Remove trailing whitespaces
parent
e99b0bae28
commit
fe20768333
11
README.md
11
README.md
@ -20,7 +20,7 @@ On GitHub, we have two repositories (selinux-policy and selinux-policy-contrib )
|
||||
origin/rawhide
|
||||
|
||||
$ cd selinux-policy-contrib
|
||||
$ git remote -v
|
||||
$ git remote -v
|
||||
origin git@github.com:fedora-selinux/selinux-policy-contrib.git (fetch)
|
||||
|
||||
$ git branch -r
|
||||
@ -38,13 +38,13 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s
|
||||
## Build process
|
||||
|
||||
1. clone [fedora-selinux/selinux-policy](https://github.com/fedora-selinux/selinux-policy) repository
|
||||
|
||||
|
||||
$ cd ~/devel/github
|
||||
$ git clone git@github.com:fedora-selinux/selinux-policy.git
|
||||
$ cd selinux-policy
|
||||
|
||||
2. clone [fedora-selinux/selinux-policy-contrib](https://github.com/fedora-selinux/selinux-policy-contrib) repository
|
||||
|
||||
|
||||
$ cd ~/devel/github
|
||||
$ git clone git@github.com:fedora-selinux/selinux-policy-contrib.git
|
||||
$ cd selinux-policy-contrib
|
||||
@ -54,7 +54,7 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s
|
||||
4. clone **selinux-policy** dist-git repository
|
||||
|
||||
$ cd ~/devel/dist-git
|
||||
$ fedpkg clone selinux-policy
|
||||
$ fedpkg clone selinux-policy
|
||||
$ cd selinux-policy
|
||||
|
||||
4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories
|
||||
@ -63,6 +63,5 @@ Package sources in dist-git are generally composed from a _selinux-policy and _s
|
||||
|
||||
5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push
|
||||
6. build the package
|
||||
|
||||
$ fedpkg build
|
||||
|
||||
$ fedpkg build
|
||||
|
@ -79,12 +79,12 @@ Requires: selinux-policy-any = %{version}-%{release}
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Suggests: selinux-policy-targeted
|
||||
|
||||
%description
|
||||
%description
|
||||
SELinux core policy package.
|
||||
Originally based off of reference policy,
|
||||
the policy has been adjusted to provide support for Fedora.
|
||||
|
||||
%files
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%dir %{_datadir}/selinux
|
||||
@ -399,7 +399,7 @@ end
|
||||
|
||||
%build
|
||||
|
||||
%prep
|
||||
%prep
|
||||
%setup -n %{name}-contrib-%{commit1} -q -b 29
|
||||
tar -xf %{SOURCE35}
|
||||
contrib_path=`pwd`
|
||||
@ -525,13 +525,13 @@ echo "
|
||||
SELINUX=enforcing
|
||||
# SELINUXTYPE= can take one of these three values:
|
||||
# targeted - Targeted processes are protected,
|
||||
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||
# mls - Multi Level Security protection.
|
||||
SELINUXTYPE=targeted
|
||||
|
||||
" > %{_sysconfdir}/selinux/config
|
||||
|
||||
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
|
||||
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
|
||||
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
|
||||
else
|
||||
. %{_sysconfdir}/selinux/config
|
||||
@ -630,7 +630,7 @@ exit 0
|
||||
|
||||
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
||||
%fileList targeted
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
|
||||
%endif
|
||||
@ -733,12 +733,12 @@ exit 0
|
||||
|
||||
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
||||
%fileList minimum
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
%package mls
|
||||
%package mls
|
||||
Summary: SELinux MLS policy
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Obsoletes: selinux-policy-mls-sources < 2
|
||||
@ -750,16 +750,16 @@ Requires: selinux-policy = %{version}-%{release}
|
||||
Conflicts: seedit
|
||||
Conflicts: container-selinux <= 1.9.0-9
|
||||
|
||||
%description mls
|
||||
%description mls
|
||||
SELinux MLS (Multi Level Security) policy package.
|
||||
|
||||
%pretrans mls -p <lua>
|
||||
%backupConfigLua
|
||||
|
||||
%pre mls
|
||||
%pre mls
|
||||
%preInstall mls
|
||||
|
||||
%post mls
|
||||
%post mls
|
||||
%checkConfigConsistency mls
|
||||
%postInstall $1 mls
|
||||
exit 0
|
||||
@ -2620,7 +2620,7 @@ Resolves: rhbz#1683365
|
||||
|
||||
|
||||
* Tue May 22 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-19
|
||||
- Increase dependency versions of policycoreutils and checkpolicy packages
|
||||
- Increase dependency versions of policycoreutils and checkpolicy packages
|
||||
|
||||
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-18
|
||||
- Disable secure mode environment cleansing for dirsrv_t
|
||||
@ -4883,7 +4883,7 @@ Resolves: rhbz#1314372
|
||||
- Fix neverallow assertion for sys_module capability for openvswitch.
|
||||
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
|
||||
- Fix neverallow assertion for sys_module capability.
|
||||
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
|
||||
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
|
||||
- Add neverallow asserition fixes related to storage.
|
||||
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
|
||||
- Allow openhpid_t to read system state.
|
||||
@ -5171,7 +5171,7 @@ Resolves: rhbz#1314372
|
||||
|
||||
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-128
|
||||
- Add ipsec_rw_inherited_pipes() interface.
|
||||
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket.
|
||||
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket.
|
||||
- Label /usr/libexec/Xorg.wrap as xserver_exec_t.
|
||||
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
|
||||
- Add fixes for selinux userspace moving the policy store to /var/lib/selinux.
|
||||
@ -5179,13 +5179,13 @@ Resolves: rhbz#1314372
|
||||
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
|
||||
- Access required to run with unconfine.pp disabled
|
||||
- Fix selinux_search_fs() interface.
|
||||
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists.
|
||||
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists.
|
||||
- Add seutil_search_config() interface.
|
||||
- Make ssh-keygen as nsswitch domain to access SSSD.
|
||||
- Label ctdb events scripts as bin_t.
