git.ipfire.org Git - people/stevee/selinux-policy.git/log
Dan Walsh [Thu, 30 Jun 2011 11:08:42 +0000 (07:08 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Thu, 30 Jun 2011 11:08:20 +0000 (07:08 -0400)]
Sandbox starts dbus within some apps and this attempts to communicate with netlink_selinux_socket. I think we need to allow this access, as it stops an ugly line from appearing in the log file
Dan Walsh [Thu, 30 Jun 2011 11:07:24 +0000 (07:07 -0400)]
Revert "Sandbox starts dbus within some apps and this attempts to communicate with netlink_selinux_socket. I think we need to allow this access, as it stops an ugly line from appearing in the log file"
This reverts commit 5a709ffff74bb93b11744d0a3041120a4910f94c.
Dan Walsh [Thu, 30 Jun 2011 11:06:28 +0000 (07:06 -0400)]
Sandbox starts dbus within some apps and this attempts to communicate with netlink_selinux_socket. I think we need to allow this access, as it stops an ugly line from appearing in the log file
Miroslav Grepl [Tue, 28 Jun 2011 10:56:49 +0000 (10:56 +0000)]
Allow pppd to search /var/lock dir
Dan Walsh [Wed, 29 Jun 2011 17:04:06 +0000 (13:04 -0400)]
Allow usbmuxd_t to read chr_files owned by svirt_t
Miroslav Grepl [Wed, 29 Jun 2011 16:02:10 +0000 (16:02 +0000)]
Add rhsmcertd policy
* Subscription Management Certificate Daemon policy
Miroslav Grepl [Wed, 29 Jun 2011 15:16:10 +0000 (15:16 +0000)]
Allow colord to read /proc/stat
Miroslav Grepl [Wed, 29 Jun 2011 13:35:24 +0000 (13:35 +0000)]
Add support for corosync-notifyd
* add corosync_exec_t label
Miroslav Grepl [Wed, 29 Jun 2011 13:22:42 +0000 (13:22 +0000)]
Allow shutdown to send sigchld to rhev-agentd
Miroslav Grepl [Wed, 29 Jun 2011 11:20:39 +0000 (11:20 +0000)]
Fix file context issue in postfix.fc
Miroslav Grepl [Wed, 29 Jun 2011 11:01:22 +0000 (11:01 +0000)]
Allow confined users to dbus chat with telepathy domains
Miroslav Grepl [Wed, 29 Jun 2011 08:32:16 +0000 (08:32 +0000)]
Allow telepathy_gabble to read gnome home config
Miroslav Grepl [Tue, 28 Jun 2011 16:21:56 +0000 (16:21 +0000)]
Fix bug in bugzilla.if
Miroslav Grepl [Tue, 28 Jun 2011 15:46:38 +0000 (15:46 +0000)]
Remove duplicate context declaration for /usr/sbin/validate
Miroslav Grepl [Tue, 28 Jun 2011 15:37:52 +0000 (15:37 +0000)]
Remove other duplicate declarations
Miroslav Grepl [Tue, 28 Jun 2011 15:22:05 +0000 (15:22 +0000)]
Remove duplicate declaration from iptables.fc
Miroslav Grepl [Tue, 28 Jun 2011 15:12:09 +0000 (15:12 +0000)]
Add back upstream changes in userdomain.if
Miroslav Grepl [Tue, 28 Jun 2011 15:01:19 +0000 (15:01 +0000)]
Remove duplicate declaration from vnstat
Miroslav Grepl [Tue, 28 Jun 2011 14:55:27 +0000 (14:55 +0000)]
Add back telepathy_dbus_chat() interface
Miroslav Grepl [Tue, 28 Jun 2011 14:46:25 +0000 (14:46 +0000)]
Use files_list_lost_found() interface
Miroslav Grepl [Tue, 28 Jun 2011 14:41:14 +0000 (14:41 +0000)]
Add back application_getattr_socket() interface
