rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
selinux-policy/.gitignore

481 lines
14 KiB
Plaintext
Raw Normal View History

auto-import selinux-policy-2.0.0-0.6 on branch devel from selinux-policy-2.0.0-0.6.src.rpm
2005-11-14 23:22:29 +00:00
serefpolicy-2.0.0.tgz
- Initial version
2005-11-16 03:43:46 +00:00
serefpolicy-2.0.1.tgz
- Update to upstream
2005-11-18 21:35:08 +00:00
serefpolicy-2.0.2.tgz
- Start building MLS Policy
2005-11-22 18:59:41 +00:00
serefpolicy-2.0.3.tgz
- Add rules for pegasus and avahi
2005-11-22 22:46:58 +00:00
serefpolicy-2.0.4.tgz
-Update to latest from upstream
2005-11-23 17:11:44 +00:00
serefpolicy-2.0.5.tgz
- Cleanup pegasus and named - Fix spec file - Fix up passwd changing applications
2005-11-29 05:22:53 +00:00
serefpolicy-2.0.6.tgz
- Fixes for dovecot and saslauthd
2005-12-01 18:16:50 +00:00
serefpolicy-2.0.7.tgz
Update from upstream
2005-12-02 22:58:20 +00:00
serefpolicy-2.0.8.tgz
Update from upstream
2005-12-06 04:12:01 +00:00
serefpolicy-2.0.9.tgz
Update from upstream
2005-12-06 17:44:30 +00:00
serefpolicy-2.0.10.tgz
Update from upstream
2005-12-07 01:07:26 +00:00
serefpolicy-2.0.11.tgz
exclude
noarch
nsadiff
nsaserefpolicy
Add xdm policy
2005-12-08 05:02:10 +00:00
serefpolicy-2.1.0.tgz
- Update to upstream - Turn off boolean allow_execstack
2005-12-08 21:56:50 +00:00
serefpolicy-2.1.1.tgz
- Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies
2005-12-10 05:19:29 +00:00
serefpolicy-2.1.2.tgz
- Fixes for hal - Update to upstream
2005-12-13 04:53:03 +00:00
serefpolicy-2.1.4.tgz
- Update from upstream - Allow unconfined_t to transition to rpm_script_t
2005-12-13 22:13:21 +00:00
serefpolicy-2.1.5.tgz
- Add file context for /var/cvs - Dontaudit webalizer search of homedir
2005-12-14 22:47:12 +00:00
serefpolicy-2.1.6.tgz
- Update to upstream
2006-01-04 19:21:36 +00:00
serefpolicy-2.1.7.tgz
- Update to upstream
2006-01-09 20:20:08 +00:00
serefpolicy-2.1.8.tgz
- Update to upstream
2006-01-11 22:25:06 +00:00
serefpolicy-2.1.9.tgz
- Update to upstream
2006-01-13 22:32:06 +00:00
serefpolicy-2.1.10.tgz
- Update to upstream - Fix ftp Man page
2006-01-17 03:55:13 +00:00
serefpolicy-2.1.11.tgz
- Update to upstream
2006-01-17 19:40:15 +00:00
serefpolicy-2.1.12.tgz
- Update to upstream
2006-01-17 22:47:12 +00:00
serefpolicy-2.1.13.tgz
- Update to upstream - Turn off execheap execstack for unconfined users - Add mono/wine policy to allow execheap and execstack for them - Add execheap for Xdm policy
2006-01-19 19:10:47 +00:00
serefpolicy-2.2.2.tgz
- Update to upstream
2006-01-24 15:41:46 +00:00
serefpolicy-2.2.4.tgz
- Many changes for MLS - Turn on strict policy
2006-01-25 16:45:54 +00:00
serefpolicy-2.2.5.tgz
- Update to upstream - Put back in changes for pup/zen
2006-01-26 15:47:02 +00:00
serefpolicy-2.2.6.tgz
- Update to upstream
2006-01-27 07:06:21 +00:00
serefpolicy-2.2.7.tgz
- Update to upstream - Fix rhgb
2006-01-28 04:52:34 +00:00
serefpolicy-2.2.8.tgz
- Update to upstream - Fix rhgb, and other Xorg startups
2006-01-31 00:35:32 +00:00
serefpolicy-2.2.9.tgz
*** empty log message ***
2006-02-03 14:59:07 +00:00
serefpolicy-2.2.10.tgz
*** empty log message ***
2006-02-04 03:03:32 +00:00
serefpolicy-2.2.11.tgz
*** empty log message ***
2006-02-09 13:56:52 +00:00
serefpolicy-2.2.12.tgz
*** empty log message ***
2006-02-11 02:41:50 +00:00
serefpolicy-2.2.13.tgz
*** empty log message ***
2006-02-13 15:55:10 +00:00
serefpolicy-2.2.14.tgz
*** empty log message ***
2006-02-14 17:11:59 +00:00
serefpolicy-2.2.15.tgz
*** empty log message ***
2006-02-19 12:17:15 +00:00
serefpolicy-2.2.16.tgz
*** empty log message ***
2006-02-20 22:11:40 +00:00
serefpolicy-2.2.17.tgz
*** empty log message ***
2006-02-21 15:36:15 +00:00
serefpolicy-2.2.18.tgz
*** empty log message ***
2006-02-21 20:39:54 +00:00
serefpolicy-2.2.19.tgz
*** empty log message ***
2006-02-22 22:46:02 +00:00
serefpolicy-2.2.20.tgz
*** empty log message ***
2006-02-23 15:12:37 +00:00
serefpolicy-2.2.21.tgz
- Update to upstream - Merged my latest fixes - Fix cups policy to handle unix domain sockets
2006-02-27 23:00:40 +00:00
serefpolicy-2.2.22.tgz
- Add hal changes suggested by Jeremy - add policyhelp to point at policy html pages
2006-03-04 14:49:35 +00:00
serefpolicy-2.2.23.tgz
- Update to upstream
2006-03-18 04:09:10 +00:00
serefpolicy-2.2.24.tgz
- Update to upstream
2006-03-21 19:46:10 +00:00
serefpolicy-2.2.25.tgz
- Fix policyhelp
2006-03-24 16:44:06 +00:00
serefpolicy-2.2.26.tgz
- Update to upstream
2006-03-27 22:07:37 +00:00
serefpolicy-2.2.27.tgz
- Update to upstream
2006-03-27 22:47:14 +00:00
serefpolicy-2.2.28.tgz
- Update to upstream
2006-03-31 20:57:44 +00:00
serefpolicy-2.2.29.tgz
- Allow secadm_t ability to relabel all files - Allow ftp to search xferlog_t directories - Allow mysql to communicate with ldap - Allow rsync to bind to rsync_port_t
2006-04-11 20:59:57 +00:00
serefpolicy-2.2.30.tgz
- Update to latest from upstream - Allow mono and unconfined to talk to initrc_t dbus objects
2006-04-13 21:28:19 +00:00
serefpolicy-2.2.31.tgz
- Update to latest from upstream
2006-04-14 19:50:03 +00:00
serefpolicy-2.2.32.tgz
- Update to latest from upstream - Add James Antill patch for xen - Many fixes for pegasus
2006-04-19 12:10:10 +00:00
serefpolicy-2.2.33.tgz
- Update to latest from upstream - Allow selinux-policy to be removed and kernel not to crash
2006-04-20 17:43:20 +00:00
serefpolicy-2.2.34.tgz
- Update to upstream - Fix postun to only disable selinux on full removal of the packages
2006-04-25 10:59:33 +00:00
selinux-policy-2.2.35-1.src.rpm
- Update to upstream - Fix postun to only disable selinux on full removal of the packages
2006-04-25 11:03:12 +00:00
serefpolicy-2.2.35.tgz
- Update to upstream
2006-05-01 18:41:55 +00:00
serefpolicy-2.2.36.tgz
- Update to upstream
2006-05-04 17:39:16 +00:00
serefpolicy-2.2.37.tgz
- Update to upstream
2006-05-08 19:26:49 +00:00
serefpolicy-2.2.38.tgz
- Update from upstream
2006-05-15 16:20:58 +00:00
serefpolicy-2.2.39.tgz
- Update from upstream
2006-05-17 01:40:53 +00:00
serefpolicy-2.2.40.tgz
- allow hal to read boot_t files - Upgrade to upstream
2006-05-18 16:07:35 +00:00
serefpolicy-2.2.41.tgz
- Upgrade to upstream
2006-05-20 12:01:14 +00:00
serefpolicy-2.2.42.tgz
- Update to upstream
2006-05-28 10:56:26 +00:00
serefpolicy-2.2.43.tgz
- Update from upstream
2006-06-09 03:03:22 +00:00
serefpolicy-2.2.45.tgz
- Update to upstream
2006-06-13 18:26:00 +00:00
serefpolicy-2.2.46.tgz
- Update from Upstream
2006-06-14 15:48:59 +00:00
serefpolicy-2.2.47.tgz
- Update to upstream
2006-06-21 14:01:45 +00:00
serefpolicy-2.2.48.tgz
- Update to upstream
2006-06-22 01:15:06 +00:00
serefpolicy-2.2.49.tgz
- Update to upstream - Add new class for kernel key ring
2006-06-22 19:16:49 +00:00
serefpolicy-2.3.1.tgz
- Update to upstream
2006-07-09 09:51:33 +00:00
serefpolicy-2.3.2.tgz
- Remove spamassassin_can_network boolean
2006-07-17 17:14:27 +00:00
serefpolicy-2.3.3.tgz
- Update to the latest from upstream
2006-08-04 22:58:10 +00:00
serefpolicy-2.3.4.tgz
- Fix setroubleshootd
2006-08-08 00:26:46 +00:00
serefpolicy-2.3.5.tgz
- Quiet down anaconda audit messages
2006-08-08 20:40:36 +00:00
serefpolicy-2.3.6.tgz
- Update from upstream - More java fixes
2006-08-12 11:54:51 +00:00
serefpolicy-2.3.7.tgz
- Fixes for stunnel and postgresql - Update from upstream
2006-08-20 15:11:37 +00:00
serefpolicy-2.3.8.tgz
- Update to upstream
2006-08-23 20:42:38 +00:00
serefpolicy-2.3.9.tgz
- Upgrade to upstream
2006-08-30 20:59:51 +00:00
serefpolicy-2.3.10.tgz
clog
- Update to upstream
2006-09-01 19:45:39 +00:00
serefpolicy-2.3.11.tgz
- Update to upstream
2006-09-05 12:03:37 +00:00
serefpolicy-2.3.12.tgz
- Update from upstream
2006-09-06 18:29:35 +00:00
serefpolicy-2.3.13.tgz
- Upgrade to upstream
2006-09-15 18:28:09 +00:00
serefpolicy-2.3.14.tgz
- Update from upstream
2006-09-22 20:41:12 +00:00
serefpolicy-2.3.15.tgz
- Update with upstream
2006-09-26 14:59:58 +00:00
serefpolicy-2.3.16.tgz
- Update to upstream
2006-09-29 19:19:18 +00:00
serefpolicy-2.3.17.tgz
- Patch for labeled networking
2006-10-03 18:47:06 +00:00
serefpolicy-2.3.18.tgz
- Update to upstream
2006-10-17 18:43:08 +00:00
serefpolicy-2.3.19.tgz
- Refupdate from upstream
2006-10-19 15:52:02 +00:00
serefpolicy-2.4.tgz
Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-4 - Allow noxattrfs to associate with other noxattrfs
2006-10-23 20:54:50 +00:00
serefpolicy-2.4.1.tgz
- Allow mount.nfs to work
2006-10-27 19:16:43 +00:00
serefpolicy-2.4.2.tgz
- Merge with upstream
2006-11-06 21:15:57 +00:00
serefpolicy-2.4.3.tgz
- Update to upstream
2006-11-15 15:22:30 +00:00
serefpolicy-2.4.4.tgz
- Move to upstream version which accepted my patches
2006-11-17 19:21:40 +00:00
serefpolicy-2.4.5.tgz
- Dontaudit appending hal_var_lib files Resolves: #217452 Resolves: #217571 Resolves: #217611 Resolves: #217640 Resolves: #217725
2006-11-29 20:11:02 +00:00
serefpolicy-2.4.6.tgz
- Begin adding user confinement to targeted policy
2007-01-22 18:15:16 +00:00
serefpolicy-2.5.1.tgz
- Add ability to generate webadm_t policy - Lots of new interfaces for httpd - Allow sshd to login as unconfined_t
2007-01-25 19:07:00 +00:00
serefpolicy-2.5.2.tgz
-
2007-02-12 16:27:42 +00:00
serefpolicy-2.5.3.tgz
- Add sepolgen support - Add bugzilla policy
2007-02-20 17:35:59 +00:00
serefpolicy-2.5.4.tgz
2007-02-26 15:06:22 +00:00
serefpolicy-2.5.5.tgz
- Update to remove security_t:filesystem getattr problems
2007-02-28 21:23:19 +00:00
serefpolicy-2.5.6.tgz
- Update to latest from upstream - Add fail2ban policy
2007-03-01 21:57:47 +00:00
serefpolicy-2.5.7.tgz
- More of my patches from upstream
2007-03-11 05:19:36 +00:00
serefpolicy-2.5.8.tgz
2007-03-20 15:01:28 +00:00
serefpolicy-2.5.9.tgz
- Allow samba to run groupadd
2007-03-23 17:31:13 +00:00
serefpolicy-2.5.10.tgz
- Update to upstream
2007-04-02 15:17:45 +00:00
serefpolicy-2.5.11.tgz
- Update to upstream
2007-04-11 20:55:28 +00:00
serefpolicy-2.5.12.tgz
- Upstream bumped the version
2007-04-23 17:00:48 +00:00
serefpolicy-2.6.1.tgz
- Update to latest from upstream
2007-05-01 20:53:29 +00:00
serefpolicy-2.6.2.tgz
- Update to latest from upstream
2007-05-04 17:30:10 +00:00
serefpolicy-2.6.3.tgz
- Update to latest from upstream
2007-05-14 18:10:58 +00:00
serefpolicy-2.6.4.tgz
2007-05-21 18:54:40 +00:00
serefpolicy-2.6.5.tgz
- Remove ifdef strict policy from upstream
2007-05-31 18:40:35 +00:00
serefpolicy-3.0.1.tgz
- Default to user_u:system_r:unconfined_t
2007-07-03 19:20:47 +00:00
serefpolicy-3.0.2.tgz
- Allow execution of gconf
2007-07-19 14:45:16 +00:00
serefpolicy-3.0.3.tgz
- Update with latest changes from upstream
2007-07-26 17:54:24 +00:00
serefpolicy-3.0.4.tgz
- Update from upstream
2007-08-03 19:53:44 +00:00
serefpolicy-3.0.5.tgz
- Add setransd for mls policy
2007-08-22 14:46:21 +00:00
serefpolicy-3.0.6.tgz
- Update an readd modules
2007-08-27 21:43:05 +00:00
serefpolicy-3.0.7.tgz
- Allow cron to search nfs and samba homedirs
2007-09-18 15:09:11 +00:00
serefpolicy-3.0.8.tgz
- Update to upstream
2007-10-23 23:13:09 +00:00
serefpolicy-3.1.0.tgz
- Update to upstream
2007-11-10 14:14:41 +00:00
serefpolicy-3.1.1.tgz
- Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate
2007-11-27 04:11:10 +00:00
serefpolicy-3.1.2.tgz
- Remove user based home directory separation
2007-11-30 22:33:18 +00:00
serefpolicy-3.2.1.tgz
- Update to upstream - Allow httpd_sys_script_t to search users homedirs
2007-12-05 03:19:13 +00:00
serefpolicy-3.2.2.tgz
- Add polkit policy - Symplify userdom context, remove automatic per_role changes
2007-12-11 06:08:33 +00:00
serefpolicy-3.2.3.tgz
- Update to upstream
2007-12-13 21:40:00 +00:00
serefpolicy-3.2.4.tgz
- Fix definiton of admin_home_t
2007-12-19 18:00:58 +00:00
serefpolicy-3.2.5.tgz
- Update to upstream - Add libvirt policy - add qemu policy
2008-02-02 06:30:04 +00:00
serefpolicy-3.2.6.tgz
- Update to upstream
2008-02-06 21:47:42 +00:00
serefpolicy-3.2.7.tgz
- Merge with upstream
2008-02-18 21:31:18 +00:00
serefpolicy-3.2.8.tgz
- Fixes from yum-cron - Update to latest upstream
2008-02-20 18:52:50 +00:00
serefpolicy-3.2.9.tgz
- Add xace support
2008-02-22 20:32:52 +00:00
serefpolicy-3.3.0.tgz
- Update to upstream fixes
2008-02-26 13:45:23 +00:00
serefpolicy-3.3.1.tgz
Update for rawhide
2008-05-19 13:02:56 +00:00
serefpolicy-3.4.1.tgz
- Update to upstream
2008-06-12 14:50:00 +00:00
serefpolicy-3.4.2.tgz
- Fix xguest -> xguest_mozilla_t -> xguest_openiffice_t
2008-07-17 19:53:32 +00:00
serefpolicy-3.5.1.tgz
- Allow system-config-selinux to work with policykit
2008-08-07 12:22:07 +00:00
serefpolicy-3.5.2.tgz
- Update to upstream
2008-08-07 20:05:57 +00:00
serefpolicy-3.5.3.tgz
- Update to upstream
2008-08-11 21:19:25 +00:00
serefpolicy-3.5.4.tgz
- Allow ifconfig_t to read dhcpc_state_t
2008-08-26 14:46:43 +00:00
serefpolicy-3.5.5.tgz
- Update to upstream - New handling of init scripts
2008-09-03 20:16:35 +00:00
serefpolicy-3.5.6.tgz
- Remove gamin policy
2008-09-08 21:01:42 +00:00
serefpolicy-3.5.7.tgz
- Merge upstream changes - Add Xavier Toth patches
2008-09-12 20:36:21 +00:00
serefpolicy-3.5.8.tgz
- Upgrade to upstream
2008-09-26 12:38:56 +00:00
serefpolicy-3.5.9.tgz
- Allow NetworkManager to transition to avahi and iptables - Allow domains to search other domains keys, coverup kernel bug
2008-10-03 15:49:44 +00:00
serefpolicy-3.5.10.tgz
- Update to upstream policy
2008-10-09 10:48:56 +00:00
serefpolicy-3.5.11.tgz
- Update to upstream
2008-10-11 23:57:43 +00:00
serefpolicy-3.5.12.tgz
- Policy cleanup
2008-10-17 22:03:34 +00:00
serefpolicy-3.5.13.tgz
- Fix labeling on /var/spool/rsyslog
2008-11-25 19:18:01 +00:00
serefpolicy-3.6.1.tgz
- Update to upstream
2009-01-05 22:55:20 +00:00
serefpolicy-3.6.2.tgz
- Update to upstream
2009-01-19 17:35:43 +00:00
serefpolicy-3.6.3.tgz
- Upgrade to latest upstream
2009-02-04 04:02:17 +00:00
serefpolicy-3.6.4.tgz
- Add setrans contains from upstream
2009-02-09 22:07:20 +00:00
serefpolicy-3.6.5.tgz
- Re-add corenet_in_generic_if(unlabeled_t)
2009-02-16 22:54:22 +00:00
serefpolicy-3.6.6.tgz
- Update to Latest upstream
2009-03-03 20:10:30 +00:00
serefpolicy-3.6.7.tgz
- Upgrade to latest patches
2009-03-05 21:05:47 +00:00
serefpolicy-3.6.8.tgz
- Upgrade to latest upstream
2009-03-12 15:48:51 +00:00
serefpolicy-3.6.9.tgz
- Add xenner and wine fixes from mgrepl
2009-03-20 18:42:38 +00:00
serefpolicy-3.6.10.tgz
- Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream
2009-04-06 19:27:19 +00:00
serefpolicy-3.6.11.tgz
- Upgrade to latest upstream - Allow devicekit_disk sys_rawio
2009-04-08 11:58:59 +00:00
serefpolicy-3.6.12.tgz
- Upgrade to upstream
2009-05-22 14:37:43 +00:00
serefpolicy-3.6.13.tgz
- Update to upstream
2009-06-09 02:15:29 +00:00
serefpolicy-3.6.14.tgz
- New version for upstream
2009-06-12 18:59:09 +00:00
serefpolicy-3.6.15.tgz
- New version for upstream
2009-06-15 17:59:49 +00:00
serefpolicy-3.6.16.tgz
- Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt
2009-06-19 11:41:44 +00:00
serefpolicy-3.6.17.tgz
- Update to upstream cleanup Fri Jun 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.17-1 - Update to upstream - Additional mail ports - Add virt_use_usb boolean for svirt
2009-06-20 13:59:00 +00:00
serefpolicy-3.6.18.tgz
- Update to upstream add sssd
2009-06-22 22:27:58 +00:00
serefpolicy-3.6.19.tgz
- Update to upstream - Fix nlscd_stream_connect
2009-06-26 20:13:04 +00:00