|
||||
- Add support for /usr/sbin/lvmpolld.
|
||||
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.
|
||||
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules.
|
||||
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules.
|
||||
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
|
||||
- Allow hypervkvp to read /dev/urandom and read addition states/config files.
|
||||
- Add cgdcbxd policy.
|
||||
@ -5200,26 +5200,26 @@ Resolves: rhbz#1314372
|
||||
- Allow fowner capability for sssd because of selinux_child handling.
|
||||
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
|
||||
- Allow cluster domain to dbus chat with systemd-logind.
|
||||
- Allow tmpreaper_t to manage ntp log content
|
||||
- Allow tmpreaper_t to manage ntp log content
|
||||
- Allow openvswitch_t to communicate with sssd.
|
||||
- Allow isnsd_t to communicate with sssd.
|
||||
- Allow rwho_t to communicate with sssd.
|
||||
- Allow pkcs_slotd_t to communicate with sssd.
|
||||
- Add httpd_var_lib_t label for roundcubemail
|
||||
- Add httpd_var_lib_t label for roundcubemail
|
||||
- Allow puppetagent_t to transfer firewalld messages over dbus.
|
||||
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
|
||||
- Update rules related to glusterd_brick_t.
|
||||
- Allow glusterd to execute lvm tools in the lvm_t target domain.
|
||||
- Allow glusterd to execute xfs_growfs in the target domain.
|
||||
- Allow sysctl to have running under hypervkvp_t domain.
|
||||
- Allow smartdnotify to use user terminals.
|
||||
- Allow pcp domains to create root.socket in /var/lip/pcp directroy.
|
||||
- Allow smartdnotify to use user terminals.
|
||||
- Allow pcp domains to create root.socket in /var/lip/pcp directroy.
|
||||
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain.
|
||||
- Allow rpcbind to create rpcbind.xdr as a temporary file.
|
||||
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings.
|
||||
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag.
|
||||
- Allow rpcbind to create rpcbind.xdr as a temporary file.
|
||||
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings.
|
||||
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag.
|
||||
- rsync server can be setup to send mail
|
||||
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again.
|
||||
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again.
|
||||
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
|
||||
- Fix samba_load_libgfapi decl in samba.te.
|
||||
- Fix typo in nagios_run_sudo() boolean.
|
||||
@ -5255,19 +5255,19 @@ Resolves: rhbz#1314372
|
||||
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
|
||||
- Add glusterd_filetrans_named_pid() interface.
|
||||
- Allow antivirus_t to read system state info.
|
||||
- Dontaudit use console for chrome-sandbox.
|
||||
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot.
|
||||
- Clamd needs to have fsetid capability.
|
||||
- Allow cinder-backup to dbus chat with systemd-logind.
|
||||
- Dontaudit use console for chrome-sandbox.
|
||||
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot.
|
||||
- Clamd needs to have fsetid capability.
|
||||
- Allow cinder-backup to dbus chat with systemd-logind.
|
||||
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
|
||||
- Allow gssd to access kernel keyring for login_pgm domains.
|
||||
- Add more fixes related to timemaster+ntp+ptp4l.
|
||||
- Allow docker sandbox domains to search all mountpoiunts
|
||||
- update winbind_t rules to allow IPC for winbind.
|
||||
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
|
||||
- Allow inet_gethost called by couchdb to access /proc/net/unix.
|
||||
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so
|
||||
- Label /usr/bin/yum-deprecated as rpm_exec_t.
|
||||
- Allow inet_gethost called by couchdb to access /proc/net/unix.
|
||||
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so
|
||||
- Label /usr/bin/yum-deprecated as rpm_exec_t.
|
||||
|
||||
* Tue May 05 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-127
|
||||
- Add missing typealiases in apache_content_template() for script domain/executable.
|
||||
@ -5897,9 +5897,9 @@ Resolves: rhbz#1314372
|
||||
- Allow mdadm to connect to own socket created by mdadm running as kernel_t.
|
||||
- Fix pkcs, Remove pkcs_lock_filetrans and Add files_search_locks
|
||||
- Allow bacula manage bacula_log_t dirs
|
||||
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
|
||||
- Allow pkcs_slotd_t read /etc/passwd, Label /var/lock/opencryptoki as pkcs_slotd_lock_t
|
||||
- Fix mistakes keystone and quantum
|
||||
- Label neutron var run dir
|
||||
- Label neutron var run dir
|
||||
- Label keystone var run dir
|
||||
- Fix bad labeling for /usr/s?bin/(oo|rhc)-restorer-wrapper.sh in openshift.fc.
|
||||
- Dontaudit attempts to access check cert dirs/files for sssd.
|
||||
@ -5910,13 +5910,13 @@ Resolves: rhbz#1314372
|
||||
- Label also /var/run/glusterd.socket file as gluster_var_run_t
|
||||
- Fix policy for pkcsslotd from opencryptoki
|
||||
- Update cockpik policy from cockpit usptream.
|
||||
- Allow certmonger to exec ldconfig to make ipa-server-install working.
|
||||
- Added support for Naemon policy
|
||||
- Allow certmonger to exec ldconfig to make ipa-server-install working.
|
||||
- Added support for Naemon policy
|
||||
- Allow keepalived manage snmp files
|
||||
- Add setpgid process to mip6d
|
||||
- remove duplicate rule
|
||||
- Allow postfix_smtpd to stream connect to antivirus
|
||||
- Dontaudit list /tmp for icecast
|
||||
- Allow postfix_smtpd to stream connect to antivirus
|
||||
- Dontaudit list /tmp for icecast
|
||||
- Allow zabbix domains to access /proc//net/dev.
|
||||
|
||||
* Wed Jul 23 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-67
|
||||
@ -5938,7 +5938,7 @@ Resolves: rhbz#1314372
|
||||
* Fri Jul 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-65
|
||||
- Allow sysadm to dbus chat with systemd
|
||||
- Add logging_dontaudit_search_audit_logs()
|
||||
- Add new files_read_all_mountpoint_symlinks()
|
||||
- Add new files_read_all_mountpoint_symlinks()
|
||||
- Fix labeling path from /var/run/systemd/initctl/fifo to /var/run/initctl/fifo.