Miroslav Grepl [Tue, 28 Jun 2011 14:35:32 +0000 (14:35 +0000)]
Remove duplicate declaration in rssh policy
Miroslav Grepl [Tue, 28 Jun 2011 14:30:45 +0000 (14:30 +0000)]
Use zarafa_domtrans_deliver interface instead of zarafa_deliver_domtrans
Miroslav Grepl [Tue, 28 Jun 2011 14:26:03 +0000 (14:26 +0000)]
Fix typo
Miroslav Grepl [Tue, 28 Jun 2011 14:22:24 +0000 (14:22 +0000)]
Use mozilla_exec_user_home_files()
Miroslav Grepl [Tue, 28 Jun 2011 14:18:01 +0000 (14:18 +0000)]
Use bugzilla_dontaudit_rw_stream_sockets(system_mail_t) which is correct
Miroslav Grepl [Tue, 28 Jun 2011 14:14:41 +0000 (14:14 +0000)]
Use the right interface
* bugzilla_search_content(system_mail_t)
Miroslav Grepl [Tue, 28 Jun 2011 14:10:33 +0000 (14:10 +0000)]
Remove duplicate declaration in mozilla policy
Miroslav Grepl [Tue, 28 Jun 2011 14:05:35 +0000 (14:05 +0000)]
Remove duplicate declaration from colord policy
Miroslav Grepl [Tue, 28 Jun 2011 14:03:00 +0000 (14:03 +0000)]
Add back interface(`zarafa_manage_lib_files() interface
Miroslav Grepl [Tue, 28 Jun 2011 13:59:45 +0000 (13:59 +0000)]
Add back passenger_manage_pid_content() interface
Miroslav Grepl [Tue, 28 Jun 2011 13:52:59 +0000 (13:52 +0000)]
Add back mediawiki interfaces
Miroslav Grepl [Tue, 28 Jun 2011 13:49:39 +0000 (13:49 +0000)]
Remove duplicate declaration from userdomain.if
Miroslav Grepl [Tue, 28 Jun 2011 13:46:30 +0000 (13:46 +0000)]
Add missing interfaces to userdomain.if
Miroslav Grepl [Tue, 28 Jun 2011 13:36:42 +0000 (13:36 +0000)]
Add old userdomain.if file
Miroslav Grepl [Tue, 28 Jun 2011 13:28:57 +0000 (13:28 +0000)]
Just for testing
Miroslav Grepl [Tue, 28 Jun 2011 13:03:17 +0000 (13:03 +0000)]
Remove duplicate declaration for rssh.if
Miroslav Grepl [Tue, 28 Jun 2011 13:01:02 +0000 (13:01 +0000)]
Remove duplicate declarations for iscsi.if, libraries.if and logging.if
Miroslav Grepl [Tue, 28 Jun 2011 12:53:16 +0000 (12:53 +0000)]
Remove duplicate declarations in ipsec.if
Miroslav Grepl [Tue, 28 Jun 2011 12:51:14 +0000 (12:51 +0000)]
Fix duplicate declaration in daemontools.if
Miroslav Grepl [Tue, 28 Jun 2011 12:49:58 +0000 (12:49 +0000)]
Fix duplicate declaration in authlogin.if
Miroslav Grepl [Tue, 28 Jun 2011 12:48:43 +0000 (12:48 +0000)]
Fix duplicate declaration in kernel.if
Miroslav Grepl [Tue, 28 Jun 2011 12:45:52 +0000 (12:45 +0000)]
Fix duplicate declarations in filesystem.if (caused by merge with upstream)
Miroslav Grepl [Tue, 28 Jun 2011 12:37:58 +0000 (12:37 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Tue, 28 Jun 2011 12:36:18 +0000 (12:36 +0000)]
Remove all duplicate declarations from domain.if, corenetwork.if, files.if
Miroslav Grepl [Tue, 28 Jun 2011 12:28:40 +0000 (12:28 +0000)]
Fix shorewall.if
Miroslav Grepl [Tue, 28 Jun 2011 12:07:40 +0000 (12:07 +0000)]
Fix for colord.if and others
Dan Walsh [Tue, 28 Jun 2011 10:30:24 +0000 (06:30 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 28 Jun 2011 10:28:26 +0000 (06:28 -0400)]
