Commit log. Each entry gives the commit message, followed by author, date, number of files changed and lines removed/added.
* Remove unneeded system_u seusers mapping.
  Author: Chris PeBenito | Date: 2016-12-06 | Files: 3 | Lines: -3/+0
* system/modutils: Add kernel_search_key(kmod_t)
  Author: Luis Ressel | Date: 2016-11-27 | Files: 1 | Lines: -2/+2

  This permission is currently granted in an ifdef(systemd) block, but it's also required on non-systemd systems if signed kernel modules are being used.
* modutils.te: Adjustment for compatibility with our tmpfiles policy
  Author: Luis Ressel | Date: 2016-11-27 | Files: 2 | Lines: -1/+5
* modutils.te: Re-add custom gentoo changes
  Author: Luis Ressel | Date: 2016-11-27 | Files: 1 | Lines: -0/+19

  TODO: Check if we indeed still need those permissions.
* Merge modutils updates from upstream
  Author: Luis Ressel | Date: 2016-11-27 | Files: 1 | Lines: -1/+1
* Module version bumps for patches from Guido Trentalancia.
  Author: Chris PeBenito | Date: 2016-11-27 | Files: 5 | Lines: -11/+7
* Let the user list noxattr fs directories
  Author: Guido Trentalancia via refpolicy | Date: 2016-11-27 | Files: 1 | Lines: -0/+4

  When reading or managing noxattr fs files or symbolic links, also let the user list noxattr fs directories.

  This patch should be applied after the following one:
  http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html
  "Let users read/manage symlinks on fs that do not support xattr"
  posted on Sat, 29 Oct 2016 15:39:46 UTC.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* Let unprivileged users list mounted filesystems
  Author: Guido Trentalancia via refpolicy | Date: 2016-11-27 | Files: 1 | Lines: -2/+2

  Let unprivileged users list filesystems mounted on mount points such as /mnt (cdrom, FAT, NTFS and so on).

  This makes a great difference to the usability and effectiveness of graphical filesystem browsers such as Gnome Nautilus and currently comes at no security penalty because mounted filesystems can be listed with programs such as the "df" program from GNU coreutils or by simply reading /proc/mounts.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* Let users read/manage symlinks on fs that do not support xattr
  Author: Guido Trentalancia via refpolicy | Date: 2016-11-27 | Files: 2 | Lines: -1/+21

  Let unprivileged and administrative users read symbolic links on filesystems that do not support extended attributes (xattr) such as cdroms, FAT, NTFS and so on.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* single binary modutils
  Author: Russell Coker | Date: 2016-11-27 | Files: 5 | Lines: -262/+136

  On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
  > On 07/31/16 08:34, Russell Coker wrote:
  > > The following patch deals with a single binary for modutils, so depmod_t,
  > > and insmod_t are merged.
  >
  > Since the main SELinux distros (including RHEL/CentOS 7) all have merged
  > modutils these days, I'm open to taking a patch that fully merges these
  > domains (in which case renaming to kmod_t, with proper aliasing seems
  > the best idea).
  >
  > However, it's been some time since I used a busybox-based system; does
  > busybox still have separated tools? Yes, this is a bit of an obvious
  > question since busybox is also single-binary, but IIRC, the embedded
  > guys made some tiny helper scripts or executables so proper
  > transitioning could occur. Separate domains may still make sense.

  As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this.

  I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion.

  --
  My Main Blog http://etbe.coker.com.au/
  My Documents Blog http://doc.coker.com.au/

  Description: Change modutils policy to match the use of a single binary
  Author: Russell Coker <russell@coker.com.au>
  Last-Update: 2014-06-25
* modutils.te: Temporarily remove custom gentoo changes
  Author: Luis Ressel | Date: 2016-11-27 | Files: 1 | Lines: -25/+0
* modutils.if: Remove obsolete modutils_list_module_config
  Author: Luis Ressel | Date: 2016-11-27 | Files: 2 | Lines: -25/+0

  This interface is a custom gentoo addition and is solely used by the dracut policy. However, the permissions it grants have been added to the modutils_read_module_config interface back in 2012 (commit e74b098).
* chromium: allow random
  Tag: 2.20161023-r1 | Author: Jason Zaman | Date: 2016-10-27 | Files: 1 | Lines: -0/+1

  Fails to start with:
    gcrypt-Message: no entropy gathering module detected
* chromium: allow dbus chat to gnome keyring and upower
  Author: Jason Zaman | Date: 2016-10-27 | Files: 1 | Lines: -0/+6

  For saving secrets and inhibiting power management, e.g. during videos.
* Duplicate type declaration, switch to typealias
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -1/+1
* Merging contrib moved syncthing into main root :-(
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 3 | Lines: -0/+0
* Move miscfiles_relabel_user_certs to userdom_relabel_user_certs
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 2 | Lines: -8/+26
* Fix documentation for userdom_user_home_dir_filetrans_user_cert
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -1/+1
* chromium: perms for user_cert_t
  Author: Jason Zaman | Date: 2016-10-24 | Files: 1 | Lines: -7/+6
* Swap documentation for two interfaces
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -3/+3
* Switch from cert_home_t to user_cert_t
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 5 | Lines: -49/+9

  The type for user home certificate directories (and files) is user_cert_t. Remove all references to its code, and instead use the new type. Keep an alias at hand for third party SELinux policy modules though.
* Introduce userdom_user_home_dir_filetrans_user_cert
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -0/+29

  The userdom_user_home_dir_filetrans_user_cert interface can be assigned to SELinux policies for domains that create the necessary user directories, such as ~/.pki.

