selinux-refpolicy

Author	SHA1	Message	Date
Dominick Grift	b1599e01fe	sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 17:13:12 -04:00
Chris PeBenito	20471346ed	Silence symlink reading by setfiles since it doesn't follow symlinks anyway.	2013-09-27 17:09:43 -04:00
Chris PeBenito	57f00181ee	Module version bump for mount updates from Dominick Grift.	2013-09-27 16:54:54 -04:00
Dominick Grift	85016ae811	mount: sets kernel thread priority mount: mount reads /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount points In debian mount was trying to list / on a tmpfs (/run/lock). Since var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement a files_list_all_mountpoints() and call that for mount because it makes sense Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 16:50:38 -04:00
Chris PeBenito	b7b3b55280	Module version bumps for Debian udev updates from Dominick Grift.	2013-09-27 16:44:54 -04:00
Chris PeBenito	756a5e5101	Update contrib	2013-09-27 16:44:28 -04:00
Dominick Grift	0947e315ea	udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates /run/avahi-daemon directory Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 16:40:09 -04:00
Chris PeBenito	24f4016ec5	Move stray Debian rule in udev.	2013-09-27 16:36:52 -04:00
Dominick Grift	5905067f2a	udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t directories udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t udev: remove compromise_kernel capability2 av perm as its currently not supported in reference policy udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6) udev: udevd manages control udev_tbl_t type socket udev: udevd manages udev_tbl_t directories named files pid filetrans for /run/udev directory udev: lets just label /run/udev type udev_var_run_t and get it over with udev: make the files_pid_filetrans more specific because it appears that udev also creates directories in /run that we dont want to have created with type udev_var_run_t (/run/avahi-daemon in Debian) udev: udev-acl.ck uses dbus system bus fds udev: sends dbus message to consolekit manager: OpenSessionWithParameters Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 16:35:28 -04:00
Chris PeBenito	be570944e5	Module version bump for ssh server caps for Debian from Dominick Grift.	2013-09-27 16:25:56 -04:00
Dominick Grift	fc8bbe630a	ssh: Debian sshd is configured to use capabilities Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 16:25:15 -04:00
Chris PeBenito	cf905e8ef1	Module version bumps for dhcpc leaked fds to hostname.	2013-09-27 15:55:52 -04:00
Dominick Grift	0857061b58	hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 15:13:19 -04:00
Chris PeBenito	48554d9376	Module version bump for gdomap port from Dominick Grift.	2013-09-27 15:12:51 -04:00
Dominick Grift	9e62ecd264	corenetwork: Declare gdomap port, tcp/udp:538 Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 15:08:58 -04:00
Chris PeBenito	15f32f59fe	Module version bump for xserver console and fc fixes from Dominick Grift.	2013-09-27 15:08:12 -04:00
Dominick Grift	57f62fe531	xserver: associate xconsole_device_t (/dev/xconsole) to device_t (devtmpfs) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 14:44:46 -04:00
Dominick Grift	cb306b0c95	xserver: catch /run/gdm3 Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 14:44:13 -04:00
Chris PeBenito	f0ad29f609	Module version bump for debian ifstate changes from Dominick Grift.	2013-09-27 14:42:47 -04:00
Chris PeBenito	b4b077f3fd	Rearrange sysnet if blocks.	2013-09-27 14:41:54 -04:00
Dominick Grift	ac5d072465	sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script. Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-27 14:39:29 -04:00
Chris PeBenito	360438c194	Module version bump for xdm dbus access from Dominick Grift.	2013-09-26 11:09:28 -04:00
Dominick Grift	2aad2492e9	xdm: is a system bus client and acquires service on the system bus xdm: dbus chat with accounts-daemon Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 10:51:02 -04:00
Chris PeBenito	77f13c4993	Module version bump for slim fc entries from Sven Vermeulen.	2013-09-26 10:48:55 -04:00
Sven Vermeulen	34038013c7	Extend slim /var/run expression On Gentoo, slim files are not in /var/run/slim, but directly in /var/run. All names start with slim though, so changing the expression to match those as well. There is already a file transition in place (xdm_t writing files in var_run_t -> xdm_var_run_t) so that needs no further changes. Reported-by: Luis Ressel <aranea@aixah.de> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>	2013-09-26 10:47:50 -04:00
