@ -1,11 +1,11 @@
# github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 68c5655db824d5bdd4876836d7f302df25bb09ae
%global commit0 d76fceec695c24f195633137f40b5dacba5a8759
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 ff0abc8711cdbefbec47bcd9761b5524384bab3a
%global commit1 20346b0f238e84d0ad58bc1a3c96f6ed3fb1da3d
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat
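Review bot: the base and contrib pins move from 68c5655d to d76fceec and from ff0abc87 to 20346b0f in a single step that covers releases 10 through 30 of the changelog, and nothing in the spec verifies the fetched archive beyond the commit hash embedded in the Source URL; before building, confirm that the tarballs served from %{git0}/archive/%{commit0} and %{git1}/archive/%{commit1} match those commits in a local clone, and consider recording the verified checksums next to the pins so a later change on the upstream side cannot silently alter the build input.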
@ -29,7 +29,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.3
Release: 9%{?dist}
Release: 30%{?dist}
License: GPLv2+
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
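Review bot: Release moves from 9 to 30 while Version stays 3.14.3, which agrees with the newest changelog entry (3.14.3-30) and with the 21 intermediate entries, so the versioning itself is consistent; the Source: and Source29: lines keep fetching by commit hash only, so this hunk must land in the same change as the commit0/commit1 update above, otherwise the package would be rebuilt as -30 from the -9 sources.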
@ -715,6 +715,438 @@ exit 0
%endif
%changelog
* Fri Dec 13 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-30
- Allow userdomain dbus chat with systemd_resolved_t
Resolves: rhbz#1773463
- Allow init_t read and setattr on /var/lib/fprintd
Resolves: rhbz#1781696
- Allow sysadm_t dbus chat with colord_t
Resolves: rhbz#1772669
- Allow confined users run fwupdmgr
Resolves: rhbz#1772619
- Allow confined users run machinectl
Resolves: rhbz#1772625
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
Resolves: rhbz#1778126
- Allow systemd labeled as init_t domain to manage faillog_t objects
Resolves: rhbz#1671019
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
Resolves: rhbz#1781696
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
Resolves: rhbz#1703231
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
Resolves: rhbz#1777761
- Change type in transition for /var/cache/{dnf,yum} directory
Resolves: rhbz#1686833
- Revert "Update zebra SELinux policy to make it work also with frr service"
This reverts commit 73653250a252ad6eefcb3aae00749017e396ab8d.
- Revert "Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t"
This reverts commit a19eb1021cbd6c637344954cead54caae081e07c.
- Allow stratis_t domain to request load modules
Resolves: rhbz#1726259
- Allow stratisd to connect to dbus
Resolves: rhbz#1726259
- Run stratisd service as stratisd_t
Resolves: rhbz#1726259
- Add support for smart card authentication in cockpit BZ(1690444)
Resolves: rhbz#1771414
- cockpit: Support split-out TLS proxy
Resolves: rhbz#1771414
- cockpit: Allow cockpit-session to read cockpit-tls state
Resolves: rhbz#1771414
- Update cockpit policy
Resolves: rhbz#1771414
- cockpit: Support https instance factory
Resolves: rhbz#1771414
- cockpit: Allow cockpit-session to read cockpit-tls state directory
Resolves: rhbz#1771414
- Fix nonexisting types in rtas_errd_rw_lock interface
Resolves: rhbz#1744234
* Wed Nov 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-29
- Allow timedatex_t domain to read relatime clock and adjtime_t files
Resolves: rhbz#1771513
* Fri Nov 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-28
- Update timedatex policy to add macros
Resolves: rhbz#1771513
* Fri Nov 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-27
- Allow timedatex_t domain dbus chat with both confined and unconfined users
Resolves: rhbz#1771513
- Fix typo bugs in rtas_errd_read_lock() interface
Resolves: rhbz#1750096
- Allow timedatex_t domain to systemctl chronyd domains
Resolves: rhbz#1771513
- Fix typo in dev_filetrans_all_named_dev()
Resolves: rhbz#1750096
* Mon Nov 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-26
- New policy for rrdcached
Resolves: rhbz#1726255
- Update timedatex policy
- Update timedatex SELinux policy to to sychronizate time with GNOME and add new macro chronyd_service_status to chronyd.if
- Add new macro systemd_timedated_status to systemd.if to get timedated service status
Resolves: rhbz#1730204
- Update lldpad_t policy module
Resolves: rhbz#1726246
- Dontaudit sandbox web types to setattr lib_t dirs
Resolves: rhbz#1739858
- Fix typo in cachefiles device
Resolves: rhbz#1750096
* Thu Nov 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-25
- Allow sssd_t domain to read gnome config and named cache files
Resolves: rhbz#1743907
- Allow httpd_t to signull mailman_cgi_t process
Resolves: rhbz#1686462
- Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files
Resolves: rhbz#1758545
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
Resolves: rhbz#1750096
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
Resolves: rhbz#1750096
- Allow pcp_pmcd_t domain to bind on udp port labeled as statsd_port_t
Resolves:rhbz#1746511
- Label libvirt drivers as virtd_exec_t
Resolves: rhbz#1745076
- Update apache and pkcs policies to make active opencryptoki rules
Resolves: rhbz#1744198
- Introduce new bolean httpd_use_opencryptoki
Resolves: rhbz#1744198
- Allow gssproxy_t domain read state of all processes on system
Resolves: rhbz#1752031
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
Resolves: rhbz#1730204
- Added macro for timedatex to chat over dbus.
Resolves: rhbz#1730204
- Run timedatex service as timedatex_t
Resolves: rhbz#1730204
- Run lldpd service as lldpad_t.
Resolves: rhbz#1726246
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
Resolves: rhbz#1765065
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
Resolves: rhbz#1744234
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
Resolves: rhbz#1765065
- Update tmpreaper_t policy due to fuser command
Resolves: rhbz#1765065
- Allow fail2ban_t domain to create netlink netfilter sockets.
Resolves: rhbz#1766415
- Label /dev/cachefilesd as cachefiles_device_t
Resolves: rhbz#1750096
- Label udp 8125 port as statsd_port_t
Resolves: rhbz#1746511
- Allow systemd(init_t) to load kernel modules
Resolves: rhbz#1758255
- Dontaudit sys_admin capability for auditd_t domains
Resolves: rhbz#1669040
- Allow x_userdomain to dbus_chat with timedatex.
Resolves: rhbz#1730204
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-24
- Allow confined users to run newaliases
Resolves:rhbz#1750405
- Add interface mysql_dontaudit_rw_db()
Resolves: rhbz#1747926
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
Resolves: rhbz#1739137
- Allow tmpreaper_t domain to read all domains state
Resolves: rhbz#1765065
- Allow ipa_ods_exporter_t domain to read krb5_keytab files
Resolves: rhbz#1759900
- Allow rhsmcertd_t domain to read rtas_errd lock files
Resolves: rhbz#1744234
- Add new interface rtas_errd_read_lock()
Resolves: rhbz#1744234
- Donaudit ifconfig_t domain to read/write mysqld_db_t files
Resolves: rhbz#1747926
* Thu Oct 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-23
- Label only regular files inside /usr/lib/frr direcotry as zebra_exec_t
Resolves: rhbz#1714984
- Dontaudit and disallow sys_admin capability for keepalived_t domain
Resolves: rhbz#1729174
- Allow processes labeled as keepalived_t domain to get process group
Resolves: rhbz#1746955
* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-22
- Allow ldconfig_t domain to manage initrc_tmp_t link files Allow netutils_t domain to write to initrc_tmp_t fifo files
Resolves: rhbz#1756006
- Allow user domains to manage user session services
Resolves: rhbz#1727887
- Allow staff and user users to get status of user systemd session
Resolves: rhbz#1727887
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-21
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
Resolves: rhbz#1750405
- Allow dlm_controld_t domain to read random device
Resolves: rhbz#1752943
- Allow haproxy_t domain to read network state of system
Resolves: rhbz#1746974
- Allow avahi_t to send msg to lpr_t
Resolves: rhbz#1752843
- Create new type ipmievd_helper_t domain for loading kernel modules.
Resolves: rhbz#1673804
- networkmanager: allow NetworkManager_t to create bluetooth_socket
Resolves: rhbz#1747768
- Label /etc/named direcotory as named_conf_t
Resolves: rhbz#1759505
- Update aide_t domain to allow this tool to analyze also /dev filesystem
Resolves: rhbz#1758265
- Update zebra SELinux policy to make it work also with frr service
Resolves: rhbz#1714984
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
Resolves: rhbz#1711909
- Allow chronyc_t domain to append to all non_security files
Resolves: rhbz#1696252
- Allow httpd_t domain to read/write named_cache_t files
Resolves: rhbz#1690484
- Add new interface bind_rw_cache()
Resolves: rhbz#1690484
- Label /var/run/mysql as mysqld_var_run_t
Resolves: rhbz#1687867
- Allow cupsd_t domain to create directory with name ppd in dirs labeled as cupsd_etc_t with label cupsd_rw_etc_t.
Resolves: rhbz#1612552
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
Resolves: rhbz#1647971
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
Resolves: rhbz#1663874
- Update gnome_dontaudit_read_config
Resolves: rhbz#1663874
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
Resolves: rhbz#1687499
- Update keepalived policy
Resolves: rhbz#1728332
- Add sys_admin capability for keepalived_t labeled processes
Resolves: rhbz#1729174
- Fix abrt_upload_watch_t in abrt policy
Resolves: rhbz#1737419
- Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label
Resolves: rhbz#1737550
- Allow amanda_t to manage its var lib files and read random_device_t
Resolves: rhbz#1739137
- Allow zebrat_t domain to read state of NetworkManager_t processes BZ(1739983)
Resolves: rhbz#1743684
- Allow pesign_t domain to read/write named cache files.
Resolves: rhbz#1745429
- Allow login user type to use systemd user session
Resolves: rhbz#1727887
- Allow avahi_t to send msg to xdm_t
Resolves: rhbz#1755401
- Allow ldconfig_t domain to manage initrc_tmp_t objects
Resolves: rhbz#1756006
- Add new interface init_write_initrc_tmp_pipes()
- Add new interface init_manage_script_tmp_files()
- Add new interface udev_getattr_rules_chr_files()
- Run lvmdbusd service as lvm_t
Resolves: rhbz#1726166
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Allow systemd labeled as init_t domain to remount rootfs filesystem
Resolves: rhbz#1698197
- Add interface files_remount_rootfs()
- New interface files_append_non_security_files()
- Allow domains systemd_networkd_t and systemd_logind_t to chat over dbus
Resolves: rhbz#1612552
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
Resolves: rhbz#1647971
- Dontaudit sys_admin capability for iptables_t SELinux domain
Resolves: rhbz#1669040
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
Resolves: rhbz#1671019
- Allow userdomains to dbus chat with policykit daemon
Resolves: rhbz#1727902
- Allow ipsec_t domain to read/write named cache files
Resolves: rhbz#1743777
- Add sys_admin capability for ipsec_t domain
Resolves: rhbz#1753662
* Mon Sep 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-20
- Label /var/log/hawkey.log as rpm_log_t and update rpm named filetrans interfaces.
- Allow sysadm_t to create hawkey log file with rpm_log_t SELinux label
Resolves: rhbz#1720639
* Fri Aug 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-19
- Update cpucontrol_t SELinux policy
Resolves: rhbz#1743930
* Mon Aug 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-18
- Allow dlm_controld_t domain to transition to the lvm_t
Resolves: rhbz#1732956
* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-17
- Label /usr/libexec/microcode_ctl/reload_microcode as cpucontrol_exec_t
Resolves: rhbz#1669485
- Fix typo in networkmanager_append_log() interface
Resolves: rhbz#1687460
- Update gpg policy to make ti working with confined users
Resolves: rhbz#1640296
* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-16
- Allow audisp_remote_t domain to read kerberos keytab
Resolves: rhbz#1740146
* Mon Aug 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-15
- Dontaudit abrt_t domain to read root_t files
Resolves: rhbz#1734403
- Allow ipa_dnskey_t domain to read kerberos keytab
Resolves: rhbz#1730144
- Update ibacm_t policy
- Allow dlm_controld_t domain setgid capability
Resolves: rhbz#1738608
- Allow auditd_t domain to create auditd_tmp_t temporary files and dirs in /tmp or /var/tmp
Resolves: rhbz#1740146
- Update systemd_dontaudit_read_unit_files() interface to dontaudit alos listing dirs
Resolves: rhbz#1670139
* Wed Aug 07 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-14
- Allow cgdcbxd_t domain to list cgroup dirs
Resolves: rhbz#1651991
* Mon Jul 29 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-13
- Allow search krb5_keytab_t dirs for interfaces kerberos_read_keytab() and kerberos_rw_keytab
Resolves: rhbz#1730144
- Allow virtlockd process read virtlockd.conf file
Resolves: rhbz#1733185
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
Resolves: rhbz#1733185
- Allow brltty to request to load kernel module
Resolves: rhbz#1689955
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
Resolves: rhbz#1729955
- Dontaudit svirt_tcg_t domain to read process state of libvirt
Resolves: rhbz#1732500
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
Resolves: rhbz#1732381
- Allow cyrus work with PrivateTmp
Resolves: rhbz#1725023
- Make cgdcbxd_t domain working with SELinux enforcing.
Resolves: rhbz#1651991
- Remove system_r role from staff_u user.
Resolves: rhbz#1677052
- Add systemd_private_tmp_type attribute
Resolves: rhbz#1725023
- Allow systemd to load kernel modules during boot process.
Resolves: rhbz#1644805
* Fri Jul 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-12
- Make working wireshark execute byt confined users staff_t and sysadm_t
Resolves: rhbz#1712788
- Label user cron spool file with user_cron_spool_t
Resolves: rhbz#1727342
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
Resolves: rhbz#1668667
- Update svnserve_t policy to make working svnserve hooks
Resolves: rhbz#1729955
- Allow varnishlog_t domain to check for presence of varnishd_t domains
Resolves: rhbz#1730270
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
Resolves: rhbz#1720648
- Update sandboxX policy to make working firefox inside SELinux sandbox
Resolves: rhbz#1663874
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
Resolves: rhbz#1695248
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
Resolves: rhbz#1690484
- Allow opafm_t domain to modify scheduling information of another process.
Resolves: rhbz#1725874
- Allow gssd_t domain to list tmpfs_t dirs
Resolves: rhbz#1674470
- Allow mdadm_t domain to read tmpfs_t files
Resolves: rhbz#1669996
- Allow sbd_t domain to check presence of processes labeled as cluster_t
Resolves: rhbz#1669595
- Dontaudit httpd_sys_script_t to read systemd unit files
Resolves: rhbz#1670139
- Allow blkmapd_t domain to read nvme devices
Resolves: rhbz#1669985
- Update cpucontrol_t domain to make working microcode service
Resolves: rhbz#1669485
- Allow domain transition from logwatch_t do postfix_postqueue_t
Resolves: rhbz#1669162
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
Resolves: rhbz#1696252
- Allow httpd_sys_script_t domain to mmap httpdcontent
Resolves: rhbz#1693137
- Allow sbd_t to manage cgroups_t files
Resolves: rhbz#1715134
- Update wireshark policy to make working tshar labeled as wireshark_t
Resolves: rhbz#1711005
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
Resolves: rhbz#1719083
- Allow sbd_t domain to use nsswitch
Resolves: rhbz#1723498
- Allow sysadm_t and staff_t domains to read wireshark shared memory
Resolves: rhbz#1712788
- Label /usr/libexec/utempter/utempter as utemper_exec_t
Resolves: rhbz#1729571
- Allow unconfined_domain_type to setattr own process lnk files.
Resolves: rhbz#1730500
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
Resolves: rhbz#1689797
- Allow staff and admin domains to setpcap in user namespace
Resolves: rhbz#1673922
- Allow staff and sysadm to use lockdev
Resolves: rhbz#1673269
- Allow staff and sysadm users to run iotop.
Resolves: rhbz#1671241
- Dontaudit traceroute_t domain require sys_admin capability
Resolves: rhbz#1671672
- Dontaudit dbus chat between kernel_t and init_t
Resolves: rhbz#1669095
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Resolves: rhbz#1696144
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-11
- Fix minor changes to pass coverity scan
Resolves: rhbz#1728578
* Tue Jul 09 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-10
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Label /var/kerberos/krb5 as krb5_keytab_t
Resolves: rhbz#1669975
- Allow sbd_t domain to manage cgroup dirs
Resolves: rhbz#1715134
- Allow wireshark_t domain to create netlink netfilter sockets
Resolves: rhbz#1711005
- Allow gpg_agent_t domain to use nsswitch
Resolves: rhbz#1567073
- Allow httpd script types to mmap httpd rw content
Resolves: rhbz#1693137
- Allow confined users to login via cockpit
Resolves: rhbz#1718814
- Replace "-" by "_" in speechdispatcher types names
- Change condor_domain declaration in condor_systemctl
- Update interface networkmanager_manage_pid_files() to allow manage also dirs
Resolves: rhbz#1720070
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
Resolves: rhbz#1719083
- Fix all interfaces which cannot by compiled because of typos
Resolves: rhbz#1687460
- Allow auditd_t domain to send signals to audisp_remote_t domain
Resolves: rhbz#1726659
- Allow associate efivarfs_t on sysfs_t
Resolves: rhbz#1709747
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
Resolves: rhbz#1718814
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()
- Dontaudit unpriv_userdomain to manage boot_t files
Resolves: rhbz#1723773
- Allow crack_t domain read /et/passwd files
Resolves: rhbz#1721132
- Allow dhcpc_t domain to manage network manager pid files
Resolves: rhbz#1720070
* Mon Jun 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-9
- Allow redis_t domain to read public sssd files
Resolves: rhbz#1718200
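Review bot: several of the added changelog entries widen policy scope well beyond the single-service fixes around them and should be checked against the actual rules in the policy sources rather than accepted on the summary line alone, in particular `Allow chronyc_t domain to append to all non_security files` (and its create/write variant in 3.14.3-12), `Allow gssproxy_t domain read state of all processes on system` and `Add sys_admin capability for ipsec_t domain`; the same applies to the tmpreaper_t read of all domains' state, the init_t kernel-module loading and default_t mountpoint creation, and the sys_ptrace/sys_chroot grant to sandbox_web_type in user namespaces. The sys_admin capability added for keepalived_t in 3.14.3-21 is withdrawn again in 3.14.3-23, so the net effect of this commit for keepalived_t is a dontaudit plus denial, which the entry list does not make obvious. Smaller points: the inline BZ(...) numbers differ from the Resolves: lines for the abrt_dump_oops_t, cockpit smart card, zebrat_t and faillog_t entries, so confirm they intentionally reference distinct bugs; Resolves:rhbz#1746511 and Resolves:rhbz#1750405 lack the space used everywhere else; and the entries carry typos that will surface in rpm -q --changelog output (direcotry, sychronizate, bolean, Donaudit, parametes, alos, forl, byt, tshar, /et/passwd, "make ti working", zebrat_t).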