslog recreates this sock_file on startup, it gets this sensitivity anyway.
This will prevent incorrect relabeling if /dev is relabeled.
2010-11-05 13:13:21 -04:00
Chris PeBenito
47ecd96afa
Fix deprecated interface usage in vlock.
2010-11-02 09:17:16 -04:00
Chris PeBenito
65ac69dd0e
Whitespace fix in secadm.te and auditadm.te.
2010-11-02 09:09:05 -04:00
Harry Ciao
20cce006fa
Make auditadm & secadm able to use vlock
Make the auditadm and secadm able to use the vlock program.
Also bump their module versions.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-02 09:06:13 -04:00
Chris PeBenito
6df9de4947
Module version bump for vlock. Changelog entry.
2010-11-01 11:22:25 -04:00
Chris PeBenito
7f9f5bce63
Rename vlock interfaces.
2010-11-01 11:22:07 -04:00
Chris PeBenito
b058561a14
Rearrange rules in vlock.
2010-11-01 11:21:02 -04:00
Harry Ciao
d35e2ee03b
Adding support for the vlock program.
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito
220915dcad
Add mounting interfaces for selinuxfs.
2010-10-28 14:32:24 -04:00
Chris PeBenito
c1229a8232
Module version bump for oident. Additional comments for kernel loading.
2010-10-27 15:36:01 -04:00
Jeremy Solt
306d488a52
oident patch from Dan Walsh
2010-10-27 15:17:12 -04:00
Chris PeBenito
7ff21090c1
Additional rearrangement in tor and module version bump.
2010-10-27 15:06:13 -04:00
Jeremy Solt
2925b799f6
tor patch from Dan Walsh
Added additional access for dns server (bind on the port shouldn't be enough)
2010-10-27 15:06:13 -04:00
Chris PeBenito
98f8408519
Additional rearrangement in corecommands, along with module version bump.
2010-10-27 14:09:00 -04:00
Jeremy Solt
c60f75ad0f
corecommands patch from Dan Walsh: "Lots of bin_t files"
2010-10-27 13:33:29 -04:00
Chris PeBenito
06dbd3bad1
Move sosreport to admin layer.
2010-10-26 15:23:20 -04:00
Chris PeBenito
a0a4752856
Minor sosreport cleanup.
2010-10-26 15:22:24 -04:00
Jeremy Solt
698289ff36
sosreport policy from Dan Walsh
- A couple style fixes
2010-10-22 11:16:05 -04:00
Chris PeBenito
00de01dab2
Move kdump to admin layer.
2010-10-21 10:45:20 -04:00
Chris PeBenito
1ec6fe6eef
Module version bump for kdump.
2010-10-21 10:20:24 -04:00
Chris PeBenito
bd0bb4ea7c
Module version bump for setrans.
2010-10-21 10:20:24 -04:00
Jeremy Solt
1b0ce6c984
setrans patch from Dan Walsh
Edits:
- Leaving out the mls_trusted_object(setrans_t) for now
2010-10-21 10:20:24 -04:00
Jeremy Solt
d8572a6f5f
kdump patch from Dan Walsh
2010-10-21 10:20:24 -04:00
Chris PeBenito
f1b2add393
Module version bump for asterisk.
2010-10-21 09:56:49 -04:00
Jeremy Solt
c152763d6e
asterisk patch from Dan Walsh
2010-10-21 09:56:49 -04:00
Chris PeBenito
59ce9d66a6
Module version bump for hotplug.
2010-10-18 09:51:21 -04:00
Chris PeBenito
1e75e83f2c
Module version bump for bitlbee.
2010-10-18 09:51:21 -04:00
Chris PeBenito
e06817bc03
Module version bump for wireshark patch.
2010-10-18 09:51:21 -04:00
Jeremy Solt
93985f63d7
wireshark patch from Dan Walsh
files_poly_member is provided by userdom_user_home_content
Whitespace fixes
2010-10-18 09:51:21 -04:00
Chris PeBenito
5f61db128e
Module version bump for apcupsd patch.
2010-10-18 09:51:21 -04:00
Chris PeBenito
51dda6eae0
Module version bump for avahi patch.
2010-10-18 09:51:21 -04:00
Jeremy Solt
d20e128bbe
Avahi patch from Dan Walsh
Dropped file read from dbus_chat
2010-10-18 09:51:21 -04:00
Jeremy Solt
31c003045e
apcupsd patch from Dan Walsh
2010-10-18 09:51:21 -04:00
Jeremy Solt
05ca5f7b59
bitlbee patch from Dan Walsh
2010-10-18 09:51:20 -04:00
Jeremy Solt
7aeef6680f
hotplug patch from Dan Walsh
2010-10-18 09:51:20 -04:00
Dominick Grift
69e900a7f4
Two insignificant fixes that I stumbled on when merging dev_getattr_fs()
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 10:30:45 -04:00
Chris PeBenito
735d72d52f
Module version bump for Dominick's su cleanup.
2010-10-11 09:36:56 -04:00
Chris PeBenito
8d387b3228
Rename init_search_script_key() to init_search_script_keys().
2010-10-11 09:36:31 -04:00
Dominick Grift
b21846594d
su: wants to read init's script keyring.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:54 -04:00
Dominick Grift
a576078738
su: redundant, init_dontaudit_use_script_ptys($1_su_t)
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:48 -04:00
Chris PeBenito
befc7ec99f
Module version bump for Dominick's consoletype cleanup.
2010-10-11 09:27:27 -04:00
Dominick Grift
bfd28e1a89
consoletype: redundant.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Dominick Grift
6ea380d622
consoletype: needs to use system dbus file descriptors.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Chris PeBenito
c7908d1ee7
Module version bump for Dominick's sudo cleanup.
2010-10-08 14:33:04 -04:00
Dominick Grift
5e70e017a3
sudo: wants to get attributes of device_t filesystems.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 14:26:55 -04:00