serefpolicy-3.6.20.tgz
- Update to upstream
2009-07-06 21:16:26 +00:00
serefpolicy-3.6.21.tgz
setroubleshoot-2.2.11.tar.gz
- Update to upstream
2009-07-15 19:12:04 +00:00
serefpolicy-3.6.22.tgz
- Update to upstream
2009-07-23 21:47:41 +00:00
serefpolicy-3.6.23.tgz
- Update to upstream
2009-07-28 19:08:17 +00:00
serefpolicy-3.6.24.tgz
- Fix polkit label - Remove hidebrokensymptoms for nss_ldap fix - Add modemmanager policy - Lots of merges from upstream - Begin removing textrel_shlib_t labels, from fixed libraries
2009-07-30 04:31:53 +00:00
serefpolicy-3.6.25.tgz
- More fixes from upstream
2009-07-30 21:38:54 +00:00
serefpolicy-3.6.26.tgz
- Add policycoreutils-python to pre install
2009-08-18 12:34:26 +00:00
serefpolicy-3.6.27.tgz
- Allow cupsd_config_t to be started by dbus - Add smoltclient policy
2009-08-18 22:43:34 +00:00
serefpolicy-3.6.28.tgz
- Fix system-config-services policy
2009-08-20 17:48:51 +00:00
setroubleshoot-2.2.21.tar.gz
- Update to upstream
2009-08-28 20:55:16 +00:00
serefpolicy-3.6.29.tgz
- Update to upsteam
2009-08-31 21:27:50 +00:00
serefpolicy-3.6.30.tgz
- More fixes
2009-09-09 21:08:02 +00:00
serefpolicy-3.6.31.tgz
- Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice
2009-09-16 17:50:32 +00:00
serefpolicy-3.6.32.tgz
- Update to upstream
2009-11-14 05:18:01 +00:00
serefpolicy-3.6.33.tgz
- Update to upstream release 2.20091117
2009-11-18 22:22:56 +00:00
serefpolicy-3.7.1.tgz
- Add asterisk policy back in
2009-11-20 16:55:54 +00:00
serefpolicy-3.7.2.tgz
- Add asterisk policy back in - Update to upstream release 2.20091117
2009-11-25 20:19:12 +00:00
serefpolicy-3.7.3.tgz
- Update to upstream release
2009-12-10 19:20:14 +00:00
serefpolicy-3.7.4.tgz
Update packages
2009-12-18 21:09:01 +00:00
serefpolicy-3.7.5.tgz
- Update to upstream
2010-01-08 22:03:53 +00:00
serefpolicy-3.7.6.tgz
- Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
2010-01-11 22:06:55 +00:00
serefpolicy-3.7.7.tgz
- Update to upstream
2010-01-18 22:40:25 +00:00
serefpolicy-3.7.8.tgz
- Add gstreamer_home_t for ~/.gstreamer
2010-01-22 15:26:39 +00:00
setroubleshoot-2.2.58.tar.gz
- Merge with upstream
2010-02-16 22:10:14 +00:00
serefpolicy-3.7.9.tgz
- Update to upstream
2010-03-18 15:47:35 +00:00
serefpolicy-3.7.11.tgz
serefpolicy-3.7.12.tgz
serefpolicy-3.7.13.tgz
serefpolicy-3.7.14.tgz
serefpolicy-3.7.15.tgz
- Update to upstream
2010-05-26 21:15:42 +00:00
serefpolicy-3.7.16.tgz
serefpolicy-3.7.17.tgz
serefpolicy-3.7.18.tgz
serefpolicy-3.7.19.tgz
serefpolicy-3.8.1.tgz
- Update to upstream - Allow prelink script to signal itself - Cobbler fixes
2010-06-07 21:15:35 +00:00
serefpolicy-3.8.2.tgz
- Update to upstream
2010-06-08 21:23:21 +00:00
serefpolicy-3.8.3.tgz
-Update to upstream
2010-06-18 20:14:28 +00:00
serefpolicy-3.8.4.tgz
-Update to upstream
2010-06-21 14:31:26 +00:00
serefpolicy-3.8.5.tgz
-Update to upstream
2010-06-28 17:19:34 +00:00
serefpolicy-3.8.6.tgz
- Update to upstream
2010-07-15 13:11:25 +00:00
serefpolicy-3.8.7.tgz
- Update to latest policy
2010-07-20 17:48:36 +00:00
serefpolicy-3.8.8.tgz
- Merge with upstream
2010-08-27 00:35:53 +00:00
*.rpm
serefpolicy*
/serefpolicy-3.9.0.tgz
- Merge with upstream
2010-08-30 21:34:52 +00:00
/serefpolicy-3.9.1.tgz
- Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs - Allow certmaster to read usr_t files - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm
2010-09-02 17:43:28 +00:00
/serefpolicy-3.9.2.tgz
Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port
2010-09-08 18:17:07 +00:00
/serefpolicy-3.9.3.tgz
- Update to upstream
2010-09-13 20:17:15 +00:00
/serefpolicy-3.9.4.tgz
- Update to upstream
2010-09-16 11:59:03 +00:00
/serefpolicy-3.9.5.tgz
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
2010-10-18 17:18:55 +00:00
/serefpolicy-3.9.6.tgz
- Update to upstream - Add vlock policy
2010-11-05 16:40:07 +00:00
/serefpolicy-3.9.8.tgz
- Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs
2010-11-16 08:46:19 +00:00
/serefpolicy-3.9.9.tgz
- Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types
2010-11-25 12:21:34 +00:00
/serefpolicy-3.9.10.tgz
- Update to upstream - Fix version of policy in spec file
2010-12-15 11:03:25 +00:00
/serefpolicy-3.9.11.tgz
Update to upstream
2010-12-20 17:43:48 +00:00
/serefpolicy-3.9.12.tgz
- Update to upstream
2011-01-17 18:42:12 +00:00
/serefpolicy-3.9.13.tgz
Commit removes big SELinux policy patches against tresys refpolicy. We're quite diverted from upstream policy. This change will use tarballs from github projects: https://github.com/fedora-selinux/selinux-policy https://github.com/fedora-selinux/selinux-policy-contrib
2017-12-24 13:31:11 +00:00
/selinux-policy-9ae373e.tar.gz
/selinux-policy-contrib-e269450.tar.gz
/container-selinux.tgz
Update new sources to reflect changes related to python3 dependency
2018-01-08 17:44:57 +00:00
/selinux-policy-contrib-a749579.tar.gz
/selinux-policy-f6aa4d6.tar.gz
* Mon Jan 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-2 - Allow aide to mmap usr_t files BZ(1534182) - Allow ypserv_t domain to connect to tcp ports BZ(1534245) - Allow vmtools_t domain creating vmware_log_t files - Allow openvswitch_t domain to acces infiniband devices - Allow dirsrv_t domain to create tmp link files - Allow pcp_pmie_t domain to exec itself. BZ(153326) - Update openvswitch SELinux module - Allow virtd_t to create also sock_files with label virt_var_run_t - Allow chronyc_t domain to manage chronyd_keys_t files. - Allow logwatch to exec journal binaries BZ(1403463) - Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864) - Update logging_read_all_logs to allow mmap all logfiles BZ(1403463) - Add Label systemd_unit_file_t for /var/run/systemd/units/
2018-01-15 16:33:37 +00:00
/selinux-policy-cc4a892.tar.gz
/selinux-policy-contrib-68a780b.tar.gz
* Fri Jan 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-3 - Merge pull request #45 from jlebon/pr/rot-sd-dbus-rawhide - Allow virt_domains to acces infiniband pkeys. - Allow systemd to relabelfrom tmpfs_t link files in /var/run/systemd/units/ BZ(1535180) - Label /usr/libexec/ipsec/addconn as ipsec_exec_t to run this script as ipsec_t instead of init_t - Allow audisp_remote_t domain write to files on all levels
2018-01-19 11:48:25 +00:00
/selinux-policy-0087f3e.tar.gz
/selinux-policy-contrib-93c9a53.tar.gz
* Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-4 - rpm: Label /usr/share/rpm usr_t (ostree/Atomic systems) - Update dbus_role_template() BZ(1536218) - Allow lldpad_t domain to mmap own tmpfs files BZ(1534119) - Allow blueman_t dbus chat with policykit_t BZ(1470501) - Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t BZ(1507110) - Allow postfix_master_t and postfix_local_t to connect to system dbus. BZ(1530275) - Allow system_munin_plugin_t domain to read sssd public files and allow stream connect to ssd daemon BZ(1528471) - Allow rkt_t domain to bind on rkt_port_t tcp BZ(1534636) - Allow jetty_t domain to mmap own temp files BZ(1534628) - Allow sslh_t domain to read sssd public files and stream connect to sssd. BZ(1534624) - Consistently label usr_t for kernel/initrd in /usr - kernel/files.fc: Label /usr/lib/sysimage as usr_t - Allow iptables sysctl load list support with SELinux enforced - Label HOME_DIR/.config/systemd/user/* user unit files as systemd_unit_file_t BZ(1531864)
2018-01-30 11:57:41 +00:00
/selinux-policy-747f4e6.tar.gz
/selinux-policy-contrib-4fe9943.tar.gz
* Tue Jan 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-5 - Allow opendnssec daemon to execute ods-signer BZ(1537971)
2018-01-30 16:04:16 +00:00
/selinux-policy-contrib-a1cd00e.tar.gz
* Tue Feb 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-6 - Allow openvswitch_t domain to read cpuid, write to sysfs files and creating openvswitch_tmp_t sockets - Add new interface ppp_filetrans_named_content() - Allow keepalived_t read sysctl_net_t files - Allow puppetmaster_t domtran to puppetagent_t - Allow kdump_t domain to read kernel ring buffer - Allow boinc_t to mmap boinc tmpfs files BZ(1540816) - Merge pull request #47 from masatake/keepalived-signal - Allow keepalived_t create and write a file under /tmp - Allow ipsec_t domain to exec ifconfig_exec_t binaries. - Allow unconfined_domain_typ to create pppd_lock_t directory in /var/lock - Allow updpwd_t domain to create files in /etc with shadow_t label
2018-02-06 08:58:08 +00:00
/selinux-policy-642cc91.tar.gz
/selinux-policy-contrib-b657ba0.tar.gz
* Thu Feb 08 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-7 - Label /usr/sbin/ldap-agent as dirsrv_snmp_exec_t - Allow certmonger_t domain to access /etc/pki/pki-tomcat BZ(1542600) - Allow keepalived_t domain getattr proc filesystem - Allow init_t to create UNIX sockets for unconfined services (BZ1543049) - Allow ipsec_mgmt_t execute ifconfig_exec_t binaries Allow ipsec_mgmt_t nnp domain transition to ifconfig_t - Allow ipsec_t nnp transistions to domains ipsec_mgmt_t and ifconfig_t
2018-02-08 13:38:23 +00:00
/selinux-policy-contrib-0311bf8.tar.gz
/selinux-policy-ef9ecd7.tar.gz
* Tue Feb 20 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.1-9 - Fix broken cups Security Module - Allow dnsmasq_t domain dbus chat with unconfined users. BZ(1532079) - Allow geoclue to connect to tcp nmea port BZ(1362118) - Allow pcp_pmcd_t to read mock lib files BZ(1536152) - Allow abrt_t domain to mmap passwd file BZ(1540666) - Allow gpsd_t domain to get session id of another process BZ(1540584) - Allow httpd_t domain to mmap httpd_tmpfs_t files BZ(1540405) - Allow cluster_t dbus chat with systemd BZ(1540163) - Add interface raid_stream_connect() - Allow nscd_t to mmap nscd_var_run_t files BZ(1536689) - Allow dovecot_delivery_t to mmap mail_home_rw_t files BZ(1531911) - Make cups_pdf_t domain system dbusd client BZ(1532043) - Allow logrotate to read auditd_log_t files BZ(1525017) - Improve snapperd SELinux policy BZ(1514272) - Allow virt_domain to read virt_image_t files BZ(1312572) - Allow openvswitch_t stream connect svirt_t - Update dbus_dontaudit_stream_connect_system_dbusd() interface - Allow openvswitch domain to manage svirt_tmp_t sock files - Allow named_filetrans_domain domains to create .heim_org.h5l.kcm-socket sock_file with label sssd_var_run_t BZ(1538210) - Merge pull request #50 from dodys/pkcs - Label tcp and udp ports 10110 as nmea_port_t BZ(1362118) - Allow systemd to access rfkill lib dirs BZ(1539733) - Allow systemd to mamange raid var_run_t sockfiles and files BZ(1379044) - Allow vxfs filesystem to use SELinux labels - Allow systemd to setattr on systemd_rfkill_var_lib_t dirs BZ(1512231) - Allow few services to dbus chat with snapperd BZ(1514272) - Allow systemd to relabel system unit symlink to systemd_unit_file_t. BZ(1535180) - Fix logging as staff_u into Fedora 27 - Fix broken systemd_tmpfiles_run() interface
2018-02-20 08:25:14 +00:00
/selinux-policy-8a10ba8.tar.gz
/selinux-policy-contrib-6777a17.tar.gz
* Thu Feb 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-2 - refpolicy: Define extended_socket_class policy capability and socket classes - Make bluetooth_var_lib_t as mountpoint BZ(1547416) - Allow systemd to request load kernel module BZ(1547227) - Allow ipsec_t domain to read l2tpd pid files - Allow sysadm to read/write trace filesystem BZ(1547875) - Allow syslogd_t to mmap systemd coredump tmpfs files BZ(1547761)
2018-02-22 14:13:02 +00:00
/selinux-policy-contrib-27f5e51.tar.gz
/selinux-policy-2c13be1.tar.gz
Add forgotten sources file
2018-03-05 15:27:57 +00:00
/selinux-policy-e16d205.tar.gz
/selinux-policy-contrib-9facb1c.tar.gz
* Tue Mar 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-4 - Allow l2tpd_t domain to create pppox sockets - Update dbus_system_bus_client() so calling domain could read also system_dbusd_var_lib_t link files BZ(1544251) - Add interface abrt_map_cache() - Update gnome_manage_home_config() to allow also map permission BZ(1544270) - Allow oddjob_mkhomedir_t domain to be dbus system client BZ(1551770) - Dontaudit kernel bug when several services requesting load kernel module - Allow traceroute and unconfined domains creating sctp sockets - Add interface corenet_sctp_bind_generic_node() - Allow ping_t domain to create icmp sockets - Allow staff_t to mmap abrt_var_cache_t BZ(1544273) - Fix typo bug in dev_map_framebuffer() interface BZ(1551842) - Dontaudit kernel bug when several services requesting load kernel module
2018-03-06 15:16:43 +00:00
/selinux-policy-contrib-f564072.tar.gz
/selinux-policy-bd7ad92.tar.gz
* Mon Mar 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-5 - Allow bluetooth_t domain to create alg_socket BZ(1554410) - Allow tor_t domain to execute bin_t files BZ(1496274) - Allow iscsid_t domain to mmap kernel modules BZ(1553759) - Update minidlna SELinux policy BZ(1554087) - Allow motion_t domain to read sysfs_t files BZ(1554142) - Allow snapperd_t domain to getattr on all files,dirs,sockets,pipes BZ(1551738) - Allow l2tp_t domain to read ipsec config files BZ(1545348) - Allow colord_t to mmap home user files BZ(1551033) - Dontaudit httpd_t creating kobject uevent sockets BZ(1552536) - Allow ipmievd_t to mmap kernel modules BZ(1552535) - Allow boinc_t domain to read cgroup files BZ(1468381) - Backport allow rules from refpolicy upstream repo - Allow gpg_t domain to bind on all unereserved udp ports - Allow systemd to create systemd_rfkill_var_lib_t dirs BZ(1502164) - Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655) - Allow xdm_t domain to sys_ptrace BZ(1554150) - Allow application_domain_type also mmap inherited user temp files BZ(1552765) - Update ipsec_read_config() interface - Fix broken sysadm SELinux module - Allow ipsec_t to search for bind cache BZ(1542746) - Allow staff_t to send sigkill to mount_t domain BZ(1544272) - Label /run/systemd/resolve/stub-resolv.conf as net_conf_t BZ(1471545) - Label ip6tables.init as iptables_exec_t BZ(1551463) - Allow hostname_t to use usb ttys BZ(1542903) - Add fsetid capability to updpwd_t domain BZ(1543375) - Allow systemd machined send signal to all domains BZ(1372644) - Dontaudit create netlink selinux sockets for unpriv SELinux users BZ(1547876) - Allow sysadm_t to create netlink generic sockets BZ(1547874) - Allow passwd_t domain chroot - Dontaudit confined unpriviliged users setuid capability
2018-03-12 16:20:32 +00:00
/selinux-policy-9bd65d3.tar.gz
/selinux-policy-contrib-fbc0290.tar.gz
* Thu Mar 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-6 - Allow rpcd_t domain dac override - Allow rpm domain to mmap rpm_var_lib_t files - Allow arpwatch domain to create bluetooth sockets - Allow secadm_t domain to mmap audit config and log files - Update init_abstract_socket_activation() to allow also creating tcp sockets - getty_t should be ranged in MLS. Then also local_login_t runs as ranged domain. - Add SELinux support for systemd-importd - Create new type bpf_t and label /sys/fs/bpf with this type
2018-03-15 19:41:40 +00:00
/selinux-policy-contrib-ce817e6.tar.gz
/selinux-policy-370bcfb.tar.gz
Update also sources
2018-03-20 11:21:39 +00:00
/selinux-policy-4b1f9bd.tar.gz
/selinux-policy-contrib-d2dd0ad.tar.gz
* Wed Mar 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-8 - Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled - Allow semanage_t domain mmap usr_t files - Add new boolean: ssh_use_tcpd()
2018-03-21 18:15:49 +00:00
/selinux-policy-contrib-7ecfe28.tar.gz
