Commit Graph

1629 Commits

Author SHA1 Message Date
Chris PeBenito a8671ae5b2 enhanced setransd support from darrel goeddel 2006-10-20 14:44:23 +00:00
Chris PeBenito 248cccf7ce 20061018 release 2006-10-18 20:26:45 +00:00
Chris PeBenito a52b4d4f23 bump versions to release numbers 2006-10-18 19:25:27 +00:00
Chris PeBenito b04eccd87b fix duplicate /usr/bin/mplayer fc match for targeted 2006-10-18 17:31:14 +00:00
Chris PeBenito d4a48c41c2 make inetd optional 2006-10-18 15:49:45 +00:00
Chris PeBenito 130f8a4aa5 merge netlabel stuff from labeled-networking branch 2006-10-17 16:58:17 +00:00
Chris PeBenito aeaae5185e fix ticket #16 2006-10-16 16:51:57 +00:00
Chris PeBenito e45324d1ee gentoo integrated run_init rules in wrong build option. 2006-10-15 00:23:06 +00:00
Chris PeBenito 0e5c5442c6 fix term_tty() associations 2006-10-14 23:32:30 +00:00
Chris PeBenito 009b377174 more realplayer entries 2006-10-14 23:31:33 +00:00
Chris PeBenito 14b1684aae gentoo testing fixes. 2006-10-13 21:44:02 +00:00
Chris PeBenito 8a2492a2df fix makefile to install root default contexts 2006-10-12 13:18:21 +00:00
Chris PeBenito d508474f08 add load target to Makefile.devel 2006-10-10 15:23:17 +00:00
Chris PeBenito 212832373e mkdir policy and file contexts dirs in make load of modular policy. 2006-10-10 15:09:59 +00:00
Chris PeBenito 85f0c35922 make optional the inetd dependency in samba 2006-10-10 13:11:58 +00:00
Chris PeBenito 93ddc66983 change transition from run_init to initrc to spec. 2006-10-09 18:52:19 +00:00
Chris PeBenito f76d07072a fix some stuff that does not affect policy 2006-10-06 17:31:52 +00:00
Chris PeBenito 830c12eb2d apply contested part of russell's last patch 2006-10-06 13:38:49 +00:00
Chris PeBenito 546c81ce25 more non .so lib files for acrobat 2006-10-05 20:39:25 +00:00
Chris PeBenito 3c3c0439f6 patch from russell, Thu, 5 Oct 2006 22:44:49 +1000
Allow unconfined processes to see unlabeled processes in ps.

Removed a redundant rule in samba.te

Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.

Removed support for devpts_t files in /tmp (there is no way that would ever 
work).

Allowed postgrey to create socket files.

Made the specs for the /lib and /lib64 directories better support stem 
compression.
2006-10-05 19:57:37 +00:00
Chris PeBenito e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito 00219064d7 This patch adds a GConf policy to refpolicy.
This policy is much tighter than the GConf policy from the old example
policy.  It only allows gconfd to access configuration data stored by
GConf.  Users can modify configuration data using gconftool-2 or
gconf-editor, both of which use gconfd.  GConf manages multiple
configuration sources, so gconfd should be used to make any changes
anyway.  Normal users who aren't trying to directly edit the
configuration data of GConf won't notice anything different.

There is also a difference between this policy and the old example
policy in handling directories in /tmp.  The old example policy
labeled /tmp/gconfd-USER with ROLE_gconfd_tmp_t, but, since there was no
use of the file_type_auto_trans macro, if that directory was deleted
gconfd would create one labeled as tmp_t.  This policy uses the
files_tmp-filetrans macro to cause a directory in /tmp created by gconfd
to be labeled as $1_tmp_t.  It is not labeled with $1_gconf_tmp_t,
because if /tmp/orbit-USER is deleted, gconfd will create it (through
use of ORBit) and it would get the $1_gconf_tmp_t label.  By having
gconfd create $1_tmp_t directories in /tmp and $1_gconf_tmp_t files and
directories in directories labeled with $1_tmp_t, it can control its
data without requiring any future bonobo or Gnome policies to have
access to $1_gconf_tmp_t.