  This interface will need to be upstreamed later though (we currently need it already because we have end-user domains that other distributions generally keep in the user domain).
* Merge upstream
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -2/+2
* Update Changelog and VERSION for release.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 2 | Lines: -1/+235
* Bump module versions for release.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 29 | Lines: -29/+29
* fc_sort: cleanup warnings caught by clang tidy / static analyzer.
  Author: Rahul Chaudhry | Date: 2016-10-24 | Files: 1 | Lines: -2/+2

  Value stored to 'i' is never read.
  Variable 'j' is never used.
* Update specfile
  Author: Sean Placchetti | Date: 2016-10-24 | Files: 1 | Lines: -4/+8

  Minor tweaks to specfile
* Update to refpolicy spec file
  Author: Sean Placchetti | Date: 2016-10-24 | Files: 1 | Lines: -1/+1

  Missing forward slash
* Module version bumps for syncthing from Naftuli Tzvi Kay.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 4 | Lines: -4/+4
* Add Syncthing Support to Policy
  Author: Naftuli Tzvi Kay | Date: 2016-10-24 | Files: 4 | Lines: -0/+15

  For now, optionally add the Syncthing role to user_r, staff_r, and unconfined_r, and define the Syncthing ports in core network.
* Update Changelog for release.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 1 | Lines: -0/+160

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Bump module versions for release.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 60 | Lines: -60/+60

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Module version bump for webalizer patch from Russell Coker.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 2 | Lines: -2/+2

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* webalizer: Rearrange a couple lines.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 1 | Lines: -2/+2

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* webalizer patch for inclusion
  Author: Russell Coker via refpolicy | Date: 2016-10-24 | Files: 3 | Lines: -0/+27

  Thanks Chris for the suggestions, here's a patch that I think is worthy of inclusion.

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Rearrange lines in syncthing.
  Author: Chris PeBenito | Date: 2016-10-24 | Files: 2 | Lines: -23/+16

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Syncthing Policy
  Author: Naftuli Tzvi Kay | Date: 2016-10-24 | Files: 3 | Lines: -0/+113

  Policy governing Syncthing - a file synchronization utility written in Go.

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Manage tun/tap interfaces
  Author: Sven Vermeulen | Date: 2016-10-24 | Files: 1 | Lines: -0/+3

  We need the relabelfrom/relabelto rights, otherwise tun/tap interface activities fail:

    ~# tunctl -d tap0
    TUNSETIFF: Permission denied
* Merge upstream
  Tag: 2.20151208-r6 | Author: Jason Zaman | Date: 2016-10-03 | Files: 1 | Lines: -2/+2
* Module version bump for networkmanager fix from Naftuli Tzvi Kay.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 1 | Lines: -1/+1
* gpg: Whitespace fix.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 1 | Lines: -1/+1
* Module version bump for evolution patch from Guido Trentalancia.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 2 | Lines: -2/+2
* gpg: public key signature verification in evolution
  Author: Guido Trentalancia | Date: 2016-10-03 | Files: 2 | Lines: -0/+25

  Let gpg verify public key signatures in the evolution mail client application. It doesn't need write permissions on such files for signing/encrypting messages.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* Fix NetworkManager Read Pid Files Macro
  Author: Naftuli Tzvi Kay | Date: 2016-10-03 | Files: 1 | Lines: -0/+1

  Bug found in pull #26 - permissions aren't granted for searching the NetworkManager_var_run_t directory, only to reading its files.
* Module version bump for gnome patch from Guido Trentalancia.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 2 | Lines: -2/+2
* gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution
  Author: Guido Trentalancia via refpolicy | Date: 2016-10-03 | Files: 4 | Lines: -0/+111

  Add a new gstreamer_orcexec_t type and file context to the gnome module in order to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio).

  Add optional policy to the pulseaudio module to support the ORC optimized code execution.

  This patch has been anticipated a few weeks ago as part of a larger gnome patch. It has now been split as a smaller patch, as required.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* Module version bump for mozilla patch from Guido Trentalancia.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 2 | Lines: -2/+2
* pulseaudio: Move interface definitions.
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 1 | Lines: -38/+38
* mozilla: let mozilla play audio
  Author: Guido Trentalancia via refpolicy | Date: 2016-10-03 | Files: 2 | Lines: -0/+86

  Let mozilla play audio:
  - add new interfaces to the pulseaudio module;
  - let mozilla read alsa configuration files;
  - add further permissions to mozilla needed to use pulseaudio to play audio.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
* cups: Module version bump for hplip patch from Guido Trentalancia
  Author: Chris PeBenito | Date: 2016-10-03 | Files: 1 | Lines: -1/+1