Commit Graph

3026 Commits

Author SHA1 Message Date
Harry Ciao
4d8e9ffcb3 Make mount_t able to request loading kernel module.
Make the mount domain able to request the kernel to load a kernel module.
Otherwise the binfmt_misc kernel module won't be properly loaded
during system booting up.

type=1400 audit(1292850971.104:4): avc:  denied  { module_request } for  pid=87 comm="mount" kmod="devtmpfs" scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system

type=1400 audit(1292851024.844:13): avc:  denied  { module_request } for  pid=409 comm="mount" kmod="binfmt_misc" scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 10:20:21 -05:00
Chris PeBenito
decb7de030 Module version bump and changelog for semanage update from Harry Ciao. 2011-01-10 09:21:11 -05:00
Chris PeBenito
60a2ca249e Remove redundant semanage rule. 2011-01-10 09:20:39 -05:00
Harry Ciao
f2b3338362 semanage_t able to read from user homedirs.
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with the error messages below.

BTW, semanage_t should be able to upgrade an existing pp whether
MLS is enabled or not.

root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc:  denied  { search } for  pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule:  Failed on selinuxutil.pp!
root@qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc:  denied  { search } for  pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc:  denied  { read } for  pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc:  denied  { open } for  pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc:  denied  { getattr } for  pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root@qemu-host:/root>

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 09:13:23 -05:00
Chris PeBenito
23083bb09e Module version bump and changelog for vlock patch from Harry Ciao. 2011-01-05 11:23:47 -05:00
Harry Ciao
3543bdda9f vlock_t only uses the relabeled terminal.
The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-05 11:22:42 -05:00
Chris PeBenito
1c2e52e43f Module version bump and changelog for hadoop CDH3 patchset. 2011-01-05 10:23:02 -05:00
Chris PeBenito
60ca2bd83b Rearrange some lines in hadoop. 2011-01-05 10:22:10 -05:00
Chris PeBenito
a45657403b Whitespace fixes in hadoop. 2011-01-05 09:36:13 -05:00
Paul Nuzzi
fcb67e8cef hadoop: update to CDH3
On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
>
> So, to be explicit, it's an unconditional requirement?

Yes.  I think all future versions of hadoop will be kerberos enabled.

> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-05 09:35:40 -05:00
Chris PeBenito
a98e3bb8bd Changelog entry for KaiGai's sepgsql_contexts patch. 2011-01-04 13:33:23 -05:00
KaiGai Kohei
b98aba85d9 Add sepgsql_contexts into appconfig-*
The attached patch adds the sepgsql_contexts file into the appconfig-*
directory. This configuration is used for initial labeling at
installation time for each database object.
We can easily look up an appropriate label using the selabel_lookup(3)
APIs. The 'sepgsql_contexts' is the default for SE-PostgreSQL.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
2011-01-04 13:27:40 -05:00
Chris PeBenito
7c4fbeba94 Fixes for samhain init_system_domain() usage. 2010-12-16 09:03:51 -05:00
Chris PeBenito
7a15ba8bae Whitespace fixes in init. 2010-12-15 14:50:28 -05:00
Chris PeBenito
0233fc5126 Rearrange distro blocks in init.fc 2010-12-15 14:48:43 -05:00
Chris Richards
f40d6d4915 Fix OpenRC status dir labeling for Gentoo
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-12-15 14:44:51 -05:00
Chris Richards
9951061f90 Fix OpenRC status dir labeling for Gentoo
Current policy sets /lib(32|64)?/rc/init.d to lib_t.  This causes
problems for DHCP among other things, as the initrc domain does not
have permissions to perform some operations.  Changing to
initrc_state_t (the labeling used for /var/lib/init.d by
the older baselayout-1) resolves some of these issues.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-12-15 14:44:40 -05:00
Chris PeBenito
e50a2becc6 Fix samhain range transitions for MLS/MCS and a type transition conflict. 2010-12-15 14:06:58 -05:00
Chris PeBenito
aae6881065 Add changelog entry for samhain. 2010-12-15 11:28:52 -05:00
Chris PeBenito
5d8270c9e4 Cleanup samhain.if.
* Rearrange rules in the template.
* Remove samhain_etc_t:dir perms since there are no such dirs.
* Add extra docs in samhain_domtrans().
* Include samhaind_t in admin interface process perms.
2010-12-15 11:25:57 -05:00
Chris PeBenito
e579703142 Move samhain domain declarations into its template. 2010-12-15 11:13:18 -05:00
Chris PeBenito
ff449b62d7 Reorder samhain call in userdomain. 2010-12-15 11:02:29 -05:00
Chris PeBenito
40bc40b152 Whitespace fixes in samhain. 2010-12-15 11:01:12 -05:00
Harry Ciao
b2f8897d9c Add support for the samhain program.
Note, extra privileges may need to be granted to the samhain domain
if its default configuration file (/etc/samhainrc) is changed.