|
||||
- Allow ndc to read random and urandom device (#1110397)
|
||||
- Allow zabbix to read system network state
|
||||
@ -7176,7 +7176,7 @@ type in docker.te
|
||||
- Add new attribute to discover confined_admins
|
||||
- Fix labeling for /etc/strongswan/ipsec.d
|
||||
- systemd_logind seems to pass fd to anyone who dbus communicates with it
|
||||
- Dontaudit leaked write descriptor to dmesg
|
||||
- Dontaudit leaked write descriptor to dmesg
|
||||
|
||||
* Mon Oct 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-89
|
||||
- Fix gnome_read_generic_data_home_files()
|
||||
@ -7295,7 +7295,7 @@ type in docker.te
|
||||
- Match upstream labeling
|
||||
|
||||
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-83
|
||||
- Do not build sanbox pkg on MLS
|
||||
- Do not build sanbox pkg on MLS
|
||||
|
||||
* Wed Sep 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-82
|
||||
- wine_tmp is no longer needed
|
||||
@ -7451,7 +7451,7 @@ type in docker.te
|
||||
- Add selinux-policy-sandbox pkg
|
||||
|
||||
* Tue Aug 27 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-73
|
||||
0
|
||||
0
|
||||
- Allow rhsmcertd to read init state
|
||||
- Allow fsetid for pkcsslotd
|
||||
- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service
|
||||
@ -7742,17 +7742,17 @@ type in docker.te
|
||||
- fix selinuxuser_use_ssh_chroot boolean
|
||||
|
||||
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
|
||||
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
|
||||
- Allow bootloader to manage generic log files
|
||||
- Allow ftp to bind to port 989
|
||||
- Fix label of new gear directory
|
||||
- Add support for new directory /var/lib/openshift/gears/
|
||||
- Add openshift_manage_lib_dirs()
|
||||
- allow virtd domains to manage setrans_var_run_t
|
||||
- Allow useradd to manage all openshift content
|
||||
- Add support so that mozilla_plugin_t can use dri devices
|
||||
- Allow chronyd to change the scheduler
|
||||
- Allow apmd to shut downthe system
|
||||
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
|
||||
- Allow bootloader to manage generic log files
|
||||
- Allow ftp to bind to port 989
|
||||
- Fix label of new gear directory
|
||||
- Add support for new directory /var/lib/openshift/gears/
|
||||
- Add openshift_manage_lib_dirs()
|
||||
- allow virtd domains to manage setrans_var_run_t
|
||||
- Allow useradd to manage all openshift content
|
||||
- Add support so that mozilla_plugin_t can use dri devices
|
||||
- Allow chronyd to change the scheduler
|
||||
- Allow apmd to shut downthe system
|
||||
- Devicekit_disk_t needs to manage /etc/fstab
|
||||
|
||||
* Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
|
||||
@ -8143,7 +8143,7 @@ type in docker.te
|
||||
- label shared libraries in /opt/google/chrome as testrel_shlib_t
|
||||
|
||||
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-34
|
||||
- Allow certmonger to dbus communicate with realmd
|
||||
- Allow certmonger to dbus communicate with realmd
|
||||
- Make realmd working
|
||||
|
||||
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-33
|
||||
@ -8162,7 +8162,7 @@ type in docker.te
|
||||
- Allow sandbox domains to use inherted terminals
|
||||
- Allow pscd to use devices labeled svirt_image_t in order to use cat cards.
|
||||
- Add label for new alsa pid
|
||||
- Alsa now uses a pid file and needs to setsched
|
||||
- Alsa now uses a pid file and needs to setsched
|
||||
- Fix oracleasmfs_t definition
|
||||
- Add support for sshd_unit_file_t
|
||||
- Add oracleasmfs_t
|
||||
@ -8719,7 +8719,7 @@ type in docker.te
|
||||
- Allow certwatch to read meminfo
|
||||
- Fix nscd_dontaudit_write_sock_file() interfac
|
||||
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
|
||||
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
|
||||
- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
|
||||
|
||||
* Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
|
||||
- Allow gnomeclock to talk to puppet over dbus
|
||||
@ -8878,7 +8878,7 @@ type in docker.te
|
||||
- Allow firewalld to dbus chat with devicekit_power
|
||||
- Allow tuned to call lsblk
|
||||
- Allow tor to read /proc/sys/kernel/random/uuid
|
||||
- Add tor_can_network_relay boolean
|
||||
- Add tor_can_network_relay boolean
|
||||
|
||||
* Wed Dec 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-60
|
||||
- Add openshift_initrc_signal() interface
|
||||
@ -8983,7 +8983,7 @@ type in docker.te
|
||||
- Fix filetrans interface definitions
|
||||
- Dontaudit xdm_t to getattr on BOINC lib files
|
||||
- Add systemd_reload_all_services() interface
|
||||
- Dontaudit write access on /var/lib/net-snmp/mib_indexes
|
||||
- Dontaudit write access on /var/lib/net-snmp/mib_indexes
|
||||
- Only stop mcsuntrustedproc from relableing files
|
||||
- Allow accountsd to dbus chat with gdm
|
||||
- Allow realmd to getattr on all fs
|
||||
@ -9148,7 +9148,7 @@ type in docker.te
|
||||
- Clean up for tunable+optional statements
|
||||
- Add labeling for /usr/sbin/mkhomedir_helper
|
||||
- Allow antivirus domain to managa amavis spool files
|
||||
- Allow rpcbind_t to read passwd
|
||||
- Allow rpcbind_t to read passwd
|
||||
- Allow pyzor running as spamc to manage amavis spool
|
||||
|
||||
|
||||
@ -9295,7 +9295,7 @@ type in docker.te
|
||||
- Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer
|
||||
- Move netlable_peer check out of booleans
|
||||
- Remove call to recvfrom_netlabel for kerberos call
|
||||
- Remove use of attributes when calling syslog call
|
||||
- Remove use of attributes when calling syslog call
|
||||
- Move -miscfiles_read_localization to domain.te to save hundreds of allow rules
|
||||