Allow systemd_tmpfiles_t to list file_t directories
Dan Walsh [Tue, 28 Jun 2011 10:26:41 +0000 (06:26 -0400)]
Allow systemd_tmpfiles_t to list file_t directories
Miroslav Grepl [Tue, 28 Jun 2011 09:41:36 +0000 (09:41 +0000)]
Fix more typos
Miroslav Grepl [Tue, 28 Jun 2011 08:50:51 +0000 (08:50 +0000)]
Fix in telepathy.if
Miroslav Grepl [Mon, 27 Jun 2011 18:44:05 +0000 (18:44 +0000)]
Fix ncftool.if
Miroslav Grepl [Mon, 27 Jun 2011 17:53:32 +0000 (17:53 +0000)]
qpidd policy was renamed to qpid by upstream
Miroslav Grepl [Mon, 27 Jun 2011 17:47:23 +0000 (17:47 +0000)]
Move mediawiki policy from apps to services
Miroslav Grepl [Mon, 27 Jun 2011 17:38:59 +0000 (17:38 +0000)]
Move passenger policy from services to admin layer
Miroslav Grepl [Mon, 27 Jun 2011 17:33:58 +0000 (17:33 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/mcs
policy/modules/admin/ncftool.fc
policy/modules/admin/ncftool.if
policy/modules/admin/ncftool.te
policy/modules/admin/shorewall.if
policy/modules/apps/kdumpgui.te
policy/modules/apps/mozilla.if
policy/modules/apps/mozilla.te
policy/modules/apps/qemu.te
policy/modules/apps/rssh.te
policy/modules/apps/sambagui.te
policy/modules/apps/screen.if
policy/modules/apps/telepathy.fc
policy/modules/apps/telepathy.if
policy/modules/apps/telepathy.te
policy/modules/apps/vmware.te
policy/modules/apps/webalizer.te
policy/modules/apps/wm.fc
policy/modules/kernel/corecommands.fc
policy/modules/kernel/corenetwork.fc
policy/modules/kernel/corenetwork.if.in
policy/modules/kernel/corenetwork.te.in
policy/modules/kernel/devices.if
policy/modules/kernel/domain.if
policy/modules/kernel/files.fc
policy/modules/kernel/files.if
policy/modules/kernel/filesystem.fc
policy/modules/kernel/filesystem.if
policy/modules/kernel/filesystem.te
policy/modules/kernel/selinux.if
policy/modules/kernel/storage.if
policy/modules/kernel/terminal.fc
policy/modules/kernel/terminal.if
policy/modules/roles/sysadm.te
policy/modules/services/aiccu.if
policy/modules/services/aiccu.te
policy/modules/services/aisexec.te
policy/modules/services/amavis.te
policy/modules/services/bugzilla.fc
policy/modules/services/bugzilla.if
policy/modules/services/bugzilla.te
policy/modules/services/cgroup.te
policy/modules/services/cmirrord.fc
policy/modules/services/cmirrord.if
policy/modules/services/cobbler.if
policy/modules/services/colord.fc
policy/modules/services/colord.if
policy/modules/services/colord.te
policy/modules/services/courier.fc
policy/modules/services/cyrus.fc
policy/modules/services/dbus.if
policy/modules/services/dbus.te
policy/modules/services/dovecot.te
policy/modules/services/mpd.fc
policy/modules/services/mpd.if
policy/modules/services/mpd.te
policy/modules/services/postfix.fc
policy/modules/services/vnstatd.fc
policy/modules/services/vnstatd.if
policy/modules/services/vnstatd.te
policy/modules/services/xserver.te
policy/modules/services/zabbix.fc
