git.ipfire.org Git - people/stevee/selinux-policy.git/log
dwalsh [Thu, 10 Nov 2011 14:14:04 +0000 (09:14 -0500)]
Remove need for qemu.te file altogether by moving qemu_exec_t to virt.te
dwalsh [Thu, 10 Nov 2011 13:50:05 +0000 (08:50 -0500)]
Add a boolean to turn off all instances of ptrace in the policy
dwalsh [Thu, 10 Nov 2011 13:46:46 +0000 (08:46 -0500)]
More apache script domain to use attributes, to shrink the size of policy
dwalsh [Thu, 10 Nov 2011 13:39:06 +0000 (08:39 -0500)]
Add label to /etc/passwd and /etc/group files, to start to block containers from being able to read their contents.
dwalsh [Thu, 10 Nov 2011 13:24:04 +0000 (08:24 -0500)]
Icecast seems to need to read /dev/rand and /dev/urand
Miroslav Grepl [Thu, 10 Nov 2011 07:07:46 +0000 (07:07 +0000)]
Revert "Fix pulseaudio_role() and move usermanage_home_role() template to appropriate places"
This reverts commit 732e5bc35d39e7911eb7787f69ae326cc0472594.
Miroslav Grepl [Thu, 10 Nov 2011 07:06:30 +0000 (07:06 +0000)]
Add TODO comment for puppet
Miroslav Grepl [Thu, 10 Nov 2011 07:01:58 +0000 (07:01 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Conflicts:
policy/modules/services/vhostmd.te
Dan Walsh [Wed, 9 Nov 2011 22:58:50 +0000 (17:58 -0500)]
Add allow rules for puppet based on Orion's AVCs in Rawhide
Dan Walsh [Wed, 9 Nov 2011 20:52:44 +0000 (15:52 -0500)]
logrotate needs to be able to send signals at all levels
Dan Walsh [Wed, 9 Nov 2011 18:33:09 +0000 (13:33 -0500)]
Allow crond to send dbus messages to init
Dan Walsh [Wed, 9 Nov 2011 17:58:27 +0000 (12:58 -0500)]
init needs to be able to create private tmp dirs for services
Dan Walsh [Wed, 9 Nov 2011 17:57:51 +0000 (12:57 -0500)]
Consolekit needs to read the environ field of logged in users
Miroslav Grepl [Wed, 9 Nov 2011 14:19:25 +0000 (14:19 +0000)]
Fix pulseaudio_role() and move usermanage_home_role() template to appropriate places
for mozilla and nsplugin
Dan Walsh [Wed, 9 Nov 2011 13:16:01 +0000 (08:16 -0500)]
Allow dhcpc_t to read chronyd keys files
Dan Walsh [Wed, 9 Nov 2011 13:07:42 +0000 (08:07 -0500)]
vhostmd needs to send itself signals and wants to read /dev/random
Miroslav Grepl [Wed, 9 Nov 2011 09:26:33 +0000 (09:26 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Wed, 9 Nov 2011 09:22:59 +0000 (09:22 +0000)]
Add vhostmd fixes
Dan Walsh [Tue, 8 Nov 2011 20:23:51 +0000 (15:23 -0500)]
Add 9990 as a new port for jboss_management
Dan Walsh [Tue, 8 Nov 2011 17:08:40 +0000 (12:08 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 8 Nov 2011 17:08:28 +0000 (12:08 -0500)]
Allow login programs to connect to the pki_ca_port
Dan Walsh [Tue, 8 Nov 2011 17:08:01 +0000 (12:08 -0500)]
Allow service_munin_plugin_t to create its own shm
Miroslav Grepl [Tue, 8 Nov 2011 16:54:26 +0000 (16:54 +0000)]
Allow user_mail_t to read mail home file
Miroslav Grepl [Tue, 8 Nov 2011 15:05:34 +0000 (15:05 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
dwalsh [Tue, 8 Nov 2011 14:44:24 +0000 (09:44 -0500)]
Add filetrans rules for homecontent in userdom, allow chrome_sandbox to create home_cert_t
