Commit Graph

1889 Commits

Author SHA1 Message Date
Sven Vermeulen
9241902062 tcpdump chroots into /var/lib/tcpdump
When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.

Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied

Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied

See also https://bugs.gentoo.org/show_bug.cgi?id=443624

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-11-27 09:12:17 -05:00
Chris PeBenito
f11752ff60 Module version bump for iptables fc entry from Sven Vermeulen and inn log from Dominick Grift. 2012-11-27 08:53:57 -05:00
Dominick Grift
fe2743038a System logger creates innd log files with a named file transition
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-27 08:53:04 -05:00
Sven Vermeulen
a2317f3820 Run ipset in iptables domain
The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements as
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-11-27 08:35:57 -05:00
Chris PeBenito
a1f3891d66 Module version bump for userdomain portion of XDG updates from Dominick Grift. 2012-11-26 11:59:55 -05:00
Dominick Grift
f1ab10f1c6 These two attribute are unused
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-26 11:25:23 -05:00
Dominick Grift
9706f6a477 Create a attribute user_home_content_type and assign it to all types that are classified userdom_user_home_content()
Create various interfaces using the user_home_content_type attribute for
tmpreaper

user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type
(why?) We should probably also create user_tmp_content_type and
user_tmpfs_content_type attributes and assign to userdom_tmp_file and
userdom_tmpfs_file respectively

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-26 11:25:08 -05:00
Chris PeBenito
c48458f8e2 Module version bump for Debian ssh-keysign location from Laurent Bigonville. 2012-11-26 11:13:12 -05:00
Laurent Bigonville
28067a810a Add Debian location for ssh-keysign 2012-11-26 11:12:40 -05:00
Chris PeBenito
c97ce312da Module version bump for man cache from Dominick Grift. 2012-11-26 11:07:57 -05:00
Chris PeBenito
50d3b9e0c4 Adjust man cache interface names. 2012-11-26 11:07:32 -05:00
Chris PeBenito
bf0f91c63d Whitespace fix in miscfiles.fc. 2012-11-26 11:07:16 -05:00
Dominick Grift
dce8c71b5f Label /var/cache/man with a private man cache type for mandb
Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-26 10:56:12 -05:00
Chris PeBenito
a1b98a3c73 Update contrib. 2012-11-26 09:38:47 -05:00
Chris PeBenito
b2cf9398df Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen. 2012-10-31 11:49:56 -04:00
Chris PeBenito
6f1dfe762a Rearrange files interfaces. 2012-10-31 11:49:23 -04:00
Sven Vermeulen
d981fce3e1 Update files_manage_generic_locks with directory permissions
Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.

This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:

* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-31 11:36:41 -04:00
Sven Vermeulen
da69156a54 Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".

When done, it will create symlinks in /var towards the new locations.

As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-31 11:36:41 -04:00
Sven Vermeulen
5751a33f27 Introduce files_manage_all_pids interface
This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-31 11:36:41 -04:00
Sven Vermeulen
44b2efbf78 Allow init to set attributes on device_t
In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-31 11:36:41 -04:00
Chris PeBenito
8285fe10a6 Module version bump for user home content fixes from Dominick Grift. 2012-10-31 11:31:37 -04:00
Chris PeBenito
f80bd12603 Rearrange lines. 2012-10-31 10:52:36 -04:00
Dominick Grift
de7b3815c9 Changes to the user domain policy module
Content that (at least) common users need to be able to relabel and
create with a type transition

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-31 10:51:34 -04:00
Chris PeBenito
af2496ea2e Module version bump/contrib sync. 2012-10-30 16:12:14 -04:00
Chris PeBenito
a94ff9d100 Rearrange devices interfaces. 2012-10-30 16:11:32 -04:00
Dominick Grift
7545e7d22c Samhain_admin() now requires a role for the role_transition from $1 to initrc_t via samhain_initrc_exec_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 15:39:20 -04:00
Dominick Grift
83d28d8a52 Changes to the user domain policy module
gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 15:39:20 -04:00
Dominick Grift
4c68e48950 For virtd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 15:39:20 -04:00
Chris PeBenito
35bb8cbf62 Module version bump for arping setcap from Dominick Grift. 2012-10-30 14:28:53 -04:00
Dominick Grift
7ef9402705 Arping needs setcap to cap_set_proc
rhbz#869615

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 14:19:37 -04:00
Chris PeBenito
104456aa17 Module version bump for interfaces used by virt from Dominick Grift. 2012-10-30 14:17:25 -04:00
Chris PeBenito
1673ea6474 Rearrange interfaces in files, clock, and udev. 2012-10-30 14:16:30 -04:00
Dominick Grift
176afaf5d6 For virtd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
fc749312f5 For virtd lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
f980fd9208 For virtd lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
f4a0be2dfc For virtd_lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
0122830bd9 For virtd_lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
e04ad5fe92 For virtd lxc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
193760f130 For svirt_lxc_domain
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
c40ea7bd2d For svirt_lxc_domain
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:02 -04:00
Dominick Grift
1cbe9e6196 For svirt_lxc_domain
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 13:58:01 -04:00
Chris PeBenito
2b63d6a616 Module version bump for dovecot libs from Mika Pflueger. 2012-10-30 13:52:59 -04:00
Mika Pflüger
5ea6bf5c1e Explicitly label dovecot libraries lib_t for debian 2012-10-30 13:42:05 -04:00
Chris PeBenito
a2cc003740 Module version bump for minor logging and sysnet changes from Sven Vermeulen. 2012-10-30 13:39:46 -04:00
Sven Vermeulen
7ed91bfafd Support flushing routing cache
To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:

~# ip route flush cache
Cannot flush routing cache

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-30 13:28:02 -04:00
Chris PeBenito
d29f5d4e72 Rename logging_search_all_log_dirs to logging_search_all_logs 2012-10-30 13:27:10 -04:00
Sven Vermeulen
c239a20504 Introduce logging_search_all_log_dirs interface
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, who scan through log directories.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-30 13:25:23 -04:00
Sven Vermeulen
48e8c08717 Introduce logging_getattr_all_logs interface
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-10-30 13:25:07 -04:00
Chris PeBenito
b7bc3d1506 Module version bump for kernel_stream_connect() from Dominick Grift. 2012-10-19 09:18:53 -04:00
Chris PeBenito
2dfd2b93a9 Move kernel_stream_connect() declaration. 2012-10-19 09:18:19 -04:00