import selinux-policy-3.14.3-30.el8

CentOS Sources 2020-01-21 14:59:04 -05:00 committed by Stepan Oksanichenko
parent c3537309fd
commit 34aba96502
8 changed files with 474 additions and 14 deletions

4
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/container-selinux.tgz
SOURCES/selinux-policy-68c5655.tar.gz
SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
SOURCES/selinux-policy-contrib-20346b0.tar.gz
SOURCES/selinux-policy-d76fcee.tar.gz


@ -1,3 +1,3 @@
d062b78207b84dff3bc74f0c67c21943040723d5 SOURCES/container-selinux.tgz
3a55719eee1f5aea3664adad331ed48c3f14f2eb SOURCES/selinux-policy-68c5655.tar.gz
31cc8d555c60212a119855c4d385b4e619c0e044 SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
ebdfca6c003d85c7ef844b24ddcce74f6a00fb0d SOURCES/container-selinux.tgz
6c9e28f9df02de9eab3afee49ed11a5231bcf860 SOURCES/selinux-policy-contrib-20346b0.tar.gz
251b98b0076ddfe2dc4ffac49838c089cbe90be7 SOURCES/selinux-policy-d76fcee.tar.gz


@ -40,7 +40,7 @@ then
fi
TEMP_STORE="$(mktemp -d)"
cd $TEMP_STORE
cd $TEMP_STORE || exit 1
IFS="("
set $1
@ -67,7 +67,7 @@ if [ "x$GENCIL" = "x1" ]; then
fi
fi
if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then
if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
if [ "x$GENTEMODULE" = "x1" ]; then
# sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
@ -77,5 +77,5 @@ if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then
fi
fi
cd - > /dev/null
cd - > /dev/null || exit 1
cleanup
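Review bot: The new guard `cd $TEMP_STORE || exit 1` does not catch a failed `mktemp -d`: with `TEMP_STORE` empty, the unquoted expansion leaves a bare `cd`, which succeeds by changing to `$HOME`, and the script then writes `expander.tmp` there. Check the allocation itself and quote the path: `TEMP_STORE="$(mktemp -d)" || exit 1` followed by `cd "$TEMP_STORE" || exit 1`. In the last hunk, `cd - > /dev/null || exit 1` exits before `cleanup` runs, so the temporary directory is presumably left behind on that path; `cd - > /dev/null || { cleanup; exit 1; }` would avoid that (what `cleanup` removes is defined outside the visible hunks). The script body starts and ends outside these hunks.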


@ -292,6 +292,13 @@ cfengine = module
#
cgroup = module
# Layer: contrib
# Module: cgdcbxd
#
# cgdcbxd policy
#
cgdcbxd = module
# Layer: apps
# Module: chrome
#
@ -2642,3 +2649,24 @@ boltd = module
# kpatch
#
kpatch = module
# Layer: contrib
# Module: timedatex
#
# timedatex
#
timedatex = module
# Layer: contrib
# Module: rrdcached
#
# rrdcached
#
rrdcached = module
# Layer: contrib
# Module: stratisd
#
# stratisd
#
stratisd = module


@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
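Review bot: Nothing beside the `staff_u` entry records that `system_r` is now deliberately left out, so a later resync with upstream could re-add it unnoticed. A one-line comment above the entry, such as `# staff_u intentionally lacks system_r (rhbz#1677052)`, would keep the intent visible; the bug number is the one the spec changelog in this commit gives for "Remove system_r role from staff_u user". The same applies to the other two users files changed the same way below. Since the role list in `gen_user` bounds which roles the user's sessions may enter, any local setup that relied on staff_u reaching system_r will presumably stop working after this update, which may deserve a release-note mention.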


@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#


@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#


@ -1,11 +1,11 @@
# github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 68c5655db824d5bdd4876836d7f302df25bb09ae
%global commit0 d76fceec695c24f195633137f40b5dacba5a8759
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 ff0abc8711cdbefbec47bcd9761b5524384bab3a
%global commit1 20346b0f238e84d0ad58bc1a3c96f6ed3fb1da3d
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat
@ -29,7 +29,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.3
Release: 9%{?dist}
Release: 30%{?dist}
License: GPLv2+
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -715,6 +715,438 @@ exit 0
%endif
%changelog
* Fri Dec 13 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-30
- Allow userdomain dbus chat with systemd_resolved_t
Resolves: rhbz#1773463
- Allow init_t read and setattr on /var/lib/fprintd
Resolves: rhbz#1781696
- Allow sysadm_t dbus chat with colord_t
Resolves: rhbz#1772669
- Allow confined users run fwupdmgr
Resolves: rhbz#1772619
- Allow confined users run machinectl
Resolves: rhbz#1772625
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
Resolves: rhbz#1778126
- Allow systemd labeled as init_t domain to manage faillog_t objects
Resolves: rhbz#1671019
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
Resolves: rhbz#1781696
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
Resolves: rhbz#1703231
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
Resolves: rhbz#1777761
- Change type in transition for /var/cache/{dnf,yum} directory
Resolves: rhbz#1686833
- Revert "Update zebra SELinux policy to make it work also with frr service"
This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d.
- Revert "Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t"
This reverts commit a19eb1021cbd6c637344954cead54caae081e07c.
- Allow stratis_t domain to request load modules
Resolves: rhbz#1726259
- Allow stratisd to connect to dbus
Resolves: rhbz#1726259
- Run stratisd service as stratisd_t
Resolves: rhbz#1726259
- Add support for smart card authentication in cockpit BZ(1690444)
Resolves: rhbz#1771414
- cockpit: Support split-out TLS proxy
Resolves: rhbz#1771414
- cockpit: Allow cockpit-session to read cockpit-tls state
Resolves: rhbz#1771414
- Update cockpit policy
Resolves: rhbz#1771414
- cockpit: Support https instance factory
Resolves: rhbz#1771414
- cockpit: Allow cockpit-session to read cockpit-tls state directory
Resolves: rhbz#1771414
- Fix nonexisting types in rtas_errd_rw_lock interface
Resolves: rhbz#1744234
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-29
- Allow timedatex_t domain to read relatime clock and adjtime_t files
Resolves: rhbz#1771513
* Fri Nov 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-28
- Update timedatex policy to add macros
Resolves: rhbz#1771513
* Fri Nov 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-27
- Allow timedatex_t domain dbus chat with both confined and unconfined users
Resolves: rhbz#1771513
- Fix typo bugs in rtas_errd_read_lock() interface
Resolves: rhbz#1750096
- Allow timedatex_t domain to systemctl chronyd domains
Resolves: rhbz#1771513
- Fix typo in dev_filetrans_all_named_dev()
Resolves: rhbz#1750096
* Mon Nov 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-26
- New policy for rrdcached
Resolves: rhbz#1726255
- Update timedatex policy
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
Resolves: rhbz#1730204
- Update lldpad_t policy module
Resolves: rhbz#1726246
- Dontaudit sandbox web types to setattr lib_t dirs
Resolves: rhbz#1739858
- Fix typo in cachefiles device
Resolves: rhbz#1750096
* Thu Nov 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-25
- Allow sssd_t domain to read gnome config and named cache files
Resolves: rhbz#1743907
- Allow httpd_t to signull mailman_cgi_t process
Resolves: rhbz#1686462
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
Resolves: rhbz#1758545
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
Resolves: rhbz#1750096
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
Resolves: rhbz#1750096
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
Resolves:rhbz#1746511
- Label libvirt drivers as virtd_exec_t
Resolves: rhbz#1745076
- Update apache and pkcs policies to make active opencryptoki rules
Resolves: rhbz#1744198
- Introduce new bolean httpd_use_opencryptoki
Resolves: rhbz#1744198
- Allow gssproxy_t domain read state of all processes on system
Resolves: rhbz#1752031
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
Resolves: rhbz#1730204
- Added macro for timedatex to chat over dbus.
Resolves: rhbz#1730204
- Run timedatex service as timedatex_t
Resolves: rhbz#1730204
- Run lldpd service as lldpad_t.
Resolves: rhbz#1726246
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
Resolves: rhbz#1765065
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
Resolves: rhbz#1744234
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
Resolves: rhbz#1765065
- Update tmpreaper_t policy due to fuser command
Resolves: rhbz#1765065
- Allow fail2ban_t domain to create netlink netfilter sockets.
Resolves: rhbz#1766415
- Label /dev/cachefilesd as cachefiles_device_t
Resolves: rhbz#1750096
- Label udp 8125 port as statsd_port_t
Resolves: rhbz#1746511
- Allow systemd(init_t) to load kernel modules
Resolves: rhbz#1758255
- Dontaudit sys_admin capability for auditd_t domains
Resolves: rhbz#1669040
- Allow x_userdomain to dbus_chat with timedatex.
Resolves: rhbz#1730204
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-24
- Allow confined users to run newaliases
Resolves:rhbz#1750405
- Add interface mysql_dontaudit_rw_db()
Resolves: rhbz#1747926
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
Resolves: rhbz#1739137
- Allow tmpreaper_t domain to read all domains state
Resolves: rhbz#1765065
- Allow ipa_ods_exporter_t domain to read krb5_keytab files
Resolves: rhbz#1759900
- Allow rhsmcertd_t domain to read rtas_errd lock files
Resolves: rhbz#1744234
- Add new interface rtas_errd_read_lock()
Resolves: rhbz#1744234
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
Resolves: rhbz#1747926
* Thu Oct 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-23
- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t
Resolves: rhbz#1714984
- Dontaudit and disallow sys_admin capability for keepalived_t domain
Resolves: rhbz#1729174
- Allow processes labeled as keepalived_t domain to get process group
Resolves: rhbz#1746955
* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
Resolves: rhbz#1756006
- Allow user domains to manage user session services
Resolves: rhbz#1727887
- Allow staff and user users to get status of user systemd session
Resolves: rhbz#1727887
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
Resolves: rhbz#1750405
- Allow dlm_controld_t domain to read random device
Resolves: rhbz#1752943
- Allow haproxy_t domain to read network state of system
Resolves: rhbz#1746974
- Allow avahi_t to send msg to lpr_t
Resolves: rhbz#1752843
- Create new type ipmievd_helper_t domain for loading kernel modules.
Resolves: rhbz#1673804
- networkmanager: allow NetworkManager_t to create bluetooth_socket
Resolves: rhbz#1747768
- Label /etc/named direcotory as named_conf_t
Resolves: rhbz#1759505
- Update aide_t domain to allow this tool to analyze also /dev filesystem
Resolves: rhbz#1758265
- Update zebra SELinux policy to make it work also with frr service
Resolves: rhbz#1714984
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
Resolves: rhbz#1711909
- Allow chronyc_t domain to append to all non_security files
Resolves: rhbz#1696252
- Allow httpd_t domain to read/write named_cache_t files
Resolves: rhbz#1690484
- Add new interface bind_rw_cache()
Resolves: rhbz#1690484
- Label /var/run/mysql as mysqld_var_run_t
Resolves: rhbz#1687867
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
Resolves: rhbz#1612552
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
Resolves: rhbz#1647971
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
Resolves: rhbz#1663874
- Update gnome_dontaudit_read_config
Resolves: rhbz#1663874
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
Resolves: rhbz#1687499
- Update keepalived policy
Resolves: rhbz#1728332
- Add sys_admin capability for keepalived_t labeled processes
Resolves: rhbz#1729174
- Fix abrt_upload_watch_t in abrt policy
Resolves: rhbz#1737419
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
Resolves: rhbz#1737550
- Allow amanda_t to manage its var lib files and read random_device_t
Resolves: rhbz#1739137
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
Resolves: rhbz#1743684
- Allow pesign_t domain to read/write named cache files.
Resolves: rhbz#1745429
- Allow login user type to use systemd user session
Resolves: rhbz#1727887
- Allow avahi_t to send msg to xdm_t
Resolves: rhbz#1755401
- Allow ldconfig_t domain to manage initrc_tmp_t objects
Resolves: rhbz#1756006
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Add new interface udev_getattr_rules_chr_files()
- Run lvmdbusd service as lvm_t
Resolves: rhbz#1726166
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Allow systemd labeled as init_t domain to remount rootfs filesystem
Resolves: rhbz#1698197
- Add interface files_remount_rootfs()
- New interface files_append_non_security_files()
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
Resolves: rhbz#1612552
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
Resolves: rhbz#1647971
- Dontaudit sys_admin capability for iptables_t SELinux domain
Resolves: rhbz#1669040
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
Resolves: rhbz#1671019
- Allow userdomains to dbus chat with policykit daemon
Resolves: rhbz#1727902
- Allow ipsec_t domain to read/write named cache files
Resolves: rhbz#1743777
- Add sys_admin capability for ipsec_t domain
Resolves: rhbz#1753662
* Mon Sep 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
Resolves: rhbz#1720639
* Fri Aug 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Update cpucontrol_t SELinux policy
Resolves: rhbz#1743930
* Mon Aug 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow dlm_controld_t domain to transition to the lvm_t
Resolves: rhbz#1732956
* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
Resolves: rhbz#1669485
- Fix typo in networkmanager_append_log() interface
Resolves: rhbz#1687460
- Update gpg policy to make ti working with confined users
Resolves: rhbz#1640296
* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow audisp_remote_t domain to read kerberos keytab
Resolves: rhbz#1740146
* Mon Aug 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Dontaudit abrt_t domain to read root_t files
Resolves: rhbz#1734403
- Allow ipa_dnskey_t domain to read kerberos keytab
Resolves: rhbz#1730144
- Update ibacm_t policy
- Allow dlm_controld_t domain setgid capability
Resolves: rhbz#1738608
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
Resolves: rhbz#1740146
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
Resolves: rhbz#1670139
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Allow cgdcbxd_t domain to list cgroup dirs
Resolves: rhbz#1651991
* Mon Jul 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
Resolves: rhbz#1730144
- Allow virtlockd process read virtlockd.conf file
Resolves: rhbz#1733185
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
Resolves: rhbz#1733185
- Allow brltty to request to load kernel module
Resolves: rhbz#1689955
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
Resolves: rhbz#1729955
- Dontaudit svirt_tcg_t domain to read process state of libvirt
Resolves: rhbz#1732500
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
Resolves: rhbz#1732381
- Allow cyrus work with PrivateTmp
Resolves: rhbz#1725023
- Make cgdcbxd_t domain working with SELinux enforcing.
Resolves: rhbz#1651991
- Remove system_r role from staff_u user.
Resolves: rhbz#1677052
- Add systemd_private_tmp_type attribute
Resolves: rhbz#1725023
- Allow systemd to load kernel modules during boot process.
Resolves: rhbz#1644805
* Fri Jul 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Make working wireshark execute byt confined users staff_t and sysadm_t
Resolves: rhbz#1712788
- Label user cron spool file with user_cron_spool_t
Resolves: rhbz#1727342
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
Resolves: rhbz#1668667
- Update svnserve_t policy to make working svnserve hooks
Resolves: rhbz#1729955
- Allow varnishlog_t domain to check for presence of varnishd_t domains
Resolves: rhbz#1730270
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
Resolves: rhbz#1720648
- Update sandboxX policy to make working firefox inside SELinux sandbox
Resolves: rhbz#1663874
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
Resolves: rhbz#1695248
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
Resolves: rhbz#1690484
- Allow opafm_t domain to modify scheduling information of another process.
Resolves: rhbz#1725874
- Allow gssd_t domain to list tmpfs_t dirs
Resolves: rhbz#1674470
- Allow mdadm_t domain to read tmpfs_t files
Resolves: rhbz#1669996
- Allow sbd_t domain to check presence of processes labeled as cluster_t
Resolves: rhbz#1669595
- Dontaudit httpd_sys_script_t to read systemd unit files
Resolves: rhbz#1670139
- Allow blkmapd_t domain to read nvme devices
Resolves: rhbz#1669985
- Update cpucontrol_t domain to make working microcode service
Resolves: rhbz#1669485
- Allow domain transition from logwatch_t do postfix_postqueue_t
Resolves: rhbz#1669162
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
Resolves: rhbz#1696252
- Allow httpd_sys_script_t domain to mmap httpdcontent
Resolves: rhbz#1693137
- Allow sbd_t to manage cgroups_t files
Resolves: rhbz#1715134
- Update wireshark policy to make working tshar labeled as wireshark_t
Resolves: rhbz#1711005
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
Resolves: rhbz#1719083
- Allow sbd_t domain to use nsswitch
Resolves: rhbz#1723498
- Allow sysadm_t and staff_t domains to read wireshark shared memory
Resolves: rhbz#1712788
- Label /usr/libexec/utempter/utempter as utemper_exec_t
Resolves: rhbz#1729571
- Allow unconfined_domain_type to setattr own process lnk files.
Resolves: rhbz#1730500
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
Resolves: rhbz#1689797
- Allow staff and admin domains to setpcap in user namespace
Resolves: rhbz#1673922
- Allow staff and sysadm to use lockdev
Resolves: rhbz#1673269
- Allow staff and sysadm users to run iotop.
Resolves: rhbz#1671241
- Dontaudit traceroute_t domain require sys_admin capability
Resolves: rhbz#1671672
- Dontaudit dbus chat between kernel_t and init_t
Resolves: rhbz#1669095
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Resolves: rhbz#1696144
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Fix minor changes to pass coverity scan
Resolves: rhbz#1728578
* Tue Jul 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Label /var/kerberos/krb5 as krb5_keytab_t
Resolves: rhbz#1669975
- Allow sbd_t domain to manage cgroup dirs
Resolves: rhbz#1715134
- Allow wireshark_t domain to create netlink netfilter sockets
Resolves: rhbz#1711005
- Allow gpg_agent_t domain to use nsswitch
Resolves: rhbz#1567073
- Allow httpd script types to mmap httpd rw content
Resolves: rhbz#1693137
- Allow confined users to login via cockpit
Resolves: rhbz#1718814
- Replace "-" by "_" in speechdispatcher types names
- Change condor_domain declaration in condor_systemctl
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
Resolves: rhbz#1720070
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
Resolves: rhbz#1719083
- Fix all interfaces which cannot by compiled because of typos
Resolves: rhbz#1687460
- Allow auditd_t domain to send signals to audisp_remote_t domain
Resolves: rhbz#1726659
- Allow associate efivarfs_t on sysfs_t
Resolves: rhbz#1709747
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
Resolves: rhbz#1718814
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
- Dontaudit unpriv_userdomain to manage boot_t files
Resolves: rhbz#1723773
- Allow crack_t domain read /et/passwd files
Resolves: rhbz#1721132
- Allow dhcpc_t domain to manage network manager pid files
Resolves: rhbz#1720070
* Mon Jun 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow redis_t domain to read public sssd files
Resolves: rhbz#1718200