In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.
Moreover, some support scripts requires Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.
ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.
-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
audit.log shows that journald needs to read the kernel read buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
While at it, remove a useless backslash before a minus character.
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
