Commits on Jul 24, 2014
Commits on Jul 9, 2014
  1. couchdb: Allow disksup df to getattr pretty much everything

    wtogami committed Jul 9, 2014
    Switch from dontaudit to allow.  Add additional allows to fix all visible AVCs.
    
    TODO: Unclear if the three marked are still needed.
Commits on Jul 7, 2014
  1. /usr/lib/erlang/erts-.*/bin/ must be bin_t

    wtogami committed Jul 7, 2014
    They are not part of rabbitmq.
Commits on Jun 30, 2014
  1. Use init_daemon_pid_file for contrib modules

    sjvermeu authored and pebenito committed Jun 28, 2014
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Commits on Jun 25, 2014
  1. Add filetrans for ntp-kod file

    perfinion authored and pebenito committed Jun 23, 2014
    sntp has a file used to persist the history of KoD responses
    received from servers.  The default is /var/db/ntp-kod.
    
    This patch adds the fcontext and a filetrans so it can be created.
    
    Changes from v1:
    * use files_var_filetrans instead of filetrans_pattern
    
    Signed-off-by: Jason Zaman <jason@perfinion.com>
Commits on Jun 17, 2014
  1. apache.te: Add labelling support for /var/log/mlogc

    yersinia authored and pebenito committed Jun 10, 2014
    Add the right labelling support for the
    ModSecurity Audit Log Collector (mlogc).
    mlogc is started by apache and runs with the
    same SELinux security context.
    
    Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
Commits on May 20, 2014
  1. Mark icedtea binaries as java_exec_t

    sjvermeu authored and pebenito committed May 17, 2014
    Add the icedtea location to the java file contexts so that the icedtea
    java binaries are marked as java_exec_t.
    
    See also https://bugs.gentoo.org/show_bug.cgi?id=510364
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
  2. Fix typo in dnsmasq.if

    sjvermeu authored and pebenito committed May 16, 2014
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Commits on Apr 24, 2014
  1. Move sock_file filetrans to fcron_crond conditional.

    pebenito committed Apr 24, 2014
    Also drop the name in the filetrans.
  2. fcron socket support

    sjvermeu authored and pebenito committed Apr 21, 2014
    The fcron daemon creates a socket file in /var/run (called fcron.fifo)
    which is used by the fcrondyn application to interact with the fcron
    daemon. This application allows admins to list the defined jobs, run
    jobs immediately, remove jobs, etc.
    
    Without this, fcrondyn cannot connect to the cron daemon; fcron also
    logs this at start-up:
    
    fcron[23724]: Cannot bind socket to '/var/run/fcron.fifo': Permission denied
    
    Through this patch, we allow the crond daemon to create this socket and
    update the admin role to allow the admin domain to stream_connect
    through this socket to the crond_t domain.
    
    Changes since v1:
    - Moved named file transition outside tunable_policy
    - Use user domain instead of role in cron_admin's stream_connect_pattern
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
  3. Snort policy updates

    sjvermeu authored and pebenito committed Apr 21, 2014
    When snort starts up, its init script creates the /var/run/snort directory.
    However, the policy did not have a file transition for this, which results
    in the /var/run/snort directory being initrc_var_run_t.
    
    By supporting a file transition to snort_var_run_t the PID file can be
    hosted inside its own directory as intended.
    
    Error logs from Snort:
    Apr  9 14:42:45 server snort[1916]: WARNING: /var/run/snort is invalid, trying /var/run...
    Apr  9 14:42:45 server snort[1916]: Previous Error, errno=13, (Permission denied)
    Apr  9 14:42:45 server snort[1916]: PID path stat checked out ok, PID path set to /var/run/
    
    Second, snort is not able to write to its own log file. It needs the
    write privilege for this (append no longer cuts it) as found through the
    AVC denial.
    
    Error logs from Snort:
    Apr  9 14:42:45 server snort[1916]: FATAL ERROR: spo_unified2.c(320) Could not open /var/log/snort//merged.log: Permission denied
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Commits on Apr 21, 2014
  1. Label /usr/sbin/ModemManager as modemmanager_exec_t

    bigon authored and pebenito committed Apr 12, 2014
    The modem-manager executable has been renamed in recent versions (>= 0.7.990).
Commits on Apr 15, 2014
  1. Add new gnome_spec_domtrans_all_gkeyringd() interface

    bigon authored and pebenito committed Apr 11, 2014
    Allow the caller to transition to all the gkeyringd domains.
  2. Properly label exim4 initscript under Debian

    bigon authored and pebenito committed Apr 11, 2014
    Keep the same regex as for the other file contexts.
  3. Fix the usage of dbus_spec_session_domain() interface

    bigon authored and pebenito committed Apr 11, 2014
    Change the order of the parameters for the calls to
    dbus_spec_session_domain() interface.
    
    For consistency with the other dbus interfaces and for backward
    compatibility, we consider that the description was correct and
    change the callers instead.
    
    The order of the parameter for this interface is the following:
     dbus_spec_session_domain(role_prefix, domain, entry_point)
  4. Allow gconfd to be started by the session bus

    bigon authored and pebenito committed Apr 11, 2014
    Allow gconfd to be started by the session bus and make it transition to
    its own domain.
    
    It also connects to the system bus to listen to signals from the
    org.gnome.GConf.Defaults interface.
  5. Fix dbus_all_session_domain(), session_bus_type is an attribute

    bigon authored and pebenito committed Apr 11, 2014
    Fix dbus_all_session_domain(): session_bus_type is an attribute, not a
    type.
Commits on Apr 11, 2014
  1. Fix strange file patterns

    fishilico authored and pebenito committed Apr 5, 2014
    Some file patterns look very strange, like:
    
        /var/log/cluster/.*\.*log
    
    I found such patterns while writing a script that parses the file patterns.
    Hence I haven't tested whether the new file contexts apply to the existing files.
    For example, this patch changes
    
        /var/run/*.fingerd\.pid
    
    to
    
        /var/run/fingerd\.pid
    
    because "/*" seems weird to me, but this also changes the semantic of the
    pattern.  Another possibility which doesn't change the meaning is:
    
        /var/run/?.fingerd\.pid
    
    I send this patch as an RFC because what I consider abnormal may in fact be
    something expected or a workaround to fix some bugs I'm not aware of.
  2. Label /usr/share/gitweb/static as httpd_git_content_t

    fishilico authored and pebenito committed Apr 5, 2014
    This directory contains gitweb static files at least on Debian and ArchLinux.
Commits on Apr 4, 2014