Chris PeBenito
b08f1df144
Module version bump for portreserve.
2010-11-19 14:31:33 -05:00
Jeremy Solt
10143f3432
portreserve patch from Dan Walsh
...
"Add _admin domain."
2010-11-19 14:26:55 -05:00
Chris PeBenito
9e5e9d677c
Module version bump for privoxy.
2010-11-19 14:05:55 -05:00
Jeremy Solt
4eef036424
privoxy patch from Dan Walsh
...
"split out squid port from http_cache. Need to allow all places that
connect to httpc_cache to connect to squid_port"
Edits:
- Removed tunable tabbing
2010-11-19 14:05:55 -05:00
Chris PeBenito
aa28f9239a
Module version bump for radius.
2010-11-19 11:59:35 -05:00
Chris PeBenito
5c2355147f
Module version bump for smokeping.
2010-11-19 11:59:06 -05:00
Jeremy Solt
820ba61d9b
smokeping patch from Dan Walsh
...
"smokeping tries to read shadow"
2010-11-19 11:59:05 -05:00
Jeremy Solt
781393fbe9
radius patch from Dan Walsh
...
"radius execs ntlm_auth
tmpfs /var/run"
2010-11-19 11:59:05 -05:00
Chris PeBenito
e6e42cd4c9
Module version bump for ulogd.
2010-11-19 11:39:51 -05:00
Chris PeBenito
b9a562446d
Move all ulogd networking into the mysql and postgres optionals.
2010-11-19 11:39:36 -05:00
Jeremy Solt
a00839dcc1
ulogd patch from Dan Walsh
...
"communicates with mysql and postgres via the network"
2010-11-18 13:26:19 -05:00
Chris PeBenito
8d4ee022e6
Module version bump for usbmuxd.
2010-11-17 11:00:12 -05:00
Jeremy Solt
e6b13f9e1e
usbmuxd patch from Dan Walsh
...
"Lots of stuff labeled var_run_t"
2010-11-17 11:00:12 -05:00
Chris PeBenito
289f1d3c32
Module version bump for uucp.
2010-11-17 10:21:17 -05:00
Jeremy Solt
e7d6384c07
uucp patch from Dan Walsh
...
"Executes ssh to setup connection"
2010-11-17 10:21:17 -05:00
Chris PeBenito
00ea7bbb84
Module version bump for varnishd.
2010-11-17 10:05:36 -05:00
Jeremy Solt
2e2f2cbe04
varnishd patch from Dan Walsh
...
"Kills itself
+ varnishd_read_lib_files(services_munin_plugin_t)"
2010-11-17 10:02:11 -05:00
Chris PeBenito
f920903264
Module version bump for hostname.
2010-11-17 09:30:44 -05:00
Chris PeBenito
8b61886e56
Module version bump for miscfiles.
2010-11-17 09:30:44 -05:00
Chris PeBenito
a2e8969d04
Additional miscfiles tweaks.
2010-11-17 09:30:44 -05:00
Jeremy Solt
d19a291e4e
system_miscfiles patch from Dan Walsh
...
"move cobbler, Allow policy to define certs."
2010-11-17 09:30:44 -05:00
Jeremy Solt
7121e45e00
hostname patch from Dan Walsh
...
"Hostname access Seems to attract leaks."
Edits:
- No dontaudit_leaks in refpolicy, dropped those interface calls, leaving only nis_use_ypbind
2010-11-17 09:30:44 -05:00
Chris PeBenito
9711c7bdb5
Add tun_socket ubac constraint and add tun_socket to socket_class_set.
2010-11-11 09:48:43 -05:00
Chris PeBenito
52f38d23c9
Module version bump for Chris Richards' mount patchset.
2010-11-11 09:48:01 -05:00
Chris PeBenito
66ef236c90
Minor fixes for Chris Richards' mount patchset.
2010-11-11 09:47:37 -05:00
Chris Richards
a861c7c6fd
dontaudit mount writes to newly mounted filesystems
...
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:20 -05:00
Chris Richards
4b825e21d4
dontaudit mount writes to newly mounted filesystems
...
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:12 -05:00
Chris Richards
55d8395f49
dontaudit mount writes to newly mounted filesystems
...