- Allow all domains to read locale files. This eliminates around 1500 allow rules- Cleanup nis_use_ypbind_uncond interface
|
||||
- Allow rndc to block suspend
|
||||
@ -9375,7 +9375,7 @@ type in docker.te
|
||||
|
||||
* Fri Aug 31 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-15
|
||||
- Separate sandbox policy into sandbox and sandboxX, and disable sandbox by default on fresh installs
|
||||
- Allow domains that can read etc_t to read etc_runtime_t
|
||||
- Allow domains that can read etc_t to read etc_runtime_t
|
||||
- Allow all domains to use inherited tmpfiles
|
||||
|
||||
* Wed Aug 29 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-14
|
||||
@ -9418,7 +9418,7 @@ type in docker.te
|
||||
- Allow xserver to communicate with secure_firmware
|
||||
- Allow fsadm tools (fsck) to read /run/mount contnet
|
||||
- Allow sysadm types to read /dev/kmsg
|
||||
-
|
||||
-
|
||||
|
||||
* Thu Aug 16 2012 Dan Walsh <dwalsh@redhat.com> 3.11.1-9
|
||||
- Allow postfix, sssd, rpcd to block_suspend
|
||||
@ -9775,7 +9775,7 @@ type in docker.te
|
||||
- Allow l2tpd_t to read system state
|
||||
- Allow tuned to run ls /dev
|
||||
- Allow sudo domains to read usr_t files
|
||||
- Add label to machine-id
|
||||
- Add label to machine-id
|
||||
- Fix corecmd_read_bin_symlinks cut and paste error
|
||||
|
||||
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
|
||||
@ -10094,7 +10094,7 @@ type in docker.te
|
||||
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98
|
||||
- Add policy for nove-cert
|
||||
- Add labeling for nova-openstack systemd unit files
|
||||
- Add policy for keystoke
|
||||
- Add policy for keystoke
|
||||
|
||||
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97
|
||||
- Fix man pages fro domains
|
||||
@ -10266,7 +10266,7 @@ type in docker.te
|
||||
- Add support for selinux_avcstat munin plugin
|
||||
- Treat hearbeat with corosync policy
|
||||
- Allow corosync to read and write to qpidd shared mem
|
||||
- mozilla_plugin is trying to run pulseaudio
|
||||
- mozilla_plugin is trying to run pulseaudio
|
||||
- Fixes for new sshd patch for running priv sep domains as the users context
|
||||
- Turn off dontaudit rules when turning on allow_ypbind
|
||||
- udev now reads /etc/modules.d directory
|
||||
@ -10322,7 +10322,7 @@ type in docker.te
|
||||
- Add ubac_constrained rules for chrome_sandbox
|
||||
- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra
|
||||
- Allow postgresql to be executed by the caller
|
||||
- Standardize interfaces of daemons
|
||||
- Standardize interfaces of daemons
|
||||
- Add new labeling for mm-handler
|
||||
- Allow all matahari domains to read network state and etc_runtime_t files
|
||||
|
||||
@ -10439,7 +10439,7 @@ type in docker.te
|
||||
|
||||
* Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-57
|
||||
- Pulseaudio changes
|
||||
- Merge patches
|
||||
- Merge patches
|
||||
|
||||
* Thu Nov 10 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-56
|
||||
- Merge patches back into git repository.
|
||||
@ -10484,7 +10484,7 @@ type in docker.te
|
||||
- Check in fixed for Chrome nacl support
|
||||
|
||||
* Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-51
|
||||
- Begin removing qemu_t domain, we really no longer need this domain.
|
||||
- Begin removing qemu_t domain, we really no longer need this domain.
|
||||
- systemd_passwd needs dac_overide to communicate with users TTY's
|
||||
- Allow svirt_lxc domains to send kill signals within their container
|
||||
|
||||
@ -10492,7 +10492,7 @@ type in docker.te
|
||||
- Remove qemu.pp again without causing a crash
|
||||
|
||||
* Wed Oct 26 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-50.1
|
||||
- Remove qemu.pp, everything should use svirt_t or stay in its current domain
|
||||
- Remove qemu.pp, everything should use svirt_t or stay in its current domain
|
||||
|
||||
* Wed Oct 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-50
|
||||
- Allow policykit to talk to the systemd via dbus
|
||||
@ -10572,7 +10572,7 @@ type in docker.te
|
||||
- Don't check md5 size or mtime on certain config files
|
||||
|
||||
* Tue Oct 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.1
|
||||
- Remove allow_ptrace and replace it with deny_ptrace, which will remove all
|
||||
- Remove allow_ptrace and replace it with deny_ptrace, which will remove all
|
||||
ptrace from the system
|
||||
- Remove 2000 dontaudit rules between confined domains on transition
|
||||
and replace with single
|
||||
@ -10799,7 +10799,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||||
|
||||
* Wed Aug 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-17
|
||||
- livecd fixes
|
||||
- spec file fixes
|
||||
- spec file fixes
|
||||
|
||||
* Thu Aug 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-16
|
||||
- fetchmail can use kerberos
|
||||
@ -10876,7 +10876,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||||
- Allow asterisk to read /dev/random if it uses TLS
|
||||
- Allow colord to read ini files which are labeled as bin_t
|
||||
- Allow dirsrvadmin sys_resource and setrlimit to use ulimit
|
||||
- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first.
|
||||
- Systemd needs to be able to create sock_files for every label in /var/run directory, cupsd being the first.
|
||||
- Also lists /var and /var/spool directories
|
||||
- Add openl2tpd to l2tpd policy
|
||||
- qpidd is reading the sysfs file
|
||||
@ -10917,7 +10917,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||||
* Wed Jun 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-27
|
||||
- Fixes for zabbix
|
||||
- init script needs to be able to manage sanlock_var_run_...
|
||||
- Allow sandlock and wdmd to create /var/run directories...