/selinux-policy-116b85e.tar.gz
* Sun Mar 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-9 - Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795) - Allow nagios to exec itself and mmap nagios spool files BZ(1559683) - Allow nagios to mmap nagios config files BZ(1559683) - Fixing Ganesha module - Fix typo in NetworkManager module - Fix bug in gssproxy SELinux module - Allow abrt_t domain to mmap container_file_t files BZ(1525573) - Allow networkmanager to be run ssh client BZ(1558441) - Allow pcp domains to do dc override BZ(1557913) - Dontaudit pcp_pmie_t to reaquest lost kernel module - Allow pcp_pmcd_t to manage unpriv userdomains semaphores BZ(1554955) - Allow httpd_t to read httpd_log_t dirs BZ(1554912) - Allow fail2ban_t to read system network state BZ(1557752) - Allow dac override capability to mandb_t domain BZ(1529399) - Allow collectd_t domain to mmap collectd_var_lib_t files BZ(1556681) - Dontaudit bug in kernel 4.16 when domains requesting loading kernel modules BZ(1555369) - Add Domain transition from gssproxy_t to httpd_t domains BZ(1548439) - Allow httpd_t to mmap user_home_type files if boolean httpd_read_user_content is enabled BZ(1555359) - Allow snapperd to relabel snapperd_data_t - Improve bluetooth_stream_socket interface to allow caller domain also send bluetooth sockets - Allow tcpd_t bind on sshd_port_t if ssh_use_tcpd() is enabled - Allow insmod_t to load modules BZ(1544189) - Allow systemd_rfkill_t domain sys_admin capability BZ(1557595) - Allow systemd_networkd_t to read/write tun tap devices - Add shell_exec_t file as domain entry for init_t - Label also /run/systemd/resolved/ as systemd_resolved_var_run_t BZ(1556862) - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module BZ(1557347) - Improve userdom_mmap_user_home_content_files - Allow systemd_logind_t domain to setattributes on fixed disk devices BZ(1555414) - Dontaudit kernel 4.16 bug when lot of domains requesting load kernel module - Allow semanage_t domain mmap usr_t files - Add new boolean: ssh_use_tcpd()
2018-03-25 00:02:58 +00:00
/selinux-policy-154a8cf.tar.gz
/selinux-policy-contrib-504d76b.tar.gz
* Thu Mar 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-11 - Allow accountsd_t domain to dac override BZ(1561304) - Allow cockpit_ws_t domain to read system state BZ(1561053) - Allow postfix_map_t domain to use inherited user ptys BZ(1561295) - Allow abrt_dump_oops_t domain dac override BZ(1561467) - Allow l2tpd_t domain to run stream connect for sssd_t BZ(1561755) - Allow crontab domains to do dac override - Allow snapperd_t domain to unmount fs_t filesystems - Allow pcp processes to read fixed_disk devices BZ(1560816) - Allow unconfined and confined users to use dccp sockets - Allow systemd to manage bpf dirs/files - Allow traceroute_t to create dccp_sockets
2018-03-29 17:27:36 +00:00
/selinux-policy-01924d8.tar.gz
/selinux-policy-contrib-1255203.tar.gz
* Sat Apr 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-12 - Add new boolean redis_enable_notify() - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ - Allow svnserve_t domain to manage kerberos rcache and read krb5 keytab - Add dac_override and dac_read_search capability to hypervvssd_t domain - Label /usr/lib/systemd/systemd-fence_sanlockd as fenced_exec_t - Allow samba to create /tmp/host_0 as krb5_host_rcache_t - Add dac_override capability to fsdaemon_t BZ(1564143) - Allow abrt_t domain to map dos files BZ(1564193) - Add dac_override capability to automount_t domain - Allow keepalived_t domain to connect to system dbus bus - Allow nfsd_t to read nvme block devices BZ(1562554) - Allow lircd_t domain to execute bin_t files BZ(1562835) - Allow l2tpd_t domain to read sssd public files BZ(1563355) - Allow logrotate_t domain to do dac_override BZ(1539327) - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t - Add capability sys_resource to systemd_sysctl_t domain - Label all /dev/rbd* devices as fixed_disk_device_t - Allow xdm_t domain to mmap xserver_log_t files BZ(1564469) - Allow local_login_t domain to rread udev db - Allow systemd_gpt_generator_t to read /dev/random device - add definition of bpf class and systemd perms
2018-04-07 18:34:23 +00:00
/selinux-policy-contrib-10b75cc.tar.gz
/selinux-policy-bb22502.tar.gz
* Thu Apr 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-13 - refpolicy: Update for kernel sctp support - Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791) - Allow antivirus domain to be client for system dbus BZ(1562457) - Dontaudit requesting tlp_t domain kernel modules, its a kernel bug BZ(1562383) - Add new boolean: colord_use_nfs() BZ(1562818) - Allow pcp_pmcd_t domain to check access to mdadm BZ(1560317) - Allow colord_t to mmap gconf_home_t files - Add new boolean redis_enable_notify() - Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t - Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/ - Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
2018-04-12 10:51:18 +00:00
/selinux-policy-b8ddd7e.tar.gz
/selinux-policy-contrib-4b13776.tar.gz
* Fri Apr 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-14 - Add dac_override capability to mailman_mail_t domain - Add dac_override capability to radvd_t domain - Update openvswitch policy - Add dac_override capability to oddjob_homedir_t domain - Allow slapd_t domain to mmap slapd_var_run_t files - Rename tang policy to tangd - Allow virtd_t domain to relabel virt_var_lib_t files - Allow logrotate_t domain to stop services via systemd - Add tang policy - Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t - Allow snapperd_t daemon to create unlabeled dirs. - Make httpd_var_run_t mountpoint - Allow hsqldb_t domain to mmap own temp files - We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence - Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP - Add new Boolean tomcat_use_execmem - Allow nfsd_t domain to read/write sysctl fs files - Allow conman to read system state - Allow brltty_t domain to be dbusd system client - Allow zebra_t domain to bind on babel udp port - Allow freeipmi domain to read sysfs_t files - Allow targetd_t domain mmap lvm config files - Allow abrt_t domain to manage kdump crash files - Add capability dac_override to antivirus domain - Allow svirt_t domain mmap svirt_image_t files BZ(1514538) - Allow ftpd_t domain to chat with systemd - Allow systemd init named socket activation for uuidd policy - Allow networkmanager domain to write to ecryptfs_t files BZ(1566706) - Allow l2tpd domain to stream connect to sssd BZ(1568160) - Dontaudit abrt_t to write to lib_t dirs BZ(1566784) - Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630) - Allow certwatch to manage cert files BZ(1561418) - Merge pull request #53 from tmzullinger/rawhide - Merge pull request #52 from thetra0/rawhide - Allow abrt_dump_oops_t domain to mmap all non security files BZ(1565748) - Allow gpg_t domain mmap cert_t files Allow gpg_t mmap gpg_agent_t files - Allow NetworkManager_ssh_t domain use generic ptys. BZ(1565851) - Allow pppd_t domain read/write l2tpd pppox sockets BZ(1566096) - Allow xguest user use bluetooth sockets if xguest_use_bluetooth boolean is turned on. - Allow pppd_t domain creating pppox sockets BZ(1566271) - Allow abrt to map var_lib_t files - Allow chronyc to read system state BZ(1565217) - Allow keepalived_t domain to chat with systemd via dbus - Allow git to mmap git_(sys|user)_content_t files BZ(1518027) - Allow netutils_t domain to create bluetooth sockets - Allow traceroute to bind on generic sctp node - Allow traceroute to search network sysctls - Allow systemd to use virtio console - Label /dev/op_panel and /dev/opal-prd as opal_device_t
2018-04-27 09:50:21 +00:00
/selinux-policy-fee4738.tar.gz
/selinux-policy-contrib-6c883f6.tar.gz
* Sat Apr 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-15 - Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
2018-04-28 17:43:37 +00:00
/selinux-policy-301aa80.tar.gz
/selinux-policy-contrib-01b5dd1.tar.gz
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16 - Allow systemd to mmap files with var_log_t label - Allow x_userdomains read/write to xserver session
2018-04-30 14:30:28 +00:00
/selinux-policy-17160ee.tar.gz
/selinux-policy-contrib-4f6a859.tar.gz
Fix typo bug in xserver SELinux module
2018-04-30 15:41:45 +00:00
/selinux-policy-718d75d.tar.gz
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17 - Add dac_override capability to remote_login_t domain - Allow chrome_sandbox_t to mmap tmp files - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes - Allow systemd socket activation for modemmanager - Allow geoclue to dbus chat with systemd - Fix file contexts on conntrackd policy - Temporary fix for varnish and apache adding capability for DAC_OVERRIDE - Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets - Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t - Allow nscd_t domain to be system dbusd client - Allow abrt_t domain to read sysctl - Add dac_read_search capability for tangd - Allow systemd socket activation for rshd domain - Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t - Allow kdump_t domain to map /boot files - Allow conntrackd_t domain to send msgs to syslog - Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t - Allow swnserve_t domain to stream connect to sasl domain - Allow smbcontrol_t to create dirs with samba_var_t label - Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760) - Allow tangd to read public sssd files BZ(1509054) - Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212) - Allow ctdb_t domain modify ctdb_exec_t files - Allow firewalld_t domain to create netlink_netfilter sockets - Allow radiusd_t domain to read network sysctls - Allow pegasus_t domain to mount tracefs_t filesystem - Allow create systemd to mount pid files - Add files_map_boot_files() interface - Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760) - Fix typo xserver SELinux module - Allow systemd to mmap files with var_log_t label - Allow x_userdomains read/write to xserver session
2018-05-20 23:48:14 +00:00
/selinux-policy-cab8dc9.tar.gz
/selinux-policy-contrib-19624b4.tar.gz
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18 - Disable secure mode environment cleansing for dirsrv_t - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
2018-05-21 20:23:41 +00:00
/selinux-policy-contrib-5ae0301.tar.gz
/selinux-policy-ba72e52.tar.gz
* Thu May 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-20 - Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files - Allow mailman_mail_t domain to search for apache configs - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. - Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow ptrace arbitrary processes - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) - Allow certmonger to geattr of filesystems BZ(1578755) - Update dev_map_xserver_misc interface to allo mmaping char devices instead of files - Allow noatsecure permission for all domain transitions from systemd. - Allow systemd to read tangd db files - Fix typo in ssh.if file - Allow xdm_t domain to mmap xserver_misc_device_t files - Allow xdm_t domain to execute systemd-coredump binary - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
2018-05-24 14:07:11 +00:00
/selinux-policy-877fde5.tar.gz
/selinux-policy-contrib-12d91da.tar.gz
* Sat May 26 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-21 - Add dac_override to exim policy BZ(1574303) - Fix typo in conntrackd.fc file - Allow sssd_t to kill sssd_selinux_manager_t - Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on - Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp - Allow policykit_auth_t to read udev db files BZ(1574419) - Allow varnishd_t do be dbus client BZ(1582251) - Allow cyrus_t domain to mmap own pid files BZ(1582183) - Allow user_mail_t domain to mmap etc_aliases_t files - Allow gkeyringd domains to run ssh agents - Allow gpg_pinentry_t domain read ssh state - Allow sysadm_u use xdm - Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495) - Add interface ssh_read_state() - Fix typo in sysnetwork.if file
2018-05-25 22:25:28 +00:00
/selinux-policy-contrib-6cf567f.tar.gz
/selinux-policy-a1ec13e.tar.gz
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-22 - Fix typo in authconfig policy - Update ctdb domain to support gNFS setup - Allow authconfig_t dbus chat with policykit - Allow lircd_t domain to read system state - Revert "Allow fsdaemon_t do send emails BZ(1582701)" - Typo in uuidd policy - Allow tangd_t domain read certs - Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107) - Allow vpnc_t domain to read generic certs BZ(1583100) - Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811) - Allow NetworkManager_ssh_t domain to be system dbud client - Allow virt_qemu_ga_t read utmp - Add capability dac_override to system_mail_t domain - Update uuidd policy to reflect last changes from base branch - Add cap dac_override to procmail_t domain - Allow sendmail to mmap etc_aliases_t files BZ(1578569) - Add new interface dbus_read_pid_sock_files() - Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled - Allow fsdaemon_t do send emails BZ(1582701) - Allow firewalld_t domain to request kernel module BZ(1573501) - Allow chronyd_t domain to send send msg via dgram socket BZ(1584757) - Add sys_admin capability to fprint_t SELinux domain - Allow cyrus_t domain to create own files under /var/run BZ(1582885) - Allow cachefiles_kernel_t domain to have capability dac_override - Update policy for ypserv_t domain - Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t - Allow cyrus to have dac_override capability - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets - Fix homedir polyinstantion under mls - Fixed typo in init.if file - Allow systemd to remove generic tmpt files BZ(1583144) - Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation - Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075) - Fix typo in authlogin SELinux security module - Allod nsswitch_domain attribute to be system dbusd client BZ(1584632) - Allow audisp_t domain to mmap audisp_exec_t binary - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file - Label tcp/udp ports 2612 as qpasa_agetn_port_t
2018-06-06 08:25:52 +00:00
/selinux-policy-contrib-93edf9a.tar.gz
/selinux-policy-d06c960.tar.gz
* Wed Jun 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-23 - Add dac_override capability to sendmail_t domian
2018-06-06 11:16:15 +00:00
/selinux-policy-contrib-f1b2ca4.tar.gz
* Tue Jun 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-24 - /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type - Allow ntop_t domain to create/map various sockets/files. - Enable the dictd to communicate via D-bus. - Allow inetd_child process to chat via dbus with abrt - Allow zabbix_agent_t domain to connect to redis_port_t - Allow rhsmcertd_t domain to read xenfs_t files - Allow zabbix_agent_t to run zabbix scripts - Fix openvswith SELinux module - Fix wrong path in tlp context file BZ(1586329) - Update brltty SELinux module - Allow rabbitmq_t domain to create own tmp files/dirs - Allow policykit_t mmap policykit_auth_exec_t files - Allow ipmievd_t domain to read general certs - Add sys_ptrace capability to pcp_pmie_t domain - Allow squid domain to exec ldconfig - Update gpg SELinux policy module - Allow mailman_domain to read system network state - Allow openvswitch_t domain to read neutron state and read/write fixed disk devices - Allow antivirus_domain to read all domain system state - Allow targetd_t domain to red gconf_home_t files/dirs - Label /usr/libexec/bluetooth/obexd as obexd_exec_t - Add interface nagios_unconfined_signull() - Fix typos in zabbix.te file - Add missing requires - Allow tomcat domain sends email - Fix typo in sge policy - Merge pull request #214 from wrabcak/fb-dhcpc - Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971) - Allow confined users get AFS tokens - Allow sysadm_t domain to chat via dbus - Associate sysctl_kernel_t type with filesystem attribute - Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t - Fix typo in netutils.te file