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:15:05 -05:00
Chris Richards
7644a58c1f
dontaudit mount writes to newly mounted filesystems
...
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:57 -05:00
Chris Richards
3e99a17663
dontaudit mount writes to newly mounted filesystems
...
As of util-linux-n 2.18, the mount utility now attempts to write to the root
of newly mounted filesystems. It does this in an attempt to ensure that the
r/w status of a filesystem as shown in mtab is correct. To detect whether
a filesystem is r/w, mount calls access() with the W_OK argument. This
results in an AVC denial with current policy. As a fallback, mount also
attempts to modify the access time of the directory being mounted on if
the call to access() fails. As mount already possesses the necessary
privileges, the modification of the access time succeeds (at least on systems
with the futimens() function, which has existed in linux since kernel 2.6.22
and glibc since version 2.6, or about July 2007).
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-11 09:14:48 -05:00
Chris PeBenito
239e8e214e
AIDE can be configured to log to syslog
2010-11-05 13:13:42 -04:00
Chris PeBenito
bc5a858a4e
Change /dev/log fc to MLS system high.
...
When the syslog recreates this sock_file on startup, it gets this sensitivity anyway.
This will prevent incorrect relabeling if /dev is relabeled.
2010-11-05 13:13:21 -04:00
Chris PeBenito
47ecd96afa
Fix deprecated interface usage in vlock.
2010-11-02 09:17:16 -04:00
Chris PeBenito
65ac69dd0e
Whitespace fix in secadm.te and auditadm.te.
2010-11-02 09:09:05 -04:00
Harry Ciao
20cce006fa
Make auditadm & secadm able to use vlock
...
Make the auditadm and secadm able to use the vlock program.
Also bump their module versions.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-02 09:06:13 -04:00
Chris PeBenito
6df9de4947
Module version bump for vlock. Changelog entry.
2010-11-01 11:22:25 -04:00
Chris PeBenito
7f9f5bce63
Rename vlock interfaces.
2010-11-01 11:22:07 -04:00
Chris PeBenito
b058561a14
Rearrange rules in vlock.
2010-11-01 11:21:02 -04:00
Harry Ciao
d35e2ee03b
Adding support for the vlock program.
...
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-01 10:43:33 -04:00
Chris PeBenito
220915dcad
Add mounting interfaces for selinuxfs.
2010-10-28 14:32:24 -04:00
Chris PeBenito
c1229a8232
Module version bump for oident. Additional comments for kernel loading.
2010-10-27 15:36:01 -04:00
Jeremy Solt
306d488a52
oident patch from Dan Walsh
2010-10-27 15:17:12 -04:00
Chris PeBenito
7ff21090c1
Additional rearrangement in tor and module version bump.
2010-10-27 15:06:13 -04:00
Jeremy Solt
2925b799f6
tor patch from Dan Walsh
...
Added additional access for dns server (bind on the port shouldn't be enough)
2010-10-27 15:06:13 -04:00
Chris PeBenito
98f8408519
Additional rearrangement in corecommands, along with module version bump.
2010-10-27 14:09:00 -04:00
Jeremy Solt
c60f75ad0f
corecommands patch from Dan Walsh: "Lots of bin_t files"
2010-10-27 13:33:29 -04:00
Chris PeBenito
06dbd3bad1
Move sosreport to admin layer.
2010-10-26 15:23:20 -04:00
Chris PeBenito
a0a4752856
Minor sosreport cleanup.
2010-10-26 15:22:24 -04:00
Jeremy Solt
698289ff36
sosreport policy from Dan Walsh
...
- A couple style fixes
2010-10-22 11:16:05 -04:00
Chris PeBenito
00de01dab2
Move kdump to admin layer.
2010-10-21 10:45:20 -04:00
Chris PeBenito
1ec6fe6eef
Module version bump for kdump.
2010-10-21 10:20:24 -04:00
Chris PeBenito
bd0bb4ea7c
Module version bump for setrans.
2010-10-21 10:20:24 -04:00
Jeremy Solt
1b0ce6c984
setrans patch from Dan Walsh
...
Edits:
- Leaving out the mls_trusted_object(setrans_t) for now
2010-10-21 10:20:24 -04:00
Jeremy Solt
d8572a6f5f
kdump patch from Dan Walsh
2010-10-21 10:20:24 -04:00
Chris PeBenito
f1b2add393
Module version bump for asterisk.