|
||||
- Allow sandlock and wdmd to create /var/run directories...
|
||||
- mixclip.so has been compiled correctly
|
||||
- Fix passenger policy module name
|
||||
|
||||
@ -11014,17 +11014,17 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||||
- Virt_admin should be allowed to manage images and processes
|
||||
|
||||
* Fri Apr 15 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-15
|
||||
- xdm_t needs getsession for switch user
|
||||
- Every app that used to exec init is now execing systemdctl
|
||||
- Allow squid to manage krb5_host_rcache_t files
|
||||
- xdm_t needs getsession for switch user
|
||||
- Every app that used to exec init is now execing systemdctl
|
||||
- Allow squid to manage krb5_host_rcache_t files
|
||||
- Allow foghorn to connect to agentx port - Fixes for colord policy
|
||||
|
||||
* Mon Apr 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-14
|
||||
- Add Dan's patch to remove 64 bit variants
|
||||
- Allow colord to use unix_dgram_socket
|
||||
- Allow apps that search pids to read /var/run if it is a lnk_file
|
||||
- iscsid_t creates its own directory
|
||||
- Allow init to list var_lock_t dir
|
||||
- Allow colord to use unix_dgram_socket
|
||||
- Allow apps that search pids to read /var/run if it is a lnk_file
|
||||
- iscsid_t creates its own directory
|
||||
- Allow init to list var_lock_t dir
|
||||
- apm needs to verify user accounts auth_use_nsswitch
|
||||
- Add labeling for systemd unit files
|
||||
- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added
|
||||
@ -11074,7 +11074,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
||||
* Wed Mar 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-6
|
||||
- Remove some unconfined domains
|
||||
- Remove permissive domains
|
||||
- Add policy-term.patch from Dan
|
||||
- Add policy-term.patch from Dan
|
||||
|
||||
* Thu Mar 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-5
|
||||
- Fix multiple specification for boot.log
|
||||
@ -11212,7 +11212,7 @@ assembled or disassembled.
|
||||
* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
|
||||
- Fix xserver_dontaudit_read_xdm_pid
|
||||
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
|
||||
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
|
||||
- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file.
|
||||
* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
|
||||
- Allow readahead to manage readahead pid dirs
|
||||
- Allow readahead to read all mcs levels
|
||||
@ -11305,7 +11305,7 @@ assembled or disassembled.
|
||||
- fix name of plymouth log file
|
||||
- teamviewer is a wine app
|
||||
- allow dmesg to read system state
|
||||
- Stop labeling files under /var/lib/mock so restorecon will not go into this
|
||||
- Stop labeling files under /var/lib/mock so restorecon will not go into this
|
||||
- nsplugin needs to read network state for google talk
|
||||
|
||||
* Thu Dec 23 2010 Dan Walsh <dwalsh@redhat.com> 3.9.12-3
|
||||
@ -11528,7 +11528,7 @@ assembled or disassembled.
|
||||
- Fix label on /var/log/wicd.log
|
||||
- Transition to initrc_t from init when executing bin_t
|
||||
- Add audit_access permissions to file
|
||||
- Make removable_t a device_node
|
||||
- Make removable_t a device_node
|
||||
- Fix label on /lib/systemd/*
|
||||
|
||||
* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6
|
||||
@ -11604,8 +11604,8 @@ assembled or disassembled.
|
||||
- Add /etc/localtime as locale file context
|
||||
|
||||
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
|
||||
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
|
||||
- Turn off iptables from unconfined user
|
||||
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
|
||||
- Turn off iptables from unconfined user
|
||||
- Allow sudo to send signals to any domains the user could have transitioned to.
|
||||
- Passwd in single user mode needs to talk to console_device_t
|
||||
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
|
||||
@ -11687,7 +11687,7 @@ Bz #637339
|
||||
Allow iptables to read shorewall tmp files
|
||||
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
|
||||
intd
|
||||
label vlc as an execmem_exec_t
|
||||
label vlc as an execmem_exec_t
|
||||
Lots of fixes for mozilla_plugin to run google vidio chat
|
||||
Allow telepath_msn to execute ldconfig and its own tmp files
|
||||
Fix labels on hugepages
|
||||
@ -11766,7 +11766,7 @@ Add boolean to allow icecast to connect to any port
|
||||
|
||||
* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-10
|
||||
- Allow pcscd to read sysfs
|
||||
- systemd fixes
|
||||
- systemd fixes
|
||||
- Fix wine_mmap_zero_ignore boolean
|
||||
|
||||
* Tue Aug 3 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-9
|
||||
@ -11967,7 +11967,7 @@ Resolves: #585963
|
||||
- Allow rlogind_t to search /root for .rhosts
|
||||
Resolves: #582760
|
||||
- Fix path for cached_var_t
|
||||
- Fix prelink paths /var/lib/prelink
|
||||
- Fix prelink paths /var/lib/prelink
|
||||
- Allow confined users to direct_dri
|
||||
- Allow mls lvm/cryptosetup to work
|
||||
|
||||
@ -12025,7 +12025,7 @@ Resolves: #582145
|
||||
- Fixes for labels during install from livecd
|
||||
|
||||
* Thu Apr 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.17-4
|
||||
- Fix /cgroup file context
|
||||
- Fix /cgroup file context
|
||||
- Fix broken afs use of unlabled_t
|
||||
- Allow getty to use the console for s390
|
||||
|
||||
@ -12164,7 +12164,7 @@ Resolves: #582145
|
||||
- Merge with upstream
|
||||
|
||||
* Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-11
|
||||
- Allow sandbox to work with MLS
|
||||
- Allow sandbox to work with MLS
|
||||
|
||||
* Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
|
||||
- Make Chrome work with staff user
|
||||
@ -12188,7 +12188,7 @@ Resolves: #582145
|
||||
|
||||
* Mon Jan 25 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-3
|
||||
- Allow abrt_helper to getattr on all filesystems
|
||||
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
|
||||
- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so
|
||||
|
||||
* Thu Jan 21 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-2
|
||||
- Add gstreamer_home_t for ~/.gstreamer
|
||||
@ -12304,7 +12304,7 @@ Resolves: #582145
|
||||
- Fix request_module line to module_request
|
||||
|
||||
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-3
|
||||
- Fix sandbox policy to allow it to run under firefox.