2018-06-12 12:22:02 +00:00
/selinux-policy-ae55b01.tar.gz
/selinux-policy-contrib-d23eef1.tar.gz
* Thu Jun 14 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-25 - Merge pull request #60 from vmojzis/rawhide - Allow tangd_t domain stream connect to sssd - Allow oddjob_t domain to chat with systemd via dbus - Allow freeipmi domains to mmap sysfs files - Fix typo in logwatch interface file - Allow spamd_t to manage logwatch_cache_t files/dirs - Allow dnsmasw_t domain to create own tmp files and manage mnt files - Allow fail2ban_client_t to inherit rlimit information from parent process - Allow nscd_t to read kernel sysctls - Label /var/log/conman.d as conman_log_t - Add dac_override capability to tor_t domain - Allow certmonger_t to readwrite to user_tmp_t dirs - Allow abrt_upload_watch_t domain to read general certs - Allow chornyd_t read phc2sys_t shared memory - Add several allow rules for pesign policy: - Add setgid and setuid capabilities to mysqlfd_safe_t domain - Add tomcat_can_network_connect_db boolean - Update virt_use_sanlock() boolean to read sanlock state - Add sanlock_read_state() interface - Allow zoneminder_t to getattr of fs_t - Allow rhsmcertd_t domain to send signull to postgresql_t domain - Add log file type to collectd and allow corresponding access - Allow policykit_t domain to dbus chat with dhcpc_t - Allow traceroute_t domain to exec bin_t binaries - Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override - Add new interface dev_map_sysfs() - Allow sshd_keygen_t to execute plymouthd - Allow systemd_networkd_t create and relabel tun sockets - Add new interface postgresql_signull()
2018-06-14 13:31:59 +00:00
/selinux-policy-003cd80.tar.gz
/selinux-policy-contrib-494e26e.tar.gz
* Wed Jun 27 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-26 - Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label - Allow abrt_t domain to write to rhsmcertd pid files - Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control - Add vhostmd_t domain to read/write to svirt images - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files - Allow sssd_t and slpad_t domains to mmap generic certs - Allow chronyc_t domain use inherited user ttys - Allow stapserver_t domain to mmap own tmp files - Update nscd_dontaudit_write_sock_file() to dontaudit also stream connect to nscd_t domain - Merge pull request #60 from vmojzis/rawhide - Allow tangd_t domain stream connect to sssd - Allow oddjob_t domain to chat with systemd via dbus - Allow freeipmi domains to mmap sysfs files - Fix typo in logwatch interface file - Allow sysadm_t and staff_t domains to use sudo io logging - Allow sysadm_t domain create sctp sockets - Allow traceroute_t domain to exec bin_t binaries - Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override - Add new interface dev_map_sysfs()
2018-06-27 08:25:55 +00:00
/selinux-policy-2248854.tar.gz
/selinux-policy-contrib-23a0603.tar.gz
* Wed Jul 18 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-28 - Allow cupsd_t domain to mmap cupsd_etc_t files - Allow kadmind_t domain to mmap krb5kdc_principal_t - Allow virtlogd_t domain to read virt_etc_t link files - Allow dirsrv_t domain to read crack db - Dontaudit pegasus_t to require sys_admin capability - Allow mysqld_t domain to exec mysqld_exec_t binary files - Allow abrt_t odmain to read rhsmcertd lib files - Allow winbind_t domain to request kernel module loads - Allow tomcat_domain to read cgroup_t files - Allow varnishlog_t domain to mmap varnishd_var_lib_t files - Allow innd_t domain to mmap news_spool_t files - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t - Allow fenced_t domain to reboot - Allow amanda_t domain to read network system state - Allow abrt_t domain to read rhsmcertd logs - Fix typo in radius policy - Update zoneminder policy to reflect latest features in zoneminder BZ(1592555) - Label /usr/bin/esmtp-wrapper as sendmail_exec_t - Update raid_access_check_mdadm() interface to dontaudit caller domain to mmap mdadm_exec_t binary files - Dontaudit thumb to read mmap_min_addr - Allow chronyd_t to send to system_cronjob_t via unix dgram socket BZ(1494904) - Allow mpd_t domain to mmap mpd_tmpfs_t files BZ(1585443) - Allow collectd_t domain to use ecryptfs files BZ(1592640) - Dontaudit mmap home type files for abrt_t domain - Allow fprintd_t domain creating own tmp files BZ(1590686) - Allow collectd_t domain to bind on bacula_port_t BZ(1590830) - Allow fail2ban_t domain to getpgid BZ(1591421) - Allow nagios_script_t domain to mmap nagios_log_t files BZ(1593808) - Allow pcp_pmcd_t domain to use sys_ptrace usernamespace cap - Allow sssd_selinux_manager_t to read/write to systemd sockets BZ(1595458) - Allow virt_qemu_ga_t domain to read network state BZ(1592145) - Allow radiusd_t domain to mmap radius_etc_rw_t files - Allow git_script_t domain to read and mmap gitosis_var_lib_t files BZ(1591729) - Add dac_read_search capability to thumb_t domain - Add dac_override capability to cups_pdf_t domain BZ(1594271) - Add net_admin capability to connntrackd_t domain BZ(1594221) - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) - Allow motion_t to mmap video devices BZ(1590446) - Add dac_override capability to mpd_t domain BZ(1585358) - Allow fsdaemon_t domain to write to mta home files BZ(1588212) - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) - Allow sssd_t domain to write to general cert files BZ(1589339) - Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) - Allow cockpit_session_t to read kernel network state BZ(1596941) - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files - Allow chronyc_t domain to use nscd shm - Label /var/lib/tomcats dir as tomcat_var_lib_t
2018-07-18 15:37:07 +00:00
/selinux-policy-d616286.tar.gz
/selinux-policy-contrib-bfc11d6.tar.gz
* Wed Jul 25 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-29 - Allow aide to mmap all files - Revert "Allow firewalld to create rawip sockets" - Revert "Allow firewalld_t do read iptables_var_run_t files" - Allow svirt_tcg_t domain to read system state of virtd_t domains - Update rhcs contexts to reflects the latest fenced changes - Allow httpd_t domain to rw user_tmp_t files - Fix typo in openct policy - Allow winbind_t domian to connect to all ephemeral ports - Allow firewalld_t do read iptables_var_run_t files - Allow abrt_t domain to mmap data_home files - Allow glusterd_t domain to mmap user_tmp_t files - Allow mongodb_t domain to mmap own var_lib_t files - Allow firewalld to read kernel usermodehelper state - Allow modemmanager_t to read sssd public files - Allow openct_t domain to mmap own var_run_t files - Allow nnp transition for devicekit daemons - Allow firewalld to create rawip sockets - Allow firewalld to getattr proc filesystem - Dontaudit sys_admin capability for pcscd_t domain - Revert "Allow pcsd_t domain sys_admin capability" - Allow fetchmail_t domain to stream connect to sssd - Allow pcsd_t domain sys_admin capability - Allow cupsd_t to create cupsd_etc_t dirs - Allow varnishlog_t domain to list varnishd_var_lib_t dirs - Allow mongodb_t domain to read system network state BZ(1599230) - Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377) - Allow iscsid_t domain to mmap sysfs_t files - Allow httpd_t domain to mmap own cache files - Add sys_resource capability to nslcd_t domain - Fixed typo in logging_audisp_domain interface - Add interface files_mmap_all_files() - Add interface iptables_read_var_run() - Allow systemd to mounton init_var_run_t files - Update policy rules for auditd_t based on changes in audit version 3 - Allow systemd_tmpfiles_t do mmap system db files - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Improve domain_transition_pattern to allow mmap entrypoint bin file. - Don't setup unlabeled_t as an entry_type - Allow unconfined_service_t to transition to container_runtime_t
2018-07-25 21:42:34 +00:00
/selinux-policy-cc3def4.tar.gz
/selinux-policy-contrib-f0ca657.tar.gz
* Sun Jul 29 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-30 - Allow sblim_sfcbd_t domain to mmap own tmpfs files - Allow nfsd_t domain to read krb5 keytab files - Allow nfsd_t domain to manage fadm pid files - Allow virt_domain to create icmp sockets BZ(1609142) - Dontaudit oracleasm_t domain to request sys_admin capability - Update logging_manage_all_logs() interface to allow caller domain map all logfiles
2018-07-29 15:17:33 +00:00
/selinux-policy-contrib-6bfaa82.tar.gz
/selinux-policy-e08b2da.tar.gz
* Fri Aug 10 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-32 - Fix issue with aliases in apache interface file - Add same context for symlink as binary - Allow boltd_t to send logs to journal - Allow colord_use_nfs to allow colord also mmap nfs_t files - Allow mysqld_safe_t do execute itself - Allow smbd_t domain to chat via dbus with avahi daemon - cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t - Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain - Add alias httpd__script_t to _script_t to make sepolicy generate working - Allow gpg_t domain to mmap gpg_agent_tmp_t files - label /var/lib/pgsql/data/log as postgresql_log_t - Allow sysadm_t domain to accept socket - Allow systemd to manage passwd_file_t - Allow sshd_t domain to mmap user_tmp_t files
2018-08-10 15:26:19 +00:00
/selinux-policy-8555de5.tar.gz
/selinux-policy-contrib-ab97c9d.tar.gz
* Tue Aug 28 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-1 - Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Add interface devicekit_mounton_var_lib() - Allow httpd_t domain to mmap tmp files - Allow tcsd_t domain to have dac_override capability - Allow cupsd_t to rename cupsd_etc_t files - Allow iptables_t domain to create rawip sockets - Allow amanda_t domain to mmap own tmpfs files - Allow fcoemon_t domain to write to sysfs_t dirs - Allow dovecot_auth_t domain to have dac_override capability - Allow geoclue_t domain to mmap own tmp files - Allow chronyc_t domain to read network state - Allow apcupsd_t domain to execute itself - Allow modemmanager_t domain to stream connect to sssd - Allow chonyc_t domain to rw userdomain pipes - Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks - Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files - Allow nagios_script_t domain to mmap nagios_spool_t files - Allow geoclue_t domain to mmap geoclue_var_lib_t files - Allow geoclue_t domain to map generic certs - Update munin_manage_var_lib_files to allow manage also dirs - Allow nsd_t domain to create new socket file in /var/run/nsd.ctl - Fix typo in virt SELinux policy module - Allow virtd_t domain to create netlink_socket - Allow rpm_t domain to write to audit - Allow nagios_script_t domain to mmap nagios_etc_t files - Update nscd_socket_use() to allow caller domain to stream connect to nscd_t - Allow kdumpctl_t domain to getattr fixed disk device in mls - Fix typo in stapserver policy - Dontaudit abrt_t domain to write to usr_t dirs - Revert "Allow rpcbind to bind on all unreserved udp ports" - Allow rpcbind to bind on all unreserved udp ports - Allow virtlogd to execute itself - Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files - Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs - Allos systemd to socket activate ibacm service - Allow dirsrv_t domain to mmap user_t files - Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files - Allow kdumpctl to write to files on all levels - Allow httpd_t domain to mmap httpd_config_t files - Allow sanlock_t domain to connectto to unix_stream_socket - Revert "Add same context for symlink as binary" - Allow mysql execute rsync - Update nfsd_t policy because of ganesha features - Allow conman to getattr devpts_t - Allow tomcat_domain to connect to smtp ports - Allow tomcat_t domain to mmap tomcat_var_lib_t files - Allow nagios_t domain to mmap nagios_log_t files - Allow kpropd_t domain to mmap krb5kdc_principal_t files - Allow kdumpctl_t domain to read fixed disk storage
2018-08-28 22:10:24 +00:00
/selinux-policy-c8dfe84.tar.gz
/selinux-policy-contrib-a342008.tar.gz
* Thu Sep 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-2 - Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Add read interfaces for mysqld_log_t that was added in commit df832bf - Allow boltd_t to dbus chat with xdm_t - Conntrackd need to load kernel module to work - Allow mysqld sys_nice capability - Update boltd policy based on SELinux denials from rhbz#1607974 - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" - Add boolean: domain_can_mmap_files. - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev()
2018-09-06 20:33:33 +00:00
/selinux-policy-contrib-5ed2192.tar.gz
/selinux-policy-38c6414.tar.gz
* Mon Sep 24 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-4 - Update sources to include SELinux policy for containers
2018-09-24 15:11:01 +00:00
/selinux-policy-contrib-dab4b50.tar.gz
/selinux-policy-446ee2a.tar.gz
* Thu Oct 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-5 - Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650) - Fix typo in boltd.te policy - Allow fail2ban_t domain to mmap journal - Add kill capability to named_t domain - Allow neutron domain to read/write /var/run/utmp - Create boltd_var_run_t type for boltd pid files - Allow tomcat_domain to read /dev/random - Allow neutron_t domain to use pam - Add the port used by nsca (Nagios Service Check Acceptor)
2018-10-04 14:27:59 +00:00
/selinux-policy-0813126.tar.gz
/selinux-policy-contrib-ff6d7f4.tar.gz
* Tue Oct 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-6 - Allow boltd_t to be activated by init socket activation - Allow virt_domain to read/write to virtd_t unix_stream socket because of new version of libvirt 4.4. BZ(1635803) - Update SELinux policy for libreswan based on the latest rebase 3.26 - Fix typo in init_named_socket_activation interface
2018-10-09 15:49:28 +00:00
/selinux-policy-contrib-fdc0a2e.tar.gz
/selinux-policy-493101e.tar.gz
* Sat Oct 13 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-8 - ejabberd SELinux module removed, it's shipped by ejabberd-selinux package
2018-10-13 20:39:48 +00:00
/selinux-policy-contrib-765b73a.tar.gz
/selinux-policy-8bcb254.tar.gz
* Mon Oct 15 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9 - Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645) - Add interface cron_system_spool_entrypoint() - Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676) - Add interfaces for boltd SELinux module - Add dac_override capability to modemmanager_t domain BZ(1636608) - Allow systemd to mount boltd_var_run_t dirs BZ(1636823) - Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