The samhain program could be used in the following way:

(In secadm_r role)
1. Initialize filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t init"

(Note, the current secadm console will be blocked until
the database is completed)

2. Start samhain daemon to check filesystem integrity:
newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"

3. Update filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t update"

(In sysadm_r role)
1. Start samhain in daemon mode:
run_init /etc/init.d/samhain start

2. Stop samhain daemon:
run_init /etc/init.d/samhain stop

3. Check samhain daemon status:
run_init /etc/init.d/samhain status

4. Read/write samhain log files:
newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"

5. Remove samhain database files:
newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"

Note:
1. Stop samhain daemon before updating signature database.
2. Don't try to start samhain daemon twice.
3. Need to toggle SELinux into the Permissive mode in order to remove
   the samhain_log files from /var/log/.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-12-15 10:57:12 -05:00
Chris PeBenito
c3cd3843fb Fix mojomojo module author. Apologies to Iain Arnell for the typo. 2010-12-15 08:09:08 -05:00
Chris PeBenito
a3f28fbd7a Update Changelog and VERSION for release. 2010-12-13 10:09:37 -05:00
Chris PeBenito
826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito
b08f1df144 Module version bump for portreserve. 2010-11-19 14:31:33 -05:00
Jeremy Solt
10143f3432 portreserve patch from Dan Walsh
"Add _admin domain."
2010-11-19 14:26:55 -05:00
Chris PeBenito
9e5e9d677c Module version bump for privoxy. 2010-11-19 14:05:55 -05:00
Jeremy Solt
4eef036424 privoxy patch from Dan Walsh
"split out squid port from http_cache.  Need to allow all places that
connect to httpc_cache to connect to squid_port"

Edits:
 - Removed tunable tabbing
2010-11-19 14:05:55 -05:00
Chris PeBenito
aa28f9239a Module version bump for radius. 2010-11-19 11:59:35 -05:00
Chris PeBenito
5c2355147f Module version bump for smokeping. 2010-11-19 11:59:06 -05:00
Jeremy Solt
820ba61d9b smokeping patch from Dan Walsh
"smokeping tries to read shadow"
2010-11-19 11:59:05 -05:00
Jeremy Solt
781393fbe9 radius patch from Dan Walsh
"radius execs ntlm_auth
tmpfs /var/run"
2010-11-19 11:59:05 -05:00
Chris PeBenito
e6e42cd4c9 Module version bump for ulogd. 2010-11-19 11:39:51 -05:00
Chris PeBenito
b9a562446d Move all ulogd networking into the mysql and postgres optionals. 2010-11-19 11:39:36 -05:00
Jeremy Solt
a00839dcc1 ulogd patch from Dan Walsh
"communicates with mysql and postgres via the network"
2010-11-18 13:26:19 -05:00
Chris PeBenito
8d4ee022e6 Module version bump for usbmuxd. 2010-11-17 11:00:12 -05:00
Jeremy Solt
e6b13f9e1e usbmuxd patch from Dan Walsh
"Lots of stuff labeled var_run_t"
2010-11-17 11:00:12 -05:00
Chris PeBenito
289f1d3c32 Module version bump for uucp. 2010-11-17 10:21:17 -05:00
Jeremy Solt
e7d6384c07 uucp patch from Dan Walsh
"Executes ssh to setup connection"
2010-11-17 10:21:17 -05:00
Chris PeBenito
00ea7bbb84 Module version bump for varnishd. 2010-11-17 10:05:36 -05:00
Jeremy Solt
2e2f2cbe04 varnishd patch from Dan Walsh
"Kills itself
+ varnishd_read_lib_files(services_munin_plugin_t)"
2010-11-17 10:02:11 -05:00
Chris PeBenito
f920903264 Module version bump for hostname. 2010-11-17 09:30:44 -05:00
Chris PeBenito
8b61886e56 Module version bump for miscfiles. 2010-11-17 09:30:44 -05:00
Chris PeBenito
a2e8969d04 Additional miscfiles tweaks. 2010-11-17 09:30:44 -05:00
Jeremy Solt
d19a291e4e system_miscfiles patch from Dan Walsh
"move cobbler, Allow policy to define certs."
2010-11-17 09:30:44 -05:00
Jeremy Solt
7121e45e00 hostname patch from Dan Walsh
"Hostname access seems to attract leaks."

Edits:
 - No dontaudit_leaks in refpolicy, dropped those interface calls, leaving only nis_use_ypbind
2010-11-17 09:30:44 -05:00
Chris PeBenito
9711c7bdb5 Add tun_socket ubac constraint and add tun_socket to socket_class_set. 2010-11-11 09:48:43 -05:00