|
||||
- Fix sandbox policy to allow it to run under firefox.
|
||||
- Dont audit leaks.
|
||||
|
||||
* Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-2
|
||||
@ -12342,7 +12342,7 @@ Resolves: #582145
|
||||
- Allow xserver to use netlink_kobject_uevent_socket
|
||||
|
||||
* Thu Sep 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-3
|
||||
- Fixes for sandbox
|
||||
- Fixes for sandbox
|
||||
|
||||
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-2
|
||||
- Dontaudit setroubleshootfix looking at /root directory
|
||||
@ -12390,7 +12390,7 @@ Resolves: #582145
|
||||
- Add policycoreutils-python to pre install
|
||||
|
||||
* Thu Aug 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-11
|
||||
- Make all unconfined_domains permissive so we can see what AVC's happen
|
||||
- Make all unconfined_domains permissive so we can see what AVC's happen
|
||||
|
||||
* Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.26-10
|
||||
- Add pt_chown policy
|
||||
@ -12509,7 +12509,7 @@ Resolves: #582145
|
||||
- Allow setroubleshoot to run mlocate
|
||||
|
||||
* Mon Jun 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-1
|
||||
- Update to upstream
|
||||
- Update to upstream
|
||||
|
||||
* Tue Jun 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.13-3
|
||||
- Add fish as a shell
|
||||
@ -12749,7 +12749,7 @@ Resolves: #582145
|
||||
- Add git web policy
|
||||
|
||||
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-1
|
||||
- Add setrans contains from upstream
|
||||
- Add setrans contains from upstream
|
||||
|
||||
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-6
|
||||
- Do transitions outside of the booleans
|
||||
@ -12767,7 +12767,7 @@ Resolves: #582145
|
||||
- More fixes for devicekit
|
||||
|
||||
* Tue Feb 3 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-1
|
||||
- Upgrade to latest upstream
|
||||
- Upgrade to latest upstream
|
||||
|
||||
* Mon Feb 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-13
|
||||
- Add boolean to disallow unconfined_t login
|
||||
@ -12782,7 +12782,7 @@ Resolves: #582145
|
||||
- Fixes for wicd daemon
|
||||
|
||||
* Mon Jan 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-9
|
||||
- More mls/rpm fixes
|
||||
- More mls/rpm fixes
|
||||
|
||||
* Fri Jan 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-8
|
||||
- Add policy to make dbus/nm-applet work
|
||||
@ -12845,7 +12845,7 @@ Resolves: #582145
|
||||
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-7
|
||||
- Allow iptables to talk to terminals
|
||||
- Fixes for policy kit
|
||||
- lots of fixes for booting.
|
||||
- lots of fixes for booting.
|
||||
|
||||
* Wed Dec 3 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-4
|
||||
- Cleanup policy
|
||||
@ -12861,7 +12861,7 @@ Resolves: #582145
|
||||
|
||||
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-17
|
||||
- Allow lvm to dbus chat with hal
|
||||
- Allow rlogind to read nfs_t
|
||||
- Allow rlogind to read nfs_t
|
||||
|
||||
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-16
|
||||
- Fix cyphesis file context
|
||||
@ -12884,7 +12884,7 @@ Resolves: #582145
|
||||
- Add certmaster policy
|
||||
|
||||
* Wed Oct 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-11
|
||||
- Fix confined users
|
||||
- Fix confined users
|
||||
- Allow xguest to read/write xguest_dbusd_t
|
||||
|
||||
* Mon Oct 27 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-9
|
||||
@ -12912,7 +12912,7 @@ Resolves: #582145
|
||||
- Fix dovecot access
|
||||
|
||||
* Fri Oct 17 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-1
|
||||
- Policy cleanup
|
||||
- Policy cleanup
|
||||
|
||||
* Thu Oct 16 2008 Dan Walsh <dwalsh@redhat.com> 3.5.12-3
|
||||
- Remove Multiple spec
|
||||
@ -12929,7 +12929,7 @@ Resolves: #582145
|
||||
- Update to upstream policy
|
||||
|
||||
* Mon Oct 6 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-3
|
||||
- Fixes for confined xwindows and xdm_t
|
||||
- Fixes for confined xwindows and xdm_t
|
||||
|
||||
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-2
|
||||
- Allow confined users and xdm to exec wm
|
||||
@ -12940,7 +12940,7 @@ Resolves: #582145
|
||||
- Allow domains to search other domains keys, coverup kernel bug
|
||||
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
|
||||
- Fix labeling for oracle
|
||||
- Fix labeling for oracle
|
||||
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-3
|
||||
- Allow nsplugin to comminicate with xdm_tmp_t sock_file
|
||||
@ -13003,7 +13003,7 @@ Resolves: #582145
|
||||
- Update to upstream
|
||||
|
||||
* Thu Aug 7 2008 Dan Walsh <dwalsh@redhat.com> 3.5.3-1
|
||||
- Update to upstream
|
||||
- Update to upstream
|
||||
|
||||