2018-10-15 15:44:05 +00:00
/selinux-policy-contrib-5252fe6.tar.gz
/selinux-policy-2d39d24.tar.gz
* Tue Oct 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10 - Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
2018-10-15 22:18:59 +00:00
/selinux-policy-contrib-a69f9e6.tar.gz
Add missing sources from github
2018-11-04 01:05:17 +00:00
/selinux-policy-contrib-6c30b43.tar.gz
/selinux-policy-a46eac2.tar.gz
* Sun Nov 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12 - Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672) - Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766) - Add dac_override capability to postgrey_t domain BZ(1638954) - Allow thumb_t domain to execute own tmpfs files BZ(1643698) - Allow xdm_t domain to manage dosfs_t files BZ(1645770) - Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801) - Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675) - Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
2018-11-04 18:53:51 +00:00
/selinux-policy-contrib-5a2a313.tar.gz
/selinux-policy-62d90da.tar.gz
* Wed Nov 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13 - Update pesign policy to allow pesign_t domain to read bind cache files/dirs - Add dac_override capability to mdadm_t domain - Create ibacm_tmpfs_t type for the ibacm policy - Dontaudit capability sys_admin for dhcpd_t domain - Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts. - Allow abrt_t domain to mmap generic tmp_t files - Label /usr/sbin/wpa_cli as wpa_cli_exec_t - Allow sandbox_xserver_t domain write to user_tmp_t files - Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints - Add interface files_map_generic_tmp_files() - Add dac_override capability to the syslogd_t domain - Create systemd_timedated_var_run_t label - Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202) - Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
2018-11-07 22:34:46 +00:00
/selinux-policy-contrib-a01743f.tar.gz
/selinux-policy-4cbc1ae.tar.gz
* Fri Dec 06 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14 - Remove all ganesha bits from gluster and rpc policy - Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t - Add dac_override capability to ssad_t domains - Allow pesign_t domain to read gnome home configs - Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t - Allow rngd_t domains read kernel state - Allow certmonger_t domains to read bind cache - Allow ypbind_t domain to stream connect to sssd - Allow rngd_t domain to setsched - Allow sanlock_t domain to read/write sysfs_t files - Add dac_override capability to postfix_local_t domain - Allow ypbind_t to search sssd_var_lib_t dirs - Allow virt_qemu_ga_t domain to write to user_tmp_t files - Allow systemd_logind_t to dbus chat with virt_qemu_ga_t - Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files - Add new interface sssd_signal() - Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t - Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t - Add sys_resource capability to the systemd_passwd_agent_t domain - Allow ipsec_t domains to read bind cache - kernel/files.fc: Label /run/motd as etc_t - Allow systemd to stream connect to userdomain processes - Label /var/lib/private/systemd/ as init_var_lib_t - Allow initrc_t domain to create new socket labeled as init_T - Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket. - Add tracefs_t type to mountpoint attribute - Allow useradd_t and groupadd_t domains to send signals to sssd_t - Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636) - Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
2018-12-06 15:43:04 +00:00
/selinux-policy-contrib-a0e3869.tar.gz
/selinux-policy-509e071.tar.gz
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16 - Allow sensord_t to execute own binary files - Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432) - Allow virtd_lxc_t domains use BPF BZ(1662613) - Allow openvpn_t domain to read systemd state BZ(1661065) - Dontaudit ptrace all domains for blueman_t BZ(1653671) - Used correct renamed interface for imapd_t domain - Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922) - Allow hddtemp_t domain to read nvme block devices BZ(1663579) - Add dac_override capability to spamd_t domain BZ(1645667) - Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983) - Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441) - Specify recipients that will be notified about build CI results. - Allow saslauthd_t domain to mmap own pid files BZ(1653024) - Add dac_override capability for snapperd_t domain BZ(1619356) - Make kpatch_t domain application domain to allow users to execute kpatch in kpatch_t domain. - Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282) - Update pulseaudio_stream_connect() to allow caller domain create stream sockets to cumminicate with pulseaudio - Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030) - Add new interface: rpm_script_signal() - Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008) - Make workin: systemd-run --system --pty bash BZ(1647162) - Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443) - Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975) - Specify recipients that will be notified about build CI results. - Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814) - Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain - Add rules to allow systemd to mounton systemd_timedated_var_lib_t. - Allow x_userdomains to stream connect to pulseaudio BZ(1658286)
2019-01-11 11:46:15 +00:00
/selinux-policy-contrib-a265988.tar.gz
/selinux-policy-d0c5c81.tar.gz
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17 - Allow staff_t domain to read read_binfmt_misc filesystem - Add interface fs_read_binfmt_misc() - Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
2019-01-11 15:07:53 +00:00
/selinux-policy-0379b0e.tar.gz
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18 - Allow plymouthd_t search efivarfs directory BZ(1664143) - Allow arpwatch send e-mail notifications BZ(1657327) - Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t - Allow gssd_t domain to read/write kernel keyrings of every domain. - Allow systemd_timedated_t domain nnp_transition BZ(1666222) - Add the fs_search_efivarfs_dir interface - Create tangd_port_t with default label tcp/7406 - Add interface domain_rw_all_domains_keyrings() - Some of the selinux-policy macros doesn't work in chroots/initial installs. BZ(1665643)
2019-01-15 17:29:10 +00:00
/selinux-policy-contrib-2664b0a.tar.gz
/selinux-policy-35f00c1.tar.gz
Add missing sources
2019-01-29 15:58:50 +00:00
/selinux-policy-5181cbd.tar.gz
/selinux-policy-contrib-992defd.tar.gz
* Sat Feb 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20 - Allow sensord_t domain to use nsswitch and execute shell - Allow opafm_t domain to execute lib_t files - Allow opafm_t domain to manage kdump_crash_t files and dirs - Allow virt domains to read/write cephfs filesystems - Allow virtual machine to write to fixed_disk_device_t - Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585 - Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t - Allow vhostmd_t read libvirt configuration files - Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains - Add miscfiles_filetrans_named_content_letsencrypt() to optional_block - Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t - Allow staff_t user to systemctl iptables units. - Allow systemd to read selinux logind config - obj_perm_sets.spt: Add xdp_socket to socket_class_set. - Add xdp_socket security class and access vectors - Allow transition from init_t domain to user_t domain during ssh login with confined user user_u
2019-02-02 12:41:12 +00:00
/selinux-policy-contrib-b4944ea.tar.gz
/selinux-policy-07bdaa4.tar.gz
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21 - Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243 - Allow ddclient_t to setcap Resolves: rhbz#1674298 - Add dac_override capability to vpnc_t domain - Add dac_override capability to spamd_t domain - Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run - Allow read network state of system for processes labeled as ibacm_t - Allow ibacm_t domain to send dgram sockets to kernel processes - Allow dovecot_t to connect to MySQL UNIX socket - Fix CI for use on forks - Fix typo bug in sensord policy - Update ibacm_t policy after testing lastest version of this component - Allow sensord_t domain to mmap own log files - Allow virt_doamin to read/write dev device - Add dac_override capability for ipa_helper_t - Update policy with multiple allow rules to make working installing VM in MLS policy - Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847 - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172 - Always label /home symlinks as home_root_t - Update mount_read_pid_files macro to allow also list mount_var_run_t dirs - Fix typo bug in userdomain SELinux policy - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow user domains to stop systemd user sessions during logout process - Fix CI for use on forks - Label /dev/sev char device as sev_device_t - Add s_manage_fusefs_named_sockets interface - Allow systemd-journald to receive messages including a memfd
2019-02-12 16:05:35 +00:00
/selinux-policy-contrib-8b8ce9b.tar.gz
/selinux-policy-8258bc1.tar.gz
* Thu Feb 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22 - Allow dovecot_t domain to connect to mysql db - Add dac_override capability for sbd_t SELinux domain - Add dac_override capability for spamd_update_t domain - Allow nnp transition for domains fsadm_t, lvm_t and mount_t - Add fs_manage_fusefs_named_pipes interface
2019-02-14 16:52:26 +00:00
/selinux-policy-contrib-01421de.tar.gz
/selinux-policy-18ccb6c.tar.gz
Add missing sources
2019-02-14 16:54:25 +00:00
/selinux-policy-contrib-7e2f178.tar.gz
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-1 - Allow openvpn_t domain to set capability BZ(1680276) - Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on - Allow chronyd_t domain to send data over dgram socket - Add rolekit_dgram_send() interface - Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t - kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
2019-02-25 22:17:05 +00:00
/selinux-policy-contrib-af9fa4f.tar.gz
/selinux-policy-108b4cd.tar.gz
* Tue Feb 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-2 - Merge insmod_t, depmod_t and update_modules_t do kmod_t
2019-02-26 10:07:59 +00:00
/selinux-policy-contrib-925fb5e.tar.gz
/selinux-policy-aa6253c.tar.gz
* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4 - Update vmtools policy - Allow virt_qemu_ga_t domain to read udev_var_run_t files - Update nagios_run_sudo boolean with few allow rules related to accessing sssd - Update travis CI to install selinux-policy dependencies without checking for gpg check - Allow journalctl_t domain to mmap syslogd_var_run_t files - Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046 - Allow sbd_t domain to bypass permission checks for sending signals - Allow sbd_t domain read/write all sysctls - Allow kpatch_t domain to communicate with policykit_t domsin over dbus - Allow boltd_t to stream connect to sytem dbus - Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820) - Allow all domains to send dbus msgs to vmtools_unconfined_t processes - Label /dev/pkey as crypt_device_t - Allow sudodomains to write to systemd_logind_sessions_t pipes. - Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. - Allow ifconfig_t domain to read /dev/random BZ(1687516) - Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660 - Update travis CI to install selinux-policy dependencies without checking for gpg check - Label /usr/sbin/nodm as xdm_exec_t same as other display managers - Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin - Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221 - Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 17:42:45 +00:00
/selinux-policy-contrib-c199027.tar.gz
/selinux-policy-4c00590.tar.gz
* Tue Mar 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-5 - Update xen SELinux module - Improve labeling for PCP plugins - Allow varnishd_t domain to read sysfs_t files - Update vmtools policy - Allow virt_qemu_ga_t domain to read udev_var_run_t files - Update nagios_run_sudo boolean with few allow rules related to accessing sssd - Update file context for modutils rhbz#1689975 - Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293 - Grant permissions for onloadfs files of all classes. - Allow all domains to send dbus msgs to vmtools_unconfined_t processes - Label /dev/pkey as crypt_device_t - Allow sudodomains to write to systemd_logind_sessions_t pipes. - Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
2019-03-19 10:32:41 +00:00
/selinux-policy-b28842e.tar.gz
/selinux-policy-contrib-dc92f2d.tar.gz
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-6 - Allow boltd_t domain to write to sysfs_t dirs BZ(1689287) - Allow fail2ban execute journalctl BZ(1689034) - Update sudodomains to make working confined users run sudo/su - Introduce new boolean unconfined_dyntrans_all. - Allow iptables_t domain to read NetworkManager state BZ(1690881)
2019-03-23 14:32:56 +00:00
/selinux-policy-b78306b.tar.gz
/selinux-policy-contrib-ef0c1e0.tar.gz
* Wed Apr 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-7 - Allow fontconfig file transition for xguest_u user - Add gnome_filetrans_fontconfig_home_content interface - Add permissions needed by systemd's machinectl shell/login - Update SELinux policy for xen services - Add dac_override capability for kdumpctl_t process domain - Allow chronyd_t domain to exec shell - Fix varnisncsa typo - Allow init start freenx-server BZ(1678025) - Create logrotate_use_fusefs boolean - Add tcpd_wrapped_domain for telnetd BZ(1676940) - Allow tcpd bind to services ports BZ(1676940) - Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t - Make shell_exec_t type as entrypoint for vmtools_unconfined_t. - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide - Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t - Allow esmtp access .esmtprc BZ(1691149) - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy-contrib into rawhide - Allow tlp_t domain to read nvme block devices BZ(1692154) - Add support for smart card authentication in cockpit BZ(1690444) - Add permissions needed by systemd's machinectl shell/login - Allow kmod_t domain to mmap modules_dep_t files. - Allow systemd_machined_t dac_override capability BZ(1670787) - Update modutils_read_module_deps_files() interface to also allow mmap module_deps_t files - Allow unconfined_domain_type to use bpf tools BZ(1694115) - Revert "Allow unconfined_domain_type to use bpf tools BZ(1694115)" - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow unconfined_domain_type to use bpf tools BZ(1694115) - Allow init_t read mnt_t symlinks BZ(1637070) - Update dev_filetrans_all_named_dev() interface - Allow xdm_t domain to execmod temp files BZ(1686675) - Revert "Allow xdm_t domain to create own tmp files BZ(1686675)" - Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582) - Allow confined users labeled as staff_t to run iptables. - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Allow xdm_t domain to create own tmp files BZ(1686675) - Add miscfiles_dontaudit_map_generic_certs interface.