Miroslav Grepl [Mon, 7 Nov 2011 19:46:32 +0000 (19:46 +0000)]
Fix typo in fstools policy
Miroslav Grepl [Mon, 7 Nov 2011 17:25:35 +0000 (17:25 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Mon, 7 Nov 2011 17:24:25 +0000 (17:24 +0000)]
Make faillog MLS trusted to make sudo_$1_t working
Miroslav Grepl [Mon, 7 Nov 2011 17:23:18 +0000 (17:23 +0000)]
Fix the latest MCS patch to restrict fifo_file only on open to make sandbox working
Dan Walsh [Mon, 7 Nov 2011 23:47:14 +0000 (18:47 -0500)]
Allow sandbox_web_client_t to read passwd_file_t
Dan Walsh [Mon, 7 Nov 2011 16:58:50 +0000 (11:58 -0500)]
Add .mailrc file context
Dan Walsh [Fri, 4 Nov 2011 20:39:32 +0000 (16:39 -0400)]
Remove execheap from openoffice domain
Dan Walsh [Fri, 4 Nov 2011 18:52:27 +0000 (14:52 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Fri, 4 Nov 2011 18:52:12 +0000 (14:52 -0400)]
Allow chrome_sandbox_nacl_t to read cpu_info
Miroslav Grepl [Fri, 4 Nov 2011 18:14:18 +0000 (18:14 +0000)]
Allow virtd to relabel generic usb which is need if USB device
Miroslav Grepl [Fri, 4 Nov 2011 17:38:17 +0000 (17:38 +0000)]
Allow fsadm to read all to read files and directories regardless of their MCS category set.
Miroslav Grepl [Fri, 4 Nov 2011 16:31:11 +0000 (16:31 +0000)]
Fixes for virt.if interfaces to consider chr_file as image file type
Miroslav Grepl [Fri, 4 Nov 2011 15:02:17 +0000 (15:02 +0000)]
Also add MCS fixes for initrc
Miroslav Grepl [Fri, 4 Nov 2011 15:01:34 +0000 (15:01 +0000)]
init_t needs mcs fixes
Miroslav Grepl [Fri, 4 Nov 2011 14:33:12 +0000 (14:33 +0000)]
virtd_t needs to be able to relabel chr_file
Miroslav Grepl [Fri, 4 Nov 2011 14:31:49 +0000 (14:31 +0000)]
Allow virtd_t to execute qemu-kvm
Dan Walsh [Fri, 4 Nov 2011 14:16:59 +0000 (10:16 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Fri, 4 Nov 2011 14:16:32 +0000 (10:16 -0400)]
init execs /lib/systemd/ksmctl which writes to the run fields in sysfs
Miroslav Grepl [Fri, 4 Nov 2011 13:44:14 +0000 (13:44 +0000)]
Changes for policy/mcs
Miroslav Grepl [Fri, 4 Nov 2011 12:24:21 +0000 (12:24 +0000)]
Fix thumb_role() interface
Miroslav Grepl [Fri, 4 Nov 2011 12:19:39 +0000 (12:19 +0000)]
Fix typo
Miroslav Grepl [Fri, 4 Nov 2011 11:42:46 +0000 (11:42 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Fri, 4 Nov 2011 11:42:18 +0000 (11:42 +0000)]
Allow systemd-tmpfile to delete /run/user/$USER/dconf
Miroslav Grepl [Fri, 4 Nov 2011 11:27:53 +0000 (11:27 +0000)]
Add dirsrvadmin_lock_t type
Dan Walsh [Thu, 3 Nov 2011 18:29:32 +0000 (14:29 -0400)]
Allow systemd_tmpfiles_t to delete all user content, if the user moves a file to /tmp, systemd_tmpfiles_t needs to be able to delete it. Also will fix the ability to delete /run/user/ content
Dan Walsh [Thu, 3 Nov 2011 18:23:42 +0000 (14:23 -0400)]
Allow plymouthd_t to talk to sssd
Miroslav Grepl [Thu, 3 Nov 2011 15:31:09 +0000 (15:31 +0000)]
Fix context declaration in cloudform.fc
Dan Walsh [Thu, 3 Nov 2011 15:24:47 +0000 (11:24 -0400)]
megadev should be a fixed_disk, not a removable disk.
megadev0 is the SCSI board where all the local hard drives are
connected.
