Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2009-10-27 | X Object Manager policy revisions to xserver.if. | Eamon Walsh | 1 | -90/+64 | |
This commit consists of two parts: 1. Revisions to xserver_object_types_template and xserver_common_x_domain_template. This reflects the dropping of many of the specific event, extension, and property types. 2. New interfaces: xserver_manage_core_devices: Gives control over core mouse/keyboard. xserver_unprotected: Allows all clients to access a domain's X objects. Modified interfaces: xserver_unconfined: Added x_domain typeattribute statement. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> | |||||
2009-10-27 | X Object Manager policy revisions to xserver.te. | Eamon Walsh | 1 | -121/+152 | |
This commit consists of three main parts: 1. Code movement. There were X object manager-related statements scattered somewhat throughout the file; these have been consolidated, which resulted in some other statements moving (e.g. iceauth_t). 2. Type changes. Many of the specific event, extension, and property types have been dropped for the time being. The rootwindow_t and remote_xclient_t types have been renamed, and a root_xcolormap_t type has been (re-)added. This is for naming consistency. An "xserver_unprotected" alias has been added for use in labeling clients whose resources should be globally accessible (e.g. xdm_t). 3. Policy changes. These are mostly related to devices, which now have separate x_keyboard and x_pointer classes. The "Hacks" section has been cleaned up, and various other classes have had the default permissions tweaked. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> | |||||
2009-10-26 | add tuned from miroslav grepl. | Chris PeBenito | 3 | -0/+188 | |
2009-10-22 | reorganize a92ee50 | Chris PeBenito | 1 | -1/+1 | |
2009-10-22 | Implement screen-locking feature. | Dominick Grift | 1 | -0/+2 | |
Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <cpebenito@tresys.com> | |||||
2009-10-22 | Fix a typo of SElinux to SELinux. | Justin P. Mattock | 1 | -1/+1 | |
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> | |||||
2009-10-22 | add open to search_dir_perms. | Chris PeBenito | 1 | -1/+1 | |
2009-10-14 | Add separate x_pointer and x_keyboard classes inheriting from x_device. | Eamon Walsh | 2 | -21/+38 | |
This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> | |||||
2009-10-07 | revise MCS constraints to use only MCS-specific attributes. | Chris PeBenito | 3 | -12/+57 | |
2009-09-28 | add seunshare from dan. | Chris PeBenito | 3 | -0/+108 | |
2009-09-17 | add dkim from stefan schulze frielinghaus. | Chris PeBenito | 3 | -0/+42 | |
2009-09-16 | add gnomeclock from dan. | Chris PeBenito | 3 | -0/+114 | |
2009-09-15 | add rtkit from dan. | Chris PeBenito | 3 | -0/+76 | |
2009-09-15 | clean up xscreensaver. | Chris PeBenito | 3 | -25/+14 | |
2009-09-15 | SELinux xscreensaver policy support | corentin.labbe | 3 | -0/+87 | |
Hello. This is a patch for adding xscreensaver policy. I think it needs a specific policy because of the auth_domtrans_chk_passwd. Cordially. Signed-off-by: LABBE Corentin <corentin.labbe@geomatys.fr> | |||||
2009-09-14 | add modemmanager from dan. | Chris PeBenito | 3 | -0/+81 | |
2009-09-14 | add abrt from dan. | Chris PeBenito | 3 | -0/+253 | |
2009-09-09 | rearrange readahead rules. | Chris PeBenito | 1 | -5/+6 | |
2009-09-09 | readahead patch from dan. | Chris PeBenito | 1 | -1/+3 | |
2009-09-09 | nscd patch from dan. | Chris PeBenito | 2 | -1/+20 | |
2009-09-09 | cron patch from dan. | Chris PeBenito | 3 | -47/+194 | |
2009-09-09 | prelink patch from dan. | Chris PeBenito | 2 | -1/+20 | |
2009-09-08 | nslcd policy from dan. | Chris PeBenito | 3 | -0/+157 | |