2019-04-03 12:33:40 +00:00
/macro-expander
/selinux-policy-549ed43.tar.gz
/selinux-policy-contrib-e753aa8.tar.gz
Fix some conflicting filename transition rules in the policy sources
2019-04-04 09:02:58 +00:00
/selinux-policy-contrib-7010ac2.tar.gz
/selinux-policy-50cc590.tar.gz
Update missing sources
2019-04-05 17:30:33 +00:00
/selinux-policy-f1590bb.tar.gz
* Mon Apr 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-9 - Merge #18 `Add check for config file consistency` - Allow tlp_t domain also write to nvme_devices block devices BZ(1696943) - Fix typo in rhsmcertd SELinux module - Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files - Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t - Allow unconfined users to use vsock unlabeled sockets - Add interface kernel_rw_unlabeled_vsock_socket() - Allow unconfined users to use smc unlabeled sockets - Add interface kernel_rw_unlabeled_smc_socket - Allow systemd_resolved_t domain to read system network state BZ(1697039) - Allow systemd to mounton kernel sysctls BZ(1696201) - Add interface kernel_mounton_kernel_sysctl() BZ(1696201) - Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201
2019-04-08 13:54:57 +00:00
/selinux-policy-contrib-8659df1.tar.gz
/selinux-policy-f8a2347.tar.gz
* Tue Apr 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-10 - Allow systemd_modules_load to read modules_dep_t files - Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667)
2019-04-09 08:57:19 +00:00
/selinux-policy-379f4fb.tar.gz
* Fri Apr 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-11 - Allow mongod_t domain to lsearch in cgroups BZ(1698743) - Allow rngd communication with pcscd BZ(1679217) - Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405) - Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t. - Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
2019-04-12 21:24:21 +00:00
/selinux-policy-2163c68.tar.gz
/selinux-policy-contrib-b78d1b1.tar.gz
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-12 - Fix typo in cups SELinux policy - Allow iscsid_t to read modules deps BZ(1700245) - Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442) - Allow httpd_rotatelogs_t to execute generic binaries - Update system_dbus policy because of dbus-broker-20-2 - Allow httpd_t doman to read/write /dev/zero device BZ(1700758) - Allow tlp_t domain to read module deps files BZ(1699459) - Add file context for /usr/lib/dotnet/dotnet - Update dev_rw_zero() interface by adding map permission - Allow bounded transition for executing init scripts
2019-04-19 20:39:06 +00:00
/selinux-policy-contrib-d00ed3c.tar.gz
/selinux-policy-6ed8a72.tar.gz
* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-13 - Introduce deny_bluetooth boolean - Allow greylist_milter_t to read network system state BZ(1702672) - Allow freeipmi domains to mmap freeipmi_var_cache_t files - Allow rhsmcertd_t and rpm_t domains to chat over dbus - Allow thumb_t domain to delete cache_home_t files BZ(1701643) - Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus - Add new interface boltd_dbus_chat() - Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791) - Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750) - Allow cockpit_ws_t domain to set limits BZ(1701703) - Update Nagios policy when sudo is used - Deamon rhsmcertd is able to install certs for docker again - Introduce deny_bluetooth boolean - Don't allow a container to connect to random services - Remove file context /usr/share/spamassassin/sa-update\.cron -> bin_t to label sa-update.cron as spamd_update_exec_t. - Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus - Allow unconfined_t to use bpf tools - Allow x_userdomains to communicate with boltd daemon over dbus
2019-04-25 15:29:03 +00:00
/selinux-policy-contrib-5a0561d.tar.gz
/selinux-policy-54c05f2.tar.gz
* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-14 - Allow transition from cockpit_session to unpriv user domains
2019-04-26 14:46:34 +00:00
/selinux-policy-088381c.tar.gz
* Thu May 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-15 - Allow iscsid_t domain to mmap modules_dep_t files - Allow ngaios to use chown capability - Dontaudit gpg_domain to create netlink_audit sockets - Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251) - Allow dirsrv_t domain to execute own tmp files BZ(1703111) - Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files - Update domain_can_mmap_files() boolean to allow also mmap lnk files - Improve userdom interfaces to drop guest_u SELinux user to use nsswitch
2019-05-02 13:46:11 +00:00
/selinux-policy-contrib-e33aa41.tar.gz
/selinux-policy-c5e58b6.tar.gz
* Fri May 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-16 - Add fcontext for apachectl util to fix missing output when executed "httpd -t" from this script.
2019-05-03 22:00:01 +00:00
/selinux-policy-contrib-721b2bf.tar.gz
Update broken sources
2019-05-04 15:45:09 +00:00
/selinux-policy-8eaf5bc.tar.gz
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-17 - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Label /usr/bin/tshark as wireshark_exec_t - Fix typo in dbus_role_template() - Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119) - Allow userdomains dbus domain to execute dbus broker. BZ(1710113) - Allow dovedot_deliver_t setuid/setgid capabilities BZ(1709572) - Allow virt domains to access xserver devices BZ(1705685) - Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512) - Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598) - Allow pcp_pmie_t domain to use fsetid capability BZ(1708082) - Allow pcp_pmlogger_t to use setrlimit BZ(1708951) - Allow gpsd_t domain to read udev db BZ(1709025) - Add sys_ptrace capaiblity for namespace_init_t domain - Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331) - Allow rhsmcertd_t domain to read rpm cache files - Label /efi same as /boot/efi boot_t BZ(1571962) - Allow transition from udev_t to tlp_t BZ(1705246) - Remove initrc_exec_t for /usr/sbin/apachectl file
2019-05-17 16:12:55 +00:00
/selinux-policy-contrib-38d51f0.tar.gz
/selinux-policy-62e78cf.tar.gz
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-18 - Fix typo in gpg SELinux module - Update gpg policy to make ti working with confined users - Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t - Add dac_override capability to namespace_init_t domain - Label /usr/sbin/corosync-qdevice as cluster_exec_t - Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484) - Label /usr/libexec/dnf-utils as debuginfo_exec_t - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Label /usr/bin/tshark as wireshark_exec_t - Update userdomains to allow confined users to create gpg keys - Allow associate all filesystem_types with fs_t - Dontaudit syslogd_t using kill in unamespaces BZ(1711122) - Allow init_t to manage session_dbusd_tmp_t dirs - Allow systemd_gpt_generator_t to read/write to clearance - Allow su_domain_type to getattr to /dev/gpmctl - Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-17 23:04:36 +00:00
/selinux-policy-contrib-ebaeade.tar.gz
/selinux-policy-78cbf0a.tar.gz
* Mon May 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-19 - Fix bind_read_cache() interface to allow only read perms to caller domains - [speech-dispatcher.if] m4 macro names can not have - in them - Grant varnishlog_t access to varnishd_etc_t - Allow nrpe_t domain to read process state of systemd_logind_t - Allow mongod_t domain to connect on https port BZ(1711922) - Allow chronyc_t domain to create own tmpfiles and allow communicate send data over unix dgram sockets - Dontaudit spamd_update_t domain to read all domains states BZ(1711799) - Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871) - Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119) - Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)" - Make boinc_var_lib_t mountpoint BZ(1711682) - Allow wireshark_t domain to create fifo temp files - All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy - Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484) - Fix typo in gpg SELinux module - Update gpg policy to make ti working with confined users - Add domain transition that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t - Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files - Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t - Add dac_override capability to namespace_init_t domain - Label /usr/sbin/corosync-qdevice as cluster_exec_t - Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484) - Label /usr/libexec/dnf-utils as debuginfo_exec_t - Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on - Allow nrpe_t domain to be dbus cliennt - Add interface sssd_signull() - Build in parallel on Travis - Fix parallel build of the policy - Revert "Make able deply overcloud via neutron_t to label nsfs as fs_t" - Add interface systemd_logind_read_state() - Fix find commands in Makefiles - Allow systemd-timesyncd to read network state BZ(1694272) - Update userdomains to allow confined users to create gpg keys - Allow associate all filesystem_types with fs_t - Dontaudit syslogd_t using kill in unamespaces BZ(1711122) - Allow init_t to manage session_dbusd_tmp_t dirs - Allow systemd_gpt_generator_t to read/write to clearance - Allow su_domain_type to getattr to /dev/gpmctl - Update userdom_login_user_template() template to make working systemd user session for guest and xguest SELinux users
2019-05-27 14:47:47 +00:00
/selinux-policy-contrib-efd9524.tar.gz
/selinux-policy-50e97b7.tar.gz
* Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-20 - Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800) - Allow spamd_update_t to exec itsef - Fix broken logwatch SELinux module - Allow logwatch_mail_t to manage logwatch cache files/dirs - Update wireshark_t domain to use several sockets - Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
2019-05-30 09:43:45 +00:00
/selinux-policy-contrib-7dabd9f.tar.gz
/selinux-policy-26ad838.tar.gz
* Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-21 - Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864) - cockpit: Support split-out TLS proxy - Allow dkim_milter_t to use shell BZ(1716937) - Create explicit fc rule for mailman executable BZ(1666004) - Update interface networkmanager_manage_pid_files() to allow manage also dirs - Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701) - Add new interface bind_map_dnssec_keys() - Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files - Allow redis_t domain to read public sssd files - Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569) - Allow confined users to login via cockpit - Allow nfsd_t domain to do chroot becasue of new version of nfsd - Add gpg_agent_roles to system_r roles - Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files - Allow rhsmcertd_t domain to manage rpm cache - Allow sbd_t domain to read tmpfs_t symlinks - Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs - Allow kadmind_t domain to read home config data - Allow sbd_t domain to readwrite cgroups - Allow NetworkManager_t domain to read nsfs_t files BZ(1715597) - Label /var/log/pacemaker/pacemaker as cluster_var_log_t - Allow certmonger_t domain to manage named cache files/dirs - Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800) - Allow crack_t domain read /et/passwd files - Label fontconfig cache and config files and directories BZ(1659905) - Allow dhcpc_t domain to manage network manager pid files - Label /usr/sbin/nft as iptables_exec_t - Allow userdomain attribute to manage cockpit_ws_t stream sockets - Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes - Add interface ssh_agent_signal()
2019-06-18 07:29:06 +00:00
/selinux-policy-contrib-2f9692d.tar.gz
Add new sources
2019-06-18 07:30:20 +00:00
/selinux-policy-5b2d489.tar.gz
* Mon Jul 08 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-22 - Label /var/kerberos/krb5 as krb5_keytab_t - Allow glusterd_t domain to setpgid - Allow lsmd_t domain to execute /usr/bin/debuginfo-install - Allow sbd_t domain to manage cgroup dirs - Allow opafm_t domain to modify scheduling information of another process. - Allow wireshark_t domain to create netlink netfilter sockets - Allow gpg_agent_t domain to use nsswitch - Allow httpd script types to mmap httpd rw content - Allow dkim_milter_t domain to execute shell BZ(17116937) - Allow sbd_t domain to use nsswitch - Allow rhsmcertd_t domain to send signull to all domains - Allow snort_t domain to create netlink netfilter sockets BZ(1723184) - Dontaudit blueman to read state of all domains on system BZ(1722696) - Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217) - Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308) - Replace "-" by "_" in types names - Change condor_domain declaration in condor_systemctl - Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405) - Allow auditd_t domain to send signals to audisp_remote_t domain - Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132) - Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files - Add interface kernel_relabelfrom_usermodehelper() - Dontaudit unpriv_userdomain to manage boot_t files - Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509) - Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531) - Allow associate efivarfs_t on sysfs_t
2019-07-08 08:00:11 +00:00
/selinux-policy-contrib-7d3bcf4.tar.gz
/selinux-policy-905153e.tar.gz
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23 - Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager - Fix all interfaces which cannot by compiled because of typos - Allow X userdomains to mmap user_fonts_cache_t dirs
2019-07-10 08:16:00 +00:00
/selinux-policy-contrib-9e9bb01.tar.gz
/selinux-policy-f1ee18a.tar.gz
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24 - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain - Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports - Allow mysqld_t domain to manage cluster pid files - Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. - Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool - Allow dkim-milter to send e-mails BZ(1716937) - Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799) - Update svnserve_t policy to make working svnserve hooks - Allow varnishlog_t domain to check for presence of varnishd_t domains - Update sandboxX policy to make working firefox inside SELinux sandbox - Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services - Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices - Allow gssd_t domain to list tmpfs_t dirs - Allow mdadm_t domain to read tmpfs_t files - Allow sbd_t domain to check presence of processes labeled as cluster_t - Dontaudit httpd_sys_script_t to read systemd unit files - Allow blkmapd_t domain to read nvme devices - Update cpucontrol_t domain to make working microcode service - Allow domain transition from logwatch_t do postfix_postqueue_t - Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test' - Allow httpd_sys_script_t domain to mmap httpcontent - Allow sbd_t to manage cgroups_t files - Update wireshark policy to make working tshar labeled as wireshark_t - Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources - Allow sysadm_t domain to dbus chat with rtkit daemon - Allow x_userdomains to nnp domain transition to thumb_t domain - Allow unconfined_domain_type to setattr own process lnk files. - Add interface files_write_generic_pid_sockets() - Dontaudit writing to user home dirs by gnome-keyring-daemon - Allow staff and admin domains to setpcap in user namespace - Allow staff and sysadm to use lockdev - Allow staff and sysadm users to run iotop. - Dontaudit traceroute_t domain require sys_admin capability - Dontaudit dbus chat between kernel_t and init_t - Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
2019-07-17 15:58:49 +00:00
/selinux-policy-contrib-2e0b14e.tar.gz
/selinux-policy-8935967.tar.gz
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-25 - Allow spamd_update_t domain to read network state of system BZ(1733172) - Allow dlm_controld_t domain to transition to the lvm_t - Allow sandbox_web_client_t domain to do sys_chroot in user namespace - Allow virtlockd process read virtlockd.conf file - Add more permissions for session dbus types to make working dbus broker with systemd user sessions - Allow sssd_t domain to read gnome config and named cache files - Allow brltty to request to load kernel module - Add svnserve_tmp_t label forl svnserve temp files to system private tmp - Allow sssd_t domain to read kernel net sysctls BZ(1732185) - Run timedatex service as timedatex_t - Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool - Allow cyrus work with PrivateTmp - Make cgdcbxd_t domain working with SELinux enforcing. - Make working wireshark execute byt confined users staff_t and sysadm_t - Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963) - Allow svnserve_t domain to read system state - allow named_t to map named_cache_t files - Label user cron spool file with user_cron_spool_t - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession - Allow lograte_t domain to manage collect_rw_content files and dirs - Add interface collectd_manage_rw_content() - Allow ifconfig_t domain to manage vmware logs - Remove system_r role from staff_u user. - Make new timedatex policy module active - Add systemd_private_tmp_type attribute - Allow systemd to load kernel modules during boot process. - Allow sysadm_t and staff_t domains to read wireshark shared memory - Label /usr/libexec/utempter/utempter as utemper_exec_t - Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197) - Allow sysadm_t domain to create netlink selinux sockets - Make cgdcbxd active in Fedora upstream sources
2019-07-26 08:28:53 +00:00
/selinux-policy-contrib-da6544c.tar.gz
/selinux-policy-2f909f9.tar.gz
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-26 - New policy for rrdcached - Allow dhcpd_t domain to read network sysctls. - Allow nut services to communicate with unconfined domains - Allow virt_domain to Support ecryptfs home dirs. - Allow domain transition lsmd_t to sensord_t - Allow httpd_t to signull mailman_cgi_t process - Make rrdcached policy active - Label /etc/sysconfig/ip6?tables\.save as system_conf_t Resolves: rhbz#1733542 - Allow machinectl to run pull-tar BZ(1724247)
