| Commit message | Author | Age | Files | Lines |
|
This interface is a custom Gentoo addition and is solely used by the
dracut policy. However, the permissions it grants have been added to the
modutils_read_module_config interface back in 2012 (commit e74b098).
|
Fails to start with:
gcrypt-Message: no entropy gathering module detected
|
For saving secrets and inhibiting power management, e.g. during videos
|
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
|
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
|
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
|
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
|
Thanks Chris for the suggestions, here's a patch that I think is worthy of
inclusion.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
|
Let gpg verify public key signatures in the evolution mail client application.
It doesn't need write permissions on such files for signing/encrypting messages.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Bug found in pull #26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only for reading its files.
|
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch was anticipated a few weeks ago as part of a
larger gnome patch. It has now been split as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
pulseaudio to play audio.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update the cups module with some permissions needed to run HP
printers (in particular to be able to load firmware on those
printers that need it every time they are connected).
The permission to execute shell scripts has been removed in
this new version, as this is not required.
Compared to previous versions, this new version creates a
specific hplip pty (as suggested by Christopher PeBenito).
Here is the list of printers that require firmware loading:
HP LaserJet 1000
HP LaserJet 1005 series
HP LaserJet 1018
HP LaserJet 1020
HP LaserJet p1005
HP LaserJet p1006
HP LaserJet p1007
HP LaserJet p1008
HP LaserJet p1009
HP LaserJet p1505
HP LaserJet Professional p1102
HP LaserJet Professional p1102w
HP LaserJet Professional p1566
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update the evolution modules so that:
- it is able to read SSL certificates (e.g. for server authentication);
- it is able to read the random number generator device;
- it doesn't audit attempts to get the attributes of
extended attributes filesystems.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
ntpctl is hardlinked to ntpd and causes a labelling conflict randomly.
Set the fcontext on both to be the same so there are no issues.
|
client (another separate patch makes changes to the ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update the pulseaudio module so that it is usable (tested with
latest version pulseaudio 9.0).
This patch depends on a recent patch to update the gnome module.
Support for the OIL Runtime Compiler (ORC) optimized code
execution is added to the pulseaudio module by using a few
newly created interfaces and file contexts in the gnome
module.
Supports the execmem permission only through a boolean which
defaults to false.
Thanks to Dominick Grift for the useful suggestions that
made it possible to create this new improved version of the patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files.
The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above-mentioned alsa
interface definitions.
After applying this patch, the recent pulseaudio patch should also
be applied to complete the removal of the _rw_ labels on the alsa
interfaces.
This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.
Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
- add an interface to support chat over dbus in the mission
control domain;
- add support for dbus chat in the mission control domain for
the telepathy role.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update the rtkit daemon module so that the daemon can be started.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update the gpg role interface so that core dumps can be disabled
at runtime (required for successful execution of gpg).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Update needed for the normal functioning of the acpi daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
Add a single permission to the policykit module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
|
On Wed, 3 Aug 2016 09:43:18 AM Chris PeBenito wrote:
> > kernel_read_kernel_sysctls(named_t)
> >
> > +kernel_read_vm_sysctls(named_t)
> >
> > kernel_read_system_state(named_t)
> > kernel_read_network_state(named_t)
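Review bot: the added kernel_read_vm_sysctls(named_t) line gives no reason for the access, and the quoted context gives none either. State in the commit message which vm sysctl named reads, and if it is only the overcommit setting, call kernel_read_vm_overcommit_sysctl(named_t), the interface named in the reply that follows, so that named_t is not given read access to the other vm sysctls.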
>
> Yes, there is a kernel_read_vm_overcommit_sysctl().
I've attached a new patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
|
This patch allows watchdog to read all pid files for the "pidfile" feature.