git.ipfire.org Git - people/stevee/selinux-policy.git/log
Dan Walsh [Wed, 23 Nov 2011 17:57:10 +0000 (12:57 -0500)]
saslauthd_t needs to connect to zarafa_port_t
Miroslav Grepl [Mon, 21 Nov 2011 13:05:19 +0000 (14:05 +0100)]
Allow collectd-web to read collectd lib files
Miroslav Grepl [Mon, 21 Nov 2011 11:33:56 +0000 (12:33 +0100)]
Allow colord to get the attributes of tmpfs filesystem
Miroslav Grepl [Mon, 21 Nov 2011 11:28:14 +0000 (12:28 +0100)]
Add sanlock_use_nfs and sanlock_use_samba booleans
Miroslav Grepl [Mon, 21 Nov 2011 11:10:00 +0000 (12:10 +0100)]
Add bin_t label for /usr/lib/virtualbox/VBoxManage
Miroslav Grepl [Mon, 21 Nov 2011 10:27:54 +0000 (11:27 +0100)]
cloudfrom_exec_mongodb is interface
Dan Walsh [Fri, 18 Nov 2011 18:45:13 +0000 (13:45 -0500)]
Get rid of extra fuse rules covered by userdom_home_manager
Dan Walsh [Fri, 18 Nov 2011 18:44:39 +0000 (13:44 -0500)]
Mount needs to read process state when mounting gluster file systems
Dan Walsh [Fri, 18 Nov 2011 18:29:12 +0000 (13:29 -0500)]
Allow colord to read mislabeled icc file in the users homedir
Dan Walsh [Fri, 18 Nov 2011 16:54:23 +0000 (11:54 -0500)]
Fix typo
Dan Walsh [Fri, 18 Nov 2011 16:48:51 +0000 (11:48 -0500)]
Allow mcelog_t to create dir and file in /var/run and label it correctly
Dan Walsh [Fri, 18 Nov 2011 16:44:43 +0000 (11:44 -0500)]
Allow thumb_t to create thumb_tmp_t in user_tmp_t directories
Dan Walsh [Fri, 18 Nov 2011 16:23:10 +0000 (11:23 -0500)]
Add auth_home_t for content that needs to be written by login programs, .google_authenticator is the only one that I know of so far
Dan Walsh [Fri, 18 Nov 2011 15:00:23 +0000 (10:00 -0500)]
Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
Dan Walsh [Fri, 18 Nov 2011 14:28:35 +0000 (09:28 -0500)]
We missed an alias for chkpwd_t -> system_chkpwd_t
Dan Walsh [Thu, 17 Nov 2011 21:31:16 +0000 (16:31 -0500)]
Mount using the curlftpfs will require sys_nice and setsched
Dan Walsh [Thu, 17 Nov 2011 18:38:55 +0000 (13:38 -0500)]
Fix build errors
Dan Walsh [Thu, 17 Nov 2011 18:28:26 +0000 (13:28 -0500)]
Merge nsplugin into mozilla_plugin domain
Dan Walsh [Thu, 17 Nov 2011 17:57:40 +0000 (12:57 -0500)]
Allow mozilla_plugin and nsplugin to read audio_home_t
Dan Walsh [Thu, 17 Nov 2011 14:31:40 +0000 (09:31 -0500)]
Allow namespace_init_t to use the console, define system_map_t as a proc_type, so dontaudit in libra will work
Dan Walsh [Thu, 17 Nov 2011 14:30:06 +0000 (09:30 -0500)]
Add label for yaboot/addnote, fix some whitespace
Dan Walsh [Wed, 16 Nov 2011 21:23:06 +0000 (16:23 -0500)]
Allow kdumpgui to run bootloader and mount and create tmp files
Dan Walsh [Wed, 16 Nov 2011 21:06:55 +0000 (16:06 -0500)]
We need to treat port_t and unreserved_port_t as generic_port types
Dan Walsh [Wed, 16 Nov 2011 15:51:19 +0000 (10:51 -0500)]
Not ready for this change yet, reverting
Dan Walsh [Wed, 16 Nov 2011 15:49:01 +0000 (10:49 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Conflicts:
policy/modules/services/policykit.te
Miroslav Grepl [Wed, 16 Nov 2011 15:52:17 +0000 (16:52 +0100)]
Backport fixes from RHEL6 to make cronjobs working in MLS
Dan Walsh [Wed, 16 Nov 2011 15:46:25 +0000 (10:46 -0500)]
Seems like policykit and consolekit need sys_ptrace for now, not sure if kernel update will fix this problem
Miroslav Grepl [Wed, 16 Nov 2011 15:21:04 +0000 (16:21 +0100)]
Temporary fix devicekit_filetrans_named_content() interface
Miroslav Grepl [Wed, 16 Nov 2011 14:50:09 +0000 (15:50 +0100)]
auth_use_nsswitch() can no be used with attribute
Miroslav Grepl [Wed, 16 Nov 2011 14:48:07 +0000 (15:48 +0100)]
Revert "Add ftp support for mozilla plugins"
This reverts commit c91eba2cf72ecd1dfc7bf67eaf01934d0a1bd520.