2019-07-30 08:51:50 +00:00
/selinux-policy-contrib-2b47485.tar.gz
/selinux-policy-da92bd2.tar.gz
* Mon Aug 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-27 - Allow tlp domain run tlp in trace mode BZ(1737106) - Make timedatex_t domain system dbus bus client BZ(1737239) - Allow cgdcbxd_t domain to list cgroup dirs - Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-05 16:25:34 +00:00
/selinux-policy-contrib-b7144a2.tar.gz
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-28 - Allow systemd to create and bindmount dirs. BZ(1734831)
2019-08-06 08:48:46 +00:00
/selinux-policy-cd63aff.tar.gz
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-29 - Allow dlm_controld_t domain setgid capability - Fix SELinux modules not installing in chroots. Resolves: rhbz#1665643
2019-08-07 15:38:17 +00:00
/selinux-policy-contrib-e563a8d.tar.gz
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-30 - cockpit: Allow cockpit-session to read cockpit-tls state - Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983) - Allow named_t domain to read/write samba_var_t files BZ(1738794) - Dontaudit abrt_t domain to read root_t files - Allow ipa_dnskey_t domain to read kerberos keytab - Allow mongod_t domain to read cgroup_t files BZ(1739357) - Update ibacm_t policy - Allow systemd to relabel all files on system. - Revert "Add new boolean systemd_can_relabel" - Allow xdm_t domain to read kernel sysctl BZ(1740385) - Add sys_admin capability for xdm_t in user namespace. BZ(1740386) - Allow dbus communications with resolved for DNS lookups - Add new boolean systemd_can_relabel - Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp - Label '/var/usrlocal/(.*/)?sbin(/.*)?' as bin_t - Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs - Run lvmdbusd service as lvm_t
2019-08-13 15:59:35 +00:00
/selinux-policy-contrib-4396848.tar.gz
/selinux-policy-b313a79.tar.gz
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-31 - Update timedatex policy BZ(1734197)
2019-08-13 17:06:46 +00:00
/selinux-policy-contrib-c55a896.tar.gz
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2 - Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket - Dontaudit sandbox web types to setattr lib_t dirs - Dontaudit system_mail_t domains to check for existence other applications on system BZ(1747369) - Allow haproxy_t domain to read network state of system - Allow processes labeled as keepalived_t domain to get process group - Introduce dbusd_unit_file_type - Allow pesign_t domain to read/write named cache files. - Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces. - Allow httpd_t domain to read/write named_cache_t files - Add new interface bind_rw_cache() - Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t. - Update cpucontrol_t SELinux policy - Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t - Run lldpd service as lldpad_t. - Allow spamd_update_t domain to create unix dgram sockets. - Update dbus role template for confined users to allow login into x session - Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t - Fix typo in networkmanager_append_log() interface - Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label - Allow login user type to use systemd user session - Allow xdm_t domain to start dbusd services. - Introduce new type xdm_unit_file_t - Remove allowing all domain to communicate over pipes with all domain under rpm_transition_domain attribute - Allow systemd labeled as init_t to remove sockets with tmp_t label BZ(1745632) - Allow ipsec_t domain to read/write named cache files - Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label - Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus - Label udp 8125 port as statsd_port_t
2019-09-04 16:09:39 +00:00
/selinux-policy-6a0cb45.tar.gz
/selinux-policy-contrib-8ce79b2.tar.gz
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3 - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Fix typo in cachefilesd module - Allow cachefilesd_t domain to read/write cachefiles_device_t devices - Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy - Add sys_admin capability for keepalived_t labeled processes - Allow user_mail_domain attribute to manage files labeled as etc_aliases_t. - Create new type ipmievd_helper_t domain for loading kernel modules. - Run stratisd service as stratisd_t - Fix abrt_upload_watch_t in abrt policy - Update keepalived policy - Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types - Revert "Create admin_crontab_t and admin_crontab_tmp_t types" - Revert "Update cron_role() template to accept third parameter with SELinux domain prefix" - Allow amanda_t to manage its var lib files and read random_device_t - Create admin_crontab_t and admin_crontab_tmp_t types - Add setgid and setuid capabilities to keepalived_t domain - Update cron_role() template to accept third parameter with SELinux domain prefix - Allow psad_t domain to create tcp diag sockets BZ(1750324) - Allow systemd to mount fwupd_cache_t BZ(1750288) - Allow chronyc_t domain to append to all non_security files - Update zebra SELinux policy to make it work also with frr service - Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024) - Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763) - Label /var/run/mysql as mysqld_var_run_t - Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects. - Update timedatex policy to manage localization - Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces - Update gnome_dontaudit_read_config - Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997) - Allow systemd labeled as init_t domain to remount rootfs filesystem - Add interface files_remount_rootfs() - Dontaudit sys_admin capability for iptables_t SELinux domain - Label /dev/cachefilesd as cachefiles_device_t - Make stratisd policy active - Allow userdomains to dbus chat with policykit daemon - Update userdomains to pass correct parametes based on updates from cron_*_role interfaces - New interface files_append_non_security_files() - Label 2618/tcp and 2618/udp as priority_e_com_port_t - Label 2616/tcp and 2616/udp as appswitch_emp_port_t - Label 2615/tcp and 2615/udp as firepower_port_t - Label 2610/tcp and 2610/udp as versa_tek_port_t - Label 2613/tcp and 2613/udp as smntubootstrap_port_t - Label 3784/tcp and 3784/udp as bfd_control_port_t - Remove rule allowing all processes to stream connect to unconfined domains
2019-09-13 15:04:11 +00:00
/selinux-policy-contrib-c5a8fd2.tar.gz
/selinux-policy-3e6f5ff.tar.gz
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-4 - Run ipa-custodia as ipa_custodia_t - Update webalizer_t SELinux policy - Dontaudit thumb_t domain to getattr of nsfs_t files BZ(1753598) - Allow rhsmcertd_t domain to read rtas_errd lock files - Add new interface rtas_errd_read_lock() - Update allow rules set for nrpe_t domain - Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if - Allow avahi_t to send msg to lpr_t - Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label - Allow dlm_controld_t domain to read random device - Label libvirt drivers as virtd_exec_t - Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816) - Allow gssproxy_t domain read state of all processes on system - Add new macro systemd_timedated_status to systemd.if to get timedated service status - Introduce xdm_manage_bootloader booelan - Revert "Unconfined domains, need to create content with the correct labels" - Allow xdm_t domain to read sssd pid files BZ(1753240) - Move open, audit_access, and execmod to common file perms
2019-09-20 13:00:31 +00:00
/selinux-policy-37ef196.tar.gz
/selinux-policy-contrib-b43d580.tar.gz
* Fri Sep 20 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-5 - Fix ipa_custodia_stream_connect interface - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc
2019-09-20 21:17:36 +00:00
/selinux-policy-31db3dc.tar.gz
/selinux-policy-contrib-c3a90b3.tar.gz
Update fixed sources from github
2019-09-20 21:31:28 +00:00
/selinux-policy-contrib-bfb130f.tar.gz
* Fri Oct 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-6 - Update aide_t domain to allow this tool to analyze also /dev filesystem - Allow bitlbee_t domain map files in /usr - Allow stratisd to getattr of fixed disk device nodes - Add net_broadcast capability to openvswitch_t domain BZ(1716044) - Allow exim_t to read mysqld conf files if exim_can_connect_db is enabled. BZ(1756973) - Allow cobblerd_t domain search apache configuration dirs - Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428) - Label /var/log/collectd.log as collectd_log_t - Allow boltd_t domain to manage sysfs files and dirs BZ(1754360) - Add fowner capability to the pcp_pmlogger_t domain BZ(1754767) - networkmanager: allow NetworkManager_t to create bluetooth_socket - Fix ipa_custodia_stream_connect interface - Add new interface udev_getattr_rules_chr_files() - Make dbus-broker service working on s390x arch - Add new interface dev_mounton_all_device_nodes() - Add new interface dev_create_all_files() - Allow systemd(init_t) to load kernel modules - Allow ldconfig_t domain to manage initrc_tmp_t objects - Add new interface init_write_initrc_tmp_pipes() - Add new interface init_manage_script_tmp_files() - Allow xdm_t setpcap capability in user namespace BZ(1756790) - Allow x_userdomain to mmap generic SSL certificates - Allow xdm_t domain to user netlink_route sockets BZ(1756791) - Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory BZ(1754245) - Allow sudo userdomain to run rpm related commands - Add sys_admin capability for ipsec_t domain - Allow systemd_modules_load_t domain to read systemd pid files - Add new interface init_read_pid_files() - Allow systemd labeled as init_t domain to manage faillog_t objects - Add file context ipsec_var_run_t for /var/run/charon\.dck to ipsec.fc - Make ipa_custodia policy active
2019-10-04 12:03:09 +00:00
/selinux-policy-contrib-2c0ecb3.tar.gz
/selinux-policy-d63d681.tar.gz
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-7 - Revert "nova.fc: fix duplicated slash" - Introduce new bolean httpd_use_opencryptoki - Add new interface apache_read_state() - Allow setroubleshoot_fixit_t to read random_device_t - Label /etc/named direcotory as named_conf_t BZ(1759495) - nova.fc: fix duplicated slash - Allow dkim to execute sendmail - Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files - Update aide_t domain to allow this tool to analyze also /dev filesystem - Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files BZ(1758634) - Allow avahi_t to send msg to xdm_t - Allow systemd_logind to read dosfs files & dirs Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem - Update dev_manage_sysfs() to support managing also lnk files BZ(1759019) - Allow systemd_logind_t domain to read blk_files in domain removable_device_t - Add new interface udev_getattr_rules_chr_files()
2019-10-09 11:13:38 +00:00
/selinux-policy-aa4c070.tar.gz
/selinux-policy-contrib-84cf0f5.tar.gz
* Wed Oct 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-8 - Update apache and pkcs policies to make active opencryptoki rules - Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
2019-10-09 18:44:47 +00:00
/selinux-policy-contrib-7c1c105.tar.gz
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-9 - Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
2019-10-11 13:22:02 +00:00
/selinux-policy-contrib-070f96c.tar.gz
- Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Allow Gluster mount client to mount files_type - Dontaudit and disallow sys_admin capability for keepalived_t domain - Update numad policy to allow signull, kill, nice and trace processes - Allow ipmievd_t to RW watchdog devices - Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files - Allow user domains to manage user session services - Allow staff and user users to get status of user systemd session - Update sudo_role_template() to allow caller domain to read syslog pid files
2019-10-22 13:43:26 +00:00
/selinux-policy-contrib-7adf788.tar.gz
/selinux-policy-c95997f.tar.gz
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-11 - Allow confined users to run newaliases - Add interface mysql_dontaudit_rw_db() - Label /var/lib/xfsdump/inventory as amanda_var_lib_t - Allow tmpreaper_t domain to read all domains state - Make httpd_var_lib_t label system mountdir attribute - Update cockpit policy - Update timedatex policy to add macros, more detail below - Allow nagios_script_t domain list files labled sysfs_t. - Allow jetty_t domain search and read cgroup_t files. - Donaudit ifconfig_t domain to read/write mysqld_db_t files - Dontaudit domains read/write leaked pipes
2019-10-25 09:09:31 +00:00
/selinux-policy-contrib-6b3a800.tar.gz
/selinux-policy-7b7648b.tar.gz
* Sun Nov 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-12 - Label /var/cache/nginx as httpd_cache_t - Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald - Created dnsmasq_use_ipset boolean - Allow capability dac_override in logwatch_mail_t domain - Allow automount_t domain to execute ping in own SELinux domain (ping_t) - Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t - Allow collectd_t domain to create netlink_generic_socket sockets - Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files - Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command. - Label /etc/postfix/chroot-update as postfix_exec_t - Update tmpreaper_t policy due to fuser command - Allow kdump_t domain to create netlink_route and udp sockets - Allow stratisd to connect to dbus - Allow fail2ban_t domain to create netlink netfilter sockets. - Allow dovecot get filesystem quotas - Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689) - Allow systemd-tmpfiles processes to set rlimit information - Allow cephfs to use xattrs for storing contexts - Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
2019-11-03 11:59:34 +00:00
/selinux-policy-contrib-dee19b8.tar.gz
/selinux-policy-40f6bcc.tar.gz
* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-13 - Fix typo bugs in rtas_errd_read_lock() interface - cockpit: Drop cockpit-cert-session - Allow timedatex_t domain to systemctl chronyd domains - Allow ipa_helper_t to read kr5_keytab_t files - cockpit: Allow cockpit-session to read cockpit-tls state directory - Allow stratisd_t domain to read nvme and fixed disk devices - Update lldpad_t policy module - Dontaudit tmpreaper_t getting attributes from sysctl_type files - cockpit: Support https instance factory - Added macro for timedatex to chat over dbus. - Fix typo in dev_filetrans_all_named_dev() - Update files_manage_etc_runtime_files() interface to allow manage also dirs - Fix typo in cachefiles device - Dontaudit sys_admin capability for auditd_t domains - Allow x_userdomain to read adjtime_t files - Allow users using template userdom_unpriv_user_template() to run bpf tool - Allow x_userdomain to dbus_chat with timedatex.
2019-11-13 14:45:37 +00:00
/selinux-policy-contrib-6c531fb.tar.gz
/selinux-policy-4253587.tar.gz
* Thu Nov 21 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-16 - Allow timedatex_t domain dbus chat with both confined and unconfined users - Allow timedatex_t domain dbus chat with unconfined users - Allow NetworkManager_t manage dhcpc_state_t BZ(1770698) - Make unconfined domains part of domain_named_attribute - Label tcp ports 24816,24817 as pulp_port_t - Remove duplicate entries for initrc_t in init.te
2019-11-21 15:26:28 +00:00
/selinux-policy-contrib-5041702.tar.gz
/selinux-policy-a9839a5.tar.gz
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-17 - Fix nonexisting types in rtas_errd_rw_lock interface - Allow snmpd_t domain to trace processes in user namespace - Allow timedatex_t domain to read relatime clock and adjtime_t files - Allow zebra_t domain to execute zebra binaries - Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t - Allow ksmtuned_t domain to trace processes in user namespace - Allow systemd to read symlinks in /var/lib - Update dev_mounton_all_device_nodes() interface - Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro. - Allow systemd_domain to map files in /usr. - Allow strongswan start using swanctl method BZ(1773381) - Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
2019-11-27 19:26:39 +00:00
/selinux-policy-contrib-35568c7.tar.gz
/selinux-policy-90b3284.tar.gz
* Thu Nov 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-18 - Introduce new type pdns_var_lib_t - Allow zebra_t domain to read files labled as nsfs_t. - Allow systemd to setattr on all device_nodes - Allow systemd to mounton and list all proc types
2019-11-28 21:19:38 +00:00
/selinux-policy-contrib-46d44de.tar.gz
/selinux-policy-ae2c4ae.tar.gz
Add missing sources
2019-11-28 22:01:47 +00:00
/selinux-policy-4881d15.tar.gz
* Fri Dec 20 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-19 - Allow init_t nnp domain transition to kmod_t - Allow userdomain dbus chat with systemd_resolved_t - Allow init_t read and setattr on /var/lib/fprintd - Allow sysadm_t dbus chat with colord_t - Allow confined users run fwupdmgr - Allow confined users run machinectl - Allow systemd labeled as init_t domain to create dirs labeled as var_t - Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079) - Add new file context rabbitmq_conf_t. - Allow journalctl read init state BZ(1731753) - Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces - Allow pulseaudio create .config and dgram sendto to unpriv_userdomain - Change type in transition for /var/cache/{dnf,yum} directory - Allow cockpit_ws_t read efivarfs_t BZ(1777085) - Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030) - Allow named_t domain to mmap named_zone_t files BZ(1647493) - Make boinc_var_lib_t label system mountdir attribute - Allow stratis_t domain to request load modules - Update fail2ban policy - Allow spamd_update_t access antivirus_unit_file_t BZ(1774092) - Allow uuidd_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature. - Allow rdisc_t Domain trasition from sytemd into confined domain with NoNewPrivileges Systemd Security feature.