This patch is related to work that I am doing in making gconfd an
userspace object manager.  If any user program can modify the
configuration data that GConf stores, than making gconfd an userspace
object manager would be useless.

Signed-off-by:  James Carter <jwcart2@tycho.nsa.gov>
2006-10-02 15:22:48 +00:00
Chris PeBenito f8cfddbb76 fix ticket #15. 2006-09-29 18:00:21 +00:00
Chris PeBenito 49317e6b49 fix corenetwork so the ifdef enable_mls survives to regular processing. 2006-09-29 17:37:57 +00:00
Chris PeBenito 6c63996d9b fix build error 2006-09-29 14:24:57 +00:00
Chris PeBenito e2b84ef79a patch from dan Mon, 25 Sep 2006 15:46:40 -0400 2006-09-28 14:37:29 +00:00
Chris PeBenito 693d4aedb5 patch from dan Fri, 22 Sep 2006 16:30:34 -0400 2006-09-25 18:53:06 +00:00
Chris PeBenito 8708d9bef2 patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
Chris PeBenito a9e03b3752 * add a macro for generating category declarations
* fix userdom_search_all_users_home_content() to use search_dir_perms;
* change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content()
2006-09-21 15:48:15 +00:00
Chris PeBenito bf469d7669 gentoo testing fixes 2006-09-19 17:02:29 +00:00
Chris PeBenito cf7af137c0 add mls fd constraints 2006-09-15 19:05:03 +00:00
Chris PeBenito 2b571d6880 common users list inotifyfs 2006-09-14 18:19:04 +00:00
Chris PeBenito 1a79cf0508 add -E to python commands 2006-09-13 19:10:53 +00:00
Chris PeBenito 9dfbd81493 forgot to bump policy vers 2006-09-13 18:42:49 +00:00
Chris PeBenito 73ca55d311 patches from erich Wed, 13 Sep 2006 16:18:18 +0200 2006-09-13 18:35:10 +00:00
Chris PeBenito 2cac32a605 fix miscfiles_read_localization() 2006-09-13 18:08:17 +00:00
Chris PeBenito 0d96ff339e misc fixes 2006-09-13 14:23:04 +00:00
Chris PeBenito 376fbc0be9 clean up usercanread 2006-09-11 18:23:09 +00:00
Chris PeBenito b1bf2f7811 add last bit of role infrastructure 2006-09-11 15:26:25 +00:00
Chris PeBenito 95b8223eed cleanups 2006-09-08 17:21:28 +00:00
Chris PeBenito bbcd3c97dd add main part of role-o-matic 2006-09-06 22:07:25 +00:00
Chris PeBenito 75beb95014 patch from dan Tue, 05 Sep 2006 17:06:06 -0400 2006-09-06 16:36:23 +00:00
Chris PeBenito 91dabf4d78 fix up usb.ids per distro 2006-09-05 14:31:27 +00:00
Chris PeBenito 686f11c22c add corenetwork.if dependency on corenetwork.te.in, since it is used to build the .if file 2006-09-05 14:29:37 +00:00
Chris PeBenito 13d7cec671 patch from erich Sat, 02 Sep 2006 03:37:44 +0200 2006-09-04 18:22:12 +00:00
Chris PeBenito 5dbda5558a patch from dan Fri, 01 Sep 2006 15:45:24 -0400 2006-09-04 15:15:35 +00:00
Chris PeBenito 9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
Chris PeBenito eac818f040 patch from dan Thu, 31 Aug 2006 15:16:30 -0400 2006-09-01 15:52:05 +00:00
Chris PeBenito c634db20c6 fix makefile style so internal variables are lowercase 2006-08-31 17:28:35 +00:00
Chris PeBenito a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00