Chris PeBenito
872ece4bcf
Whitespace fix in usermanage.
2013-12-06 08:16:10 -05:00
Dominick Grift
6042255ede
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:14:29 -05:00
Chris PeBenito
3208ff94c4
Module version bump for second lot of patches from Dominick Grift.
2013-12-03 13:03:35 -05:00
Dominick Grift
1b757c65cc
udev: in debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00
Chris PeBenito
3ee649f132
Add comment in policy for lvm sysfs write.
2013-12-03 10:54:22 -05:00
Dominick Grift
6905ddaa98
lvm: lvm writes read_ahead_kb
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:53:23 -05:00
Dominick Grift
198a6b2830
udev: udevd executable location changed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:52:44 -05:00
Chris PeBenito
613100a7f4
Whitespace fix in fstools.
2013-12-03 10:39:51 -05:00
Dominick Grift
521bbf8586
These { read write } tty_device_t chr files on boot up in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito
ac22f3a48e
setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
Access noted by Dominick Grift.
2013-12-03 09:52:21 -05:00
Chris PeBenito
3b52b87615
Rearrange userdom_delete_user_tmpfs_files() interface.
2013-12-03 09:45:16 -05:00
Dominick Grift
b0068ace7d
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 09:43:51 -05:00
Chris PeBenito
f06282d1e0
Update contrib.
2013-12-03 09:34:05 -05:00
Chris PeBenito
1a01976fc4
Module version bump for first batch of patches from Dominick Grift.
2013-12-02 14:22:29 -05:00
Dominick Grift
66c6b8a9f7
unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
04ac9311b9
xserver: already allowed by auth_login_pgm_domain(xdm_t)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
5c49af2076
kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
4113f7b0d4
sshd/setrans: make respective init scripts create pid dirs with proper contexts
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
012f1b2311
sysnetwork: dhclient searches /var/lib/ntp
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
6c19504654
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
3b6a8b0ee5
fstools: hdparm appends (what seems inherited from devicekit) /var/log/pm-powersave.log
fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
000397b217
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
e7b86e07f2
setrans: mcstransd reads filesystems file in /proc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
a0e88de5e5
authlogin: unix_chkpwd traverses / on sysfs device on Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
ec54e42ed9
udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
617e504c20
udev: this fc spec does not make sense, as there is no corresponding file type transition for it
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
76e595794b
mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Chris PeBenito
f028029464
Update contrib.
2013-11-13 12:20:51 -05:00
Chris PeBenito
9d6546a472
Module version bumps for syslog-ng and semodule updates.
2013-11-13 09:27:21 -05:00
Chris PeBenito
9fcc6fe625
Add comments about new capabilities for syslogd_t.
2013-11-13 09:26:38 -05:00
Sven Vermeulen
b00d94fb72
Allow capabilities for syslog-ng
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-11-13 09:14:34 -05:00
Sven Vermeulen
2142e6e0cc
Allow semodule to create symlink in semanage_store_t
With new userspace, trying to build a SELinux policy (and load it)
fails:
~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
2013-11-13 09:13:32 -05:00
Chris PeBenito
eb4512f6eb
Module version bump for dhcpc fixes from Dominick Grift.
2013-09-27 17:15:22 -04:00
Chris PeBenito
f0e0066a7b
Reorder dhcpc additions.
2013-09-27 17:15:02 -04:00
Dominick Grift
b1599e01fe
sysnetwork: dhcpc binds socket to random high udp ports
sysnetwork: do not audit attempts by ifconfig to read and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 17:13:12 -04:00
Chris PeBenito
20471346ed
Silence symlink reading by setfiles since it doesn't follow symlinks anyway.
2013-09-27 17:09:43 -04:00
Chris PeBenito
57f00181ee
Module version bump for mount updates from Dominick Grift.
2013-09-27 16:54:54 -04:00
Dominick Grift
85016ae811
mount: sets kernel thread priority
mount: mount reads /lib/modules/3.10-2-amd64/modules.dep
mount: mount lists all mount points
In Debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, I decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:50:38 -04:00
Chris PeBenito
b7b3b55280
Module version bumps for Debian udev updates from Dominick Grift.
2013-09-27 16:44:54 -04:00
Chris PeBenito
756a5e5101
Update contrib
2013-09-27 16:44:28 -04:00
Dominick Grift
0947e315ea
udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates /run/avahi-daemon directory
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:40:09 -04:00
Chris PeBenito
24f4016ec5
Move stray Debian rule in udev.
2013-09-27 16:36:52 -04:00
Dominick Grift
5905067f2a
udev-acl.ck lists /run/udev/tags/udev-acl
udev blocks suspend, and compromises kernel
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories
udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
udev: remove compromise_kernel capability2 av perm as its currently not
supported in reference policy
udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
udev: udevd manages control udev_tbl_t type socket
udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory
udev: lets just label /run/udev type udev_var_run_t and get it over with
udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we don't want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)
udev: udev-acl.ck uses dbus system bus fds
udev: sends dbus message to consolekit manager:
OpenSessionWithParameters
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:35:28 -04:00
Chris PeBenito
be570944e5
Module version bump for ssh server caps for Debian from Dominick Grift.
2013-09-27 16:25:56 -04:00
Dominick Grift
fc8bbe630a
ssh: Debian sshd is configured to use capabilities
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:25:15 -04:00
Chris PeBenito
cf905e8ef1
Module version bumps for dhcpc leaked fds to hostname.
2013-09-27 15:55:52 -04:00
Dominick Grift
0857061b58
hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:13:19 -04:00
Chris PeBenito
48554d9376
Module version bump for gdomap port from Dominick Grift.
2013-09-27 15:12:51 -04:00
Dominick Grift
9e62ecd264
corenetwork: Declare gdomap port, tcp/udp:538
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:08:58 -04:00
Chris PeBenito
15f32f59fe
Module version bump for xserver console and fc fixes from Dominick Grift.
2013-09-27 15:08:12 -04:00