2010-10-21 09:56:49 -04:00
Jeremy Solt
c152763d6e
asterisk patch from Dan Walsh
2010-10-21 09:56:49 -04:00
Chris PeBenito
59ce9d66a6
Module version bump for hotplug.
2010-10-18 09:51:21 -04:00
Chris PeBenito
1e75e83f2c
Module version bump for bitlbee.
2010-10-18 09:51:21 -04:00
Chris PeBenito
e06817bc03
Module version bump for wireshark patch.
2010-10-18 09:51:21 -04:00
Jeremy Solt
93985f63d7
wireshark patch from Dan Walsh
...
files_poly_member is provided by userdom_user_home_content
Whitespace fixes
2010-10-18 09:51:21 -04:00
Chris PeBenito
5f61db128e
Module version bump for apcupsd patch.
2010-10-18 09:51:21 -04:00
Chris PeBenito
51dda6eae0
Module version bump for avahi patch.
2010-10-18 09:51:21 -04:00
Jeremy Solt
d20e128bbe
Avahi patch from Dan Walsh
...
Dropped file read from dbus_chat
2010-10-18 09:51:21 -04:00
Jeremy Solt
31c003045e
apcupsd patch from Dan Walsh
2010-10-18 09:51:21 -04:00
Jeremy Solt
05ca5f7b59
bitlbee patch from Dan Walsh
2010-10-18 09:51:20 -04:00
Jeremy Solt
7aeef6680f
hotplug patch from Dan Walsh
2010-10-18 09:51:20 -04:00
Dominick Grift
6887b79031
obj_perm_sets: so that use_terminal interfaces also allow append.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-12 14:12:38 -04:00
Dominick Grift
69e900a7f4
Two insignificant fixes that I stumbled on when merging dev_getattr_fs()
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 10:30:45 -04:00
Chris PeBenito
735d72d52f
Module version bump for Dominick's su cleanup.
2010-10-11 09:36:56 -04:00
Chris PeBenito
8d387b3228
Rename init_search_script_key() to init_search_script_keys().
2010-10-11 09:36:31 -04:00
Dominick Grift
b21846594d
su: wants to read init's script keyring.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:54 -04:00
Dominick Grift
a576078738
su: redundant, init_dontaudit_use_script_ptys($1_su_t)
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:30:48 -04:00
Chris PeBenito
befc7ec99f
Module version bump for Dominick's consoletype cleanup.
2010-10-11 09:27:27 -04:00
Dominick Grift
bfd28e1a89
consoletype: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Dominick Grift
6ea380d622
consoletype: needs to use system dbus file descriptors.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-11 09:13:47 -04:00
Chris PeBenito
c7908d1ee7
Module version bump for Dominick's sudo cleanup.
2010-10-08 14:33:04 -04:00
Dominick Grift
5e70e017a3
sudo: wants to get attributes of device_t filesystems.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 14:26:55 -04:00
Dominick Grift
e737d5d723
sudo: wants to get attributes of generic pts filesystems.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 09:26:14 -04:00
Chris PeBenito
6e293ffd2c
Revert su default_t rule.
2010-10-08 09:15:17 -04:00
Chris PeBenito
89173d538f
Module version bump for Dominick's su cleanup.
2010-10-08 08:54:01 -04:00
Dominick Grift
bd7d571195
su: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 08:47:03 -04:00
Dominick Grift
00a1438d82
su: wants to search caller's keyring.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 08:47:03 -04:00
Dominick Grift
6a05763d51
su: do not audit attempts to search /root.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 08:47:02 -04:00
Chris PeBenito
bd51fa387c
Module version bump for Dominick's shutdown cleanup.
2010-10-07 13:07:07 -04:00
Dominick Grift
a39e274f10
shutdown: search generic log directories.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
5718c0a59a
shutdown: needs to connect to init with a unix stream socket.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
a9acfbd613
shutdown: for sudo.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
c56123dc72
shutdown: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
e4efefc4fe
shutdown: permission sets.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
08f1a0326d
shutdown: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Dominick Grift
051f74edc0
shutdown: Fedora change.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-07 12:38:07 -04:00
Chris PeBenito
2f8f8e1368
Typo fix in hadoop.