Dan Walsh [Thu, 3 Nov 2011 15:16:06 +0000 (11:16 -0400)]
use the correct interface
Dan Walsh [Thu, 3 Nov 2011 15:10:30 +0000 (11:10 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Thu, 3 Nov 2011 15:09:51 +0000 (11:09 -0400)]
We have seen mount execute the consolehelper executable
dwalsh [Thu, 3 Nov 2011 14:16:58 +0000 (10:16 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Thu, 3 Nov 2011 14:15:34 +0000 (10:15 -0400)]
Package-cleanup does use the rpm libraries
Dan Walsh [Thu, 3 Nov 2011 13:25:53 +0000 (09:25 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Thu, 3 Nov 2011 13:24:04 +0000 (09:24 -0400)]
Allow quota to add quotadb files to mail_spool and mta_mquue
Miroslav Grepl [Thu, 3 Nov 2011 12:19:32 +0000 (12:19 +0000)]
Allow initrc_t to manage dirsrv pid files
dwalsh [Wed, 2 Nov 2011 16:40:39 +0000 (12:40 -0400)]
Updated cloudforms policy for latest AVC's
dwalsh [Wed, 2 Nov 2011 16:10:22 +0000 (12:10 -0400)]
MLS Overrides needed for a user running at a level to be able to use sudo and talk to sssd
dwalsh [Wed, 2 Nov 2011 16:09:30 +0000 (12:09 -0400)]
More AVCS from Tom London for thumb
dwalsh [Wed, 2 Nov 2011 14:33:32 +0000 (10:33 -0400)]
Tom London avc's show thumb domain connecting back to user unix_stream_sockets
dwalsh [Wed, 2 Nov 2011 14:32:57 +0000 (10:32 -0400)]
Tom London shows telepathy_msn_t trying to look at pid 1, no reason to not allow it
dwalsh [Wed, 2 Nov 2011 14:32:08 +0000 (10:32 -0400)]
Allow userdomains to talk to usbmuxd for handling ipods
dwalsh [Wed, 2 Nov 2011 14:20:37 +0000 (10:20 -0400)]
Allow devicekit_power_t to manage content in gnome directories of home dir, also allow it to read /dev/urandom
Miroslav Grepl [Wed, 2 Nov 2011 11:38:30 +0000 (11:38 +0000)]
Remove duplicate TE rules
Miroslav Grepl [Wed, 2 Nov 2011 09:43:46 +0000 (09:43 +0000)]
Fix dev_filetrans_xserver_named_dev() interface
Miroslav Grepl [Wed, 2 Nov 2011 09:23:11 +0000 (09:23 +0000)]
Add support for pam_tty_audit.so for sudo domains
Miroslav Grepl [Wed, 2 Nov 2011 09:03:36 +0000 (09:03 +0000)]
Make cloudform working again with SELinux
Miroslav Grepl [Wed, 2 Nov 2011 07:57:58 +0000 (07:57 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Tue, 1 Nov 2011 20:28:04 +0000 (16:28 -0400)]
Allow fsetid to smbd_t policy
Dan Walsh [Tue, 1 Nov 2011 20:21:47 +0000 (16:21 -0400)]
Add dev_filetrans_xserver_misc to xserver_t so that if it creates a device in /dev it will be labeled xserver_misc_dev_t:
Dan Walsh [Tue, 1 Nov 2011 18:54:12 +0000 (14:54 -0400)]
Allow xserver_t to create nvidia devices with the correct label
Dan Walsh [Tue, 1 Nov 2011 15:39:36 +0000 (11:39 -0400)]
