Commit Graph

1733 Commits

Author SHA1 Message Date
Chris PeBenito
e7ed5a1fe9 Whitespace fixes in files.if. 2012-05-04 09:00:33 -04:00
James Carter
624e73955d Changed non-contrib policy to use the new non_auth_file_type interfaces
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:49 -04:00
James Carter
8959338324 Change interfaces in authlogin.if to use new interfaces in files.if
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:42 -04:00
James Carter
709fd365b8 Create non_auth_file_type attribute and interfaces
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:37 -04:00
Chris PeBenito
9b0b33ac4c Update contrib. 2012-05-04 08:43:41 -04:00
Chris PeBenito
a9cd7ff45f Module version bump for patches from Sven Vermeulen.
* Dontaudit in xserver
* Create user keys in sudo
2012-05-04 08:43:27 -04:00
Chris PeBenito
a5fc78b88a Move domain call in xserver. 2012-05-04 08:35:24 -04:00
Sven Vermeulen
d5a23304c3 Adding dontaudits for xserver
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 08:34:32 -04:00
Sven Vermeulen
1fe3d0929e sudo with SELinux support requires key handling
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 08:30:28 -04:00
Chris PeBenito
2e83467903 Module version bump and changelog for virt updates from Sven Vermeulen. 2012-04-23 10:43:15 -04:00
Sven Vermeulen
e842434336 Calling virsh requires stream_connect rights towards virt
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 10:22:55 -04:00
Chris PeBenito
94d8bd2904 Module version bump for mountpoint patches from Sven Vermeulen. 2012-04-23 09:33:17 -04:00
Sven Vermeulen
26cfbe5317 Marking debugfs and securityfs as mountpoints
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-23 09:21:15 -04:00
Chris PeBenito
100734ef64 Module version bump for asterisk updates; pull in asterisk contrib changes. 2012-04-20 16:36:38 -04:00
Sven Vermeulen
00247b9d3f Allow initrc to manage asterisk log and pid file attributes
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 16:25:45 -04:00
Chris PeBenito
9e56720a39 Module version bump and changelog for various dontaudits from Sven Vermeulen. 2012-04-20 16:06:54 -04:00
Sven Vermeulen
fc2f5ea3b4 Adding dontaudit for sudo
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:55:12 -04:00
Sven Vermeulen
fbac862b89 Adding dontaudits for mount
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:44:05 -04:00
Sven Vermeulen
1bd83205aa Do not audit rw on dhcp client unix_stream_sockets
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:43:34 -04:00
Chris PeBenito
364768e8e9 Fix whitespace issues in sysnetwork.if. 2012-04-20 15:39:36 -04:00
Sven Vermeulen
2260ef56f8 Adding dontaudit interfaces in sysnet
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:39:04 -04:00
Chris PeBenito
cb29c82a28 Rearrange mountpoint interfaces in files. 2012-04-20 15:38:51 -04:00
Chris PeBenito
a1d38fb485 Fix files whitespace issues. 2012-04-20 15:35:24 -04:00
Sven Vermeulen
f93d4fd85c Adding dontaudit interfaces for files module
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-04-20 15:30:10 -04:00
Chris PeBenito
fbb165b989 Module version bump and changelog for bacula. 2012-03-30 09:43:13 -04:00
Chris PeBenito
68c8f3fc19 Fix whitespace issue in bacula sysadm patch. 2012-03-30 08:49:27 -04:00
Sven Vermeulen
fdacc6e744 Allow sysadm to call bacula client
This patch allows the sysadmin to run the bacula admin client.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-03-30 08:48:39 -04:00
Chris PeBenito
5b4ed06fab Pull in contrib updates. 2012-03-06 09:00:44 -05:00
Chris PeBenito
ee8210c690 Module version bump for make role attributes able to type their "own" types patch from Harry Ciao. 2012-02-27 10:25:08 -05:00
Chris PeBenito
e707a70819 Rearrange role lines from "own" patch. 2012-02-27 10:18:00 -05:00
Harry Ciao
93c3ee8b7f Make role attributes able to type their "own" types.
By default, any role attribute should be able to type their "own" types
that share the same prefix and are used in the run interface. For example,

role newrole_roles types newrole_t;

so that the calling domain of the seutil_run_newrole() interface could
properly transition into newrole_t. Without the above role rule, the caller's
role won't be associated with newrole_t.

Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
2012-02-27 10:12:57 -05:00
Chris PeBenito
f3262926ae Module version bump for Mark temporary block device as fixed_disk_device_t from Sven Vermeulen. 2012-02-22 08:44:15 -05:00
Sven Vermeulen
1668ffb244 Mark temporary block device as fixed_disk_device_t
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.

Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.

By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-02-22 08:32:42 -05:00
Chris PeBenito
f65edd8280 Bump module versions for release. 2012-02-15 14:32:45 -05:00
Chris PeBenito
6da98efd58 Pull in contrib changes from Sven Vermeulen. 2012-02-08 15:45:15 -05:00
Chris PeBenito
2788635e51 Pull in new contrib modules.
* glance
* rhsmcertd
* sanlock
* sblim
* uuidd
* vdagent
2012-01-25 10:19:13 -05:00
Chris PeBenito
e34b1f6cbd Module version bump and changelog for sshd using oddjob_mkhomedir from Sven Vermeulen. 2012-01-04 08:14:11 -05:00
Sven Vermeulen
93e4685552 sshd can call mkhomedir when a new user logs on
These services are offered through the oddjob module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-01-04 07:49:50 -05:00
Chris PeBenito
c4fa10ef81 Module version bump for changes from Fedora. 2011-12-15 08:38:06 -05:00
Chris PeBenito
7184d348c9 Add ssh_signull interface from Fedora. 2011-12-15 08:37:15 -05:00
Chris PeBenito
7ec71dcd22 Repository port from Fedora. 2011-12-15 08:37:00 -05:00
Dan Walsh
4d6b03b961 Add port for matahari policy 2011-12-15 08:33:40 -05:00
Dan Walsh
288b8ab6b2 Add port for glance policy 2011-12-15 08:33:10 -05:00
Chris PeBenito
64a0271ffd Module version bump and changelog for slim and lxdm file contexts to xserver, from Sven Vermeulen. 2011-12-13 11:17:23 -05:00
Chris PeBenito
89e1cadd02 Whitespace fix in xserver. 2011-12-13 11:17:00 -05:00
Sven Vermeulen
6f0ac6d737 Supporting lxdm and slim
Update the xserver file contexts to support the slim and lxdm services.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-12-13 10:48:16 -05:00
Chris PeBenito
3cbb3701cd Module version bumps for debian fc patch from Russell Coker. 2011-11-16 15:31:48 -05:00
Chris PeBenito
e78ada8605 Debian file locations patch from Russell Coker. 2011-11-16 15:29:18 -05:00
Chris PeBenito
e5b14e7e3a Add optional file name to filetrans_pattern. 2011-11-02 08:48:25 -04:00
Chris PeBenito
ba817fccd9 Add userdom interfaces for user application domains, user tmp files, and user tmpfs files. 2011-10-28 08:49:19 -04:00