On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
While at it, remove a useless backslash before a minus character.
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.
The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
These are seldomly-used tools from the util-linux package.
Please check if they are located in /sbin instead of /usr/sbin on other
distributions.
Signed-off-by: Luis Ressel <aranea@aixah.de>
With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.
Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Pair of objects which supported by Interbase/Firebird/Red Database:
db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
