Commit message (Author, Age, Files, Lines)
* Move all files out of the old contrib directory. (Chris PeBenito, 2018-06-24; 777 files, -0/+81888)
* xserver: update to use new upstream xdg interfaces (Jason Zaman, 2018-06-16; 2 files, -6/+8)
* XDG: Module version bump. (Chris PeBenito, 2018-06-14; 1 file, -1/+1)
* Allow X server users to manage all xdg resources (Sven Vermeulen, 2018-06-14; 1 file, -0/+30)
  With the introduction of the freedesktop XDG location support in the policy, end users need to be allowed to manage these locations from their main user domain. The necessary privileges are added to the xserver_role() interface, which is in use by the unconfined user domain as well as the main other user domains (like user, sysadm and staff). The necessary file transitions for the directories are added as well.
  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Module version bumps for patches from James Carter. (Chris PeBenito, 2018-04-22; 1 file, -1/+1)
* Remove undeclared identifiers from xserver interface (James Carter, 2018-04-22; 1 file, -7/+2)
  The interface xserver_manage_xdm_spool_files() uses the undeclared type xdm_spool_t. Removed statements referring to this type and marked the interface as deprecated because it is now empty.
  Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
* Bump module versions for release. (Chris PeBenito, 2018-01-18; 2 files, -2/+2)
* mls, xserver, systemd, userdomain: Module version bump. (Chris PeBenito, 2017-12-13; 1 file, -1/+1)
* Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type) (David Sugar, 2017-12-13; 1 file, -0/+9)
  Setup type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.

  type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
  type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
  type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
  type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
  type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file

  Signed-off-by: Dave Sugar <dsugar@tresys.com>
* xserver: Module version bump. (Chris PeBenito, 2017-12-12; 1 file, -1/+1)
* Create interfaces to write to inherited xserver log files. (David Sugar, 2017-12-12; 1 file, -0/+39)
  Updated based on feedback
  Signed-off-by: Dave Sugar <dsugar@tresys.com>
* xserver, sysnetwork, systemd: Module version bump. (Chris PeBenito, 2017-12-12; 1 file, -1/+1)
* Allow xdm_t to read /proc/sys/crypto/fips_enabled (David Sugar via refpolicy, 2017-12-12; 1 file, -0/+1)
  type=AVC msg=audit(1512047222.742:53): avc: denied { search } for pid=1174 comm="lightdm-gtk-gre" name="crypto" dev="proc" ino=6218 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
  type=AVC msg=audit(1512047222.742:53): avc: denied { read } for pid=1174 comm="lightdm-gtk-gre" name="fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
  type=AVC msg=audit(1512047222.742:53): avc: denied { open } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
  type=AVC msg=audit(1512047222.743:54): avc: denied { getattr } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

  Signed-off-by: Dave Sugar <dsugar@tresys.com>
* corcmd, fs, xserver, init, systemd, userdomain: Module version bump. (Chris PeBenito, 2017-12-12; 1 file, -1/+1)
* Change label for ~/.xsession-errors (David Sugar, 2017-12-12; 1 file, -1/+2)
  Currently .xsession-errors is labeled user_home_t when created by xdm_t. Switch to using existing interface xserver_user_home_dir_filetrans_user_xsession_log to create the file with label xsession_log_t. This includes using the interface to manage the type xsession_log_t.

  type=AVC msg=audit(1511962175.985:77): avc: denied { create } for pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
  type=AVC msg=audit(1511962175.985:77): avc: denied { write open } for pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
  type=AVC msg=audit(1511962941.991:268): avc: denied { rename } for pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
  type=AVC msg=audit(1511962977.779:419): avc: denied { unlink } for pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file