policy/modules/services/zabbix.te
policy/modules/services/zarafa.fc
policy/modules/services/zarafa.if
policy/modules/services/zarafa.te
policy/modules/system/application.if
policy/modules/system/authlogin.if
policy/modules/system/daemontools.if
policy/modules/system/daemontools.te
policy/modules/system/fstools.te
policy/modules/system/init.te
policy/modules/system/ipsec.fc
policy/modules/system/ipsec.te
policy/modules/system/iptables.fc
policy/modules/system/iptables.if
policy/modules/system/iptables.te
policy/modules/system/iscsi.te
policy/modules/system/libraries.fc
policy/modules/system/logging.fc
policy/modules/system/logging.te
policy/modules/system/sysnetwork.te
policy/modules/system/userdomain.if
Miroslav Grepl [Mon, 27 Jun 2011 14:00:08 +0000 (14:00 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Conflicts:
policy/modules/kernel/terminal.if
policy/modules/system/logging.te
Dan Walsh [Mon, 27 Jun 2011 12:53:36 +0000 (08:53 -0400)]
Allow ifconfig to create appletalk_sockets
Dan Walsh [Mon, 27 Jun 2011 11:25:34 +0000 (07:25 -0400)]
Fix filetrans rule
Miroslav Grepl [Mon, 27 Jun 2011 07:57:56 +0000 (07:57 +0000)]
Fix setcap and getcap for syslogd
Miroslav Grepl [Mon, 27 Jun 2011 07:48:47 +0000 (07:48 +0000)]
Add files_delete_all_pid_sockets(init_t) instead of files_unlink_all_pid_sockets
Miroslav Grepl [Mon, 27 Jun 2011 07:32:23 +0000 (07:32 +0000)]
Fix name transition for ptmx_t
Dominick Grift [Sun, 26 Jun 2011 19:36:26 +0000 (21:36 +0200)]
logging.te: setcap and getcap are not permissions for the capability
object class they are permissions for the process object class.
Dominick Grift [Sun, 26 Jun 2011 19:30:55 +0000 (21:30 +0200)]
init.te: syntax error: files_unlink_all_pid_sockets is now
files_delete_all_pid_sockets.
Dominick Grift [Sun, 26 Jun 2011 19:22:10 +0000 (21:22 +0200)]
terminals: commented out for now because it breaks the build and does not
make sense.
/dev/pts directories has a (named) file transition rule in here as well
so if /dev/pts gets created with devpts_t then this chr_file in there
will automatically inherit this type from the parent.
If this rule was added as a fall back to ensure that /dev/pts/ptmx gets
created with a proper type even if /dev/pts is created with device_t
instead of devpts_t then we should not use filetrans_pattern here.
Dominick Grift [Sun, 26 Jun 2011 19:09:47 +0000 (21:09 +0200)]
irssi wants to read /proc/meminfo
irssi: remove duplicate policy (auth_use_nsswitch already provides for
this access)
irssi: remove irssi access to sendrecv from generic ports add access to
sendrecv from ircd and httpd_cache ports instead.
Dan Walsh [Sun, 26 Jun 2011 11:22:23 +0000 (07:22 -0400)]
Remove bogus $ from postfix.if
Chris PeBenito [Fri, 24 Jun 2011 13:04:41 +0000 (09:04 -0400)]
Module version bump for mozilla plugin bug fix from Harry Ciao.
Harry Ciao [Thu, 23 Jun 2011 02:53:44 +0000 (10:53 +0800)]
Fix the call to mozilla_run_plugin.
