Chris PeBenito
76a9daf35a
Update contrib.
2014-04-15 14:52:06 -04:00
Chris PeBenito
37cea01bfa
Module version bump for gnome keyring fix from Laurent Bigonville.
2014-04-15 14:51:53 -04:00
Laurent Bigonville
adfe24f6ce
Allow the xdm_t domain to enter all the gkeyringd ones
During the opening of the session, the pam_gnome_keyring module is
starting the daemon in the gkeyringd user domain, allow xdm_t to
transition to it.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742966
2014-04-15 09:29:51 -04:00
Chris PeBenito
eabe0273c2
Update contrib.
2014-04-11 11:43:49 -04:00
Chris PeBenito
3b697dbb25
Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
2014-04-11 11:21:03 -04:00
Laurent Bigonville
d30d36a2fe
Label /usr/local/share/ca-certificates(/.*)? as cert_t
On Debian, this directory can contain locally trusted certificates that
will then be symlinked to /etc/ssl/certs by
update-ca-certificates(8); the files should be labelled as cert_t.
2014-04-11 09:26:12 -04:00
Laurent Bigonville
b7bd94f923
Properly label the manpages installed by postgresql
The postgresql manpages are installed under a private directory, some of
them are symlinked to the usual location.
Properly labeling them ensures that mandb can read them.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591
2014-04-11 09:26:12 -04:00
Laurent Bigonville
d0169a9acb
Add telepathy role for user_r and staff_r
2014-04-11 09:26:12 -04:00
Laurent Bigonville
86a429de23
Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
Use the new fs_getattr_all_xattr_fs() interface to allow the setfiles_t and
restorecond_t domains to also get the attributes on pseudo-filesystems
that support xattr.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
2014-04-11 09:08:19 -04:00
Laurent Bigonville
b1aee4c811
Associate the new xattrfs attribute to fs_t and some pseudo-fs
Associate the new xattrfs attribute to fs_t and the pseudo filesystems
that we know support xattr
This patch adds the attribute to the following (pseudo) filesystems
- device_t
- devpts_t
- fs_t
- hugetlbfs
- sysfs_t
- tmpfs_t
2014-04-11 09:08:19 -04:00
Laurent Bigonville
408549f8d3
Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
Create a new attribute and fs_getattr_all_xattr_fs() interface that will
be used for all the filesystems that support xattr
2014-04-11 09:08:19 -04:00
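The three xattrfs commits above, taken together, describe one pattern: declare an attribute, put it on every filesystem type known to support extended attributes, and expose a single interface that grants `filesystem getattr` on all of them. The sketch below is an added illustration of that pattern, not the project's own code: only the names xattrfs, fs_getattr_all_xattr_fs, setfiles_t, restorecond_t and the listed filesystem types come from the commits; the macro body, the file placement and the comment text are my reconstruction.

```selinux
# kernel/filesystem.te (sketch, assumed placement)
# One attribute for "filesystems whose inodes carry SELinux xattr labels".
# The types below are already declared in the base policy; only the
# typeattribute statements are new.
attribute xattrfs;

typeattribute fs_t xattrfs;        # generic persistent filesystems
typeattribute device_t xattrfs;    # devtmpfs on /dev
typeattribute devpts_t xattrfs;
typeattribute hugetlbfs_t xattrfs;
typeattribute sysfs_t xattrfs;
typeattribute tmpfs_t xattrfs;

# kernel/filesystem.if (sketch, assumed body)
########################################
## <summary>
##	Get the attributes of all filesystems
##	that support extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_all_xattr_fs',`
	gen_require(`
		attribute xattrfs;
	')

	# One rule covers every type carrying the attribute, so adding a
	# new xattr-capable pseudo-fs later needs no change to callers.
	allow $1 xattrfs:filesystem getattr;
')

# system/selinuxutil.te (sketch): the two callers named in the commits.
# Both tools need to stat each filesystem to decide whether it is
# labelable before they try to relabel anything on it.
fs_getattr_all_xattr_fs(setfiles_t)
fs_getattr_all_xattr_fs(restorecond_t)
```

The design point is that callers ask for "all xattr filesystems" rather than listing sysfs_t, tmpfs_t and friends themselves; whoever adds a type to the attribute extends the grant for every caller at once, and that is also what a reviewer should check when a new `typeattribute ... xattrfs` appears, since it widens what setfiles_t and restorecond_t may stat.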
Chris PeBenito
2a8d47d7b1
Update contrib.
2014-04-04 16:29:57 -04:00
Chris PeBenito
2abfedde73
Module version bump for 2 Gentoo patches from Sven Vermeulen.
2014-04-04 16:09:30 -04:00
Sven Vermeulen
22ef609197
Support /sys/devices/system/cpu/online
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep
their context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
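The commit above carves a single sysfs file out of sysfs_t so that the broad `domain` attribute can read it without being able to read all of sysfs. The following is an added sketch of that change in refpolicy style and is not the project's actual code: the type name cpu_online_t and the path come from the commit; the interface name dev_read_cpu_online, the direct `associate` rule, the use of dev_search_sysfs and read_files_pattern, and granting it to the `domain` attribute are my assumptions.

```selinux
# kernel/devices.te (sketch): a private type for one file on sysfs.
# The associate rule is written directly here for brevity; sysfs_t is
# declared in filesystem.te of the same base module.
type cpu_online_t;
allow cpu_online_t sysfs_t:filesystem associate;

# kernel/devices.fc (sketch): this entry only matters once restorecon
# has run on the path, see the note below.
/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)

# kernel/devices.if (sketch, assumed body)
########################################
## <summary>
##	Read /sys/devices/system/cpu/online, which glibc
##	get_nprocs() opens.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_cpu_online',`
	gen_require(`
		type cpu_online_t;
	')

	# search on the sysfs_t directories leading to the file, plus
	# read on the file itself; nothing else on sysfs_t is granted.
	dev_search_sysfs($1)
	read_files_pattern($1, cpu_online_t, cpu_online_t)
')

# kernel/domain.te (sketch): "most domains" in the commit, assumed here
# to be the domain attribute.
dev_read_cpu_online(domain)
```

The caveat the commit itself raises is the one to test for: sysfs is created fresh on every boot and keeps no xattrs, so the file comes up as sysfs_t and the rule above grants nothing until an init script runs `restorecon /sys/devices/system/cpu/online` (or `restorecon -R /sys/devices/system/cpu`) after sysfs is mounted. Check with `ls -Z /sys/devices/system/cpu/online`: if it still shows sysfs_t, get_nprocs() in confined domains will fail and the audit log will show `read` denials against sysfs_t:file, not cpu_online_t.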
Sven Vermeulen
6e0000b725
Hide getattr denials upon sudo invocation
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-04 16:07:43 -04:00
Chris PeBenito
8d94022284
Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.
2014-04-04 15:53:32 -04:00
Nicolas Iooss
27f4846ff8
userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
2014-04-04 15:52:17 -04:00
Chris PeBenito
a10930fe7c
Update contrib.
2014-03-14 11:48:15 -04:00
Chris PeBenito
862e22528d
Whitespace fix in xserver.fc.
2014-03-14 11:17:44 -04:00
Chris PeBenito
4508d748dc
Move lightdm line in xserver.fc.
2014-03-14 11:17:22 -04:00
Laurent Bigonville
18e114dae4
Label /usr/sbin/lightdm as xdm_exec_t
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739163
2014-03-14 11:14:43 -04:00
Laurent Bigonville
81570b1eb4
Properly label git-shell and other git commands for Debian
2014-03-14 11:14:43 -04:00
Chris PeBenito
4caf0885bf
Module version bump for postgresql fc entries from Luis Ressel.
2014-03-14 10:59:45 -04:00
Chris PeBenito
a72bd68428
Whitespace fix in postgresql.fc
2014-03-14 10:10:32 -04:00
Luis Ressel
defc62bf33
Add two postgresql file contexts from gentoo policy
Gentoo appends version numbers to the names of the init script and the
config directory.
2014-03-14 10:08:18 -04:00
Chris PeBenito
a82a6a80a1
Update Changelog and VERSION for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
a5054f1135
Update contrib.
2014-03-11 08:15:14 -04:00
Chris PeBenito
d6365192c2
Update contrib.
2014-03-03 09:07:16 -05:00
Chris PeBenito
4dbe95d58b
Module version bump for bootloader fc fixes from Luis Ressel.
2014-03-03 09:07:00 -05:00
Luis Ressel
f8eb4e3b3b
Label grub2-install as bootloader_exec_t
2014-03-03 08:45:10 -05:00
Luis Ressel
c2a9b89c5f
Generalize grub2 pattern
GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.
2014-03-03 08:44:41 -05:00
Chris PeBenito
681c3d451c
Update contrib.
2014-02-15 15:04:12 -05:00
Luis Ressel
a10fefcd39
Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Luis Ressel
f824120b6d
Use xattr-labeling for squashfs.
This is taken from the Fedora policy (authors: Dan Walsh, Miroslav
Grepl) and dates back to 2011 there.
2014-02-15 14:34:10 -05:00
Chris PeBenito
3501307078
Fix read loopback file interface.
2014-02-08 11:35:57 -05:00
Chris PeBenito
92cd2e251c
Module version bump for loopback file mounting fixes from Luis Ressel.
2014-02-08 10:50:34 -05:00
Chris PeBenito
acf1229dad
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Chris PeBenito
38a2d8e581
Move loop control interface definition.
2014-02-08 10:48:50 -05:00
Luis Ressel
7ac64b8a5a
Grant kernel_t necessary permissions for loopback mounts
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Luis Ressel
24be4c0096
Allow mount_t usage of /dev/loop-control
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.
2014-02-08 10:32:45 -05:00
Luis Ressel
09370605a3
system/mount.if: Add mount_read_mount_loopback interface
2014-02-08 10:32:44 -05:00
Luis Ressel
781377da9f
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-08 10:32:44 -05:00
Chris PeBenito
3bb3d9e79e
Module version bump for sesh fc from Nicolas Iooss.
2014-02-08 09:57:32 -05:00
Nicolas Iooss
f003497bcb
Label /usr/lib/sudo/sesh as shell_exec_t
2014-02-08 09:50:09 -05:00
Chris PeBenito
3c4a9cde0e
Update contrib.
2014-02-08 09:42:54 -05:00
Chris PeBenito
f097b7ab4e
Move bin_t fc from couchdb to corecommands.
2014-02-08 09:42:43 -05:00
Chris PeBenito
dd0df56c26
Module version bump for files_dontaudit_list_var() interface from Luis Ressel.
2014-02-08 09:04:18 -05:00
Luis Ressel
7381deb292
kernel/files.if: Add files_dontaudit_list_var interface
This is required for an update of the couchdb policy.
2014-02-08 09:02:57 -05:00
Chris PeBenito
22d7dac75b
Module version bump for ssh use of gpg-agent from Luis Ressel.
2014-02-08 08:41:05 -05:00