2010-10-07 12:31:41 -04:00
Chris PeBenito
641ac05468
Hadoop cleanup and module version bump.
...
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation
> +files_read_all_files(hadoop_t)
A very big privilege.
and
> +fs_associate(hadoop_tasktracker_t)
This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
2010-10-07 10:57:55 -04:00
Paul Nuzzi
bc71a042d8
hadoop 1/10 -- unconfined
...
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones. Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init. Let me know what you think.
>>>>>
>>>>> Why do some hadoop domains need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work. All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t. The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp is certainly the bane of policy writers. Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir. I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments. Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when it's committed.
>
> Other comments inline.
>
I did my best locking down the ports hadoop uses. Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have. Hopefully one day hadoop will settle on static ports. I added hadoop_datanode port 50010 since it is important to lock down that service. I changed the patch based on the rest of the comments.
Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2010-10-07 08:07:16 -04:00
Chris PeBenito
3de55ab053
Module version bump for Dominick's rpm cleanup.
2010-10-06 09:04:31 -04:00
Dominick Grift
b9df0a9727
rpm: various changes both from fedora and myself. rpm: ntp post install script wants to restart ntpd.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 09:03:32 -04:00
Dominick Grift
b7c851c66b
rpm: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:53:24 -04:00
Dominick Grift
dcba9161a6
rpm: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:53:24 -04:00
Dominick Grift
34959a2210
rpm: (brace) expansion.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:53:24 -04:00
Dominick Grift
d60649d9a1
rpm: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:53:24 -04:00
Chris PeBenito
29b1bff0e1
Module version bump for Dominick's console cleanup. Also fix rule ordering.
2010-10-06 08:42:23 -04:00
Dominick Grift
5ec14d95fb
consoletype: in fedora13 /dev/console is not labeled properly early in the boot process.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:38:40 -04:00
Dominick Grift
019ffc7d1d
consoletype: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:38:39 -04:00
Chris PeBenito
c1af955d07
Module version bump for Dominick's quota cleanup.
2010-10-06 08:35:25 -04:00
Dominick Grift
5f716ead5c
quota: permission sets.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:28:31 -04:00
Dominick Grift
0b217af214
quota: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-06 08:28:30 -04:00
Chris PeBenito
6d5cc8a096
Module version bump for Dominick's usermanage cleanup.
2010-10-05 15:27:06 -04:00
Dominick Grift
88c635d040
usermanage: permission sets.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:26:42 -04:00
Dominick Grift
e615cc410e
usermanage: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:26:41 -04:00
Dominick Grift
4be6935276
usermanage: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:26:41 -04:00
Dominick Grift
bab33c7b83
usermanage: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:26:41 -04:00
Chris PeBenito
ae8f23fd6f
Module version bump for Dominick's tzdata cleanup.
2010-10-05 15:21:52 -04:00
Dominick Grift
b1e1e93b9f
tzdata: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:17:10 -04:00
Chris PeBenito
e7ee065485
Module version bump for Dominick's netutils cleanup.
2010-10-05 15:11:23 -04:00
Dominick Grift
b306b5acaa
netutils: permission sets.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:11:00 -04:00
Dominick Grift
696a65867a
netutils: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:11:00 -04:00
Dominick Grift
9d5094a3f8
netutils: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:11:00 -04:00
Chris PeBenito
cacbc6b186
Module version bump for Dominick's logrotate cleanup.
2010-10-05 15:08:54 -04:00
Dominick Grift
a1ac7d4fe3
logrotate: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:08:22 -04:00
Chris PeBenito
6a799b6bdc
Module version bump for Dominick's cleanup.
2010-10-05 15:07:08 -04:00
Dominick Grift
ecab2ccd69
brctl: permission sets.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:05:35 -04:00
Dominick Grift
8f5cb4e977
brctl: redundant.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:05:20 -04:00
Dominick Grift
8f43f0294d
brctl: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 15:05:05 -04:00
Chris PeBenito
e5c41507c7
Module version bump for Dominick's bootloader cleanups.