Chris PeBenito	fa50eb742f	Module version bump for ping capabilities from Sven Vermeulen.	2013-09-26 10:47:32 -04:00
Sven Vermeulen	56c43144d7	Allow ping to get/set capabilities When ping is installed with capabilities instead of being marked setuid, then the ping_t domain needs to be allowed to getcap/setcap. Reported-by: Luis Ressel <aranea@aixah.de> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>	2013-09-26 10:46:33 -04:00
Chris PeBenito	7aed0fd9dd	Module version bump for init interface and corecommand fc from Dominick Grift.	2013-09-26 10:45:51 -04:00
Dominick Grift	ceb6e7fcfb	corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 10:32:23 -04:00
Dominick Grift	da5f2acb27	init: create init_use_inherited_script_ptys() for tmpreaper (Debian) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 10:30:59 -04:00
Chris PeBenito	3d08aca2f4	Module version bump for virtio console from Dominick Grift.	2013-09-26 10:28:55 -04:00
Chris PeBenito	1070ba4ff9	Whitespace fix in terminal.te.	2013-09-26 10:28:24 -04:00
Dominick Grift	a43a205931	Initial virtio console device Also known as 'vmchannel', a transport mechanism is needed for communication between the host userspace and guest userspace for achieving things like making clipboard copy/paste work seamlessly across the host and guest, locking the guest screen in case the vnc session to the guest is closed and so on. This can be used in offline cases as well, for example with libguestfs to probe which file systems the guest uses, the apps installed, etc. Virtio-serial is just the transport protocol that will enable such applications to be written. It has two parts: (a) device emulation in qemu that presents a virtio-pci device to the guest and (b) a guest driver that presents a char device interface to userspace applications. Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 10:27:29 -04:00
Chris PeBenito	dd1b596ae7	Module version bump for unconfined dbus fixes from Dominick Grift.	2013-09-26 10:25:47 -04:00
Dominick Grift	1a88de7131	Unconfined domains have unconfined access to all of dbus rather than only system bus unconfined: unconfined_t is real-time scheduled by rtkit Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 10:14:30 -04:00
Chris PeBenito	ed1e6abc11	Update contrib.	2013-09-26 10:04:12 -04:00
Chris PeBenito	7f736f3587	Module version bump for selinuxfs location change from Dominick Grift.	2013-09-26 09:52:37 -04:00
Dominick Grift	e6e9e2d08b	selinux: selinuxfs is now mounted under /sys/fs/selinux instead of /selinux, so we need to allow domains that use selinuxfs to interface with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:51:01 -04:00
Chris PeBenito	0a60e5753f	Module version bump for udev Debian fixes from Dominick Grift.	2013-09-26 09:41:25 -04:00
Chris PeBenito	8e01aff2a5	Add comment for debian avahi-daemon-check-dns.sh usage by udev	2013-09-26 09:41:09 -04:00
Dominick Grift	5db6014548	udev: This is specific to debian i think. Some how the /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain The script basically does what the name suggests, and additionally it need to be able to stop and start avahi-daemon via its init script Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:39:33 -04:00
Chris PeBenito	50e5772ead	Module version bump for restricted x user template fix from Dominick Grift.	2013-09-26 09:29:42 -04:00
Dominick Grift	3b0eefcc9e	userdomain: restricted xwindows user (squash me) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:28:55 -04:00
Chris PeBenito	a2aeeefd98	Module version bump for fc fix in authlogin from Dominick Grift.	2013-09-26 09:27:04 -04:00
Dominick Grift	4f063c94d9	authlogin: Sudo file context specification did not catch paths (squash me) Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:25:27 -04:00
Chris PeBenito	5a727e1c60	Module version bump for lvm update from Dominick Grift.	2013-09-26 09:24:58 -04:00
Dominick Grift	43d6ac3f8e	lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:16:36 -04:00
Chris PeBenito	48a55abb0f	Module version bump for sysadm fix for git role usage from Dominick Grift.	2013-09-26 09:16:03 -04:00
Dominick Grift	ab3b84ecec	sysadm: Doesnt work with direct_initrc = y Signed-off-by: Dominick Grift <dominick.grift@gmail.com>	2013-09-26 09:14:12 -04:00
Chris PeBenito	55ac5a503d	Module version bump for ethtool reading pm-powersave.lock from Dominick Grift.	2013-09-26 09:14:07 -04:00

1 2 3 4 5 ...

3665 Commits