Commits on Jul 24, 2014
Commits on Jul 9, 2014
  1. couchdb: Allow disksup df to getattr pretty much everything

    Switch from dontaudit to allow.  Add additional allows to fix all visible AVCs.
    
    TODO: Unclear if the three marked are still needed.
    committed Jul 9, 2014
Commits on Jul 7, 2014
  1. /usr/lib/erlang/erts-.*/bin/ must be bin_t

    They are not part of rabbitmq.
    committed Jul 7, 2014
Commits on Jun 30, 2014
  1. Use init_daemon_pid_file for contrib modules

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
    sjvermeu committed with pebenito Jun 28, 2014
Commits on Jun 25, 2014
  1. Add filetrans for ntp-kod file

    sntp has a file used to persist the history of KoD responses
    received from servers.  The default is /var/db/ntp-kod.
    
    This patch adds the fcontext and a filetrans so it can be created.
    
    Changes from v1:
    * use files_var_filetrans instead of filetrans_pattern
    
    Signed-off-by: Jason Zaman <jason@perfinion.com>
    perfinion committed with pebenito Jun 23, 2014
Commits on Jun 17, 2014
  1. apache.te: Add labelling support for /var/log/mlogc

    Add the right labelling support for the
    ModSecurity Audit Log Collector (mlogc).
    mlogc is started by apache and runs with the
    same SELinux security context.
    
    Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
    yersinia committed with pebenito Jun 10, 2014
Commits on May 20, 2014
  1. Mark icedtea binaries as java_exec_t

    Add the icedtea location to the java file contexts so that the icedtea
    java binaries are marked as java_exec_t.
    
    See also https://bugs.gentoo.org/show_bug.cgi?id=510364
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
    sjvermeu committed with pebenito May 17, 2014
  2. Fix typo in dnsmasq.if

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
    sjvermeu committed with pebenito May 16, 2014
Commits on Apr 24, 2014
  1. Move sock_file filetrans to fcron_crond conditional.

    Also drop the name in the filetrans.
    pebenito committed Apr 24, 2014
  2. fcron socket support

    The fcron daemon creates a socket file in /var/run (called fcron.fifo)
    which is used by the fcrondyn application to interact with the fcron
    daemon. This application allows admins to list the defined jobs, run
    jobs immediately, remove jobs, etc.
    
    Without this, fcrondyn cannot connect to the cron daemon; fcron also
    logs this at start-up:
    
    fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission
    denied
    
    Through this patch, we allow the crond daemon to create this socket and
    update the admin role to allow the admin domain to stream_connect
    through this socket to the crond_t domain.
    
    Changes since v1:
    - Moved named file transition outside tunable_policy
    - Use user domain instead of role in cron_admin's stream_connect_pattern
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
    sjvermeu committed with pebenito Apr 21, 2014
  3. Snort policy updates

    When snort starts up, its init script creates the /var/run/snort directory.
    However, the policy did not have a file transition for this, which results
    in the /var/run/snort directory being initrc_var_run_t.
    
    By supporting a file transition to snort_var_run_t the PID file can be
    hosted inside its own directory as intended.
    
    Error logs from Snort:
    Apr  9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid,
    trying /var/run...
    Apr  9 14:42:45 server snort[1916]: Previous Error, errno=13,
    (Permission denied)
    Apr  9 14:42:45 server snort[1916]: PID path stat checked out ok, PID
    path set to /var/run/
    
    Second, snort is not able to write to its own log file. It needs the
    write privilege for this (append no longer cuts it) as found through the
    AVC denial.
    
    Error logs from Snort:
    Apr  9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320)
    Could not open /var/log/snort//merged.log: Permission denied
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
    sjvermeu committed with pebenito Apr 21, 2014
Commits on Apr 21, 2014
  1. Label /usr/sbin/ModemManager as modemmanager_exec_t

    The modem-manager executable has been renamed in recent versions (>= 0.7.990)
    bigon committed with pebenito Apr 12, 2014
Commits on Apr 15, 2014
  1. Add new gnome_spec_domtrans_all_gkeyringd() interface

    Allow the caller to transition to all the gkeyringd domains
    bigon committed with pebenito Apr 11, 2014
  2. Properly label exim4 initscript under Debian

    Keep the same regex expression as for the other filecontexts
    bigon committed with pebenito Apr 11, 2014
  3. Fix the usage of dbus_spec_session_domain() interface

    Change the order of the parameters for the calls to
    dbus_spec_session_domain() interface.
    
    For consistency with the other dbus interfaces and backward
    compatibility, we consider that the description was correct and we
    change the callers instead.
    
    The order of the parameter for this interface is the following:
     dbus_spec_session_domain(role_prefix, domain, entry_point)
    bigon committed with pebenito Apr 11, 2014
  4. Allow gconfd to be started by the session bus

    Allow gconfd to be started by the session bus and make it transition to
    its own domain.
    
    It also connects to the system bus to listen to signals from
    org.gnome.GConf.Defaults interface
    bigon committed with pebenito Apr 11, 2014
  5. Fix dbus_all_session_domain(), session_bus_type is an attribute

    Fix dbus_all_session_domain(), session_bus_type is an attribute not a
    type
    bigon committed with pebenito Apr 11, 2014
Commits on Apr 11, 2014
  1. Fix strange file patterns

    Some file patterns look very strange, like:
    
        /var/log/cluster/.*\.*log
    
    I've found such patterns while writing a script that parses the file patterns.
    Hence I haven't tested if the new file contexts apply to the existing files.
    For example, this patch changes
    
        /var/run/*.fingerd\.pid
    
    to
    
        /var/run/fingerd\.pid
    
    because "/*" seems weird to me, but this also changes the semantic of the
    pattern.  Another possibility which doesn't change the meaning is:
    
        /var/run/?.fingerd\.pid
    
    I send this patch as an RFC because what I consider abnormal may in fact be
    something expected or a workaround to fix some bugs I'm not aware of.
    fishilico committed with pebenito Apr 5, 2014
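As an added illustration (not part of the commit above or of the refpolicy tree), the following Python compares the three fcontext patterns quoted in that commit message against a few constructed paths; it assumes anchored full-path matching, which is how libselinux applies file context regexes.

```python
import re

# The three file-context patterns quoted in the commit message above.
# Note that "/*" means "zero or more slashes" and "." means "any one
# character", which is what makes the original pattern look odd.
PATTERNS = {
    "original": r"/var/run/*.fingerd\.pid",    # pattern before the patch
    "rewritten": r"/var/run/fingerd\.pid",     # what the patch changes it to
    "alternative": r"/var/run/?.fingerd\.pid", # the meaning-preserving variant mentioned
}

# Constructed sample paths for the comparison; none come from a real system.
SAMPLE_PATHS = [
    "/var/run/fingerd.pid",
    "/var/run/xfingerd.pid",
    "/var/run//xfingerd.pid",
    "/var/runxfingerd.pid",
    "/var/run/fingerd.pid.bak",
]


def matches(pattern, path):
    """Anchored match of one fcontext regex against a full path (assumption:
    mirrors libselinux adding ^ and $ around every file_contexts entry)."""
    return re.fullmatch(pattern, path) is not None


def compare(patterns, paths):
    """Return {path: {pattern_name: bool}} showing which pattern labels which path."""
    return {p: {name: matches(rx, p) for name, rx in patterns.items()} for p in paths}


def semantic_diff(old, new, paths):
    """Paths whose labelling decision would change when `old` is replaced by `new`."""
    return [p for p in paths if matches(old, p) != matches(new, p)]


if __name__ == "__main__":
    for path, results in compare(PATTERNS, SAMPLE_PATHS).items():
        print(path.ljust(28), results)
    print("changed by patch:", semantic_diff(PATTERNS["original"], PATTERNS["rewritten"], SAMPLE_PATHS))
    print("changed by alternative:", semantic_diff(PATTERNS["original"], PATTERNS["alternative"], SAMPLE_PATHS))
```

Running it shows that the original pattern accepts every sample path except the `.bak` one, the patched pattern accepts only the exact PID file, and the `/?` alternative differs from the original only on the double-slash sample.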
  2. Label /usr/share/gitweb/static as httpd_git_content_t

    This directory contains gitweb static files at least on Debian and ArchLinux.
    fishilico committed with pebenito Apr 5, 2014
Commits on Apr 4, 2014