Miroslav Grepl [Tue, 15 Nov 2011 21:23:17 +0000 (22:23 +0100)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Tue, 15 Nov 2011 21:12:55 +0000 (22:12 +0100)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Tue, 15 Nov 2011 21:00:08 +0000 (22:00 +0100)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 15 Nov 2011 19:22:12 +0000 (14:22 -0500)]
Add ssh_dontaudit_search_home_dir
Dan Walsh [Tue, 15 Nov 2011 19:20:06 +0000 (14:20 -0500)]
Changes to allow namespace_init_t to work
Dan Walsh [Tue, 15 Nov 2011 18:34:20 +0000 (13:34 -0500)]
Add interface to allow exec of mongod, add port definition for mongod port, 27017
Dan Walsh [Tue, 15 Nov 2011 14:38:00 +0000 (09:38 -0500)]
Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
Dan Walsh [Tue, 15 Nov 2011 14:19:21 +0000 (09:19 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 15 Nov 2011 14:18:03 +0000 (09:18 -0500)]
Allow spamd and clamd to stream connect to each other
Dan Walsh [Tue, 15 Nov 2011 14:17:37 +0000 (09:17 -0500)]
Add policy label for passwd.OLD
Miroslav Grepl [Tue, 15 Nov 2011 11:03:21 +0000 (11:03 +0000)]
More fixes for postfix and postfix maildrop
Miroslav Grepl [Tue, 15 Nov 2011 10:51:27 +0000 (10:51 +0000)]
Add ftp support for mozilla plugins
Miroslav Grepl [Tue, 15 Nov 2011 10:33:28 +0000 (10:33 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
dwalsh [Mon, 14 Nov 2011 19:52:00 +0000 (14:52 -0500)]
Useradd now needs to manage policy since it calls libsemanage
Miroslav Grepl [Mon, 14 Nov 2011 18:59:10 +0000 (18:59 +0000)]
Other policykit fixes
Conflicts:
policy/modules/services/policykit.if
Miroslav Grepl [Mon, 14 Nov 2011 18:04:24 +0000 (18:04 +0000)]
Try to add devicekit_relabel_log_files() instead of filename trans for apmd since there is a conflict between apmd_var_log_t and devicekit_var_log_t
Miroslav Grepl [Mon, 14 Nov 2011 16:56:55 +0000 (16:56 +0000)]
Fix devicekit_manage_log_files() interface
Miroslav Grepl [Mon, 14 Nov 2011 16:51:53 +0000 (16:51 +0000)]
Fix devicekit_* filename trans interfaces
Miroslav Grepl [Mon, 14 Nov 2011 15:29:31 +0000 (15:29 +0000)]
Add policykit_domain attribute for policykit domains and call auth_use_nsswitch just for this attribute
Allow policykit_domain to read /sys
Miroslav Grepl [Mon, 14 Nov 2011 15:12:50 +0000 (15:12 +0000)]
Allow colord to execute ifconfig
Miroslav Grepl [Mon, 14 Nov 2011 14:45:28 +0000 (14:45 +0000)]
Allow accountsd to read /sys
Miroslav Grepl [Mon, 14 Nov 2011 14:25:26 +0000 (14:25 +0000)]
Allow accountsd to read /sys
Miroslav Grepl [Mon, 14 Nov 2011 13:48:34 +0000 (13:48 +0000)]
Allow mysqld-safe to execute shell
Miroslav Grepl [Mon, 14 Nov 2011 13:46:30 +0000 (13:46 +0000)]
Allow openct to stream connect to pcscd
Other fixes for openct (remove transition declaration)
