path: root/policy
Commit message | Author | Age | Files | Lines

* system/modutils: Add kernel_search_key(kmod_t) | Luis Ressel | 2016-11-27 | 1 | -2/+2
  This permission is currently granted in an ifdef(systemd) block, but it's also required on non-systemd systems if signed kernel modules are being used.

* modutils.te: Adjustment for compatibility with our tmpfiles policy | Luis Ressel | 2016-11-27 | 2 | -1/+5

* modutils.te: Re-add custom gentoo changes | Luis Ressel | 2016-11-27 | 1 | -0/+19
  TODO: Check if we indeed still need those permissions.

* Module version bumps for patches from Guido Trentalancia. | Chris PeBenito | 2016-11-27 | 5 | -11/+7

* Let the user list noxattr fs directories | Guido Trentalancia via refpolicy | 2016-11-27 | 1 | -0/+4
  When reading or managing noxattr fs files or symbolic links, also let the user list noxattr fs directories.

  This patch should be applied after the following one:
  http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html
  "Let users read/manage symlinks on fs that do not support xattr" posted on Sat, 29 Oct 2016 15:39:46 UTC.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Let unprivileged users list mounted filesystems | Guido Trentalancia via refpolicy | 2016-11-27 | 1 | -2/+2
  Let unprivileged users list filesystems mounted on mount points such as /mnt (cdrom, FAT, NTFS and so on).

  This makes a great difference to the usability and effectiveness of graphical filesystem browsers such as Gnome Nautilus and currently comes at no security penalty because mounted filesystems can be listed with programs such as the "df" program from GNU coreutils or by simply reading /proc/mounts.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Let users read/manage symlinks on fs that do not support xattr | Guido Trentalancia via refpolicy | 2016-11-27 | 2 | -1/+21
  Let unprivileged and administrative users read symbolic links on filesystems that do not support extended attributes (xattr) such as cdroms, FAT, NTFS and so on.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* single binary modutils | Russell Coker | 2016-11-27 | 5 | -262/+136
  On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
  > On 07/31/16 08:34, Russell Coker wrote:
  > > The following patch deals with a single binary for modutils, so depmod_t,
  > > and insmod_t are merged.
  >
  > Since the main SELinux distros (including RHEL/CentOS 7) all have merged
  > modutils these days, I'm open to taking a patch that fully merges these
  > domains (in which case renaming to kmod_t, with proper aliasing seems
  > the best idea).
  >
  > However, it's been some time since I used a busybox-based system; does
  > busybox still have separated tools? Yes, this is a bit of an obvious
  > question since busybox is also single-binary, but IIRC, the embedded
  > guys made some tiny helper scripts or executables so proper
  > transitioning could occur. Separate domains may still make sense.

  As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this.

  I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion.

  --
  My Main Blog http://etbe.coker.com.au/
  My Documents Blog http://doc.coker.com.au/

  Description: Change modutils policy to match the use of a single binary
  Author: Russell Coker <russell@coker.com.au>
  Last-Update: 2014-06-25

* modutils.te: Temporarily remove custom gentoo changes | Luis Ressel | 2016-11-27 | 1 | -25/+0

* modutils.if: Remove obsolete modutils_list_module_config | Luis Ressel | 2016-11-27 | 2 | -25/+0
  This interface is a custom gentoo addition and is solely used by the dracut policy. However, the permissions it grants have been added to the modutils_read_module_config interface back in 2012 (commit e74b098).

* chromium: allow random [2.20161023-r1] | Jason Zaman | 2016-10-27 | 1 | -0/+1
  Fails to start with:
  gcrypt-Message: no entropy gathering module detected

* chromium: allow dbus chat to gnome keyring and upower | Jason Zaman | 2016-10-27 | 1 | -0/+6
  For saving secrets and inhibiting power management eg during videos

* Duplicate type declaration, switch to typealias | Sven Vermeulen | 2016-10-24 | 1 | -1/+1

* Merging contrib moved syncthing into main root :-( | Sven Vermeulen | 2016-10-24 | 3 | -0/+106

* Move miscfiles_relabel_user_certs to userdom_relabel_user_certs | Sven Vermeulen | 2016-10-24 | 2 | -8/+26

* Fix documentation for userdom_user_home_dir_filetrans_user_cert | Sven Vermeulen | 2016-10-24 | 1 | -1/+1

* chromium: perms for user_cert_t | Jason Zaman | 2016-10-24 | 1 | -7/+6

* Swap documentation for two interfaces | Sven Vermeulen | 2016-10-24 | 1 | -3/+3

* Switch from cert_home_t to user_cert_t | Sven Vermeulen | 2016-10-24 | 5 | -49/+9
  The type for user home certificate directories (and files) is user_cert_t. Remove all references to its code, and instead use the new type.

  Keep an alias at hand for third party SELinux policy modules though.

* Introduce userdom_user_home_dir_filetrans_user_cert | Sven Vermeulen | 2016-10-24 | 1 | -0/+29
  The userdom_user_home_dir_filetrans_user_cert interface can be assigned to SELinux policies for domains that create the necessary user directories, such as ~/.pki.

  This interface will need to be upstreamed later though (we currently need it already because we have end-user domains that other distributions generally keep in the user domain).

* Bump module versions for release. | Chris PeBenito | 2016-10-24 | 29 | -29/+29

* Module version bumps for syncthing from Naftuli Tzvi Kay. | Chris PeBenito | 2016-10-24 | 4 | -4/+4

* Add Syncthing Support to Policy | Naftuli Tzvi Kay | 2016-10-24 | 4 | -0/+15
  For now, optionally add the Syncthing role to user_r, staff_r, and unconfined_r, and define the Syncthing ports in core network.