* Sat Aug 2 2008 Dan Walsh <dwalsh@redhat.com> 3.5.2-2
|
||||
- Allow system-config-selinux to work with policykit
|
||||
@ -13075,7 +13075,7 @@ Resolves: #582145
|
||||
- Add /var/lib/selinux context
|
||||
|
||||
* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-1
|
||||
- Update to upstream
|
||||
- Update to upstream
|
||||
|
||||
* Wed Jun 4 2008 Dan Walsh <dwalsh@redhat.com> 3.4.1-5
|
||||
- Add livecd policy
|
||||
@ -13152,7 +13152,7 @@ Resolves: #582145
|
||||
- dontaudit setfiles reading links
|
||||
- allow semanage sys_resource
|
||||
- add allow_httpd_mod_auth_ntlm_winbind boolean
|
||||
- Allow privhome apps including dovecot read on nfs and cifs home
|
||||
- Allow privhome apps including dovecot read on nfs and cifs home
|
||||
dirs if the boolean is set
|
||||
|
||||
* Tue Apr 1 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-27
|
||||
@ -13177,14 +13177,14 @@ dirs if the boolean is set
|
||||
|
||||
* Tue Mar 18 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-22
|
||||
- Allow stunnel to transition to inetd children domains
|
||||
- Make unconfined_dbusd_t an unconfined domain
|
||||
- Make unconfined_dbusd_t an unconfined domain
|
||||
|
||||
* Mon Mar 17 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-21
|
||||
- Fixes for qemu/virtd
|
||||
|
||||
* Fri Mar 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-20
|
||||
- Fix bug in mozilla policy to allow xguest transition
|
||||
- This will fix the
|
||||
- This will fix the
|
||||
|
||||
libsemanage.dbase_llist_query: could not find record value
|
||||
libsemanage.dbase_llist_query: could not query record value (No such file or
|
||||
@ -13211,7 +13211,7 @@ directory)
|
||||
- Allow syslog to connect to mysql
|
||||
- Allow lvm to manage its own fifo_files
|
||||
- Allow bugzilla to use ldap
|
||||
- More mls fixes
|
||||
- More mls fixes
|
||||
|
||||
* Tue Mar 11 2008 Bill Nottingham <notting@redhat.com> 3.3.1-14
|
||||
- fixes for init policy (#436988)
|
||||
@ -13243,7 +13243,7 @@ directory)
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-5
|
||||
- Allow nsplugin_config execstack/execmem
|
||||
- Allow nsplugin_t to read alsa config
|
||||
- Change apache to use user content
|
||||
- Change apache to use user content
|
||||
|
||||
* Tue Feb 26 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-4
|
||||
- Add cyphesis policy
|
||||
@ -13454,7 +13454,7 @@ directory)
|
||||
- Fix xguest to be able to connect to sound port
|
||||
|
||||
* Fri Oct 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-28
|
||||
- Fixes for hald_mac
|
||||
- Fixes for hald_mac
|
||||
- Treat unconfined_home_dir_t as a home dir
|
||||
- dontaudit rhgb writes to fonts and root
|
||||
|
||||
@ -13526,7 +13526,7 @@ directory)
|
||||
|
||||
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8
|
||||
- Allow also to search var_lib
|
||||
- New context for dbus launcher
|
||||
- New context for dbus launcher
|
||||
|
||||
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7
|
||||
- Allow cupsd_config_t to read/write usb_device_t
|
||||
@ -13569,7 +13569,7 @@ directory)
|
||||
- Allow wine to run in system role
|
||||
|
||||
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-5
|
||||
- Fix java labeling
|
||||
- Fix java labeling
|
||||
|
||||
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-4
|
||||
- Define user_home_type as home_type
|
||||
@ -13611,7 +13611,7 @@ directory)
|
||||
- Fix Makefile for building policy modules
|
||||
|
||||
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-5
|
||||
- Fix dhcpc startup of service
|
||||
- Fix dhcpc startup of service
|
||||
|
||||
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-4
|
||||
- Fix dbus chat to not happen for xguest and guest users
|
||||
@ -13688,7 +13688,7 @@ directory)
|
||||
- Allow prelink to read kernel sysctls
|
||||
|
||||
* Mon Jul 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-5
|
||||
- Default to user_u:system_r:unconfined_t
|
||||
- Default to user_u:system_r:unconfined_t
|
||||
|
||||
* Sun Jul 1 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-4
|
||||
- fix squid
|
||||
@ -13705,7 +13705,7 @@ directory)
|
||||
- Remove ifdef strict policy from upstream
|
||||
|
||||
* Fri May 18 2007 Dan Walsh <dwalsh@redhat.com> 2.6.5-3
|
||||
- Remove ifdef strict to allow user_u to login
|
||||
- Remove ifdef strict to allow user_u to login
|
||||
|
||||
* Fri May 18 2007 Dan Walsh <dwalsh@redhat.com> 2.6.5-2
|
||||
- Fix for amands
|
||||
@ -13721,7 +13721,7 @@ directory)
|
||||
* Wed May 16 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-5
|
||||
- More fixes for alsactl
|
||||
- Transition from hal and modutils
|
||||
- Fixes for suspend resume.
|
||||
- Fixes for suspend resume.