devicekit_dontaudit_rw_log actually needs open
Dan Walsh [Tue, 1 Nov 2011 15:38:52 +0000 (11:38 -0400)]
mozilla_plugin_tmpfs_t not used in mozila_domtrans_plugin interface
Dan Walsh [Tue, 1 Nov 2011 15:38:24 +0000 (11:38 -0400)]
Duplicate policy removed
Dan Walsh [Tue, 1 Nov 2011 15:15:25 +0000 (11:15 -0400)]
gnomeclock on kde wants to create dgram_socket
Dan Walsh [Tue, 1 Nov 2011 13:40:39 +0000 (09:40 -0400)]
initrc_t should not be setting up devices if unconfined.pp is disabled
Dan Walsh [Tue, 1 Nov 2011 13:40:03 +0000 (09:40 -0400)]
Allow virtd_t domains to manage svirt_image_t chr_file
Miroslav Grepl [Tue, 1 Nov 2011 11:59:07 +0000 (11:59 +0000)]
Allow tor to read sysfs_t
Miroslav Grepl [Tue, 1 Nov 2011 11:17:28 +0000 (11:17 +0000)]
Fix abrt_manage_cache() interface
Miroslav Grepl [Tue, 1 Nov 2011 11:09:43 +0000 (11:09 +0000)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Miroslav Grepl [Tue, 1 Nov 2011 06:39:55 +0000 (06:39 +0000)]
Revert "remove temporary fixes"
This reverts commit d62a4335e120f3f385575c25d20e2198b69ac3c1.
Miroslav Grepl [Tue, 1 Nov 2011 06:31:38 +0000 (06:31 +0000)]
Revert "Temporary remove conflict filename transition for kernel_t"
This reverts commit dac919641809cd23dbdeb7f8b288c985a3d6b7ef.
Miroslav Grepl [Tue, 1 Nov 2011 06:30:50 +0000 (06:30 +0000)]
remove temporary fixes
Dan Walsh [Mon, 31 Oct 2011 20:39:56 +0000 (16:39 -0400)]
Make filetrans rules optional so base policy will build
Dan Walsh [Mon, 31 Oct 2011 18:50:49 +0000 (14:50 -0400)]
Dontaudit chkpwd_t access to inherited TTYS
Dan Walsh [Mon, 31 Oct 2011 18:46:20 +0000 (14:46 -0400)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
Dan Walsh [Mon, 31 Oct 2011 18:46:07 +0000 (14:46 -0400)]
Make sure postfix content gets created with the correct label
Miroslav Grepl [Mon, 31 Oct 2011 14:49:40 +0000 (14:49 +0000)]
Temporary remove conflict filename transition for kernel_t
Miroslav Grepl [Mon, 31 Oct 2011 13:10:36 +0000 (13:10 +0000)]
Allow gnomeclock to read cgroup
Miroslav Grepl [Mon, 31 Oct 2011 11:26:12 +0000 (11:26 +0000)]
Move libs* calling in kernel.te to optional block
Miroslav Grepl [Mon, 31 Oct 2011 11:11:01 +0000 (11:11 +0000)]
Fixes for cloudform policy
Miroslav Grepl [Mon, 31 Oct 2011 10:00:08 +0000 (10:00 +0000)]
Allow pptp to read kernel network state
Miroslav Grepl [Mon, 31 Oct 2011 08:37:58 +0000 (08:37 +0000)]
Allow gpg to read spamd tmp file
Miroslav Grepl [Mon, 31 Oct 2011 08:56:20 +0000 (08:56 +0000)]
Allow kcmdatetimehelper to read hardware state information
Dan Walsh [Fri, 28 Oct 2011 20:36:35 +0000 (16:36 -0400)]
New name for imagfac.py