Miroslav Grepl [Mon, 14 Nov 2011 13:08:35 +0000 (13:08 +0000)]
Add label for /var/run/nm-dns-dnsmasq\.conf
Dan Walsh [Fri, 11 Nov 2011 22:25:28 +0000 (17:25 -0500)]
Allow apmd to run pm-suspend and create the devicekit log files with the correct label
Dan Walsh [Fri, 11 Nov 2011 22:14:57 +0000 (17:14 -0500)]
Allow networkmanager to chat with virtd_t
Dan Walsh [Fri, 11 Nov 2011 22:09:54 +0000 (17:09 -0500)]
Allow init to run postfix aliases.db file and read /etc/aliases file
Dan Walsh [Fri, 11 Nov 2011 21:58:56 +0000 (16:58 -0500)]
Allow pulseaudio to read .esd_auth file
Dan Walsh [Fri, 11 Nov 2011 21:45:33 +0000 (16:45 -0500)]
Fix ldconfig to create file with the correct label
Dan Walsh [Fri, 11 Nov 2011 21:39:11 +0000 (16:39 -0500)]
Change all calls that use the use_nfs_home_dirs to use attributes for either userdom_home_reader_type or userdom_home_manager_type, then we don't have to cut and paste the same code all over the place
Dan Walsh [Fri, 11 Nov 2011 20:09:43 +0000 (15:09 -0500)]
fix copy paste errors
Dan Walsh [Fri, 11 Nov 2011 20:01:08 +0000 (15:01 -0500)]
Allow mock to create dirs as well as files
Dan Walsh [Fri, 11 Nov 2011 19:57:48 +0000 (14:57 -0500)]
Multiple fixes for blueman
Dan Walsh [Fri, 11 Nov 2011 19:57:22 +0000 (14:57 -0500)]
Allow pulseaudio_t to manage lnk_files in homedir
Dan Walsh [Fri, 11 Nov 2011 19:14:31 +0000 (14:14 -0500)]
Remove all patches to execmem, java, openoffice and mono
Dan Walsh [Fri, 11 Nov 2011 18:56:30 +0000 (13:56 -0500)]
We have to get rid of java_exec_t, mono_exec_t, execmem_exec_t to stop templates from working
Dan Walsh [Fri, 11 Nov 2011 17:10:06 +0000 (12:10 -0500)]
Allow fail2ban to manage /etc/deny.hosts
Dan Walsh [Fri, 11 Nov 2011 15:53:06 +0000 (10:53 -0500)]
Dontaudit access_check for all files from xdm_t, it runs gnome-shell
Dan Walsh [Fri, 11 Nov 2011 15:40:15 +0000 (10:40 -0500)]
Add new device label for /dev/ati/card.*
Dan Walsh [Fri, 11 Nov 2011 15:36:38 +0000 (10:36 -0500)]
Added getattr to dontaudit
Dan Walsh [Fri, 11 Nov 2011 15:29:13 +0000 (10:29 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Fri, 11 Nov 2011 15:29:03 +0000 (10:29 -0500)]
Allow keyring to read /sys/devices/system/cpu/online
Miroslav Grepl [Fri, 11 Nov 2011 15:12:08 +0000 (15:12 +0000)]
Puppet fixes
Miroslav Grepl [Fri, 11 Nov 2011 15:07:22 +0000 (15:07 +0000)]
Remove userdom_manage_home_role() pulseaudio_role()
Miroslav Grepl [Fri, 11 Nov 2011 15:01:24 +0000 (15:01 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Fri, 11 Nov 2011 14:08:44 +0000 (09:08 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Fri, 11 Nov 2011 13:54:55 +0000 (13:54 +0000)]
Puppet fixes
Miroslav Grepl [Fri, 11 Nov 2011 08:29:19 +0000 (08:29 +0000)]
Allow smbcontrol to signal themselves