  Signed-off-by: Dave Sugar <dsugar@tresys.com>
* Label /var/lib/lightdm-data (David Sugar, 2017-12-12; 1 file, -0/+1)
  RHEL 7.x includes the directory /var/lib/lightdm-data in the lightdm RPM. Label these files xdm_var_lib_t.
  Signed-off-by: Dave Sugar <dsugar@tresys.com>
* Module version bumps. (Chris PeBenito, 2017-11-15; 1 file, -1/+1)
* xserver: Allow xdm_t to map usr_t files (Luis Ressel, 2017-11-15; 1 file, -0/+1)
  This is required for gtk-based login managers to access gtk's icon cache. IIRC, past discussion on the ML came to the conclusion that adding a new domain for this would be overkill.
* kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. (Chris PeBenito, 2017-11-05; 2 files, -2/+2)
* Add key interfaces and perms (Jason Zaman, 2017-11-05; 4 files, -0/+21)
  Mostly taken from the fedora rawhide policy
* if application uses fonts, they may be mapped (Amadeusz Sławiński, 2017-10-29; 1 file, -1/+1)
  Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
* corecommands, xserver, systemd, userdomain: Version bumps. (Chris PeBenito, 2017-10-29; 1 file, -1/+1)
* xserver: do not audit ioctl operations on log files (Guido Trentalancia, 2017-10-29; 1 file, -1/+1)
  Do not audit ioctl operation attempts whenever write operations on the xserver log should not be audited.
  Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
* Module version bumps. (Chris PeBenito, 2017-09-14; 1 file, -1/+1)
* Grant all permissions necessary for Xorg and basic X clients (Luis Ressel, 2017-09-14; 2 files, -1/+5)
  Note that dev_rw_dri already has the permission; it was just forgotten to add it to dev_manage_dri, too.
* Remove complement and wildcard in allow rules. (Chris PeBenito, 2017-09-09; 5 files, -82/+100)
  Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules.
* Remove deprecated interfaces older than one year old. (Chris PeBenito, 2017-09-09; 2 files, -89/+0)
  Additionally, one deprecated attribute removed.
* Bump module versions for release. (Chris PeBenito, 2017-09-09; 2 files, -2/+2)
* Module version bump for patches from cgzones. (Chris PeBenito, 2017-06-13; 1 file, -1/+1)
* rkhunter: add interfaces for rkhunter module and sysadm permit (cgzones, 2017-06-13; 1 file, -0/+19)
* Module version bump for /usr/bin fc fixes from Nicolas Iooss. (Chris PeBenito, 2017-05-07; 2 files, -2/+2)
* Support systems with a single /usr/bin directory (Nicolas Iooss, 2017-05-07; 2 files, -0/+2)
  On systems such as Arch Linux, all programs which are usually located in /bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the other locations are symbolic links to this directory. With such a configuration, the file contexts which define types for files in /bin, /sbin and /usr/sbin need to be duplicated to provide definitions for /usr/bin/...

  As the "/bin vs. /usr/bin" part of the needed definitions has already been done with the "usr merge" patches, the next step consists in duplicating file contexts for /usr/sbin. This is what this patch does for all modules which are not in contrib.

  This is the second iteration of an idea I have previously posted on http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
* little misc strict from Russell Coker. (Chris PeBenito, 2017-04-30; 1 file, -2/+3)
* Module version bump for patches from Russell Coker and Guido Trentalancia. (Chris PeBenito, 2017-04-30; 1 file, -1/+1)
* Rename apm to acpi from Russell Coker. (Chris PeBenito, 2017-04-30; 1 file, -4/+4)
  This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries.

  The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
* Further strict systemd fixes from Russell Coker. (Chris PeBenito, 2017-04-30; 2 files, -1/+3)
* xdm sigchld interface from Russell Coker. (Chris PeBenito, 2017-04-30; 2 files, -1/+19)
* Module version bump from fixes from Guido Trentalancia. (Chris PeBenito, 2017-04-30; 1 file, -1/+1)
* xserver: fix iceauth_home_t file context creation (Guido Trentalancia via refpolicy, 2017-04-30; 1 file, -1/+32)
  This patch fixes the xserver module so that the hidden .ICEauthority file is created with the proper context (file transition). It also optimizes a similar interface used for xauth home files.
  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* devicekit, mount, xserver, and selinuxutil from Russell Coker (Chris PeBenito, 2017-04-30; 1 file, -1/+3)
  Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
  Allow mount_t to do more with its runtime files and stat more filesystem types.
  Allow xauth to send sigchld to xdm.
  Allow semanage to search policy_src_t dirs and read /dev/urandom.
* Systemd-related changes from Russell Coker. (Chris PeBenito, 2017-04-10; 3 files, -2/+15)
* Backport "Misc fc changes from Russel Coker." (Sven Vermeulen, 2017-04-10; 2 files, -1/+5)
  git apply failed so had to do this manually
* systemd-resolvd, sessions, and tmpfiles take2 (Chris PeBenito, 2017-03-30; 2 files, -2/+56)
  I believe that I have addressed all the issues Chris raised, so here's a newer version of the patch which applies to today's git version.

  Description: systemd-resolved, sessions, and tmpfiles patches
  Author: Russell Coker <russell@coker.com.au>
  Last-Update: 2017-03-26
* another version of systemd cgroups hostnamed and logind (Chris PeBenito, 2017-03-30; 2 files, -1/+39)
  From Russell Coker
* dontaudit net_admin for SO_SNDBUFFORCE (Chris PeBenito, 2017-03-30; 2 files, -1/+3)
  The following patch adds dontaudit rules for where the net_admin capability is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF which gives the same result but possibly a smaller buffer.

  From Russell Coker
* Module version bumps for fixes from cgzones. (Chris PeBenito, 2017-03-30; 2 files, -2/+2)
* modutils: adopt callers to new interfaces (cgzones, 2017-03-30; 1 file, -1/+1)
* corecmd_read_bin_symlinks(): remove deprecated and redundant calls (cgzones, 2017-03-30; 1 file, -2/+0)
* Little misc patches from Russell Coker. (Chris PeBenito, 2017-02-21; 2 files, -1/+21)
* Sort capabilities permissions from Russell Coker. (Chris PeBenito, 2017-02-17; 4 files, -7/+7)