2019-12-20 16:01:21 +00:00
/selinux-policy-contrib-43e2de6.tar.gz
/selinux-policy-789c659.tar.gz
* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-20 - Fix typo in anaconda SELinux module - Allow rtkit_t domain to control scheduling for your install_t processes - Boolean: rngd_t to use executable memory - Allow rngd_t domain to use nsswitch BZ(1787661) - Allow exim to execute bin_t without domain trans - Allow create udp sockets for abrt_upload_watch_t domains - Drop label zebra_t for frr binaries - Allow NetworkManager_t domain to get status of samba services - Update milter policy to allow use sendmail - Modify file context for .local directory to match exactly BZ(1637401) - Allow init_t domain to create own socket files in /tmp - Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files - Create files_create_non_security_dirs() interface
2020-01-13 09:09:50 +00:00
/selinux-policy-b169ed6.tar.gz
/selinux-policy-contrib-cabad1f.tar.gz
* Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-21 - Dontaudit timedatex_t read file_contexts_t and validate security contexts - Make stratisd_t domain unconfined for now. - stratisd_t policy updates. - Label /var/spool/plymouth/boot.log as plymouthd_var_log_t - Label /stratis as stratisd_data_t - Allow opafm_t to create and use netlink rdma sockets. - Allow stratisd_t domain to read/write fixed disk devices and removable devices. - Added macro for stratisd to chat over dbus - Add dac_override capability to stratisd_t domain - Allow init_t set the nice level of all domains BZ(1778088) - Allow userdomain to chat with stratisd over dbus.
2020-01-24 16:07:51 +00:00
/selinux-policy-533b7be.tar.gz
/selinux-policy-contrib-be783bd.tar.gz
* Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-23 - Allow thumb_t connect to system_dbusd_t BZ(1795044) - Allow saslauthd_t filetrans variable files for /tmp directory - Added apache create log dirs macro - Tiny documentation fix - Allow openfortivpn_t to manage net_conf_t files. - Introduce boolean openfortivpn_can_network_connect. - Dontaudit domain chronyd_t to list in user home dirs. - Allow init_t to create apache log dirs. - Add file transition for /dev/nvidia-uvm BZ(1770588) - Allow syslog_t to read efivarfs_t files - Add ioctl to term_dontaudit_use_ptmx macro - Update xserver_rw_session macro
2020-01-31 09:53:24 +00:00
/selinux-policy-9e0b4dd.tar.gz
/selinux-policy-contrib-f23171a.tar.gz
* Fri Feb 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.5-24 - Allow ptp4l_t create and use packet_socket sockets - Allow ipa_custodia_t create and use netlink_route_socket sockets. - Allow networkmanager_t transition to setfiles_t - Create init_create_dirs boolean to allow init create directories
2020-02-07 08:33:54 +00:00
/selinux-policy-contrib-7f1b345.tar.gz
/selinux-policy-9d5b9be.tar.gz
* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-2 - Allow vhostmd communication with hosted virtual machines - Add and update virt interfaces - Update radiusd policy - Allow systemd_private_tmp(named_tmp_t) - Allow bacula dac_override capability - Allow systemd_networkd_t to read efivarfs - Add support for systemd-userdbd - Allow systemd system services read efivarfs files
2020-02-15 23:25:43 +00:00
/selinux-policy-4be621b.tar.gz
/selinux-policy-contrib-6178b11.tar.gz
* Sun Feb 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-3 - Allow systemd labeled as init_t to manage systemd_userdbd_runtime_t symlinks - Allow systemd_userdbd_t domain to read efivarfs files
2020-02-16 12:00:31 +00:00
/selinux-policy-a303d1d.tar.gz
* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-4 - Update virt_read_qemu_pid_files inteface - Allow systemd_logind_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices - Allow nsswitch_domain attribute to stream connect to systemd process
2020-02-18 17:04:28 +00:00
/selinux-policy-contrib-f2a3549.tar.gz
/selinux-policy-d5268be.tar.gz
* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-5 - Allow certmonger_t domain to read pkcs_slotd lock files - Allow httpd_t domain to mmap own var_lib_t files BZ(1804853) - Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets - Make file context more variable for /usr/bin/fusermount and /bin/fusermount - Allow local_login_t domain to getattr cgroup filesystem - Allow systemd_logind_t domain to manage user_tmp_t char and block devices
2020-02-22 16:02:13 +00:00
/selinux-policy-bde5c9e.tar.gz
/selinux-policy-contrib-f7a21a9.tar.gz
* Fri Feb 28 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-6 - Allow postfix stream connect to cyrus through runtime socket - Dontaudit daemons to set and get scheduling policy/parameters
2020-02-28 16:13:35 +00:00
/selinux-policy-contrib-08def7c.tar.gz
/selinux-policy-deadfd1.tar.gz
* Mon Mar 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-7 - Allow sssd read systemd-resolved runtime directory - Allow sssd read NetworkManager's runtime directory - Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t - Allow system_mail_t to signull pcscd_t - Create interface pcscd_signull - Allow auditd poweroff or switch to single mode
2020-03-09 16:07:28 +00:00
/selinux-policy-ff8908f.tar.gz
/selinux-policy-contrib-5406e9a.tar.gz
* Fri Mar 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-8 - Allow NetworkManager read its unit files and manage services - Add init_daemon_domain() for geoclue_t - Allow to use nnp_transition in pulseaudio_role - Allow pdns_t domain to map files in /usr. - Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t - Allow login_pgm create and bind on netlink_selinux_socket
2020-03-13 08:22:23 +00:00
/selinux-policy-contrib-d504071.tar.gz
/selinux-policy-649b10d.tar.gz
* Wed Mar 18 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-9 - Allow zabbix_t manage and filetrans temporary socket files - Makefile: fix tmp/%.mod.fc target
2020-03-18 12:55:22 +00:00
/selinux-policy-contrib-ab515a1.tar.gz
/selinux-policy-0072731.tar.gz
* Wed Mar 25 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-10 - Allow openfortivpn exec shell - Remove label session_dbusd_tmp_t for /run/user/USERID/systemd - Add ibacm_t ipc_lock capability - Allow ipsec_t connectto ipsec_mgmt_t - Remove ipa_custodia - Allow systemd-journald to read user_tmp_t symlinks
2020-03-25 17:09:22 +00:00
/selinux-policy-a9a124e.tar.gz
/selinux-policy-contrib-2c38d35.tar.gz
* Tue Mar 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-11 - Allow NetworkManager manage dhcpd unit files - Update ninfod policy to add nnp transition from systemd to ninfod - Remove container interface calling by named_filetrans_domain.
2020-03-31 07:52:00 +00:00
/selinux-policy-contrib-d5da042.tar.gz
/selinux-policy-50a6afe.tar.gz
* Tue Apr 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-12 - Allow rngd create netlink_kobject_uevent_socket and read udev runtime files - Allow ssh-keygen create file in /var/lib/glusterd - Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files - Merge ipa and ipa_custodia modules - Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t - Introduce daemons_dontaudit_scheduling boolean - Modify path for arping in netutils.fc to match both bin and sbin - Change file context for /var/run/pam_ssh to match file transition - Add file context entry and file transition for /var/run/pam_timestamp
2020-04-14 14:09:02 +00:00
/selinux-policy-ad1d355.tar.gz
/selinux-policy-contrib-6db7310.tar.gz
* Wed Apr 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-13 - Update networkmanager_read_pid_files() to allow also list_dir_perms - Update policy for NetworkManager_ssh_t - Allow glusterd synchronize between master and slave - Allow spamc_t domain to read network state - Allow strongswan use tun/tap devices and keys - Allow systemd_userdbd_t domain logging to journal
2020-04-29 09:21:16 +00:00
/selinux-policy-b583642.tar.gz
/selinux-policy-contrib-80860a3.tar.gz
* Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-14 - Allow chronyc_t domain to use nsswitch - Allow nscd_socket_use() for domains in nscd_use() unconditionally - Add allow rules for lttng-sessiond domain - Label dirsrv systemd unit files and add dirsrv_systemctl() - Allow gluster geo-replication in rsync mode - Allow nagios_plugin_domain execute programs in bin directories - Allow sys_admin capability for domain labeled systemd_bootchart_t - Split the arping path regexp to 2 lines to prevent from relabeling - Allow tcpdump sniffing offloaded (RDMA) traffic - Revert "Change arping path regexp to work around fixfiles incorrect handling" - Change arping path regexp to work around fixfiles incorrect handling - Allow read efivarfs_t files by domains executing systemctl file
2020-05-19 15:52:53 +00:00
/selinux-policy-contrib-cafd506.tar.gz
/selinux-policy-6d96694.tar.gz
* Thu Jun 04 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-15 - Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid - Support multiple ways of tlp invocation - Allow qemu-kvm read and write /dev/mapper/control - Introduce logrotate_use_cifs boolean - Allow ptp4l_t sys_admin capability to run bpf programs - Allow to getattr files on an nsfs filesystem - httpd: Allow NoNewPriv transition from systemd - Allow rhsmd read process state of all domains and kernel threads - Allow rhsmd mmap /etc/passwd - Allow systemd-logind manage efivarfs files - Allow initrc_t tlp_filetrans_named_content() - Allow systemd_resolved_t to read efivarfs - Allow systemd_modules_load_t to read efivarfs - Introduce systemd_read_efivarfs_type attribute - Allow named transition for /run/tlp from a user shell - Allow ipsec_mgmt_t mmap ipsec_conf_file_t files - Add file context for /sys/kernel/tracing
2020-06-04 10:37:12 +00:00
/selinux-policy-contrib-22a7272.tar.gz
/selinux-policy-7dd92fd.tar.gz
* Fri Jun 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-17 - Allow pdns server to read system state - Allow irqbalance nnp_transition - Fix description tag for the sssd_connect_all_unreserved_ports tunable - Allow journalctl process set its resource limits - Add sssd_access_kernel_keys tunable to conditionally access kernel keys - Make keepalived work with network namespaces - Create sssd_connect_all_unreserved_ports boolean - Allow hypervkvpd to request kernel to load a module - Allow systemd_private_tmp(dirsrv_tmp_t) - Allow microcode_ctl get attributes of sysfs directories - Remove duplicate files_dontaudit_list_tmp(radiusd_t) line - Allow radiusd connect to gssproxy over unix domain stream socket - Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?' - Allow qemu read and write /dev/mapper/control - Allow tlp_t can_exec() tlp_exec_t - Dontaudit vpnc_t setting its process scheduling - Remove files_mmap_usr_files() call for particular domains - Allow dirsrv_t list cgroup directories - Crete the kerberos_write_kadmind_tmp_files() interface - Allow realmd_t dbus chat with accountsd_t - Label systemd-growfs and systemd-makefs as fsadm_exec_t - Allow staff_u and user_u setattr generic usb devices - Allow sysadm_t dbus chat with accountsd - Modify kernel_rw_key() not to include append permission - Add kernel_rw_key() interface to access to kernel keyrings - Modify systemd_delete_private_tmp() to use delete_*_pattern macros - Allow systemd-modules to load kernel modules - Add cachefiles_dev_t as a typealias to cachefiles_device_t - Allow libkrb5 lib read client keytabs - Allow domain mmap usr_t files - Remove files_mmap_usr_files() call for systemd domains - Allow sshd write to kadmind temporary files - Do not audit staff_t and user_t attempts to manage boot_t entries - Add files_dontaudit_manage_boot_dirs() interface - Allow systemd-tty-ask-password-agent read efivarfs files
2020-06-26 14:15:46 +00:00
/selinux-policy-contrib-2a1096a.tar.gz
/selinux-policy-427796e.tar.gz
* Tue Jul 07 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-18 - Allow oddjob_t process noatsecure permission for ipa_helper_t - Allow keepalived manage its private type runtime directories - Update irqbalance runtime directory file context - Allow irqbalance file transition for pid sock_files and directories - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t - Allow virtlogd_t manage virt lib files - Allow systemd set efivarfs files attributes - Support systemctl --user in machinectl - Allow chkpwd_t read and write systemd-machined devpts character nodes - Allow init_t write to inherited systemd-logind sessions pipes
2020-07-07 14:11:16 +00:00
/selinux-policy-contrib-f55cbfd.tar.gz
/selinux-policy-f0e4878.tar.gz
* Fri Jul 10 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-19 - Additional support for keepalived running in a namespace - Remove systemd_dbus_chat_resolved(pcp_pmie_t) - virt: remove the libvirt qmf rules - Allow certmonger manage dirsrv services - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists - Allow domain dbus chat with systemd-resolved - Define file context for /var/run/netns directory only - Revert "Add support for fuse.glusterfs"
2020-07-10 15:18:49 +00:00
/selinux-policy-contrib-27225b9.tar.gz
/selinux-policy-d5c0a2d.tar.gz
* Mon Jul 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.6-20 - Align gen_tunable() syntax with sepolgen
2020-07-13 15:47:32 +00:00
/selinux-policy-9c84d68.tar.gz
* Thu Jul 30 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-22 - Allow virtlockd only getattr and lock block devices - Allow qemu-ga read all non security file types conditionally - Allow virtlockd manage VMs posix file locks - Allow smbd get attributes of device files labeled samba_share_t - Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t - Add a new httpd_can_manage_courier_spool boolean - Create interface courier_manage_spool_sockets() in courier policy to allow to search dir and allow manage sock files - Revert "Allow qemu-kvm read and write /dev/mapper/control" - Revert "Allow qemu read and write /dev/mapper/control" - Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain" - Dontaudit pcscd_t setting its process scheduling - Dontaudit thumb_t setting its process scheduling - Allow munin domain transition with NoNewPrivileges - Add dev_lock_all_blk_files() interface - Allow auditd manage kerberos host rcache files - Allow systemd-logind dbus chat with fwupd
2020-07-30 15:41:10 +00:00
/selinux-policy-af31e95.tar.gz
/selinux-policy-contrib-3e36d23.tar.gz
/selinux-policy-contrib-72b3524.tar.gz
/selinux-policy-3952201.tar.gz
* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-23 - Revert "Add support for /sys/fs/kdbus and allow login_pgm domain to access it." - Revert "Add interface to allow types to associate with cgroup filesystems" - Revert "kdbusfs should not be accessible for now." - Revert "kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp" - Revert "Add kdbus.pp policy to allow access /sys/fs/kdbus. It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode." - Remove the legacy kdbus module - Remove "kdbus = module" from modules-targeted-base.conf
2020-08-03 11:25:54 +00:00
/selinux-policy-217d493.tar.gz
* Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.6-24 - Add ipa_helper_noatsecure() interface unconditionally - Conditionally allow nagios_plugin_domain dbus chat with init - Revert "Update allow rules set for nrpe_t domain" - Add ipa_helper_noatsecure() interface to ipa.if - Label /usr/libexec/qemu-pr-helper with virtd_exec_t - Allow kadmind manage kerberos host rcache - Allow nsswitch_domain to connect to systemd-machined using a unix socket - Define named file transition for sshd on /tmp/krb5_0.rcache2 - Allow systemd-machined create userdbd runtime sock files - Disable kdbus module before updating
2020-08-13 18:12:50 +00:00
/selinux-policy-contrib-9b7cf70.tar.gz
/selinux-policy-6fe2056.tar.gz