|
||||
- insmod domtrans to alsactl
|
||||
- insmod writes to hal log
|
||||
|
||||
@ -13897,7 +13897,7 @@ Resolves: #227237
|
||||
|
||||
* Sun Feb 4 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-5
|
||||
- Fix ssh_agent to be marked as an executable
|
||||
- Allow Hal to rw sound device
|
||||
- Allow Hal to rw sound device
|
||||
|
||||
* Thu Feb 1 2007 Dan Walsh <dwalsh@redhat.com> 2.5.2-4
|
||||
- Fix spamassisin so crond can update spam files
|
||||
@ -13919,7 +13919,7 @@ Resolves: #227237
|
||||
- Continue fixing, additional user domains
|
||||
|
||||
* Wed Jan 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-4
|
||||
- Begin adding user confinement to targeted policy
|
||||
- Begin adding user confinement to targeted policy
|
||||
|
||||
* Wed Jan 10 2007 Dan Walsh <dwalsh@redhat.com> 2.5.1-2
|
||||
- Fixes for prelink, ktalkd, netlabel
|
||||
@ -13966,7 +13966,7 @@ Resolves: #220080
|
||||
Resolves: #219999
|
||||
|
||||
* Thu Dec 14 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-14
|
||||
- Allow cron to polyinstatiate
|
||||
- Allow cron to polyinstatiate
|
||||
- Fix creation of boot flags
|
||||
Resolves: #207433
|
||||
|
||||
@ -14020,7 +14020,7 @@ Resolves: #216184
|
||||
Resolves: #212957
|
||||
|
||||
* Tue Nov 28 2006 Dan Walsh <dwalsh@redhat.com> 2.4.6-1
|
||||
- Dontaudit appending hal_var_lib files
|
||||
- Dontaudit appending hal_var_lib files
|
||||
Resolves: #217452
|
||||
Resolves: #217571
|
||||
Resolves: #217611
|
||||
@ -14068,7 +14068,7 @@ Resolves: #217725
|
||||
- Allow xen to search automount
|
||||
|
||||
* Thu Nov 9 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-7
|
||||
- Fix spec of jre files
|
||||
- Fix spec of jre files
|
||||
|
||||
* Wed Nov 8 2006 Dan Walsh <dwalsh@redhat.com> 2.4.3-6
|
||||
- Fix unconfined access to shadow file
|
||||
@ -14129,7 +14129,7 @@ Resolves: #217725
|
||||
- Update xen to read nfs files
|
||||
|
||||
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-4
|
||||
- Allow noxattrfs to associate with other noxattrfs
|
||||
- Allow noxattrfs to associate with other noxattrfs
|
||||
|
||||
* Mon Oct 23 2006 Dan Walsh <dwalsh@redhat.com> 2.4-3
|
||||
- Allow hal to use power_device_t
|
||||
@ -14222,10 +14222,10 @@ Resolves: #217725
|
||||
- Update with upstream
|
||||
|
||||
* Mon Sep 25 2006 Dan Walsh <dwalsh@redhat.com> 2.3.15-2
|
||||
- mls fixes
|
||||
- mls fixes
|
||||
|
||||
* Fri Sep 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.15-1
|
||||
- Update from upstream
|
||||
- Update from upstream
|
||||
|
||||
* Fri Sep 22 2006 Dan Walsh <dwalsh@redhat.com> 2.3.14-8
|
||||
- More fixes for mls
|
||||
@ -14262,7 +14262,7 @@ Resolves: #217725
|
||||
|
||||
* Thu Sep 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-3
|
||||
- Fix location of xel log files
|
||||
- Fix handling of sysadm_r -> rpm_exec_t
|
||||
- Fix handling of sysadm_r -> rpm_exec_t
|
||||
|
||||
* Thu Sep 7 2006 Dan Walsh <dwalsh@redhat.com> 2.3.13-2
|
||||
- Fixes for autofs, lp
|
||||
@ -14320,7 +14320,7 @@ Resolves: #217725
|
||||
- More java fixes
|
||||
|
||||
* Fri Aug 11 2006 Dan Walsh <dwalsh@redhat.com> 2.3.6-4
|
||||
- Change allow_execstack to default to on, for RHEL5 Beta.
|
||||
- Change allow_execstack to default to on, for RHEL5 Beta.
|
||||
This is required because of a Java compiler problem.
|
||||
Hope to turn off for next beta
|
||||
|
||||
@ -14347,7 +14347,7 @@ Resolves: #217725
|
||||
|
||||
* Wed Aug 2 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-18
|
||||
- yet more xen rules
|
||||
|
||||
|
||||
* Tue Aug 1 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-17
|
||||
- more xen rules
|
||||
|
||||
@ -14367,7 +14367,7 @@ Resolves: #217725
|
||||
- fixes for setroubleshoot
|
||||
|
||||
* Wed Jul 26 2006 Dan Walsh <dwalsh@redhat.com> 2.3.3-11
|
||||
- Added Paul Howarth patch to only load policy packages shipped
|
||||
- Added Paul Howarth patch to only load policy packages shipped
|
||||
with this package
|
||||
- Allow pidof from initrc to ptrace higher level domains
|
||||
- Allow firstboot to communicate with hal via dbus
|
||||
@ -14763,7 +14763,7 @@ Resolves: #217725
|
||||
- Fix semoudle polcy
|
||||
|
||||
* Thu Feb 16 2006 Dan Walsh <dwalsh@redhat.com> 2.2.16-1
|
||||
- Update to upstream
|
||||
- Update to upstream
|
||||
- fix sysconfig/selinux link
|
||||
|
||||
* Wed Feb 15 2006 Dan Walsh <dwalsh@redhat.com> 2.2.15-4
|
||||
@ -14826,7 +14826,7 @@ Resolves: #217725
|
||||
- Put back in changes for pup/zen
|
||||
|
||||
* Tue Jan 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.5-1
|
||||
- Many changes for MLS
|
||||
- Many changes for MLS
|
||||
- Turn on strict policy
|
||||
|
||||
* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.4-1
|
||||
@ -14876,7 +14876,7 @@ Resolves: #217725
|
||||
|
||||
* Mon Jan 9 2006 Dan Walsh <dwalsh@redhat.com> 2.1.8-1
|
||||
- Update to upstream
|
||||
- Apply
|
||||
- Apply
|
||||
* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 2.1.7-4
|
||||
- Add wine and fix hal problems
|
||||
|
||||
@ -14947,7 +14947,7 @@ Resolves: #217725
|
||||
- Fixes to start kernel in s0-s15:c0.c255
|
||||
|
||||
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-3
|
||||
- Add java unconfined/execmem policy
|
||||
- Add java unconfined/execmem policy
|
||||
|
||||
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 2.1.6-2
|
||||
- Add file context for /var/cvs
|
||||
@ -14976,7 +14976,7 @@ Resolves: #217725
|
||||
- Allow unconfined_t to execmod texrel_shlib_t
|
||||
|
||||
* Sat Dec 10 2005 Dan Walsh <dwalsh@redhat.com> 2.1.2-1
|
||||
- Update to upstream
|
||||
- Update to upstream
|
||||
- Turn off allow_execmem and allow_execmod booleans
|
||||
- Add tcpd and automount policies
|
||||
|
||||
@ -15024,7 +15024,7 @@ Update from upstream
|
||||
- Fixes for dovecot and saslauthd
|
||||
|
||||
* Wed Nov 23 2005 Dan Walsh <dwalsh@redhat.com> 2.0.5-4
|
||||
- Cleanup pegasus and named
|
||||
- Cleanup pegasus and named
|
||||
- Fix spec file
|
||||
- Fix up passwd changing applications
|
||||
|
||||
|