2010-10-05 14:00:20 -04:00
Dominick Grift
23f4caad54
bootloader: permission set.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 13:59:05 -04:00
Dominick Grift
eac0de8785
bootloader: unused.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 13:57:42 -04:00
Chris PeBenito
9e41622e49
Remove comment due to ace98b7.
2010-10-05 13:56:40 -04:00
Dominick Grift
ace98b78df
bootloader: search parent.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-05 13:54:07 -04:00
Chris PeBenito
e29f6bf08a
Module version bump and Changelog for 329138b and 413aac1.
2010-10-01 09:50:50 -04:00
Dominick Grift
413aac13de
Allow common users to manage and relabel Alsa home files.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-01 09:41:22 -04:00
Dominick Grift
329138beba
Move oident manage and relabel home content interfaces to common user template.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-01 09:41:12 -04:00
Chris PeBenito
a492b22ab1
Fix whitespace in cyphesis.
2010-09-17 08:50:26 -04:00
Jeremy Solt
92f6d7cf64
cyphesis patch from Dan Walsh
2010-09-17 08:46:23 -04:00
Chris PeBenito
fee48647ac
Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
...
67effb0 483be01 c6c63f6 b0d8d59 5b082e4 b8097d6 689d954 5afc3d3 f3c5e77 a59e50c cf87233 17759c7 dc1db54 e9bf16d 4f95198 bf40792 622c63b c20842c dc7cc4d 792d448
2010-09-15 10:42:34 -04:00
Jeremy Solt
792d44840c
radvd patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
dc7cc4d5c1
snort patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
c20842caf8
stunnel patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
622c63b4e3
zabbix patch from Dan Walsh
2010-09-15 09:14:55 -04:00
Jeremy Solt
bf40792ae5
zebra patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
4f95198644
awstats patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
e9bf16d2d9
certmaster patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
dc1db5407a
pcscd patch from Dan Walsh
...
Edit: removed the dev_list_sysfs call, dev_read_sysfs takes care of it
2010-09-15 09:14:54 -04:00
Jeremy Solt
17759c7326
postgresql patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
cf872339b2
postgrey patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
a59e50c12c
prelude patch from Dan Walsh
2010-09-15 09:14:54 -04:00
Jeremy Solt
f3c5e77754
certwatch patch from Dan Walsh
...
Not including userdom_dontaudit_list_admin_dir - still no admin_home_t in refpolicy
2010-09-15 09:14:54 -04:00
Jeremy Solt
5afc3d3589
firstboot patch from Dan Walsh
...
Not including gnome_admin_home_gconf_filetrans - no admin_home_t in refpolicy
2010-09-15 09:14:54 -04:00
Jeremy Solt
689d95422f
smoltclient patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
b8097d6ec4
amavis patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
5b082e4acf
arpwatch patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
b0d8d59ff0
canna patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
c6c63f63c7
certmonger patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
483be01302
courier patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
67effb0450
dcc patch from Dan Walsh
2010-09-15 09:14:53 -04:00
Jeremy Solt
a831710a6a
style change to djbdns.te
2010-09-15 09:14:52 -04:00
Jeremy Solt
c4fbfaecdd
fetchmail patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
01c441355e
icecast patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
2a2b6a79fa
nslcd patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
5271920764
nut patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Jeremy Solt
c17ad385ac
openct patch from Dan Walsh
2010-09-15 09:14:52 -04:00
Chris PeBenito
25d796ed37
Unconditional staff and user oidentd home config access from Dominick Grift.
2010-09-15 08:20:16 -04:00
Dominick Grift
941e3db567
Access for confined users to oidentd user home content is unconditional.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 08:05:41 -04:00
Chris PeBenito
da12b54802
Module version bumps for cert patch.
2010-09-10 11:31:22 -04:00
Chris PeBenito
e9d6dfb8b1
Fix missed deprecated interface usage from the cert patch. Add back a few rolecap tags.
2010-09-10 11:31:00 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
...
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domain's call to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Chris PeBenito
8fbea561bb
Module version bump for 8296eb2.
2010-09-10 08:51:54 -04:00
Chris PeBenito
9c2c77403f
Remove unallocated tty access in amanda since it was originally there for the old targeted policy, and now all roles have a user tty type.