2009-09-08 | term_write_all_terms() patch from Stefan Schulze Frielinghaus | Chris PeBenito | 1 | -0/+23 | |
2009-09-03 | add gitosis from miroslav grepl. | Chris PeBenito | 3 | -0/+85 | |
2009-09-03 | cpufreqselector patch from dan. | Chris PeBenito | 1 | -2/+11 | |
2009-09-03 | add an additional vmware host program. | Chris PeBenito | 2 | -1/+2 | |
2009-09-03 | screen patch from dan. | Chris PeBenito | 2 | -12/+3 | |
2009-09-03 | remove stale screen_dir_t references | Chris PeBenito | 1 | -5/+4 | |
The screen_dir_t was made an alias of the screen_var_run_t type. Remove the remaining references to this type. | |||||
2009-09-03 | gpg patch from dan. | Chris PeBenito | 2 | -4/+10 | |
gpg sends sigstop and signull. Reads usb devices. Can encrypt users' content in /tmp and the homedir, as well as on NFS and cifs. | |||||
2009-09-02 | openvpn patch from dan: Openvpn connects to cache ports and stores files in nfs and cifs directories. | Chris PeBenito | 1 | -1/+12 | |
2009-09-02 | Webalizer does not list inotify, this was caused by leaked file descriptors in either dbus or cron. Both of which have been cleaned up. | Chris PeBenito | 1 | -2/+2 | |
2009-09-02 | add shorewall from dan. | Chris PeBenito | 5 | -3/+229 | |
2009-09-02 | add kdump from dan. | Chris PeBenito | 3 | -0/+152 | |
2009-09-01 | cdrecord patch from dan. | Chris PeBenito | 1 | -2/+4 | |
2009-09-01 | awstats patch from dan. | Chris PeBenito | 1 | -1/+5 | |
2009-09-01 | certwatch patch from dan. | Chris PeBenito | 1 | -1/+2 | |
2009-09-01 | mrtg patch from dan. | Chris PeBenito | 1 | -1/+7 | |
2009-09-01 | add hddtemp from dan. | Chris PeBenito | 4 | -1/+81 | |
2009-08-31 | add ptchown policy from dan. | Chris PeBenito | 3 | -0/+52 | |
2009-08-31 | pulseaudio patch from dan. | Chris PeBenito | 2 | -3/+15 | |
2009-08-31 | module version number bump for nscd patch. | Chris PeBenito | 1 | -1/+1 | |
2009-08-31 | nscd cache location changed from /var/db/nscd to /var/cache/nscd | Manoj Srivastava | 1 | -0/+1 | |
The nscd policy module uses the old nscd cache location. The cache location changed with glibc 2.7-1, and the current nscd does place the files in /var/cache/nscd/. Signed-off-by: Manoj Srivastava <srivasta@debian.org> | |||||
2009-08-31 | kismet patch from dan. | Chris PeBenito | 4 | -2/+38 | |
2009-08-31 | module version number bump for tun patches | Chris PeBenito | 5 | -5/+5 | |
2009-08-31 | rename admin_tun_type to admindomain. | Chris PeBenito | 2 | -5/+5 | |
2009-08-31 | reorganize tun patch changes. | Chris PeBenito | 4 | -50/+47 | |
2009-08-31 | refpol: Policy for the new TUN driver access controls | Paul Moore | 8 | -0/+56 | |
Add policy for the new TUN driver access controls which allow policy to control which domains have the ability to create and attach to TUN/TAP devices. The policy rules for creating and attaching to a device are as shown below: # create a new device allow domain_t self:tun_socket { create }; # attach to a persistent device (created by tunlbl_t) allow domain_t tunlbl_t:tun_socket { relabelfrom }; allow domain_t self:tun_socket { relabelto }; Further discussion can be found on this thread: * http://marc.info/?t=125080850900002&r=1&w=2 Signed-off-by: Paul Moore <paul.moore@hp.com> | |||||
2009-08-31 | refpol: Add the "tun_socket" object class flask definitions | Paul Moore | 2 | -0/+4 | |
Add the new "tun_socket" class to the flask definitions. The "tun_socket" object class is used by the new TUN driver hooks which allow policy to control access to TUN/TAP devices. Signed-off-by: Paul Moore <paul.moore@hp.com> | |||||
2009-08-28 | patch from Eamon Walsh to remove usage of deprecated xserver interfaces. | Chris PeBenito | 5 | -6/+6 | |