* Update Changelog for release. | Chris PeBenito | 2016-10-24 | 1 | -0/+160
  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Bump module versions for release. | Chris PeBenito | 2016-10-24 | 60 | -60/+60
  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Module version bump for webalizer patch from Russell Coker. | Chris PeBenito | 2016-10-24 | 2 | -2/+2
  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* webalizer: Rearrange a couple lines. | Chris PeBenito | 2016-10-24 | 1 | -2/+2
  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* webalizer patch for inclusion | Russell Coker via refpolicy | 2016-10-24 | 3 | -0/+27
  Thanks Chris for the suggestions, here's a patch that I think is worthy of inclusion.

  Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Manage tun/tap interfaces | Sven Vermeulen | 2016-10-24 | 1 | -0/+3
  We need the relabelfrom/relabelto rights, otherwise tun/tap interface activities fail:

  ~# tunctl -d tap0
  TUNSETIFF: Permission denied

* Module version bump for networkmanager fix from Naftuli Tzvi Kay. | Chris PeBenito | 2016-10-03 | 1 | -1/+1

* gpg: Whitespace fix. | Chris PeBenito | 2016-10-03 | 1 | -1/+1

* Module version bump for evolution patch from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 2 | -2/+2

* gpg: public key signature verification in evolution | Guido Trentalancia | 2016-10-03 | 2 | -0/+25
  Let gpg verify public key signatures in the evolution mail client application. It doesn't need write permissions on such files for signing/encrypting messages.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Fix NetworkManager Read Pid Files Macro | Naftuli Tzvi Kay | 2016-10-03 | 1 | -0/+1
  Bug found in pull #26: permissions aren't granted for searching the NetworkManager_var_run_t directory, only to reading its files.

* Module version bump for gnome patch from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 2 | -2/+2

* gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution | Guido Trentalancia via refpolicy | 2016-10-03 | 4 | -0/+111
  Add a new gstreamer_orcexec_t type and file context to the gnome module in order to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio).

  Add optional policy to the pulseaudio module to support the ORC optimized code execution.

  This patch has been anticipated a few weeks ago as part of a larger gnome patch. It has now been split as a smaller patch, as required.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Module version bump for mozilla patch from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 2 | -2/+2

* pulseaudio: Move interface definitions. | Chris PeBenito | 2016-10-03 | 1 | -38/+38

* mozilla: let mozilla play audio | Guido Trentalancia via refpolicy | 2016-10-03 | 2 | -0/+86
  Let mozilla play audio:
  - add new interfaces to the pulseaudio module;
  - let mozilla read alsa configuration files;
  - add further permissions to mozilla needed to use pulseaudio to play audio.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* cups: Module version bump for hplip patch from Guido Trentalancia | Chris PeBenito | 2016-10-03 | 1 | -1/+1

* cups: Move can_exec() line. | Chris PeBenito | 2016-10-03 | 1 | -3/+3

* cups: update permissions for HP printers (load firmware) | Guido Trentalancia | 2016-10-03 | 1 | -4/+23
  Update the cups module with some permissions needed to run HP printers (in particular to be able to load firmware on those printers that need it every time they are connected).

  The permission to execute shell scripts has been removed in this new version, as this is not required.

  Compared to previous versions, this new version creates a specific hplip pty (as suggested by Christopher PeBenito).

  Here is the list of printers that require firmware loading:
  HP LaserJet 1000
  HP LaserJet 1005 series
  HP LaserJet 1018
  HP LaserJet 1020
  HP LaserJet p1005
  HP LaserJet p1006
  HP LaserJet p1007
  HP LaserJet p1008
  HP LaserJet p1009
  HP LaserJet p1505
  HP LaserJet Professional p1102
  HP LaserJet Professional p1102w
  HP LaserJet Professional p1566

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* evolution: Read user certs from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 1 | -1/+24

* Module version bump for Evolution SSL fix from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 1 | -1/+1

* evolution: read SSL certificates | Guido Trentalancia via refpolicy | 2016-10-03 | 1 | -0/+3
  Update the evolution modules so that:
  - it is able to read SSL certificates (e.g. for server authentication);
  - it is able to read the random number generator device;
  - it doesn't audit attempts to get the attributes of extended attributes filesystems.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Module version bump for selinuxutil fix from Jason Zaman. | Chris PeBenito | 2016-10-03 | 1 | -1/+1

* selinuxutil: allow setfiles to read semanage store | Jason Zaman via refpolicy | 2016-10-03 | 2 | -0/+24
  commit a7334eb0de98af11ec38b6263536fa01bc2a606c
  libsemanage: validate and compile file contexts before installing

  validates the fcontexts when they are still in /var/lib/selinux. Without setfiles_t having access to read the files, validation fails and the policy cannot be updated.

* Additional change from Guido Trentalancia related to evolution. | Chris PeBenito | 2016-10-03 | 2 | -1/+23

* userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) | Guido Trentalancia | 2016-10-03 | 3 | -0/+50
  Introduce a new file context for user certificates (user_cert_t) located in home directories.

  Introduce new auxiliary interfaces to read and manage such files and directories.

  Thanks to Christopher PeBenito for the useful suggestions that led to this improved version of the patch.

  Compared to the previous version, this patch adds the ability to search the user home directories in the new interfaces.

  Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

* Module version bumps for LVM and userdomain patches from Guido Trentalancia. | Chris PeBenito | 2016-10-03 | 2 | -2/+2