2010-09-09 09:32:31 -04:00
Dominick Grift
36c6e47384
Clean up Anaconda policy.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:56 -04:00
Dominick Grift
e02146370a
Clean up Amtu module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:14:09 -04:00
Dominick Grift
8296eb2261
Clean up Amanda module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-09 08:13:13 -04:00
Chris PeBenito
28d96f0e39
Module version bumps for b7ceb34 5675107 e411968 eca7eb3.
2010-09-03 13:09:40 -04:00
Chris PeBenito
eca7eb3b47
Rearrange alsa interfaces.
2010-09-03 11:56:10 -04:00
Dominick Grift
e411968dff
Implement alsa_home_t for asoundrc. Clean up Alsa module.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:23:06 -04:00
Dominick Grift
5675107ff9
Libcgroup moved the cgroup directory to /sys/fs/cgroup.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 11:03:10 -04:00
Dominick Grift
b7ceb34995
Do not try to relabel the contents of the /dev/shm directory.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-03 10:55:16 -04:00
Chris PeBenito
785ee7988c
Module version bump and changelog entry for conditional mmap_zero patch.
2010-09-01 10:08:09 -04:00
Chris PeBenito
a1b42052c9
Fix mmap_zero assertion violation in xserver.
2010-09-01 09:59:39 -04:00
Dominick Grift
623e4f0885
1/1] Make the ability to mmap zero conditional where this is applicable.
...
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-01 09:41:56 -04:00
Chris PeBenito
76a9fe96e4
Module version bumps and changelog for devtmpfs patchset.
2010-08-25 11:19:27 -04:00
Chris PeBenito
0d24805fd0
Trivial tweaks to devtmpfs patches.
2010-08-25 11:18:25 -04:00
Jeremy Solt
2fc79f1ef4
Early devtmpfs access
...
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-25 11:01:27 -04:00
Jeremy Solt
d6e1ef29cd
Move devtmpfs to devices from filesystem
...
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-25 11:01:22 -04:00
Chris PeBenito
c62f1bef77
Dbadm updates from KaiGai Kohei.
2010-08-19 08:41:39 -04:00
Chris PeBenito
ab8f919e6f
Part of gnome patch from Dan Walsh.
2010-08-12 09:21:36 -04:00
Chris PeBenito
a9539a063b
Additional kdumpgui cleanup.
2010-08-10 09:21:01 -04:00
Jeremy Solt
46fc0d39e3
Policy for system-config-kdump gui from Dan Walsh
...
Edits:
- removed gnome_dontaudit_search_config
- removed userdom_dontaudit_search_admin_dir
- whitespace and style fixes
2010-08-10 09:05:43 -04:00
Jeremy Solt
68e615ec5a
system-config-samba dbus service policy from Dan Walsh
2010-08-09 09:37:29 -04:00
Jeremy Solt
c87e150280
roles patch from Dan Walsh to move unwanted interface calls into an ifndef
2010-08-09 09:20:31 -04:00
Chris PeBenito
00ca404a20
Remove unnecessary require on cgroup_admin().
2010-08-09 09:10:24 -04:00
Chris PeBenito
d687db9b42
Whitespace fixes on cgroup.
2010-08-09 08:52:39 -04:00
Dominick Grift
61d7ee58a4
Confine /sbin/cgclear.
...
Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-09 08:47:15 -04:00
Dominick Grift
a0546c9d1c
System layer xml fixes.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Dominick Grift
288845a638
Services layer xml files.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:29 -04:00
Chris PeBenito
97b990f86e
Fix corecmd_dontaudit_exec_all_executables doc.
2010-08-05 09:24:41 -04:00
Dominick Grift
705f70f098
Kernel layer xml fixes.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:08:07 -04:00
Chris PeBenito
19ff03977d
Fix usermanage_kill_passwd() parameter doc.
2010-08-05 08:56:31 -04:00
Dominick Grift
77e4b55f70
Admin layer xml fixes.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:46:44 -04:00
Dominick Grift
03b86663f0
apps: domain { allowed to transition, allowed access, to not audit }.
...
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 08:20:59 -04:00
Chris PeBenito
8da88970be
Accountsd cleanup.
2010-08-03 09:50:40 -04:00
Chris PeBenito
d0eebed0b7
Move accountsd to services.
2010-08-03 09:31:53 -04:00