git.ipfire.org Git - people/stevee/selinux-policy.git/log
Miroslav Grepl [Thu, 13 Jan 2011 13:46:52 +0000 (13:46 +0000)]
Fixes for namespace policy and other fixes related to polyinstantiation
Dan Walsh [Wed, 12 Jan 2011 21:58:13 +0000 (16:58 -0500)]
Add transition to namespace_init_t from namespace.init for polyinstantiated homedirs
Miroslav Grepl [Tue, 11 Jan 2011 17:14:18 +0000 (17:14 +0000)]
Allow dovecot-deliver transition to sendmail which is needed by sieve scripts
Fixes for init, psad policy which relate to confined users
Miroslav Grepl [Tue, 11 Jan 2011 12:30:29 +0000 (12:30 +0000)]
Do not audit bootloader attempts to read devicekit pid files
Miroslav Grepl [Mon, 10 Jan 2011 17:40:06 +0000 (17:40 +0000)]
Allow nagios service plugins to read /proc
Miroslav Grepl [Mon, 10 Jan 2011 17:26:33 +0000 (17:26 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Mon, 10 Jan 2011 17:25:57 +0000 (17:25 +0000)]
Add firewalld policy
Dan Walsh [Mon, 10 Jan 2011 15:55:12 +0000 (10:55 -0500)]
Allow vmware_host to read samba config
Dan Walsh [Mon, 10 Jan 2011 15:18:57 +0000 (10:18 -0500)]
Kernel wants to read /proc
Fix duplicate grub def in cobbler
Dan Walsh [Mon, 10 Jan 2011 14:43:46 +0000 (09:43 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Mon, 10 Jan 2011 14:40:51 +0000 (09:40 -0500)]
Chrony sends mail, executes shell, uses fifo_file and reads /proc
devicekitdisk getattr all file systems
sambd daemon writes wtmp file
libvirt transitions to dmidecode
Miroslav Grepl [Fri, 7 Jan 2011 14:50:23 +0000 (14:50 +0000)]
- Make kernel_t domain MLS trusted for lowering the level of file.
- Add label for /var/lib/tftpboot/grub directory
- Fixes for mpd policy
- Fix amanda_search_lib interface
Dan Walsh [Wed, 5 Jan 2011 20:59:57 +0000 (15:59 -0500)]
Transition from staff and unconfined to mock_t
Dan Walsh [Wed, 5 Jan 2011 20:55:09 +0000 (15:55 -0500)]
Allow mock to execmem and execstack, can run java/mono type apps requiring this priv
Dan Walsh [Wed, 5 Jan 2011 20:25:59 +0000 (15:25 -0500)]
Allow groupadd and useradd to work with console
Dominick Grift [Wed, 5 Jan 2011 11:28:24 +0000 (12:28 +0100)]
merging refs/remotes/origin/master into HEAD
Miroslav Grepl [Wed, 5 Jan 2011 10:57:58 +0000 (10:57 +0000)]
Allow mysql-safe to send null signal to mysql
Dominick Grift [Wed, 5 Jan 2011 09:52:29 +0000 (10:52 +0100)]
Screen only creates directories and pipes in /var/run/screen, thus the user owning a directory and pipe there should only be able to manage that. Since screen is not allowed to create lnk_files and files in /var/run/screen, users should not be able to manage files and lnk_files there either.
Signed-off-by: Dominick Grift <domg472@gmail.com>
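The least-privilege narrowing described in the commit above, written out as an illustration in refpolicy's macro style. This is an added example, not the commit's own diff: the screen_var_run_t type and the manage_*_pattern support macros are refpolicy conventions, while the use of `$2` as the user-domain argument of a role template is assumed for the sake of the illustration.

```selinux
# Illustration only (not the actual patch): the user domain passed to the
# template as $2 owns objects it created under /var/run/screen.
#
# Before: every object class in screen_var_run_t is manageable, including
# files and symlinks that screen never creates there.
manage_dirs_pattern($2, screen_var_run_t, screen_var_run_t)
manage_files_pattern($2, screen_var_run_t, screen_var_run_t)
manage_lnk_files_pattern($2, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($2, screen_var_run_t, screen_var_run_t)

# After: only the classes screen actually creates in that directory,
# i.e. directories and named pipes. Dropping the file and lnk_file rules
# removes an avenue for planting or following arbitrary links in /var/run/screen.
manage_dirs_pattern($2, screen_var_run_t, screen_var_run_t)
manage_fifo_files_pattern($2, screen_var_run_t, screen_var_run_t)
```

The check a policy writer would run after such a change is to confirm no new denials appear for screen_var_run_t in the audit log under normal screen use; if they do, the object class in the denial shows whether the narrowed rule set missed something screen really needs.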
Miroslav Grepl [Wed, 5 Jan 2011 09:25:52 +0000 (09:25 +0000)]
Fix typo
Dan Walsh [Tue, 4 Jan 2011 21:25:19 +0000 (16:25 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 4 Jan 2011 21:21:16 +0000 (16:21 -0500)]
Label /var/lock/subsys/shorewall as shorewall_lock_t
Allow users to communicate with the gpg_agent_t
Dontaudit mozilla_plugin_t using the inherited terminal
Allow sambagui to read files in /usr
webalizer manages squid log files
Allow unconfined domains to bind ports to raw_ip_sockets
Allow abrt to manage rpm logs when running yum
Need labels for /var/run/bittlebee
Label .ssh under amanda
Remove unused genrequires for virt_domain_template
Allow virt_domain to use fd inherited from virtd_t
Allow iptables to read shorewall config
Miroslav Grepl [Tue, 4 Jan 2011 19:00:45 +0000 (19:00 +0000)]
Rename keyboard policy to keyboardd policy
Miroslav Grepl [Tue, 4 Jan 2011 18:47:05 +0000 (18:47 +0000)]
Add initial policy for system-setup-keyboard which is now daemon
Miroslav Grepl [Tue, 4 Jan 2011 16:26:24 +0000 (16:26 +0000)]
Fixes for bitlbee policy
Add transition from unconfined_java_t to wine_t
Allow sshd to search amanda lib files
Miroslav Grepl [Mon, 3 Jan 2011 10:29:29 +0000 (10:29 +0000)]
- Fix label for /var/stockmaniac/templates_cache
Dan Walsh [Tue, 28 Dec 2010 20:40:34 +0000 (15:40 -0500)]
Allow radius to communicate with postgresql
Telepath sofia needs to bind to any udp port
Dan Walsh [Tue, 28 Dec 2010 19:52:31 +0000 (14:52 -0500)]
Gnome apps list config_home_t
mpd creates lnk files in homedir
apache leaks write to mail apps on tmp files
/var/stockmaniac/templates_cache contains log files
Abrt lists the contents of mount_tmp_t dirs
Dan Walsh [Tue, 28 Dec 2010 19:52:15 +0000 (14:52 -0500)]
passwd agent reads files under /dev and reads utmp file
Dan Walsh [Tue, 28 Dec 2010 19:51:38 +0000 (14:51 -0500)]
squid apache script connects to the squid port
Dan Walsh [Tue, 28 Dec 2010 19:51:00 +0000 (14:51 -0500)]
fix name of plymouth log file
Dan Walsh [Tue, 28 Dec 2010 19:50:27 +0000 (14:50 -0500)]
Stop labeling files under /var/lib/mock so restorecon will not go into this directory
Dan Walsh [Tue, 28 Dec 2010 19:49:44 +0000 (14:49 -0500)]
teamviewer is a wine app
Dan Walsh [Tue, 28 Dec 2010 15:17:27 +0000 (10:17 -0500)]
nsplugin needs to read network state for google talk
Dan Walsh [Tue, 28 Dec 2010 15:16:55 +0000 (10:16 -0500)]
allow dmesg to read system state
Dan Walsh [Thu, 23 Dec 2010 14:15:57 +0000 (09:15 -0500)]
Allow xdm and syslog to use /var/log/boot.log
Dan Walsh [Thu, 23 Dec 2010 14:15:22 +0000 (09:15 -0500)]
Allow users to communicate with mozilla_plugin and kill it
Dan Walsh [Thu, 23 Dec 2010 14:14:41 +0000 (09:14 -0500)]
Add labeling for ipv6
Dan Walsh [Wed, 22 Dec 2010 14:50:28 +0000 (09:50 -0500)]
Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
Dan Walsh [Wed, 22 Dec 2010 14:49:52 +0000 (09:49 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Wed, 22 Dec 2010 13:42:19 +0000 (13:42 +0000)]
Fixes for greylist_milter policy
Dan Walsh [Tue, 21 Dec 2010 22:22:49 +0000 (17:22 -0500)]
New labels for ghc http content
Dan Walsh [Tue, 21 Dec 2010 16:53:21 +0000 (11:53 -0500)]
nsplugin_config needs to read urand, lvm now calls setfscreate to create device nodes with proper context.
Dan Walsh [Tue, 21 Dec 2010 14:49:26 +0000 (09:49 -0500)]
pm-suspend now creates log file for append access so we remove devicekit_write_log and fix up appending to log files for init functions
Miroslav Grepl [Tue, 21 Dec 2010 08:55:39 +0000 (08:55 +0000)]
Fixes for passenger policy
Dan Walsh [Mon, 20 Dec 2010 21:40:56 +0000 (16:40 -0500)]
Allow staff users to run mysqld in the staff_t domain, akonadi needs this
Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
Dan Walsh [Mon, 20 Dec 2010 21:27:20 +0000 (16:27 -0500)]
auth_use_nsswitch does not need avahi to read passwords, needed for resolving data
Dan Walsh [Mon, 20 Dec 2010 21:24:01 +0000 (16:24 -0500)]
Dontaudit (xdm_t) gok attempting to list contents of /var/account
Telepathy domains need to read urand
Need interface to getattr all file classes in a mock library for setroubleshoot
Dan Walsh [Mon, 20 Dec 2010 20:56:58 +0000 (15:56 -0500)]
allow systemd_tmpfiles_t to delete /root/.* flags
Dan Walsh [Mon, 20 Dec 2010 19:13:08 +0000 (14:13 -0500)]
Add boot.log support to plymouthd
Dan Walsh [Mon, 20 Dec 2010 16:57:08 +0000 (11:57 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Conflicts:
policy/modules/system/init.if
Miroslav Grepl [Mon, 20 Dec 2010 17:24:18 +0000 (17:24 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/modules/system/init.if
Miroslav Grepl [Mon, 20 Dec 2010 17:02:53 +0000 (17:02 +0000)]
Add label for dkim-milter
Dan Walsh [Mon, 20 Dec 2010 16:43:31 +0000 (11:43 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Mon, 20 Dec 2010 15:59:38 +0000 (10:59 -0500)]
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/modules/system/init.if
Dan Walsh [Sat, 18 Dec 2010 12:23:52 +0000 (07:23 -0500)]
add authlogin_use_sssd to turn off access to ldap ports
Dan Walsh [Sat, 18 Dec 2010 12:23:05 +0000 (07:23 -0500)]
Init needs to delete symlinks from /dev
Dan Walsh [Sat, 18 Dec 2010 12:22:17 +0000 (07:22 -0500)]
Put dirsrv code in proper interface
Dan Walsh [Sat, 18 Dec 2010 12:20:44 +0000 (07:20 -0500)]
Need label for /var/lib/dkim-milter
Dan Walsh [Sat, 18 Dec 2010 12:20:11 +0000 (07:20 -0500)]
Prelink needs setfcap to restore file capabilities
Dan Walsh [Sat, 18 Dec 2010 12:19:21 +0000 (07:19 -0500)]
Fixup to match upstream.
Dan Walsh [Fri, 17 Dec 2010 17:07:51 +0000 (12:07 -0500)]
Fix access vectors so they do not break libselinux
Miroslav Grepl [Thu, 16 Dec 2010 17:00:19 +0000 (17:00 +0000)]
Allow mpd to read sound device
Chris PeBenito [Thu, 16 Dec 2010 14:03:51 +0000 (09:03 -0500)]
Fixes for samhain init_system_domain() usage.
Dan Walsh [Wed, 15 Dec 2010 21:33:47 +0000 (16:33 -0500)]
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Dan Walsh [Wed, 15 Dec 2010 21:26:53 +0000 (16:26 -0500)]
Add type for /usr/share/sandbox/start, so we can run sandbox on nfs shares
Chris PeBenito [Wed, 15 Dec 2010 19:50:28 +0000 (14:50 -0500)]
Whitespace fixes in init.
Chris PeBenito [Wed, 15 Dec 2010 19:48:43 +0000 (14:48 -0500)]
Rearrange distro blocks in init.fc
Chris Richards [Sun, 28 Nov 2010 08:44:46 +0000 (02:44 -0600)]
Fix OpenRC status dir labeling for Gentoo
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Chris Richards [Sun, 28 Nov 2010 08:44:05 +0000 (02:44 -0600)]
Fix OpenRC status dir labeling for Gentoo
Current policy sets /lib(32|64)?/rc/init.d to lib_t. This causes
problems for DHCP among other things, as the initrc domain does not
have permissions to perform some operations. Changing to
initrc_state_t (the labeling used for /var/lib/init.d by
the older baselayout-1) resolves some of these issues.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Chris PeBenito [Wed, 15 Dec 2010 19:06:58 +0000 (14:06 -0500)]
Fix samhain range transitions for MLS/MCS and a type transition conflict.
Miroslav Grepl [Wed, 15 Dec 2010 17:37:43 +0000 (17:37 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Wed, 15 Dec 2010 17:36:49 +0000 (17:36 +0000)]
Add setuid capability for vpnc
Chris PeBenito [Wed, 15 Dec 2010 16:28:52 +0000 (11:28 -0500)]
Add changelog entry for samhain.
Chris PeBenito [Wed, 15 Dec 2010 16:25:57 +0000 (11:25 -0500)]
Cleanup samhain.if.
* Rearrange rules in the template.
* Remove samhain_etc_t:dir perms since there are no such dirs.
* Add extra docs in samhain_domtrans().
* Include samhaind_t in admin interface process perms.
Chris PeBenito [Wed, 15 Dec 2010 16:13:18 +0000 (11:13 -0500)]
Move samhain domain declarations into its template.
Chris PeBenito [Wed, 15 Dec 2010 16:02:29 +0000 (11:02 -0500)]
Reorder samhain call in userdomain.
Chris PeBenito [Wed, 15 Dec 2010 16:01:12 +0000 (11:01 -0500)]
Whitespace fixes in samhain.
Harry Ciao [Mon, 8 Nov 2010 06:42:38 +0000 (14:42 +0800)]
Add support for the samhain program.
Note, extra privileges may need to be granted to the samhain domain
if its default configuration file(/etc/samhainrc) is changed.
The samhain program could be used in the following way:
(In secadm_r role)
1. Initialize filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
(Note, the current secadm console will be blocked until
the database is completed)
2. Start samhain daemon to check filesystem integrity
newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
3. Update filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t update"
(In sysadm_r role)
1. Start samhain in daemon mode:
run_init /etc/init.d/samhain start
2. Stop samhain daemon:
run_init /etc/init.d/samhain stop
3. Check samhain daemon status:
run_init /etc/init.d/samhain status
4. Read/write samhain log files:
newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"
5. Remove samhain database files
newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"
Note:
1. Stop samhain daemon before updating signature database.
2. Don't try to start samhain daemon twice.
3. Need to toggle SELinux into the Permissive mode in order to remove
the samhain_log files from /var/log/.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Dan Walsh [Wed, 15 Dec 2010 15:25:31 +0000 (10:25 -0500)]
Mistake in plymouth.te, should allow plymouthd to delete /var/log/boot.log
GoogleTalkPlugin is causing nsplugin to need to listen on tcp_socket, as well as list sysfs and create netlink_kobject_socket
Miroslav Grepl [Wed, 15 Dec 2010 13:43:56 +0000 (13:43 +0000)]
Fixes for boinc and munin policy
Chris PeBenito [Wed, 15 Dec 2010 13:09:08 +0000 (08:09 -0500)]
Fix mojomojo module author. Apologies to Iain Arnell for the typo.
Miroslav Grepl [Wed, 15 Dec 2010 10:21:53 +0000 (10:21 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy
Miroslav Grepl [Tue, 14 Dec 2010 19:29:16 +0000 (19:29 +0000)]
Fix for dkim-milter
Dan Walsh [Tue, 14 Dec 2010 16:13:30 +0000 (11:13 -0500)]
remove per sandbox domains devpts types
Dan Walsh [Tue, 14 Dec 2010 15:30:05 +0000 (10:30 -0500)]
Allow sandbox to run on nfs partitions, fixes for systemd_tmpfs
Dan Walsh [Mon, 13 Dec 2010 22:07:42 +0000 (17:07 -0500)]
Allow domains that transition to ping or traceroute to kill them
Allow user_t to conditionally transition to ping_t and traceroute_t
Add fixes to systemd- tools, including new labeling for systemd-fsck, systemd-cryptsetup
Dan Walsh [Mon, 13 Dec 2010 20:46:13 +0000 (15:46 -0500)]
fixes for systemd apps
Dan Walsh [Mon, 13 Dec 2010 20:22:23 +0000 (15:22 -0500)]
Label /var/run/*cron* as crond_var_run_t
Miroslav Grepl [Mon, 13 Dec 2010 18:53:21 +0000 (18:53 +0000)]
Remove duplicate declaration
Miroslav Grepl [Mon, 13 Dec 2010 15:52:08 +0000 (15:52 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Mon, 13 Dec 2010 15:51:33 +0000 (15:51 +0000)]
Dontaudit sys_ptrace capability for mozilla-plugin
Chris PeBenito [Mon, 13 Dec 2010 15:09:37 +0000 (10:09 -0500)]
Update Changelog and VERSION for release.
Dan Walsh [Mon, 13 Dec 2010 14:40:09 +0000 (09:40 -0500)]
mozilla_plugin needs to read certs in the homedir.
Dan Walsh [Mon, 13 Dec 2010 14:18:41 +0000 (09:18 -0500)]
Certmonger needs more access
nero libraries need textrel_shlib_t
Chris PeBenito [Mon, 13 Dec 2010 14:12:22 +0000 (09:12 -0500)]
Bump module versions for release.
Dan Walsh [Fri, 10 Dec 2010 21:09:04 +0000 (16:09 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Fri, 10 Dec 2010 21:04:58 +0000 (16:04 -0500)]
Dontaudit leaked file descriptors from devicekit
Fix irssi to use auth_use_nsswitch
Change to use interface without param in corenet to disable unlabelednet packets
Allow init to relabel sockets and fifo files in /dev
certmonger needs dac* capabilities to manage cert files not owned by root
dovecot needs fsetid to change group membership on mail
plymouthd removes /var/log/boot.log
systemd is creating symlinks in /dev
Change label on /etc/httpd/alias to be all cert_t
Miroslav Grepl [Fri, 10 Dec 2010 13:49:52 +0000 (13:49 +0000)]
Allow alsa to create tmp files in /tmp
adobe dir in user home directory needs to be created with the proper label
Miroslav Grepl [Thu, 9 Dec 2010 18:26:33 +0000 (18:26 +0000)]
Fixes for clamscan and boinc policy
Miroslav Grepl [Wed, 8 Dec 2010 17:49:52 +0000 (17:49 +0000)]
Add boinc_project_t setpgid