Commit Graph

3260 Commits

Author SHA1 Message Date
Sven Vermeulen
5d77246f5f Do not audit the use of portage' filedescriptors from load_policy_t
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).

Hence, we dontaudit this use.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Sven Vermeulen
137f7366ee Introduce portage_dontaudit_use_fds
Support the interface to not audit portage_t:fd use (file descriptors, leaked
or not)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-25 07:42:34 -04:00
Chris PeBenito
68bbbbdec6 Change pppd_can_insmod to a Boolean so tunables and Booleans are not mixed. 2011-08-25 07:34:08 -04:00
Chris PeBenito
66e03ec8b2 Module version bump for LDAPS patch. Move a line. 2011-08-24 09:38:58 -04:00
Sven Vermeulen
9a680874fe Support LDAPS for nsswitch-related network activity
Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:33:43 -04:00
Chris PeBenito
540bc2d3b2 Module version bump for courier-imapd patch from Sven Vermeulen. 2011-08-24 09:26:42 -04:00
Sven Vermeulen
5296cfcdb9 Update file contexts for courier to support courier-imap
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:26:13 -04:00
Sven Vermeulen
32ed63a740 Fix zabbix_agentd context
The zabbix_agentd context was wrongfully set to the domain type instead of
the _exec_t type.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:21:21 -04:00
Chris PeBenito
12904f9fe8 Module version bump for dhcp client patch from Sven Vermeulen. 2011-08-24 09:15:33 -04:00
Sven Vermeulen
4976982e85 Allow dhcp client to update kernel routing table plus context updates
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.

Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 09:13:33 -04:00
Chris PeBenito
5802e169eb Module version bump for xfce bin file contexts patch from Sven Vermeulen. 2011-08-24 09:08:16 -04:00
Chris PeBenito
a83b53041e Rearrange xfce corecommands fc entries. 2011-08-24 09:07:34 -04:00
Sven Vermeulen
7901eb059b Update file contexts for xfce4 helper applications
Many XFCE4 helper applications are located in /usr/lib locations. This patch
marks those helpers as bin_t.

Recursively marking the directories bin_t does not work properly as these
locations also contain actual libraries.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:56:47 -04:00
Chris PeBenito
12c3e8bf71 Module version bump for nagios checkdisk patch from Sven Vermeulen. 2011-08-24 08:56:33 -04:00
Sven Vermeulen
eb6e425304 Nagios' checkdisk plugin requires getattr on the mountpoint directories
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:55:41 -04:00
Chris PeBenito
003361c264 Module version bump for xtables-multi patch from Sven Vermeulen. 2011-08-24 08:55:00 -04:00
Sven Vermeulen
2ebb974006 ip6?tables-multi is combined in xtables-multi
Since april, the *-multi applications offered through iptables are combined
through a single binary called xtables-multi. The previous commands are now
symbolic links towards this application.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-24 08:35:57 -04:00
Chris PeBenito
f7a845fcca Module version bump for udp_socket listen dontaudit for all domains. 2011-08-23 08:29:03 -04:00
Chris PeBenito
78e65fb36c Module version bump for setfiles audit message patch from Roy Li. 2011-08-23 08:21:40 -04:00
Chris PeBenito
5d834aa7dd Whitespace fix in selinuxutil. 2011-08-23 08:21:40 -04:00
Roy.Li
0bd595020c Make setfiles be able to send audit messages.
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.

The test cases to reproduce this defect:
	=> restorecon -R /
	=> echo $?
	255
	=>

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
2011-08-23 08:21:40 -04:00
Chris PeBenito
ec280b3209 Silence spurious udp_socket listen denials. 2011-08-23 08:21:40 -04:00
Chris PeBenito
d3a85bbc0b Module version bump for zabbix patch from Sven Vermeulen. 2011-08-16 15:23:39 -04:00
Sven Vermeulen
0caefef811 Allow zabbix to connect to mysql through TCP
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:23:11 -04:00
Chris PeBenito
8f8d3f7caf Module version bump for nagios NRPE patch from Sven Vermeulen. 2011-08-16 15:21:58 -04:00
Sven Vermeulen
8d238a8308 Nagios NRPE client should be able to read its own configuration file
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:21:22 -04:00
Chris PeBenito
5f1189f0fe Module version bump for consolekit patch from Sven Vermeulen. 2011-08-16 15:21:01 -04:00
Sven Vermeulen
8365be4394 HAL support is not mandatory for ConsoleKit
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-08-16 15:20:14 -04:00
Chris PeBenito
adddcf93f6 Fix unexpanded MLS/MCS fields in monolithic seusers file. 2011-08-12 08:28:37 -04:00
Chris PeBenito
8b3c840804 Whitespace fix in unprivuser. 2011-07-29 08:50:24 -04:00
Chris PeBenito
81eefe7ce9 Type transition fix in Postgresql database objects from KaiGai Kohei. 2011-07-29 08:42:53 -04:00
Chris PeBenito
f1aed68ac3 Support for file context path substitutions (file_contexts.subs).
Install file_contexts.subs_dist out of Refpolicy. This is TYPE-agnostic
so the file goes in config/.  Populate the file with current substitutions.
2011-07-28 13:12:28 -04:00
Chris PeBenito
f342e50500 Update VERSION and Changelog for release. 2011-07-26 08:15:53 -04:00
Chris PeBenito
aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito
3cbc972771 Fix role declaration to handle new roleattribute requirements. 2011-07-25 12:10:05 -04:00
Chris PeBenito
ee4bdf2959 Rename audioentropy module to entropyd due to haveged support. 2011-07-25 08:46:03 -04:00
Chris PeBenito
004e272212 Module version bump and changelog for haveged support from Sven Vermeulen. 2011-07-25 08:43:51 -04:00
Sven Vermeulen
7b84ef7aae Add file context rules for haveged
Add file context rules for haveged within the audioentropyd module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:45 -04:00
Sven Vermeulen
62cdea27c3 Update entropyd_t with privileges needed for haveged
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:40 -04:00
Sven Vermeulen
34aea93484 Separate sound specific items frmo general entropyd
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).

The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-25 08:38:35 -04:00
Chris PeBenito
95995f5048 Module version bump for portage updates from Sven Vermeulen. 2011-07-22 08:36:33 -04:00
Chris PeBenito
f2a85d7d04 Rearrange a few lines in portage. 2011-07-22 08:25:53 -04:00
Sven Vermeulen
204529101f Support proxy/cache servers
Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:51 -04:00
Sven Vermeulen
be42fbd8d4 Support live ebuilds through portage_srcrepo_t
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:45 -04:00
Sven Vermeulen
77cefbf2b4 Support NFS mounts for portage related locations
When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 08:20:36 -04:00
Chris PeBenito
6e742c4c63 Module version bump for NFS over TCP patchset. 2011-07-22 07:18:13 -04:00
Sven Vermeulen
bdc0c3985b Allow kernel to access NFS/RPC TCP
Allow kernel_t to access the nfsd_t' tcp_sockets.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 07:03:51 -04:00
Sven Vermeulen
555cbbc5f5 Create interface for NFS/RPC TCP access
Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-22 07:03:41 -04:00
Chris PeBenito
b594647caf Fix missing requires in /var/run and /var/lock symlink patch. 2011-07-18 14:12:07 -04:00
Chris PeBenito
a29c7b86e1 Module version bump and Changelog for auth file patches from Matthew Ife. 2011-07-18 13:48:05 -04:00