When mozilla_role interface is called, 1st argument is the caller's
role and 2nd argument is the caller's domain, such as:
mozilla_role(staff_r, staff_t)
When mozilla_role calls mozilla_run_plugin, the passed 2nd argument
should be the caller's role rather than its domain, so $1 not $2 should
be used.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Dan Walsh [Thu, 23 Jun 2011 20:11:16 +0000 (16:11 -0400)]
Fix label on abrt-hook-ccpp
Dan Walsh [Thu, 23 Jun 2011 19:29:17 +0000 (15:29 -0400)]
Init_t needs to unmount and remount all file systems
Dan Walsh [Thu, 23 Jun 2011 13:17:16 +0000 (09:17 -0400)]
Eliminate some confined domains from being able to talk to abrt
Dan Walsh [Thu, 23 Jun 2011 13:16:49 +0000 (09:16 -0400)]
Allow privoxy to read network state
Dan Walsh [Thu, 23 Jun 2011 13:16:13 +0000 (09:16 -0400)]
Fix call to mozilla_run_plugin to pass role
Dan Walsh [Wed, 22 Jun 2011 18:22:22 +0000 (14:22 -0400)]
Allow abrt to list apache modules
Dan Walsh [Wed, 22 Jun 2011 15:41:45 +0000 (11:41 -0400)]
Allow xserver_t roles to be used with insmod
Dan Walsh [Wed, 22 Jun 2011 15:17:59 +0000 (11:17 -0400)]
Allow colord_t to read icc_data
Dan Walsh [Wed, 22 Jun 2011 15:12:19 +0000 (11:12 -0400)]
Allow rhev_agentd to use console apps
Dan Walsh [Wed, 22 Jun 2011 15:11:51 +0000 (11:11 -0400)]
Dontaudit leaked init fd to daemons
Dan Walsh [Wed, 22 Jun 2011 15:10:49 +0000 (11:10 -0400)]
Allow systemd_tmpfiles_t to delete fifo_files in /run directories. Fix names on interfaces
Miroslav Grepl [Tue, 21 Jun 2011 18:10:04 +0000 (18:10 +0000)]
Allow ricci_modclusterd to connect to cluster port
Dan Walsh [Fri, 17 Jun 2011 18:30:12 +0000 (14:30 -0400)]
Allow chrome_sandbox to execute content in nfs homedir
Dan Walsh [Fri, 17 Jun 2011 18:23:38 +0000 (14:23 -0400)]
postfix_qmgr needs to read /var/spool/postfix/deferred
Dan Walsh [Fri, 17 Jun 2011 18:18:02 +0000 (14:18 -0400)]
abrt_t needs fsetid
Dan Walsh [Fri, 17 Jun 2011 17:59:22 +0000 (13:59 -0400)]
Make dnssec_t a mountpoint since bind_chroot package now mounts on it.
Dan Walsh [Fri, 17 Jun 2011 17:54:56 +0000 (13:54 -0400)]
syslog-ng latest version drops capabilities
Dan Walsh [Fri, 17 Jun 2011 17:48:10 +0000 (13:48 -0400)]
Allow lldpad to create its own shm
Dan Walsh [Fri, 17 Jun 2011 17:28:59 +0000 (13:28 -0400)]
Add filename transition for ptmx chr_file
Dan Walsh [Fri, 17 Jun 2011 13:40:47 +0000 (09:40 -0400)]
Allow mta_user_agent read and write fifo files passed into send_mail
Dan Walsh [Fri, 17 Jun 2011 12:23:12 +0000 (08:23 -0400)]
Add sanlock_log_t
Dominick Grift [Thu, 16 Jun 2011 21:00:04 +0000 (23:00 +0200)]
chrome sandbox needs to be able to open nfs/cifs files (may even need to
be able to mmap them in some cases?) #713934
Dominick Grift [Thu, 16 Jun 2011 20:42:15 +0000 (22:42 +0200)]
allow aria2c (abrt_t) to read /dev/random #713916
Dominick Grift [Thu, 16 Jun 2011 20:17:38 +0000 (22:17 +0200)]
Allow tmpreaper to set attributes of all user home content directories
and allow it to delete all user home content dirs, files, symlinks and
sock files. #713898
Dominick Grift [Thu, 16 Jun 2011 19:45:07 +0000 (21:45 +0200)]
support gecko mozilla browser plugin
Dominick Grift [Wed, 15 Jun 2011 20:16:56 +0000 (22:16 +0200)]
Merge branch 'master' of ssh://domg472@git.fedorahosted.org/git/selinux-policy.git
Dominick Grift [Wed, 15 Jun 2011 20:16:31 +0000 (22:16 +0200)]
dovecot auth wants to search statfs #713555
Dan Walsh [Wed, 15 Jun 2011 20:15:02 +0000 (16:15 -0400)]
Allow systemd passwd apps to read init fifo_file
Dan Walsh [Wed, 15 Jun 2011 20:12:30 +0000 (16:12 -0400)]
Allow systemd passwd apps to read init fifo_file