Dan Walsh [Thu, 10 Nov 2011 23:56:54 +0000 (18:56 -0500)]
Move permissive blueman to permissivedomains.te
Dan Walsh [Thu, 10 Nov 2011 23:29:47 +0000 (18:29 -0500)]
Add blueman policy
Dan Walsh [Thu, 10 Nov 2011 23:29:25 +0000 (18:29 -0500)]
virt wants to dbus chat with init
Dan Walsh [Thu, 10 Nov 2011 23:28:58 +0000 (18:28 -0500)]
tmpreaper wants to read meminfo
Dan Walsh [Fri, 11 Nov 2011 04:43:54 +0000 (23:43 -0500)]
Allow smbcontrol_t to signal itself
dwalsh [Thu, 10 Nov 2011 19:49:14 +0000 (14:49 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
dwalsh [Thu, 10 Nov 2011 19:48:56 +0000 (14:48 -0500)]
add label for /var/spool/turboprint
Dan Walsh [Thu, 10 Nov 2011 16:49:00 +0000 (11:49 -0500)]
Allow piranha_web_t to read /dev/random
dwalsh [Thu, 10 Nov 2011 14:33:07 +0000 (09:33 -0500)]
Remove all f16 permissive domains from F17
dwalsh [Thu, 10 Nov 2011 14:27:27 +0000 (09:27 -0500)]
Remove execmem_exec_t, java_exec_t, mono_exec_t and allow confined users to use execmem, add deny_execmem boolean to turn off execmem for all users. Probably will only work in server non graphical environments since so much of the desktop now requires JIT and execmem
dwalsh [Thu, 10 Nov 2011 14:19:43 +0000 (09:19 -0500)]
I am moving to remove consoletype policy package altogether from the system. I want to see if anything breaks without this package. It has tended to be an SELinux AVC generator with little to no benefit
dwalsh [Thu, 10 Nov 2011 14:14:04 +0000 (09:14 -0500)]
Remove need for qemu.te file altogether by moving qemu_exec_t to virt.te
dwalsh [Thu, 10 Nov 2011 13:50:05 +0000 (08:50 -0500)]
Add a boolean to turn off all instances of ptrace in the policy
dwalsh [Thu, 10 Nov 2011 13:46:46 +0000 (08:46 -0500)]
More apache script domain to use attributes, to shrink the size of policy
dwalsh [Thu, 10 Nov 2011 13:39:06 +0000 (08:39 -0500)]
Add label to /etc/passwd and /etc/group files, to start to block containers from being able to read their contents.
dwalsh [Thu, 10 Nov 2011 13:24:04 +0000 (08:24 -0500)]
Icecast seems to need to read /dev/rand and /dev/urand
Miroslav Grepl [Thu, 10 Nov 2011 07:07:46 +0000 (07:07 +0000)]
Revert "Fix pulseaudio_role() and move usermanage_home_role() template to appropriate places"
This reverts commit 732e5bc35d39e7911eb7787f69ae326cc0472594.
Miroslav Grepl [Thu, 10 Nov 2011 07:06:30 +0000 (07:06 +0000)]
Add TODO comment for puppet
Miroslav Grepl [Thu, 10 Nov 2011 07:01:58 +0000 (07:01 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Conflicts:
policy/modules/services/vhostmd.te
Dan Walsh [Wed, 9 Nov 2011 22:58:50 +0000 (17:58 -0500)]
Add allow rules for puppet based on Orions AVCs in Rawhide
Dan Walsh [Wed, 9 Nov 2011 20:52:44 +0000 (15:52 -0500)]
logrotate needs to be able to send signals at all levels