Commit message   [Author, Age, Files, Lines]
* Update Python requirement in INSTALL   [Nicolas Iooss, 2014-11-22, 1 file, -1/+1]
|
|     PyXML has not been required to build the policy and its documentation since
|     at least Python 2.6, which comes with an "xml" module. Moreover, some support
|     scripts require Python 2.6 or above (and are compatible with Python 3.4, maybe
|     also with other versions of Python 3). Add the minimum supported version of
|     Python in INSTALL.
|
|     ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
|
* Add new audit_read access vector in capability2 class   [Laurent Bigonville, 2014-11-22, 1 file, -0/+1]
|
|     This AV has been added in 3.16 in commit 3a101b8de0d39403b2c7e5c23fd0b005668acf48
|
* Add info on why munin crontab is explicitly mentioned   [Sven Vermeulen, 2014-11-11, 1 file, -0/+1]
|
* Crontab fix for munin (workaround) is in policy   [Sven Vermeulen, 2014-11-11, 4 files, -4/+4]
|
* Force munin crontab to be system_u (define context), fix bug #526532   [Sven Vermeulen, 2014-11-11, 1 file, -0/+4]
|
* Add manual pages for munin SELinux policy, supports bug #526532   [Sven Vermeulen, 2014-11-11, 2 files, -0/+307]
|
* Fix typo in cron manual page   [Sven Vermeulen, 2014-11-11, 2 files, -3/+3]
|
* Add cron_selinux manual page, support for bug #526532   [Sven Vermeulen, 2014-11-11, 2 files, -0/+633]
|
* Fix bug #528602 - Update context for vnstatd binary   [Sven Vermeulen, 2014-11-11, 1 file, -0/+1]
|
* Fix bug #528602 - vnstatd init script naming fix in fc file thanks to Eric Glisse   [Sven Vermeulen, 2014-11-08, 1 file, -0/+5]
|
* Add auth_read_shadow for run_init_t to support pam-less openrc   [Sven Vermeulen, 2014-11-02, 1 file, -0/+4]
|
* Support pam_rootok.so update in pam.d/run_init for integrated run_init support in openrc   [Sven Vermeulen, 2014-11-02, 1 file, -1/+2]
|
* Emerge is also handled by python-exec   [Sven Vermeulen, 2014-11-01, 1 file, -2/+4]
|
* Adding DISTDIR support   [Sven Vermeulen, 2014-11-01, 1 file, -2/+3]
|
* Update link to upstream git repo (tag: 2.20140311-r7)   [Sven Vermeulen, 2014-11-01, 1 file, -1/+1]
|
* No need for KEYWORDS edits anymore, is now part of ebuild as well   [Sven Vermeulen, 2014-11-01, 1 file, -1/+0]
|
* Merge with upstream   [Sven Vermeulen, 2014-10-31, 1 file, -1/+1]
|
* Module version bump for /sbin/iw support from Nicolas Iooss.   [Chris PeBenito, 2014-10-31, 1 file, -1/+1]
|
* Add comment for iw generic netlink socket usage   [Chris PeBenito, 2014-10-31, 1 file, -0/+2]
|
* Use create_netlink_socket_perms when allowing netlink socket creation   [Nicolas Iooss, 2014-10-31, 2 files, -3/+3]
|
|     create_netlink_socket_perms is defined as:
|
|         { create_socket_perms nlmsg_read nlmsg_write }
|
|     This means that it is redundant to allow create_socket_perms and
|     nlmsg_read/nlmsg_write. Clean up things without allowing anything new.
|
* Allow iw to create generic netlink sockets   [Nicolas Iooss, 2014-10-31, 1 file, -0/+1]
|
|     iw uses a generic netlink socket to configure WiFi properties. For example,
|     "strace iw dev wlan0 set power_save on" outputs:
|
|         socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
|         setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
|         setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
|         bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
|
|     Some AVC denials are reported in audit.log:
|
|         type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
|         type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
|         type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
|         type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
|         type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
|
|     Allowing ifconfig_t to create generic netlink sockets fixes this.
|
|     (On a side note, the AVC denials were caused by TLP, a tool which applies
|     "laptop configuration" when switching between AC and battery with the help
|     of a udev script)
|
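The two commits above (the create_netlink_socket_perms clean-up and the iw netlink denials) can both be checked mechanically. The following Python script is an added example and is not part of the hardened-refpolicy repository or of either commit: it parses the five AVC records quoted in the iw commit message (plus one constructed SYSCALL record that the parser must skip), aggregates the denied permissions per (source type, target type, object class) the way audit2allow does, and maps them onto the named socket permission sets that refpolicy defines in policy/support/obj_perm_sets.spt. The set contents are reproduced here from that file so the script runs without a policy tree; the socket-class heuristic in choose_perm_set and every function name are this example's own, not an audit2allow feature.

```python
import re
from collections import defaultdict

# Socket permission sets as refpolicy defines them in policy/support/obj_perm_sets.spt,
# copied here so the script runs without a policy tree (verify against your checkout).
RW_SOCKET_PERMS = frozenset({"ioctl", "read", "getattr", "write", "setattr", "append",
                             "bind", "connect", "getopt", "setopt", "shutdown"})
CREATE_SOCKET_PERMS = RW_SOCKET_PERMS | {"create"}
RW_NETLINK_SOCKET_PERMS = RW_SOCKET_PERMS | {"nlmsg_read", "nlmsg_write"}
CREATE_NETLINK_SOCKET_PERMS = CREATE_SOCKET_PERMS | {"nlmsg_read", "nlmsg_write"}

PERM_SETS = {
    "rw_socket_perms": RW_SOCKET_PERMS,
    "create_socket_perms": CREATE_SOCKET_PERMS,
    "rw_netlink_socket_perms": RW_NETLINK_SOCKET_PERMS,
    "create_netlink_socket_perms": CREATE_NETLINK_SOCKET_PERMS,
}

# The five AVC records quoted in the "Allow iw to create generic netlink sockets"
# commit message, followed by one constructed SYSCALL record (not from the page)
# that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1408829044.820:490): arch=c000003e syscall=41 success=yes exit=3 comm="iw"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return ({field: value}, {denied perms}) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return fields, set(m.group("perms").split())


def type_of(context):
    """user:role:type[:range] -> type, so an MLS/MCS range does not split the key."""
    return context.split(":")[2]


def aggregate_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        fields, perms = parsed
        key = (type_of(fields["scontext"]), type_of(fields["tcontext"]), fields["tclass"])
        denied[key] |= perms
    return dict(denied)


def choose_perm_set(tclass, perms):
    """Prefer a named refpolicy socket set over a raw list, in the spirit of the
    create_netlink_socket_perms clean-up; non-socket classes get the raw list.
    (Heuristic of this example only.)"""
    if tclass.startswith("netlink_") and tclass.endswith("_socket"):
        candidates = ("rw_netlink_socket_perms", "create_netlink_socket_perms")
    elif tclass.endswith("_socket"):
        candidates = ("rw_socket_perms", "create_socket_perms")
    else:
        candidates = ()
    for name in candidates:
        if perms <= PERM_SETS[name]:
            return name
    return "{ " + " ".join(sorted(perms)) + " }"


def allow_rules(log_text):
    """One allow rule per (source, target, class); equal source and target become 'self'."""
    rules = []
    for (src, tgt, tclass), perms in sorted(aggregate_denials(log_text).items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {choose_perm_set(tclass, perms)};")
    return rules


def expand(perm_spec):
    """Flatten '{ create_socket_perms nlmsg_read nlmsg_write }' into raw permissions."""
    raw = set()
    for token in perm_spec.strip().strip("{}").split():
        raw |= PERM_SETS.get(token, frozenset({token}))
    return raw


def simplify(perm_spec):
    """Return the named set whose members equal perm_spec exactly, else the spec unchanged."""
    raw = expand(perm_spec)
    for name, members in PERM_SETS.items():
        if members == raw:
            return name
    return perm_spec


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    spelled_out = "{ create_socket_perms nlmsg_read nlmsg_write }"
    print(f"{spelled_out} == {simplify(spelled_out)}")
```

Run stand-alone, the script prints `allow ifconfig_t self:netlink_socket create_netlink_socket_perms;`, one rule in place of five individual permissions, and `simplify()` confirms that the spelled-out `{ create_socket_perms nlmsg_read nlmsg_write }` expands to exactly the same set, which is the "without allowing anything new" argument of the clean-up commit. Note that the named set also grants nlmsg_read and nlmsg_write, which never appeared in the denials; whether that widening is acceptable is a policy decision, and the script only makes it visible.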
* Label /sbin/iw as ifconfig_exec_t   [Nicolas Iooss, 2014-10-31, 1 file, -0/+2]
|
|     iw manpage says "iw - show / manipulate wireless devices and their
|     configuration". Label this command ifconfig_exec_t to allow it to manage
|     wireless communication devices.
|
|     Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
|     /usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
|
* regenerated corenetwork.te after adding adb ports   [Jason Zaman, 2014-10-26, 2 files, -0/+450]
|
* Add policy for Android tools and SDK   [Jason Zaman, 2014-10-20, 3 files, -0/+212]
|
* Add port for ADB (Android Debug Bridge)   [Jason Zaman, 2014-10-12, 1 file, -0/+1]
|
* Add java_domain_type interface   [Jason Zaman, 2014-10-12, 2 files, -0/+37]
|
|     This interface will enable another domain to use Java without having to
|     domtrans to java_t
|
* Allow setting ownership of ts/ directory   [Sven Vermeulen, 2014-10-12, 1 file, -0/+3]
|
|     When creating the ts/ directory (in which sudo keeps timestamps), allow the
|     sudo application to set ownership. No errors involved (only denial) but the
|     end result is different (group ownership is different, even though there is
|     no group privilege).
|
* Allow sudo to create /var/run/sudo if non-existing   [Sven Vermeulen, 2014-10-12, 1 file, -0/+3]
|
|     When sudo is invoked and the /var/run/sudo directory (in which a ts/
|     subdirectory would be created and managed by sudo) is not available yet, sudo
|     will try to create it. Grant it this privilege and have this directory be
|     labeled as pam_var_run_t.
|
|     Without this, we get:
|
|         sudo: unable to mkdir /var/run/sudo: Permission denied
|
* Add auth_pid_filetrans_pam_var_run   [Sven Vermeulen, 2014-10-12, 1 file, -0/+34]
|
|     This interface allows a domain to create resources inside the generic pid
|     location (/var/run) and have them created with the pam_var_run_t type.
|
* Merge upstream   [Sven Vermeulen, 2014-10-12, 1 file, -2/+2]
|
* Module version bump for Debian arping fc entries from Laurent Bigonville.   [Chris PeBenito, 2014-10-12, 1 file, -1/+1]
|
* Fix minor typo in init.if   [Nicolas Iooss, 2014-10-12, 1 file, -1/+1]
|
* Debian also ships a different arping implementation   [Laurent Bigonville, 2014-10-12, 1 file, -0/+1]
|
|     In addition to the iputils arping implementation, Debian also ships another
|     implementation which is installed under /usr/sbin/arping
|
* On Debian iputils-arping is installed in /usr/bin/arping   [Laurent Bigonville, 2014-10-12, 1 file, -0/+1]
|
* Drop RHEL4 and RHEL5 support.   [Chris PeBenito, 2014-10-12, 9 files, -148/+3]
|
* Module version bump for changes to the networkmanager modules by Lubomir Rintel   [Dominick Grift, 2014-10-12, 1 file, -1/+1]
|
* Allow NetworkManager to create Bluetooth SDP sockets   [Lubomir Rintel, 2014-10-12, 1 file, -0/+1]
|
|     It's going to do the discovery for DUN service for modems with Bluez 5.
|
* Merge with master upstream   [Sven Vermeulen, 2014-09-21, 1 file, -1/+1]
|
* Module version bump for CIL fixes from Yuli Khodorkovskiy.   [Chris PeBenito, 2014-09-21, 5 files, -5/+5]
|
* Remove duplicate role declarations   [Yuli Khodorkovskiy, 2014-09-21, 5 files, -5/+4]
|
|     - This patch is needed since CIL does not allow duplicate role declarations.
|       The roles for system_r, staff_r, sysadm_r, and user_r were already declared
|       in kernel.te. Since the roles are pulled in from require statements in the
|       appropriate interfaces, the duplicate role declarations could be deleted in
|       modules for auditadm, staff, sysadm, and userdomain.
|
|     - Move a role declaration that used an argument passed into the
|       userdom_base_user_template into a gen_require statement.
|
* /dev/log symlinks are not labeled devlog_t.   [Chris PeBenito, 2014-09-21, 2 files, -2/+1]
|
|     Drop rule; if /dev/log is a symlink, it should be device_t.
|
*   Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-refpolicy   [Sven Vermeulen, 2014-09-13, 1 file, -0/+5]
|\
| * fcontext for bluetoothd on gentoo   [Jason Zaman, 2014-09-03, 1 file, -0/+5]
| |
* | Reintroduce refpolicy quirks as merging becomes difficult otherwise   [Sven Vermeulen, 2014-09-13, 1 file, -5/+5]
| |
* | Move gentoo specifics downward for faster merging   [Sven Vermeulen, 2014-09-13, 1 file, -5/+20]
| |
* | Merge master upstream   [Sven Vermeulen, 2014-09-13, 1 file, -1/+1]
| |
* | Module version bumps for systemd/journald patches from Nicolas Iooss.   [Chris PeBenito, 2014-09-13, 3 files, -3/+3]
| |
* | Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)   [Nicolas Iooss, 2014-09-13, 1 file, -1/+1]
| |
| |     Since commit 0fd9dc55, logging.te contains:
| |
| |         term_write_all_user_ttys(syslogd_t)
| |
| |     As "write" is a superset of "append", this rule is no longer needed:
| |
| |         term_append_unallocated_ttys(syslogd_t)
| |
| |     While at it, add a comment which explains why
| |     term_dontaudit_setattr_unallocated_ttys is needed.
| |
* | Allow journald to access the state of all processes   [Nicolas Iooss, 2014-09-13, 1 file, -0/+2]
| |
| |     When a process sends a syslog message to journald, journald records
| |     information such as command, executable, cgroup, etc.:
| |     http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589
| |
| |     This needs domain_read_all_domains_state.
| |
* | Add comment for journald ring buffer reading.   [Chris PeBenito, 2014-09-13, 1 file, -0/+1]
| |