Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
Conflicts: selinux-policy.spec
commit
45852f5fe5
@ -47,12 +47,12 @@ alsa = module
|
||||
#
|
||||
amanda = module
|
||||
|
||||
# Layer: services
|
||||
# Module: amavis
|
||||
# Layer: contrib
|
||||
# Module: antivirus
|
||||
#
|
||||
# Anti-virus
|
||||
#
|
||||
amavis = module
|
||||
antivirus = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: amtu
|
||||
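Review bot: the header for the renamed entry now reads "# Layer: contrib", while the neighbouring entries in this hunk name a policy layer ("# Layer: services", "# Layer: admin"). If "contrib" refers to where the module source lives rather than to a layer, keep the original layer name so the headers stay consistent. The description is still only "# Anti-virus"; since the entry changes from amavis to antivirus, a line stating which former modules it replaces would help anyone auditing what is enabled.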
@ -243,20 +243,13 @@ chrome = module
|
||||
#
|
||||
chronyd = module
|
||||
|
||||
q# Layer: services
|
||||
# Layer: services
|
||||
# Module: cipe
|
||||
#
|
||||
# Encrypted tunnel daemon
|
||||
#
|
||||
cipe = module
|
||||
|
||||
# Layer: services
|
||||
# Module: clamav
|
||||
#
|
||||
# ClamAV Virus Scanner
|
||||
#
|
||||
clamav = module
|
||||
|
||||
# Layer: services
|
||||
# Module: clogd
|
||||
#
|
||||
|
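Review bot: the clamav entry removed at the end of this hunk leaves no trace in the file of which module now carries ClamAV coverage; a short comment pointing at the replacement would help. The same hunk also fixes the stray "q" in "q# Layer: services" above the cipe entry, an unrelated cleanup that the commit message does not mention; it is worth a separate commit or at least a changelog line.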
@ -68,13 +68,6 @@ alsa = module
|
||||
#
|
||||
amanda = module
|
||||
|
||||
# Layer: services
|
||||
# Module: amavis
|
||||
#
|
||||
# Anti-virus
|
||||
#
|
||||
amavis = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: amtu
|
||||
#
|
||||
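Review bot: this hunk drops the amavis entry without adding "antivirus = module" in its place, unlike the hunk at -47,12 +47,12 in the other module list, which swaps one for the other. If this policy variant is meant to ship without the antivirus module, say so in the changelog; otherwise the replacement line is missing here.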
@ -327,12 +320,6 @@ chronyd = module
|
||||
#
|
||||
cipe = module
|
||||
|
||||
# Layer: services
|
||||
# Module: clamav
|
||||
#
|
||||
# ClamAV Virus Scanner
|
||||
#
|
||||
clamav = module
|
||||
|
||||
# Layer: services
|
||||
# Module: clogd
|
||||
|
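Review bot: clamav is removed here with no replacement entry, while the rm -f line changed in the spec now deletes amavis.pp and clamav.pp under /etc/selinux/%2/modules/active/modules for whichever policy type is passed in. Please confirm that systems built from this module list still end up with a loaded policy module covering ClamAV after the upgrade, since nothing in this file enables one.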
154921
policy-rawhide-base.patch
154921
policy-rawhide-base.patch
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 5%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -252,7 +252,7 @@ fi;
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
||||
rm /etc/selinux/%2/.rebuild; \
|
||||
(cd /etc/selinux/%2/modules/active/modules; rm -f gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp ) \
|
||||
(cd /etc/selinux/%2/modules/active/modules; rm -f amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp ) \
|
||||
/usr/sbin/semodule -B -n -s %2; \
|
||||
else \
|
||||
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
|
||||
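Review bot: in the changed rm line the subshell joins the directory change and the delete with ";", so if /etc/selinux/%2/modules/active/modules does not exist, rm -f still runs in whatever directory the scriptlet started in. Use "cd ... && rm -f ..." so the delete can only happen inside the module store. While the list is being edited, "moilscanner.pp" and "passanger.pp" look like misspellings that may never match a real file; worth checking.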
@ -521,6 +521,64 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jan 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-8
|
||||
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
|
||||
- Allow confined users to read systemd_logind seat information
|
||||
- libmpg ships badly created libraries
|
||||
- Add support for strongswan.service
|
||||
- Add labeling for strongswan
|
||||
- Allow l2tpd_t to read network manager content in /run directory
|
||||
- Allow rsync to getattr any file in rsync_data_t
|
||||
- Add labeling and filename transition for .grl-podcasts
|
||||
|
||||
* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
|
||||
- mount.glusterfs executes glusterfsd binary
|
||||
- Allow systemd_hostnamed_t to stream connect to systemd
|
||||
- Dontaudit any user doing a access check
|
||||
- Allow obex-data-server to request the kernel to load a module
|
||||
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
|
||||
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
|
||||
- Add new types for antivirus.pp policy module
|
||||
- Allow gnomesystemmm_t caps because of ioprio_set
|
||||
- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t
|
||||
- Allow gnomesystemmm_t caps because of ioprio_set
|
||||
- Allow NM rawip socket
|
||||
- files_relabel_non_security_files can not be used with boolean
|
||||
- Add interface to thumb_t dbus_chat to allow it to read remote process state
|
||||
- ALlow logrotate to domtrans to mdadm_t
|
||||
- kde gnomeclock wants to write content to /tmp
|
||||
|
||||
* Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
|
||||
- kde gnomeclock wants to write content to /tmp
|
||||
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
|
||||
- Allow blueman_t to rwx zero_device_t, for some kind of jre
|
||||
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
|
||||
- Ftp full access should be allowed to create directories as well as files
|
||||
- Add boolean to allow rsync_full_acces, so that an rsync server can write all
|
||||
- over the local machine
|
||||
- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
|
||||
- Add missing vpnc_roles type line
|
||||
- Allow stapserver to write content in /tmp
|
||||
- Allow gnome keyring to create keyrings dir in ~/.local/share
|
||||
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
|
||||
- Add interface to colord_t dbus_chat to allow it to read remote process state
|
||||
- Allow colord_t to read cupsd_t state
|
||||
- Add mate-thumbnail-font as thumnailer
|
||||
- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data.
|
||||
- Allow qpidd to list /tmp. Needed by ssl
|
||||
- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18
|
||||
- - Added systemd support for ksmtuned
|
||||
- Added booleans
|
||||
ksmtuned_use_nfs
|
||||
ksmtuned_use_cifs
|
||||
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow
|
||||
- Looks like qpidd_t needs to read /dev/random
|
||||
- Lots of probing avc's caused by execugting gpg from staff_t
|
||||
- Dontaudit senmail triggering a net_admin avc
|
||||
- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port
|
||||
- Logwatch does access check on mdadm binary
|
||||
- Add raid_access_check_mdadm() iterface
|
||||
|
||||
* Wed Jan 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-5
|
||||
- Fix systemd_manage_unit_symlinks() interface
|
||||
- Call systemd_manage_unit_symlinks(() which is correct interface
|
||||
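Review bot: the 3.12.1-7 entry lists "Allow gnomesystemmm_t caps because of ioprio_set" twice, and "kde gnomeclock wants to write content to /tmp" closes 3.12.1-7 and also opens 3.12.1-6, which looks like merge residue; drop the duplicates. In 3.12.1-6, "- - Added systemd support for ksmtuned" has a doubled dash. Entries that widen access considerably (rwx on zero_device_t for blueman_t and mozilla_plugin_t, sys_ptrace for sectoolm, the rsync full access boolean) would benefit from a bug reference so the justification can be checked later.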
@ -541,6 +599,15 @@ SELinux Reference policy mls base module.
|
||||
- mythtv policy
|
||||
- Update mandb_admin() interface
|
||||
- Allow dsspam to listen on own tpc_socket
|
||||
- seutil_filetrans_named_content needs to be optional
|
||||
- Allow sysadm_t to execute content in his homedir
|
||||
- Add attach_queue to tun_socket, new patch from Paul Moore
|
||||
- Change most of selinux configuration types to security_file_type.
|
||||
- Add filename transition rules for selinux configuration
|
||||
- ssh into a box with -X -Y requires ssh_use_ptys
|
||||
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
|
||||
- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated
|
||||
- New allow rules found by Tom London for systemd_hostnamed
|
||||
|
||||
* Mon Jan 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-4
|
||||
- Allow systemd-tmpfiles to relabel lpd spool files
|
||||
|
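Review bot: "Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on" is added in this block and also appears in the 3.12.1-6 entry, so the same change is recorded twice; keep it in one place. This block says "ssh_use_ptys" where the 3.12.1-8 entry says "ssh_use_pts"; make the interface name consistent. "Allow sysadm_t to execute content in his homedir" should state whether it is gated by a boolean.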